Gauntlt Rugged By Example


DESCRIPTION

Learning Objectives: James gave us an overview of the following points:

1. Why security is dead and rugged is the new currency.
2. Why automating security tests and putting them in your deployment pipelines is where security can add business value.
3. And, learn more about Gauntlt, the open source framework that helps you accomplish the technical side of automating security tests.


Rugged by Example

with

Gauntlt

@wickett

College Startup

Web Systems Engineer

Media Startup

Web Ops Lead

DevOps

CISSP

CISSP, sounds cool

a brief history of infosec

1337 tools

the worms and viruses didn’t stop

we faced skilled

adversaries

we couldn’t win

Instead of

Engineering

InfoSec

became

Actuaries

“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”

there were other

movements

devs became cool

devs became cool agile

the biz sells time

now

dev and ops now play nice

culture, automation, measurement, sharing

credit to John Willis and Damon Edwards

infosec hasn’t kept

pace

Your punch is soft, just like your heart

“Is this

Secure?”

-Your

Customer

“It’s

Certified”

-You

there’s a better way

6 R’s of Rugged DevOps

how does one join rugged devops?

enter gauntlt

gauntlt is

like this

[diagram: gauntlt drives sqlmap, sslyze, dirb, curl, nmap and generic attacks against your app and reports back an exit status: 0]

gauntlt credits:

Project Leads:

James Wickett

Jeremiah Shirk

Friends: Jason Chan (Netflix), Neil Matatall (Twitter), Mani Tadayon

security tools are confusing

mapping

discovery

exploitation

fuzz, find, inject

security

tests on

every change

wisdom from

a video game

always

listen to

Doc

Find the

weakness of

your enemy

Codify your

knowledge

(cheat sheets)

sometimes, you

face the same

enemies again

gauntlt is

collaboration

Gauntlt helps

dev and ops

and security

to communicate

gauntlt

harmonizes

our languages

Behavior Driven

Development

BDD is a second-generation, outside–in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.

Dan North, 2009

we have to start

somewhere

$ gem install gauntlt

install gauntlt

gauntlt design

Simple

Extensible

UNIX™: stdin, stdout, exit status

Minimum features yield maximum utility

$ gauntlt --list

Defined attacks: curl dirb garmr generic nmap sqlmap sslyze

Attack File

Plain Text File

Gherkin syntax:

Given

When

Then

Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """


running gauntlt with failing tests

$ gauntlt

Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s

$ gauntlt

Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m18.341s

running gauntlt with passing tests

$ gauntlt --steps
/^"(\w+)" is installed in my path$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch a "curl" attack with:$/
/^I launch a "dirb" attack with:$/
/^I launch a "garmr" attack with:$/
/^I launch a "generic" attack with:$/
/^I launch an "nmap" attack with:$/
/^I launch an "sslyze" attack with:$/
/^I launch an? "sqlmap" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following profile:$/

$ gauntlt --steps
/^"(\w+)" is installed in my path$/
/^"sqlmap" is installed$/
/^I launch a "generic" attack with:$/
/^I launch an? "sqlmap" attack with:$/

Anatomy of the nmap attack file above:

setup steps (Background): verify tool, set config

attack (When): get config

assert (Then): needle, haystack
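The attack-file model just outlined (profile placeholders, a When step whose output is the haystack, Then steps that look for needles, and an exit status a pipeline can gate on), as an added toy illustration in Ruby. This is not gauntlt's own code, and the nmap output it checks is constructed so the example runs offline:

```ruby
# Added illustration, not gauntlt's code: a toy runner for the attack-file
# model on the slides. A profile table fills in <placeholders>, the "When"
# step launches a command and captures its stdout (the haystack), each "Then"
# step looks for a needle, and the exit status is 0 only when every scenario
# passed, which is what a deployment pipeline gates on.

# Constructed stand-ins for `nmap -F example.com` output, so this runs offline.
OPEN_80_ONLY = "PORT STATE SERVICE\n80/tcp open http\n"
OPEN_80_AND_443 = OPEN_80_ONLY + "443/tcp open https\n"
PROFILE = { "hostname" => "example.com" }   # the "following profile:" table

# Substitute <name> tokens from the profile; an unknown name raises, since an
# attack file that references a missing profile value must not silently pass.
def expand(command, profile)
  command.gsub(/<(\w+)>/) do |token|
    profile.fetch($1) { raise KeyError, "no profile value for #{token}" }
  end
end

# One scenario: `launcher` takes the expanded command line and returns its
# stdout. Assertions are [:contain, needle] or [:not_contain, needle].
def run_scenario(command, assertions, profile, launcher)
  haystack = launcher.call(expand(command, profile))
  assertions.all? do |kind, needle|
    found = haystack.include?(needle)
    kind == :contain ? found : !found
  end
end

# A whole feature: returns [exit_status, summary_line].
def run_feature(scenarios, profile, launcher)
  results = scenarios.map { |cmd, asserts| run_scenario(cmd, asserts, profile, launcher) }
  failed = results.count(false)
  [failed.zero? ? 0 : 1,
   "#{results.size} scenarios (#{failed} failed, #{results.size - failed} passed)"]
end

# The two scenarios from the slide's nmap attack file.
NMAP_SCENARIOS = [
  ["nmap -F <hostname>", [[:contain, "80/tcp open http"]]],
  ["nmap -F <hostname>", [[:not_contain, "25/tcp"]]],
]
# The scenario from the "failing tests" slide, which also expects https.
HTTPS_SCENARIO = [["nmap -F <hostname>", [[:contain, "443/tcp open https"]]]]

# Stand-alone run: the https scenario fails against a host with only port 80 open.
status, summary = run_feature(NMAP_SCENARIOS + HTTPS_SCENARIO, PROFILE, ->(_cmd) { OPEN_80_ONLY })
puts "#{summary}, exit status: #{status}"
```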

Supported Tools

curl, nmap, sqlmap, sslyze, Garmr, dirb, generic

Netflix

Use Case

Real World Cloud Application Security, Jason Chan: https://vimeo.com/54157394

Check your ssl certs

cookie tampering

curl hacking

Look for common apache

misconfigurations

@slow
Feature: Run dirb scan on a URL

  Scenario: Run a dirb scan looking for common vulnerabilities in apache
    Given "dirb" is installed
    And the following profile:
      | name     | value              |
      | hostname | http://example.com |
      | wordlist | vulns/apache.txt   |
    When I launch a "dirb" attack with:
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist>
      """
    Then the output should contain:
      """
      FOUND: 0
      """

wordlist entries (vulns/apache.txt):

.htaccess
.htpasswd
.meta
.web
access_log
cgi
cgi-bin
cgi-pub
cgi-script
dummy
error
error_log
htdocs
httpd
httpd.pid
icons
server-info
server-status
logs
manual
printenv
test-cgi
tmp
~bin
~ftp
~nobody
~root

I have my weakness. But I won't tell you! Ha Ha Ha!

Test for SQL

Injection

@slow @announce
Feature: Run sqlmap against a target

  Scenario: Identify SQL injection vulnerabilities
    Given "sqlmap" is installed
    And the following profile:
      | name       | value                  |
      | target_url | http://example.com?x=1 |
    When I launch a "sqlmap" attack with:
      """
      python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
      """

Starter Kit on GitHub

The starter kit is on GitHub:

github.com/gauntlt/gauntlt-starter-kit

Or, download a copy from:

www.gauntlt.org/

@gauntlt

future plans

Next Features

More output parsers

More attack adapters

JRuby & Java Support

Front end UI / web

reports

Contribute

to gauntlt

See ‘FOR DEVELOPERS’ in

the README

Get started in 7 steps

If you get

stuck

Check the README

IRC Channel: #gauntlt

on freenode

@gauntlt on twitter

Mailing List (https://groups.google.com/forum/#!forum/gauntlt)

Office hours with

weekly google hangout

get started with gauntlt

github/gauntlt

gauntlt.org: videos, tutorials

google group, @gauntlt, IRC #gauntlt

we help! start here. cool vids!

@wickett

james@gauntlt.org

Be Mean to Your Code!
