The document discusses the OWASP Offensive (Web) Testing Framework (OWTF) and its integration with Kali Linux for automated web penetration testing. It includes installation instructions, execution methods, and a structured approach to performing both passive and active web analysis. The document emphasizes that while OWTF streamlines routine tasks in penetration testing, human intelligence and customized testing still hold significant value.

1. OWASP OWTF the Offensive
(Web) Testing Framework
+
PTES Penetration Testing
Execution Standard
=
Kali Power Auto Web Pentests!
Mauro Risonho de Paula Assumpçao
aka firebitsbr
Sao Paulo, Brasil - 2014

2. $WHOIS
Mauro Risonho de Paula Assumpção
Especialista em SGTI pela ICTS Protiviti
mauro.assumpcao@icts.com.br
 Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/
Security Researcher/Instrutor/Palestrante e
Eterno Aprendiz de Conhecimentos
•https://github.com/firebitsbr
•https://www.linkedin.com
•http://www.backtrack-linux.org
•www.slideshare.net/firebits/ (migrando Google)
•@firebitsbr
•mauro.risonho@gmail.com mrpa.security@gmail.com
•Google+ mauro.risonho / mrpa.security

3. Agenda
● OWTF Intro
– Instalando OWTF com o Kali (apenas tools web)
● Executando OWTF
– Parte 1: OWTF Passive + Semi-passive Web analysis
– Parte 2: OWTF Active Web analysis
– Parte 3: OWTF aux plugins – SE, IDs testing
● Conclusao
● Q&A

4. Email do Autor

5. Offensive (Web) Testing Framework
= Multi-level “cheating” tactics

6. OWTF Chess-like approach
Kasparov against Deep Blue - http://www.robotikka.com

7. Steps
- http://cdimage.kali.org/kali-1.0.8/kali-linux-1.0.8-amd64.iso
- http://docs.kali.org/network-install/kali-linux-network-mini-iso-install
- https://www.owasp.org/index.php/OWASP_OWTF
- github
git clone git://github.com/owtf/owtf.git
- OWTF 0.45.0 Winter Blizzard
wget https://github.com/owtf/owtf/archive/v0.45.0_Winter_Blizzard.tar.gz
tar -xvvf v0.45.0_Winter_Blizzard.tar.gz
kali-linux-web = Kali Linux web app assessment tools (group install)
apt-get install kali-linux-web -y

8. Install – via git
#git clone https://github.com/owtf/owtf.git
#cd /root/owtf/install
#python install.py
#YES, YES, YES...FOREVER!

9. Escolher opcao 1

10. Escolher “Y” YES

11. Acabou de instalar
com sucesso! :)

12. Definir quais tools usar
#vim /root/owtf/profiles/general/default.cfg
Framework path: @@@FRAMEWORK_DIR@@@/tools/...
#TOOL_WHATWEB:
@@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb-
0.4.7/whatweb
TOOL_WHATWEB:
@@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatwe
b-0.4.7/whatweb

14. OWTF CLI
python owtf.py -h|more

15. Listar plugins OWTF - Web Attacks
# python owtf.py -l web

16. Simulation mode
Simulation mode “-s ”:
1) SIMULATES what OWTF will do (so it does
not do it!):
2) Is useful to check the effect of a command
before running it
#python owtf.py -s https://accounts.google.com
| more

17. DEMO
python owtf.py www.google.com

18. Reports?
● file:///root/owtf/owtf_review/index.html
–

19. DEMOS
– Parte 1: OWTF Passive + Semi-passive Web
analysis
– Parte 2: OWTF Active Web analysis
– Parte 3: OWTF aux plugins – SE, IDs testing

20. Conclusao
● OWASP OWTF um framework que automatiza
e faz ganhar muito tempo em pentest(s) com
foco em targets em web applications e
infraweb, nas tarefas rotineiras, mas pentests
customizados, apenas agrega um pouco mais
valor, mas nao substitui o processo manual,
inteligente e humano.

21. Duvidas?

22. $WHOIS
Mauro Risonho de Paula Assumpção
Especialista em SGTI pela ICTS Protiviti
mauro.assumpcao@icts.com.br
 Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/
Security Researcher/Instrutor/Palestrante e
Eterno Aprendiz de Conhecimentos
•https://github.com/firebitsbr
•https://www.linkedin.com
•http://www.backtrack-linux.org
•www.slideshare.net/firebits/ (migrando Google)
•@firebitsbr
•mauro.risonho@gmail.com mrpa.security@gmail.com
•Google+ mauro.risonho / mrpa.security