Rugged by Example
with
Gauntlt
@wickett
College Startup
Web Systems Engineer
Media Startup
Web Ops Lead
DevOps
CISSP
CISSP, sounds cool
a brief history of infosec
1337 tools
the worms and viruses didn’t stop
we faced skilled
adversaries
we couldn’t win
Instead of
Engineering
InfoSec
became
Actuaries
“[RISK ASSESSMENT] INTRODUCES A DANGEROUS FALLACY: THAT STRUCTURED INADEQUACY IS ALMOST AS GOOD AS ADEQUACY AND THAT UNDERFUNDED SECURITY EFFORTS PLUS RISK MANAGEMENT ARE ABOUT AS GOOD AS PROPERLY FUNDED SECURITY WORK”
there were other
movements
devs became cool
devs became cool agile
the biz sells time
now
dev and ops now play nice
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr
cultureautomationmeasurementsharing
credit to John Willis and Damon Edwards
infosec hasn’t kept
pace
Your punch is soft,just like your heart
“Is this
Secure?”
-Your
Customer
“It’s
Certified”
-You
there’s a better way
6 R’s of Rugged DevOps
http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain
how does one join rugged devops?
enter gauntlt
gauntlt is
like this
sqlmap sslyze
dirbcurl
generic
nmap
your appgauntlt
exit status: 0
gauntlt credits:
Project Leads:
James Wickett
Jeremiah Shirk
Friends: Jason Chan, NetflixNeil Matatall, TwitterMani Tadayon
security tools are confusing
mapping
discovery
exploitation
fuzzfind inject
security
tests on
every change
wisdom from
a video game
always
listen to
Doc
Find the
weakness of
your enemy
Codify your
knowledge
(cheat sheets)
sometimes, you
face the same
enemies again
gauntlt is
collaboration
Gauntlt helps
dev and ops
and security
to communicate
gauntlt
harmonizes
our languages
Behavior Driven
Development
BDD is a second-generation, outside–in, pull-based, multiple-stakeholder, multiple-scale, high-automation, agile methodology. It describes a cycle of interactions with well-defined outputs, resulting in the delivery of working, tested software that matters.
Dan North , 2009
we have to start
somewhere
$ gem install gauntlt
install gauntlt
gauntlt design
Simple
Extensible
UNIX™: stdin, stdout, exit status
Minimum features yield maximum utility
$ gauntlt --list
Defined attacks: curl dirb garmr generic nmap sqlmap sslyze
Attack File
Plain Text File
Gherkin syntax:
Given
When
Then
Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |
Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open http """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """
Given
When
Then
When
Then
running gauntlt with failing tests
$ gauntlt
Feature: nmap attacks for example.com
Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |
Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """
1 scenario (1 failed)5 steps (1 failed, 4 passed)0m18.341s
$ gauntlt
Feature: nmap attacks for example.com
Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |
Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """
1 scenario (1 passed)4 steps (4 passed)0m18.341s
running gauntlt with passing tests
$ gauntlt --steps/^"(\w+)" is installed in my path$//^"curl" is installed$//^"dirb" is installed$//^"garmr" is installed$//^"nmap" is installed$//^"sqlmap" is installed$//^"sslyze" is installed$//^I launch a "curl" attack with:$//^I launch a "dirb" attack with:$//^I launch a "garmr" attack with:$//^I launch a "generic" attack with:$//^I launch an "nmap" attack with:$//^I launch an "sslyze" attack with:$//^I launch an? "sqlmap" attack with:$//^the "(.*?)" command line binary is installed$//^the file "(.*?)" should contain XML:$//^the file "(.*?)" should not contain XML:$//^the following cookies should be received:$//^the following profile:$/
$ gauntlt --steps/^"(\w+)" is installed in my path$//^"sqlmap" is installed$//^I launch a "generic" attack with:$//^I launch an? "sqlmap" attack with:$/
Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |
Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open http """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """
setup steps
verify tool
set config
Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |
Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open http """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """
attack
get config
Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |
Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open http """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """
assert
needle
haystack
Supported Tools
curlnmapsqlmapsslyzeGarmrdirbgeneric
Netflix
Use Case
Real World Cloud Application Security, Jason Chanhttps://vimeo.com/54157394
Check your ssl certs
cookie tampering
curl hacking
Look for common apache
misconfigurations
@slowFeature: Run dirb scan on a URL
Scenario: Run a dirb scan looking for common vulnerabilities in apache
Given "dirb" is installed And the following profile: | name | value | | hostname | http://example.com | | wordlist | vulns/apache.txt |
When I launch a "dirb" attack with: """ dirb <hostname> <dirb_wordlists_path>/<wordlist> """
Then the output should contain: """ FOUND: 0 """
.htaccess.htpasswd
.meta.web
access_logcgi
cgi-bincgi-pub
cgi-scriptdummyerror
error_loghtdocshttpd
httpd.pidicons
server-infoserver-status
logsmanualprintenvtest-cgi
tmp~bin~ftp
~nobody~root
I have my weakness. But I won't tell you! Ha Ha Ha!
Test for SQL
Injection
@slow @announceFeature: Run sqlmap against a target Scenario: Identify SQL injection vulnerabilities
Given "sqlmap" is installed And the following profile: | name | value | | target_url | http://example.com?x=1 |
When I launch a "sqlmap" attack with: """ python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables """
my_first.attack
See ‘GET STARTED’ on project repo
Start here > https://github.com/gauntlt/gauntlt/tree/master/examples
Find examples for the attacks
Add your config (hostname, login url, user)
Repeat
Starter Kit on GitHub
The starter kit is on GitHub:
github.com/gauntlt/gauntlt-starter-kit
Or, download a copy from:
www.gauntlt.org/
@gauntlt
future plans
Next Features
More output parsers
More attack adapters
JRuby & Java Support
Front end UI / web
reports
Add feature requests here:
https://github.com/gauntlt/gauntlt/
issues
Contribute
to gauntlt
See ‘FOR DEVELOPERS’ in
the README
Get started in 7 steps
If you get
stuck
Check the README
IRC Channel: #gauntlt
on freenode
@gauntlt on twitter
Mailing List (https://groups.google.com/forum/#!forum/
gauntlt)
Office hours with
weekly google hangout
get started with gauntlt
github/gauntlt
gauntlt.orgvideos
tutorials
google group@gauntlt
IRC #gauntltwe
help!
start here
cool vids!
Recommended
