This is a hands-on workshop for working with Gauntlt. The first half is philosophy, theory and social commentary; the second half is the hands-on workshop. There are two options for working through it. The recommended way is to use the VirtualBox image, since the workshop uses a couple of security tools (arachni, nmap, ...). It is not required, though: you can just clone the repo if you have Ruby 1.9.3 and bundler. If you want to use the Vagrant box setup for the workshop, follow the instructions in 02_Using Vagrant Box.md; if you want to use your own box, follow the directions in 03_Using Repo Only.md. This has been tested to work on Linux and OS X. You can follow along using the instructions at https://gist.github.com/wickett/25d90a462706639446cc
@WICKETT // #VELOCITYCONF // @GAUNTLT
BE MEAN TO YOUR CODE WITH GAUNTLT AND THE RUGGED WAY
JAMES WICKETT // @WICKETT
@WICKETT
• Austin, TX
• Gauntlt Core Team
• LASCON Founder
• Cloud Austin Organizer
• DevOps Days Austin Organizer
• DevOps, Ruby, AppSec, Chef, Cucumber, Gauntlt
REQUIREMENTS
OPTION 1
• Virtual Box
• Vagrant
• Gauntlt Box (pre-downloaded)
OR
OPTION 2
• Ruby 1.9.3
• Git
• Bundler
• Reliable Internet

INSTRUCTIONS
bit.ly/gauntlt-demo-instructions
WHY DOES THIS MATTER?

PEOPLE MATTER

THE BROKEN WINDOW FALLACY
– HENRY HAZLITT

BESIDES LOSS, BREACHES CAUSE CYNICISM AND DISTRUST

SOFTWARE HAS CHANGED

SOFTWARE AS A SERVICE

SOFTWARE AS BRICOLAGE

BOLT ON FEATURE APPROACH

FRAGILE CODE AS A SERVICE

DEPLOY TIMELINES HAVE CHANGED

DEV AND OPS HAVE FOUND A NEW RELIGION

SECURITY HAS NOT CHANGED

COMPLIANCE DRIVEN CULTURE: PCI, SOX, …

PEOPLE / PROCESS / TOOLS
WE HAVE A PEOPLE PROBLEM

THE RATIO PROBLEM

DEV : OPS : SECURITY
100 : 10 : 1

LANGUAGE GAP

SECURITY DOESN'T ALWAYS SPEAK THE LANGUAGE OF THE BIZ/DEV/OPS TEAMS

PEOPLE / PROCESS / TOOLS

ABDICATING RESPONSIBILITY PROCESS

YOU NEED EXPERTS TO TEST FOR SECURITY

FORMALIZED VIA AUDITORS AND COMPLIANCE ANNUALLY

PEOPLE / PROCESS / TOOLS

DEV -> SVN || GIT

OPS -> TXT || WIKIS

DEV -> GIT <- OPS

SECURITY -> SOURCEFORGE!

SIGNS THAT SECURITY IS MOVING INTO A NEW ERA

ANALYTICS, MONITORS, LOGS, TELEMETRY, TESTING, CONFIG MANAGEMENT

ATTACK CHAINS AND SIGNALS
http://www.youtube.com/watch?v=jQblKuMuS0Y
VULNERABILITY EXPLOITATION IS A TIMELINE

DISCOVERY -> VULNERABILITY -> EXPLOIT
SQL SYNTAX ERRORS -> DB TABLE NAMES -> LARGE RESPONSE SIZES

INSTRUMENT FULL ATTACK CHAINS AND WATCH FOR SIGNALS

RUGGED

http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain

https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring

DETECTION EARLIER

security tools today

ENTER GAUNTLT

PEOPLE / PROCESS / TOOLS

GAUNTLT IS AN OPINIONATED FRAMEWORK TO DO RUGGED TESTING

GAUNTLT = SECURITY + CUCUMBER
http://www.flickr.com/photos/35231744@N00/286858571/
CODE -> BUILD -> TEST -> DEPLOY -> FEEDBACK

CODE -> BUILD -> TEST -> DEPLOY ... ~12 MOS. LATER: SECURITY

CODE -> BUILD -> TEST -> SECURITY -> DEPLOY -> FEEDBACK
A STORY FROM 2010…

DEVOPS (+ SECURITY!)
@ernestmueller, @iteration1, @bproverb and friends

REST ENDPOINTS
• Ruby Script
• Questionable Payloads
• Invalid Sessions
• Large Payloads

COLLECTION OF SCRIPTS MERGED INTO OUR TEST RUNNER

IN'S AND OUT'S ARE EASY TO MESS UP

CUCUMBER AND OUTSIDE IN TESTING

THE START OF GAUNTLT

OUTSIDE IN TESTING FOR SECURITY TOOLS

OUTPUT FROM SECURITY TOOLS IS HARD TO DECIPHER

BE MEAN TO YOUR CODE
[Diagram, repeated over four slides: CODE in the centre, surrounded by GARMR, NMAP, SQLMAP and ARACHNI; the last slide shows CODE CODE CODE with the same tools around it]
BUT WHAT ABOUT THE PEOPLE

CONVERSATION AND COLLABORATION IS THE CORE OF GAUNTLT

DEV / OPS / SECURITY -> *.attack
• Execution Knowledge
• Testing Logic Captured
• Repeatable

GAUNTLT IN ACTION

*.attack
something.attack
else.attack
Attack Structure
Feature (description)
Background (setup)
Scenario (logic)

Attack Logic
Given
When
Then

Attack Step: Given
Setup steps: check a resource is available
  Given "arachni" is installed

Attack Step: When
Action steps
  When I launch an "arachni-xss" attack

Attack Step: Then
Parsing steps
  Then the output should not contain "fail"
GAUNTLT PHILOSOPHY

RUN SECURITY TOOLS IN A REPEATABLE, EASY TO READ WAY

GAUNTLT DOES NOT INSTALL TOOLS

GAUNTLT SHIPS WITH PRE-CANNED ATTACKS AND STEPS

BE PART OF THE CI/CD PIPELINE

HANDLES STDIN, STDOUT, AND EXIT STATUS
GAUNTLT IN USE

AT A GAME DEV SHOP
• Check for XSS (cross site scripting) [Arachni]
• Check for new login pages [Garmr]
• Check for insecure refs in login flows [Garmr]
• Extended XSS testing [Custom Arachni] (PR coming soon)

MENTOR GRAPHICS
• Smoke test integration on environment build
• Checks REST services [curl]
• Tests for XSS [arachni]
• Injection attacks [sqlmap, dirb]
• Misconfiguration [dirb]
• SSL checks [sslyze]

AT CAB FORWARD
• Ruby Dev Shop
• Integrated into CI for customers
• GITHUB -> TravisCI -> Unit Tests / Integration Tests / Gauntlt

GITHUB.COM/GAUNTLT/GAUNTLT

$ gem install gauntlt
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
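Added illustration, not Gauntlt's own code (which is built on Cucumber): a hypothetical mini-runner that evaluates the Given/When/Then step shapes from the attack-structure slides and the nmap example above, including the profile's <hostname> substitution and the "output should (not) contain" checks. The attack text and its echo command are constructed so the example runs offline.

```ruby
require "open3"
# Hypothetical mini-runner (not Gauntlt's own code) for the step shapes on the slides:
# a """docstring""" or a | name | value | table following a step is that step's argument.
def run_attack(text)
  lines, output, profile = text.lines.map(&:strip), "", {}
  until lines.empty?
    next unless lines.shift =~ /^(?:Given|When|Then|And)\s+(.*)$/
    step, doc, table = $1, [], {}
    if lines.first == '"""'                            # docstring argument
      lines.shift
      doc << lines.shift until lines.empty? || lines.first == '"""'
      lines.shift
    end
    while lines.first.to_s.start_with?("|")            # table argument (the profile)
      k, v = lines.shift.split("|").map(&:strip).reject(&:empty?)
      table[k] = v unless k == "name"
    end
    arg = doc.join("\n")
    case step
    when /^"(.+)" is installed$/                       # Given: the tool must be on PATH
      return "fail: #{$1} not in PATH" unless system("command -v #{$1} >/dev/null 2>&1")
    when /^the following profile:$/
      profile.merge!(table)
    when /^I launch (?:a|an) "generic" attack with:$/  # When: run it, keep stdout+stderr
      cmd = arg.gsub(/<(\w+)>/) { profile.fetch($1) }  # <hostname> -> profile value
      output, _status = Open3.capture2e(cmd)
    when /^the output should (not )?contain(?::| "(.+)")$/  # Then: parse the output
      hit = output.include?($2 || arg)                 # inline "text" or docstring
      return "fail: #{$1 ? 'found' : 'missing'} #{($2 || arg).inspect}" if hit == !!$1
    end
  end
  "pass"                                               # every step held: CI stays green
end
SAMPLE_ATTACK = <<~ATTACK   # constructed; shaped like the nmap slide but uses echo, so no network
  Scenario: port 80 open, no mail port
    Given "echo" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |
    When I launch a "generic" attack with:
      """
      echo "Scanning <hostname>: 80/tcp open http"
      """
    Then the output should contain:
      """
      80/tcp open http
      """
    And the output should not contain "25/tcp"
ATTACK
puts run_attack(SAMPLE_ATTACK)   # pass
```

A non-"pass" return is what a CI job would turn into a non-zero exit status to stop the pipeline.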
HANDS ON

EVERYTHING YOU NEED…
http://bit.ly/gauntlt-demo-instructions

OPTION 1

OPTION 1 - CONTINUED

OPTION 2

$ vagrant ssh
vagrant@precise32:~$

$ cd gauntlt-demo

$ rvm use 1.9.3

$ cd ./examples
$ gauntlt ./hello_world/hello_world.attack
04_Hello World with Gauntlt.md
$ gauntlt --steps
/^"(\w+)" is installed in my path$/
/^"arachni" is installed$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch (?:a|an) "arachni" attack with:$/
/^I launch (?:a|an) "arachni-(.*?)" attack$/
/^I launch (?:a|an) "curl" attack with:$/
/^I launch (?:a|an) "dirb" attack with:$/
/^I launch (?:a|an) "garmr" attack with:$/
/^I launch (?:a|an) "generic" attack with:$/
/^I launch (?:a|an) "nmap" attack with:$/
/^I launch (?:a|an) "nmap-(.*?)" attack$/
/^I launch (?:a|an) "sqlmap" attack with:$/
/^I launch (?:a|an) "sslyze" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the DIRB_WORDLISTS environment variable is set$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following environment variables:$/
/^the following profile:$/
bundle exec gauntlt --format html > out.html
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• IRC > #gauntlt on freenode
• Weekly hangout > http://bit.ly/gauntlt-hangout
• Issue tracking > http://github.com/gauntlt/gauntlt
BETA INVITE TO UDEMY CLASS? EMAIL james@gauntlt.org