Talk from LASCON 2013.
Rugged Driven Development with Gauntlt
@wickett // @gauntlt // gauntlt.org
@wickett
• Austin, TX
• LASCON Founder
• DevOps Days Organizer
• DevOps, AppSec, Ruby, Chef, Cucumber
Work like a Captain
Play like a Pirate
So far, infosec is good at the pirate part...
Gauntlt is Rugged Theology
Applied
rugged
http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
Rugged & DevOps
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
security tools today
Core Tenets of Gauntlt
• Facilitate communication between Infosec and Dev and Ops
• Cultural shift from compliance driven, auditor-led security
• Build a new language and currency in organizations
gauntlt connects people
https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring
github.com/gauntlt
Our Philosophy
• Run security tools in a repeatable, easy to read way
• Handle stdin, stdout, exit status
• Favor speed and utility over complexity and slowness
• Be part of the pipeline (CI/CD)
• We aren’t package managers... install your own tools
Let’s be Captains
Install your own tools
you are in fact a captain, right?
$ rvm --ruby-version use 1.9.3
optional, but recommended
$ mkdir lascon
$ cd ./lascon
$ vim Gemfile
# Gemfile
source 'https://rubygems.org'
gem 'gauntlt'
$ bundle
$ bundle
Fetching gem metadata from https://rubygems.org/..........
Fetching gem metadata from https://rubygems.org/..
Resolving dependencies...
Using ffi (1.9.0)
Using childprocess (0.3.9)
Using builder (3.2.2)
Using diff-lcs (1.2.4)
Using multi_json (1.8.2)
Using gherkin (2.12.2)
Using multi_test (0.0.2)
Using cucumber (1.3.8)
Using rspec-expectations (2.14.3)
Using aruba (0.5.3)
Using nokogiri (1.5.10)
Using trollop (2.0)
Using gauntlt (1.0.6)
Using bundler (1.3.5)
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.
$ gem install gauntlt
Future slides will use:
$ gauntlt
but, really it is:
$ bundle exec gauntlt
$ touch example.attack
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """

Given, When, Then: the Gherkin keywords each attack file is built from.
running gauntlt with failing tests

$ gauntlt
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
running gauntlt with passing tests

$ gauntlt
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m18.341s
$ gauntlt --list
Defined attacks: arachni curl dirb garmr generic nmap sqlmap sslyze
$ gauntlt --steps
/^"(\w+)" is installed in my path$/
/^"arachni" is installed$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch (?:a|an) "arachni" attack with:$/
/^I launch (?:a|an) "arachni-(.*?)" attack$/
/^I launch (?:a|an) "curl" attack with:$/
/^I launch (?:a|an) "dirb" attack with:$/
/^I launch (?:a|an) "garmr" attack with:$/
/^I launch (?:a|an) "generic" attack with:$/
/^I launch (?:a|an) "nmap" attack with:$/
/^I launch (?:a|an) "nmap-(.*?)" attack$/
/^I launch (?:a|an) "sqlmap" attack with:$/
/^I launch (?:a|an) "sslyze" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the DIRB_WORDLISTS environment variable is set$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following environment variables:$/
/^the following profile:$/
$ gauntlt --help
$ gauntlt --allsteps
https://github.com/gauntlt/gauntlt/wiki/Output-parsing-with-Gauntlt
RegEx in Gauntlt
Then the output should match /80.tcp\s+open/
Then the output should match:
"""
80\/tcp\s+open
"""
Create network.attack

@slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value      |
      | host | lascon.org |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap-fast" attack
    Then the output should match /80.tcp\s+open/

https://gist.github.com/7121100
$ gauntlt
@slow
Feature: check to make sure the right ports are open on our server

  Background:                          # network.attack:4
    Given "nmap" is installed          # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
    And the following profile:         # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value      |
      | host | lascon.org |

  Scenario: Verify server is open on expected ports   # network.attack:10
Running a nmap-fast attack. This attack has this description: This is a fast nmap scan that should run in 10 seconds or less on most networks. It looks for the most common ports and services.
    When I launch an "nmap-fast" attack                # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:12
    Then the output should match /80.tcp\s+open/       # aruba-0.5.3/lib/aruba/cucumber.rb:137

1 scenario (1 passed)
4 steps (4 passed)
0m4.799s
Create directory.attack

@slow
Feature: make sure our website doesn't expose sensitive directories

  Scenario: Start with using dirb and check for default apache directories
    Given "dirb" is installed
    And the following profile:
      | name     | value                           |
      | hostname | http://lascon.org               |
      | wordlist | /opt/wordlists/vulns/apache.txt |
    When I launch a "dirb" attack with:
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist>
      """
    Then the output should contain:
      """
      FOUND: 0
      """

http://gist.github.com/7124575

@slow
Feature: make sure our website doesn't expose sensitive directories

  Scenario: Start with using dirb and check for default apache directories   # directory.attack:4
    Given "dirb" is installed            # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:1
    And the following profile:           # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name     | value             |
      | hostname | http://lascon.org |
      | wordlist | vulns/apache.txt  |
    When I launch a "dirb" attack with:  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:9
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist>
      """
    Then the output should contain:      # aruba-0.5.3/lib/aruba/cucumber.rb:113
      """
      FOUND: 0
      """

1 scenario (1 passed)
4 steps (4 passed)
0m23.878s
captains need dashboards
bundle exec gauntlt --format html > out.html
XSS
...looks cool in this font
$ vim Gemfile
gem 'arachni'
$ bundle
Create xss.attack
https://gist.github.com/7121728

@slow
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using the arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value             |
      | url  | http://lascon.org |
    When I launch an "arachni-simple_xss" attack
    Then the output should contain "0 issues were detected."
@slow
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using the arachni, look for cross site scripting and verify no issues are found   # xss.attack:4
    Given "arachni" is installed          # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
    And the following profile:            # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value             |
      | url  | http://lascon.org |
Running a arachni-simple_xss attack. This attack has this description: This is a scan for cross site scripting (xss) that only runs the base xss module in arachni. The scan only crawls one level deep which makes it faster. For more depth, run the gauntlt attack alias 'arachni-simple_xss_with_depth' and specifiy depth.
The arachni-simple_xss attack requires the following to be set in the profile: ["<url>"]
    When I launch an "arachni-simple_xss" attack              # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9
    Then the output should contain "0 issues were detected."  # aruba-0.5.3/lib/aruba/cucumber.rb:97

1 scenario (1 passed)
4 steps (4 passed)
0m7.991s
Other attacks
• Garmr
• HTTP Methods (CURL)
• REST Testing (jerry curl / CURL)
• SQL Injection (sqlmap and arachni)
Resources
• Google Group > https://groups.google.com/d/forum/gauntlt
• Wiki > https://github.com/gauntlt/gauntlt/wiki
• IRC > #gauntlt on freenode
• Weekly hangout > http://bit.ly/gauntlt-hangout
• Issue tracking > http://github.com/gauntlt/gauntlt
Future dev work
• Moar Attack Aliases!
• Bring your own Attack Aliases
• Bring your own Attacks
• Gauntlt Server
@gauntlt // gauntlt.org