gauntlt rugged by example
DESCRIPTION
Talk given at AppSec USA 2012. See the video here > https://vimeo.com/54250714

TRANSCRIPT
![Page 1: Gauntlt Rugged By Example](https://reader031.vdocuments.mx/reader031/viewer/2022013101/554c9a36b4c905f0178b4bbc/html5/thumbnails/1.jpg)
GAUNTLT: RUGGED BY EXAMPLE
JAMES WICKETT
MANI TADAYON
JEREMIAH SHIRK
SG: JASON CHAN
WE WANT YOU TO BE SUCCESSFUL AND MAKE A DIFFERENCE
James Wickett
CISSP, GWAPT, CCSK, GSEC, GCFW
@wickett @RuggedDevOps
@gauntlt
A BRIEF HISTORY OF INFORMATION SECURITY
WE USED TO BE COOL
WE HAD CINEMA
WE HAD HEROES
WE MADE FREE PHONE CALLS
WE WERE COOL
WE MADE IT INTO THE ORGANIZATIONS WE HAD PREVIOUSLY FOUGHT
WE COULDN’T STOP THE VIRUSES AND WORMS
INSTEAD OF ENGINEERING, INFOSEC BECAME ACTUARIES
WE BECAME EXPERTS IN BUYING INSURANCE POLICIES
“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK” - MICHAL ZALEWSKI
SOMETHING ELSE HAPPENED GLOBALLY
DEVS BECAME COOL
ENTER DEVOPS
CODE BECAME SOCIAL
“I DON’T WANT YOU TO SEND ME AN INSTALLATION DVD”
WE SELL TIME NOW
WE SELL SOCIAL AND FRIENDSHIPS
“IS THIS SECURE?” - YOUR CUSTOMER
“IT’S CERTIFIED” - YOU
WHY CAN’T YOU GIVE A BETTER ANSWER?
THE INEQUITABLE DISTRIBUTION OF LABOR IN SECURITY MIMICS THAT IN DEV/OPS
2% OF AN ENGINEERING DEV TEAM ARE WORKING ON SECURITY
- BSIMM 2012 data, http://bsimm.com/
- LEARNING FROM (PREFERABLY OTHER PEOPLE’S) MISTAKES
- DEVELOPING TOOLS TO CORRECT PROBLEMS
- PLANNING TO HAVE EVERYTHING COMPROMISED
ENTER RUGGED
Current Software
Rugged Software
ADVERSITY REQUIRES RUGGED SOLUTIONS
ADVERSITY IS REAL OR PERCEIVED NEGATIVE ACTIONS AND EVENTS THAT PROHIBIT NORMAL FUNCTION AND OPERATION.
RUGGEDIZATION THEORY
Building solutions to handle adversity will cause unintended, positive benefits that will provide value that would have been unrealized otherwise.
NO PAIN, NO GAIN
"Secondly, our network got a lot stronger as a result of the LulzSec attacks."
- Surviving Lulz: Behind the Scenes of LulzSec @SXSW 2012, by the CloudFlare team
RUGGED BY DESIGN, DEVOPS BY CULTURE
RUGGED DEVOPS
REPEATABLE – NO MANUAL STEPS, CI
RELIABLE – NO DOS HERE
REVIEWABLE – AKA AUDIT, INFRA AS CODE
RAPID – FAST TO BUILD, DEPLOY, RESTORE
RESILIENT – AUTOMATED RECONFIGURATION
REDUCED – LIMITED ATTACK SURFACE
ENTER GAUNTLT
Put your code through the GAUNTLT
GAUNTLET, N. AN ATTACK FROM ALL SIDES
[Diagram: your web app in the centre, surrounded by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and you]
gauntlt is built for doing security testing in a DevOps world
GAUNTLT IS
AN ALWAYS-ATTACKING ENVIRONMENT FOR DEVELOPERS
WITH ATTACKS WRITTEN IN EASY-TO-READ LANGUAGE
ACCESSIBLE TO EVERYONE INVOLVED IN DEV, OPS, TESTING, SECURITY, ...
WHY GAUNTLT?
SECURITY DOMAIN KNOWLEDGE IS GENERALLY A MYSTERY TO DEV TEAMS
GAUNTLT ALLOWS DEV AND OPS AND SECURITY TO COMMUNICATE
GAUNTLT JOINS THE PHILOSOPHY OF RUGGED SOFTWARE & CONTINUOUS INTEGRATION
https://github.com/thegauntlet/gauntlt
install gauntlt

```shell
$ gem install gauntlt
# download example attacks from github
# customize the example attacks
# now you can run gauntlt
$ gauntlt
```

Examples > https://github.com/thegauntlet/gauntlt/tree/master/examples
LET’S LOOK INSIDE A COUPLE OF THESE FILES
GAUNTLT ATTACKS
```gherkin
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """
```

nmap.attack
```text
wickett$ gauntlt
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
```

running gauntlt with failing tests
```text
wickett$ gauntlt
@slow
Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the target hostname is "www.example.com"
    And the target tcp_ping_ports are "22,25,80,443"

  Scenario: Verify server is open on expected set of ports using the nmap fast flag
    When I launch an "nmap" attack with:
      """
      nmap -F www-stage.cloudsourcery.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
5 steps (5 passed)
0m18.341s
```

running gauntlt with passing tests
gauntlt: Netflix Use Case
Problem Statement
• Netflix is a heavy AWS user, and we provide self-service deployment for dev teams
• AWS’ Elastic Load Balancer (ELB) provides cross-datacenter traffic balancing, but no security controls (if your cluster is attached to an ELB, it is available to the Internet)
• Engineers may misunderstand use cases for ELBs, security features, and/or other measures that can be used to protect ELB-fronted clusters
How do we ensure the 100s of clusters associated with ELBs are configured and protected as intended?
Solution: Use gauntlt to organize and perform ELB testing
gauntlt test: What response will an ELB provide to an arbitrary Internet node, and is it expected?
Process
1. Launch gauntlt test runner instance, loaded with “master list” of ELBs and expected state
2. Determine “target list” of current ELBs to evaluate
3. Generate per-ELB listener gauntlt attack files
4. Execute attacks
5. Alert on failures and new ELBs
6. Triage findings and update ELB master list
gauntlt Attack Template
• Uses gauntlt curl feature
• Sub in protocol, port, hostname, and response code from ELB master and target list
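The generate-and-diff part of that process (steps 2, 3 and 5), as an added example written for this page; it is not Netflix's or gauntlt's own code. The master list and target list below are constructed stand-ins for the ELB inventory and for what the AWS API reports at run time, and the ELB names in them are made up. The rendered attack file follows the step phrasing shown elsewhere on this page (`"<tool>" is installed`, `the target hostname is`, `I launch a "<tool>" attack with:`, `the output should contain:`) and assumes gauntlt's curl adapter accepts that same phrasing.

```ruby
# Added example for this page, not Netflix's or gauntlt's code: the
# generate-and-diff steps of the ELB process. A master list records, per ELB,
# each listener and the HTTP status an arbitrary Internet client should get;
# the target list is what the AWS API reports now. The script diffs the two
# (a new ELB is a finding in its own right) and renders one gauntlt attack
# file per known ELB from a template built on gauntlt's curl feature.
require 'erb'

# Constructed master list (made-up names): ELB DNS name => expected listeners.
MASTER_LIST = {
  'api-prod-123.us-east-1.elb.amazonaws.com' => [
    { protocol: 'https', port: 443, expected_status: 200 },
    { protocol: 'http',  port: 80,  expected_status: 301 }   # redirect to https
  ],
  'admin-prod-456.us-east-1.elb.amazonaws.com' => [
    { protocol: 'https', port: 443, expected_status: 403 }   # Internet clients must be refused
  ]
}.freeze

# Constructed target list, standing in for a DescribeLoadBalancers call.
TARGET_LIST = [
  'api-prod-123.us-east-1.elb.amazonaws.com',
  'admin-prod-456.us-east-1.elb.amazonaws.com',
  'experiment-789.us-east-1.elb.amazonaws.com'   # not in the master list yet
].freeze

# One attack file per ELB; each listener becomes a scenario. The curl command
# prints only the HTTP status code, so the Then step asserts on exactly that.
ATTACK_TEMPLATE = ERB.new(<<~'GHERKIN', trim_mode: '-')
  @elb
  Feature: ELB listener check for <%= hostname %>

    Background:
      Given "curl" is installed
      And the target hostname is "<%= hostname %>"
  <%- listeners.each do |l| -%>

    Scenario: <%= l[:protocol] %> on port <%= l[:port] %> answers <%= l[:expected_status] %> to an arbitrary Internet client
      When I launch a "curl" attack with:
        """
        curl -s -o /dev/null -w '%{http_code}' --max-time 10 <%= l[:protocol] %>://<%= hostname %>:<%= l[:port] %>/
        """
      Then the output should contain:
        """
        <%= l[:expected_status] %>
        """
  <%- end -%>
GHERKIN

def render_attack(hostname, listeners)
  ATTACK_TEMPLATE.result_with_hash(hostname: hostname, listeners: listeners)
end

# Steps 2, 3 and 5: diff the target list against the master list and render an
# attack file for every ELB we hold an expected state for. ELBs missing from
# the master list cannot be tested yet and are reported for triage (step 6).
def plan_elb_run(master, targets)
  known = master.keys
  attacks = (targets & known).to_h do |host|
    ["#{host.split('.').first}.attack", render_attack(host, master[host])]
  end
  { attacks: attacks, new_elbs: targets - known, gone_elbs: known - targets }
end

if $PROGRAM_NAME == __FILE__
  plan = plan_elb_run(MASTER_LIST, TARGET_LIST)
  plan[:attacks].each { |name, text| File.write(name, text) }  # then run: gauntlt *.attack
  warn "new ELBs, not in master list: #{plan[:new_elbs].join(', ')}" unless plan[:new_elbs].empty?
  warn "ELBs in master list but gone: #{plan[:gone_elbs].join(', ')}" unless plan[:gone_elbs].empty?
end
```

`curl -w '%{http_code}'` prints `000` when no connection is made, so an ELB that has been deleted, or whose listener is now firewalled, fails its scenario instead of passing silently; that failure, like a newly discovered ELB, is what step 6 triages into an updated master list.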
GAUNTLT: A VERY SHORT INTRODUCTION
ABOUT MANI
• Mani Tadayon
• Senior Software Engineer, ZestFinance
• Lots of experience in web development, ruby and test automation
• Learning Clojure
CONWAY’S LAW
Any organization that designs a system ... will inevitably produce a design whose structure is a copy of the organization's communication structure.
Melvin E. Conway, 1968
BEHAVIOR-DRIVEN DEVELOPMENT
BDD is a second-generation, outside–in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.
Dan North, 2009
CUCUMBER
ATTACK FILE
• Plain text file
• Gherkin syntax:
• Given
• When
• Then
```gherkin
Feature: Run sqlmap against a target

  Scenario: Identify SQL injection vulnerabilities
    # setup steps: verify the tool is present, then set config
    Given "sqlmap" is installed
    And the target URL is "http://localhost?id=1"
    # attack! <sqlmap_path> comes from an env param, <target_url> from the config above
    When I launch a "sqlmap" attack with:
      """
      python <sqlmap_path> -u <target_url>
      """
    # assert: the needle (expected string) must appear in the haystack (the tool's output)
    Then the output should contain:
      """
      sqlmap identified the following injection points
      """
```
ATTACK ADAPTER
• Step definition for attack file
• Support code in ruby or java
• Support shell script
step definition (ruby)

```ruby
# sqlmap attack adapter: the step definitions behind the Given/When lines of
# the attack file. ensure_python_script_installed, path_to_python_script and
# target_url are gauntlt support-code helpers; run comes from aruba.
Given /^"sqlmap" is installed$/ do
  ensure_python_script_installed('sqlmap')
end

When /^I launch an? "sqlmap" attack with:$/ do |command|
  sqlmap_path = path_to_python_script("sqlmap")
  # fill in the <placeholders> from the attack file ...
  command.gsub!('<target_url>', target_url)
  command.gsub!('<sqlmap_path>', sqlmap_path)
  # ... then execute
  run command
end
```
GAUNTLT DESIGN
• Simple
• Extensible
• UNIX™ : stdin, stdout, exit status
• Minimum features yield maximum utility
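The attack-file anatomy (setup, attack, then an assert that looks for a needle in the haystack of tool output), the step definitions that substitute placeholders and run the command, and the stdin/stdout/exit-status design all fit in one small runner. The following is an added example written for this page, not gauntlt's own code: it parses a subset of the attack format (one When step carrying a docstring command, any number of Then should/should-not-contain steps), fills `<placeholders>` from a config hash that stands in for the `the target hostname is` step, runs the command through the shell, and exits 0 or 1. The sample attack embedded in it is constructed, with `printf` standing in for nmap so that it runs offline.

```ruby
# Added example: a minimal gauntlt-style attack runner, not gauntlt's own code.
# It handles a small subset of the attack-file format: one
#   When I launch a "<tool>" attack with:   (docstring = command to run)
# and any number of
#   Then the output should [not] contain:   (docstring = needle)
# Placeholders such as <hostname> are filled from a config hash, the command
# runs through the shell, and the verdict is reported the UNIX way: a line on
# stdout and a zero/non-zero exit status.
require 'open3'
require 'shellwords'

WHEN_STEP = /^When I launch an? "([^"]+)" attack with:$/
THEN_STEP = /^Then the output should (not )?contain:$/
DOCSTRING = '"""'

# Parse attack text into { tool:, command:, expectations: [[kind, needle], ...] }.
def parse_attack(text)
  attack = { tool: nil, command: nil, expectations: [] }
  lines = text.lines.map(&:strip)
  i = 0
  while i < lines.length
    if (m = WHEN_STEP.match(lines[i]))
      attack[:tool] = m[1]
      attack[:command], i = read_docstring(lines, i + 1)
    elsif (m = THEN_STEP.match(lines[i]))
      kind = m[1] ? :not_contain : :contain
      needle, i = read_docstring(lines, i + 1)
      attack[:expectations] << [kind, needle]
    else
      i += 1
    end
  end
  raise ArgumentError, 'attack file has no When step' unless attack[:command]
  attack
end

# Collect the lines between a pair of """ markers starting at index i.
# Returns [body, index just after the closing marker].
def read_docstring(lines, i)
  raise ArgumentError, "expected #{DOCSTRING} after step" unless lines[i] == DOCSTRING
  body = []
  i += 1
  until lines[i] == DOCSTRING
    raise ArgumentError, 'unterminated docstring' if i >= lines.length
    body << lines[i]
    i += 1
  end
  [body.join("\n"), i + 1]
end

# Fill <placeholders> from config. Values are shell-escaped because the command
# is handed to a shell: a hostname like "x; rm -rf /" must stay a single,
# inert argument. An unknown placeholder raises KeyError rather than
# silently becoming an empty string.
def substitute(command, config)
  command.gsub(/<(\w+)>/) { Shellwords.escape(config.fetch(Regexp.last_match(1))) }
end

Result = Struct.new(:tool, :command, :output, :exit_status, :failures) do
  def passed?
    failures.empty?
  end
end

# Run the attack and check every Then step against combined stdout+stderr.
def run_attack(attack, config)
  command = substitute(attack[:command], config)
  output, status = Open3.capture2e(command)
  failures = attack[:expectations].reject { |kind, needle|
    kind == :contain ? output.include?(needle) : !output.include?(needle)
  }.map { |kind, needle| "expected output to #{kind == :contain ? 'contain' : 'not contain'} #{needle.inspect}" }
  Result.new(attack[:tool], command, output, status.exitstatus, failures)
end

# gauntlt's contract with CI: exit 0 when every assertion held, 1 otherwise.
def exit_code(result)
  result.passed? ? 0 : 1
end

# Constructed sample attack: printf stands in for nmap so the example runs
# offline; a real file would say `nmap -F <hostname>` behind a
# `Given "nmap" is installed` step.
SAMPLE_ATTACK = <<~'ATTACK'
  Feature: expected ports on <hostname>
    Scenario: only the expected web ports are open
      When I launch a "printf" attack with:
        """
        printf 'Nmap scan report for %s\n80/tcp open http\n443/tcp open https\n' <hostname>
        """
      Then the output should contain:
        """
        443/tcp open https
        """
      Then the output should not contain:
        """
        25/tcp
        """
ATTACK

SAMPLE_CONFIG = { 'hostname' => 'www.example.com' }.freeze

if $PROGRAM_NAME == __FILE__
  result = run_attack(parse_attack(SAMPLE_ATTACK), SAMPLE_CONFIG)
  puts result.output
  puts(result.passed? ? 'PASS' : "FAIL: #{result.failures.join('; ')}")
  exit exit_code(result)
end
```

Run it as `ruby runner.rb; echo $?` to see the verdict and the exit status that a CI job would key off. The shell escaping in `substitute` is the one place this toy is stricter than the adapter shown above, which interpolates `target_url` into the command unescaped; that is fine while config values come from the attack file itself, but not once they come from an inventory or a form.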
UPCOMING FEATURES
• More output parsers
• More attack adapters
• More goats
• Better support for JRuby & Java
• Anything you want:
https://github.com/thegauntlet/gauntlt/issues
Gauntlt: Using the Gauntlt Starter Kit
About me
• Jeremiah Shirk
• Application & Infrastructure Manager, Kansas State University
• 18 years doing unix admin, security, and some open source contributions
• Keeper of tiny flocks
KSU 55 - WVU 14
Gauntlt Starter Kit
Dependencies
• VirtualBox
• Vagrant
Download
• https://www.virtualbox.org/
• http://vagrantup.com/
Starter Kit on GitHub
• The starter kit is on GitHub at https://github.com/thegauntlet/gauntlt-starter-kit
• Or, download a copy from:
www.gauntlt.org/...
Base box
```text
$ vagrant box add precise32 http://files.vagrantup.com/precise32.box
[vagrant] Downloading with Vagrant::Downloaders::HTTP...
[vagrant] Downloading box: http://files.vagrantup.com/precise32.box
[vagrant] Extracting box...
[vagrant] Verifying box...
[vagrant] Cleaning up downloaded box...
$
```
Start the VM
```text
$ cd gauntlt-starter-kit/vagrant/gauntlt
$ vagrant up
[default] Importing base box 'precise32'...
[default] Matching MAC address for NAT networking...
[default] Clearing any previously set forwarded ports...
[default] Forwarding ports...
[default] -- 22 => 2222 (adapter 1)
[default] Creating shared folders metadata...
[default] Clearing any previously set network interfaces...
[default] Booting VM...
[default] Waiting for VM to boot. This can take a few minutes.
...
```
Vagrantfile

```ruby
Vagrant::Config.run do |config|
  config.ssh.private_key_path = "~/.ssh/id_rsa"
  config.vm.box = "precise32"
  config.vm.box_url = "http://files.vagrantup.com/precise32.box"
  # config.vm.network :hostonly, "33.33.33.10"
  # config.vm.network :bridged
  # config.vm.forward_port 80, 8080
  # config.vm.share_folder "v-data", "/vagrant_data", "../data"
  config.vm.provision :chef_solo do |chef|
    chef.cookbooks_path = ["cookbooks", "site-cookbooks"]
    chef.add_recipe "vagrant_main"
  end
end
```
SSH to the VM
$ vagrant ssh
Secure SSH Keys

Vagrant base boxes ship with Vagrant's publicly known insecure key in the vagrant user's authorized_keys, so replace it with your own: look up the forwarded SSH port, then use the insecure key one last time to copy your public key over authorized_keys (the Vagrantfile's config.ssh.private_key_path already points at ~/.ssh/id_rsa).

```shell
$ vagrant ssh-config | grep Port
  Port 2222

$ scp -i ~/.vagrant.d/insecure_private_key -P 2222 \
    ~/.ssh/id_rsa.pub vagrant@localhost:~/.ssh/authorized_keys
```
```text
vagrant@precise32:~$ gauntlt attacks/nmap
Feature: simple nmap attack (sanity check)

  Background:
    Given "nmap" is installed
    And the target hostname is "google.com"

  Scenario: Verify server is available on standard web ports
    When I launch an "nmap" attack with:
      """
      nmap -p 80,443 google.com
      """
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.112s
vagrant@precise32:~$
```
```text
vagrant@precise32:~$ gauntlt attacks/sslyze
Feature: Run sslyze against a target

  Background:                                  # attacks/sslyze:3
    Given "sslyze" is installed                # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:1
    And the target hostname is "google.com"    # gauntlt-0.0.8/lib/gauntlt/attack_adapters/nmap.rb:7

  Scenario: Ensure no anonymous certificates   # attacks/sslyze:7
    When I launch an "sslyze" attack with:     # gauntlt-0.0.8/lib/gauntlt/attack_adapters/sslyze.rb:5
      """
      python /home/vagrant/sslyze/sslyze.py google.com:443
      """
    Then the output should not contain:        # aruba-0.5.0/lib/aruba/cucumber.rb:111
      """
      Anon
      """

1 scenario (1 passed)
4 steps (4 passed)
0m0.736s
vagrant@precise32:~$
```
Office hours
Hotel bar
Tonight, 10 p.m.
Questions?