Rugged by example with Gauntlt (Hacker Headshot)

Hacker Hotshot podcast.

http://www.concise-courses.com/infosec/gauntlt-rugged-by-example/


  1. Rugged by Example with Gauntlt
  2. @wickett: College Startup, Web Systems Engineer; Media Startup, Web Ops Lead; DevOps; CISSP (CISSP, sounds cool)
  3. a brief history of infosec
  4. 1337 tools
  5. the worms and viruses didn’t stop
  6. we faced skilled adversaries
  7. we couldn’t win
  8. Instead of Engineering, InfoSec became Actuaries
  9. “[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
  10. there were other movements
  11. devs became cool
  12. devs became cool: agile
  13. the biz sells time now
  14. dev and ops now play nice
  15. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  16. http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
  17. culture, automation, measurement, sharing (credit to John Willis and Damon Edwards)
  18. infosec hasn’t kept pace
  19. Your punch is soft, just like your heart
  20. “Is this Secure?” - Your Customer
  21. “It’s Certified” - You
  22. there’s a better way
  23. 6 R’s of Rugged DevOps
  24. http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
  25. how does one join rugged devops?
  26. enter gauntlt
  27. gauntlt is like this
  28. gauntlt drives sqlmap, sslyze, dirb, curl, generic and nmap against your app; exit status: 0
  29. gauntlt credits. Project Leads: James Wickett, Jeremiah Shirk. Friends: Jason Chan (Netflix), Neil Matatall (Twitter), Mani Tadayon
  30. security tools are confusing
  31. mapping, discovery, exploitation
  32. fuzz, find, inject
  33. security tests on every change
  34. wisdom from a video game
  35. always listen to Doc
  36. Find the weakness of your enemy
  37. Codify your knowledge (cheat sheets)
  38. sometimes, you face the same enemies again
  39. gauntlt is collaboration
  40. Gauntlt helps dev and ops and security to communicate
  41. gauntlt harmonizes our languages
  42. Behavior Driven Development: “BDD is a second-generation, outside-in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.” Dan North, 2009
  43. we have to start somewhere
  44. install gauntlt:

      $ gem install gauntlt

  45. gauntlt design: Simple; Extensible; UNIX™: stdin, stdout, exit status; Minimum features yield maximum utility
  46. list the defined attacks:

      $ gauntlt --list
      Defined attacks:
      curl dirb garmr generic nmap sqlmap sslyze

  47. Attack File: plain text file, Gherkin syntax: Given, When, Then
  48. an attack file (slide callouts mark the Given, When, Then, When, Then steps):

      Feature: nmap attacks for example.com

        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should contain:
            """
            80/tcp open http
            """

        Scenario: Verify that there are no unexpected ports open
          When I launch an "nmap" attack with:
            """
            nmap -F <hostname>
            """
          Then the output should not contain:
            """
            25/tcp
            """

  49. running gauntlt with failing tests:

      $ gauntlt
      Feature: nmap attacks for example.com

        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 failed)
      5 steps (1 failed, 4 passed)
      0m18.341s

  50. running gauntlt with passing tests:

      $ gauntlt
      Feature: nmap attacks for example.com

        Background:
          Given "nmap" is installed
          And the following profile:
            | name     | value       |
            | hostname | example.com |

        Scenario: Verify server is open on expected ports
          When I launch an "nmap" attack with:
            """
            nmap -F www.example.com
            """
          Then the output should contain:
            """
            443/tcp open https
            """

      1 scenario (1 passed)
      4 steps (4 passed)
      0m18.341s

  51. list the available step definitions:

      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"curl" is installed$/
      /^"dirb" is installed$/
      /^"garmr" is installed$/
      /^"nmap" is installed$/
      /^"sqlmap" is installed$/
      /^"sslyze" is installed$/
      /^I launch a "curl" attack with:$/
      /^I launch a "dirb" attack with:$/
      /^I launch a "garmr" attack with:$/
      /^I launch a "generic" attack with:$/
      /^I launch an "nmap" attack with:$/
      /^I launch an "sslyze" attack with:$/
      /^I launch an? "sqlmap" attack with:$/
      /^the "(.*?)" command line binary is installed$/
      /^the file "(.*?)" should contain XML:$/
      /^the file "(.*?)" should not contain XML:$/
      /^the following cookies should be received:$/
      /^the following profile:$/

  52. the steps relevant to a sqlmap attack:

      $ gauntlt --steps
      /^"(\w+)" is installed in my path$/
      /^"sqlmap" is installed$/
      /^I launch a "generic" attack with:$/
      /^I launch an? "sqlmap" attack with:$/

  53. the slide-48 attack file again, annotated: setup steps (the Background) verify the tool is installed and set config in the profile table
  54. the slide-48 attack file again, annotated: the attack step gets its config by expanding <hostname> from the profile
  55. the slide-48 attack file again, annotated: the assertion is a needle (the expected string) searched for in a haystack (the tool output)
  56. Supported Tools: curl, nmap, sqlmap, sslyze, Garmr, dirb, generic
  57. Netflix Use Case: Real World Cloud Application Security, Jason Chan, https://vimeo.com/54157394
  58. Check your ssl certs
  59. cookie tampering
  60. curl hacking
  61. Look for common apache misconfigurations
  62. a dirb attack file (the wordlist entries shown on the slide are listed after it):

      @slow
      Feature: Run dirb scan on a URL

        Scenario: Run a dirb scan looking for common vulnerabilities in apache
          Given "dirb" is installed
          And the following profile:
            | name     | value              |
            | hostname | http://example.com |
            | wordlist | vulns/apache.txt   |
          When I launch a "dirb" attack with:
            """
            dirb <hostname> <dirb_wordlists_path>/<wordlist>
            """
          Then the output should contain:
            """
            FOUND: 0
            """

      .htaccess .htpasswd .meta .web access_log cgi cgi-bin cgi-pub cgi-script dummy error error_log htdocs httpd httpd.pid icons server-info server-status logs manual printenv test-cgi tmp ~bin ~ftp ~nobody ~root

  63. I have my weakness. But I won't tell you! Ha Ha Ha!
  64. Test for SQL Injection
  65. a sqlmap attack file:

      @slow @announce
      Feature: Run sqlmap against a target

        Scenario: Identify SQL injection vulnerabilities
          Given "sqlmap" is installed
          And the following profile:
            | name       | value                  |
            | target_url | http://example.com?x=1 |
          When I launch a "sqlmap" attack with:
            """
            python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
            """

  66. my_first.attack: See ‘GET STARTED’ on the project repo. Start here: https://github.com/gauntlt/gauntlt/tree/master/examples. Find examples for the attacks. Add your config (hostname, login url, user). Repeat.
  67. Starter Kit on GitHub. The starter kit is on GitHub: github.com/gauntlt/gauntlt-starter-kit. Or, download a copy from: www.gauntlt.org/
  68. @gauntlt future plans
  69. Next Features: More output parsers; More attack adapters; JRuby & Java Support; Front end UI / web reports
  70. Add feature requests here: https://github.com/gauntlt/gauntlt/issues
  71. Contribute to gauntlt: See ‘FOR DEVELOPERS’ in the README. Get started in 7 steps.
  72. If you get stuck: Check the README; IRC Channel: #gauntlt on freenode; @gauntlt on twitter; Mailing List (https://groups.google.com/forum/#!forum/gauntlt); Office hours with weekly google hangout
  73. get started with gauntlt: github/gauntlt (start here), gauntlt.org (videos, tutorials: cool vids!), google group, @gauntlt, IRC #gauntlt (we help!)
  74. @wickett, james@gauntlt.org. Be Mean to Your Code!
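The set config, get config and assert needle/haystack cycle that slides 53 to 55 annotate on the nmap attack file, as an added Ruby illustration that is not Gauntlt's own code: PROFILE, expand, evaluate, exit_status and Scenario are hypothetical names, and SAMPLE_OUTPUT is constructed rather than captured from a real scan.

```ruby
# Added illustration, not Gauntlt's own code: the three steps the slides call
# out on the nmap attack file, in miniature. Set config comes from the profile
# table, get config expands <name> placeholders into the attack command, and
# assert checks each needle against the tool output (the haystack), mapping
# the result to a UNIX exit status as gauntlt does.

# Constructed sample: the profile table from the nmap attack file on the slides.
PROFILE = { "hostname" => "example.com" }.freeze

# Expand <name> placeholders with profile values. An unknown name raises so a
# typo in the attack file fails the run instead of scanning the wrong target.
def expand(command, profile)
  command.gsub(/<(\w+)>/) do
    profile.fetch(Regexp.last_match(1)) { |k| raise KeyError, "no profile value for <#{k}>" }
  end
end

# A scenario is the set of substrings that must, and must not, appear in the output.
Scenario = Struct.new(:name, :should_contain, :should_not_contain)

# Return the list of failure messages for one scenario (empty when it passes).
def evaluate(scenario, output)
  failures = []
  scenario.should_contain.each { |n| failures << "missing: #{n}" unless output.include?(n) }
  scenario.should_not_contain.each { |n| failures << "unexpected: #{n}" if output.include?(n) }
  failures
end

# Exit status in the gauntlt style: 0 only when every scenario passes, else 1,
# which is what lets a CI job fail the build on a security regression.
def exit_status(scenarios, output)
  scenarios.all? { |s| evaluate(s, output).empty? } ? 0 : 1
end

# Constructed sample standing in for `nmap -F example.com` output; the lines
# contain the exact substrings the slides assert on, and port 25 is open so
# the second scenario fails.
SAMPLE_OUTPUT = <<~OUT
  PORT STATE SERVICE
  25/tcp open smtp
  80/tcp open http
  443/tcp open https
OUT

SCENARIOS = [
  Scenario.new("Verify server is open on expected ports", ["80/tcp open http"], []),
  Scenario.new("Verify that there are no unexpected ports open", [], ["25/tcp"]),
].freeze

puts expand("nmap -F <hostname>", PROFILE)
SCENARIOS.each { |s| puts "#{s.name}: #{evaluate(s, SAMPLE_OUTPUT).inspect}" }
puts "exit status: #{exit_status(SCENARIOS, SAMPLE_OUTPUT)}"
```

Note that the match is a plain substring test, so a needle like `80/tcp open http` must reproduce the tool's exact spacing; real nmap aligns its columns with extra spaces, which is one reason the slides' own runs look for a single short needle per scenario.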
