Rugged Driven Development with Gauntlt

Post on 19-Oct-2014


DESCRIPTION

Talk from LASCON 2013.

Transcript

Rugged Driven Development with Gauntlt

@wickett // @gauntlt // gauntlt.org

@wickett

• Austin, TX

• LASCON Founder

• DevOps Days Organizer

• DevOps, AppSec, Ruby, Chef, Cucumber


Work like a Captain

Play like a Pirate


So far, infosec is good at the pirate part...


Gauntlt is Rugged Theology Applied


rugged


http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain


Rugged & DevOps

Gauntlt is Rugged Theology Applied


security tools today


Core Tenets of Gauntlt

• Facilitate communication between Infosec and Dev and Ops

• Cultural shift from compliance driven, auditor-led security

• Build a new language and currency in organizations


gauntlt connects people


github.com/gauntlt

Our Philosophy

• Run security tools in a repeatable, easy-to-read way

• Handle stdin, stdout, exit status

• Favor speed and utility over complexity and slowness

• Be part of the pipeline (CI/CD)

• We aren’t package managers... install your own tools


Let’s be Captains


Install your own tools

you are in fact a captain, right?


$ rvm --ruby-version use 1.9.3

optional, but recommended

$ mkdir lascon
$ cd ./lascon
$ vim Gemfile


# Gemfile

source 'https://rubygems.org'

gem 'gauntlt'


$ bundle


$ bundle
Fetching gem metadata from https://rubygems.org/..........
Fetching gem metadata from https://rubygems.org/..
Resolving dependencies...
Using ffi (1.9.0)
Using childprocess (0.3.9)
Using builder (3.2.2)
Using diff-lcs (1.2.4)
Using multi_json (1.8.2)
Using gherkin (2.12.2)
Using multi_test (0.0.2)
Using cucumber (1.3.8)
Using rspec-expectations (2.14.3)
Using aruba (0.5.3)
Using nokogiri (1.5.10)
Using trollop (2.0)
Using gauntlt (1.0.6)
Using bundler (1.3.5)
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.


$ gem install gauntlt


Future slides will use:

$ gauntlt

but, really it is:

$ bundle exec gauntlt


$ touch example.attack


Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should contain:
      """
      80/tcp open http
      """

  Scenario: Verify that there are no unexpected ports open
    When I launch an "nmap" attack with:
      """
      nmap -F <hostname>
      """
    Then the output should not contain:
      """
      25/tcp
      """



running gauntlt with failing tests

$ gauntlt

Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s


$ gauntlt

Feature: nmap attacks for example.com

  Background:
    Given "nmap" is installed
    And the following profile:
      | name     | value       |
      | hostname | example.com |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap" attack with:
      """
      nmap -F www.example.com
      """
    Then the output should contain:
      """
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m18.341s

running gauntlt with passing tests


$ gauntlt --list

Defined attacks: arachni curl dirb garmr generic nmap sqlmap sslyze


$ gauntlt --steps
/^"(\w+)" is installed in my path$/
/^"arachni" is installed$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch (?:a|an) "arachni" attack with:$/
/^I launch (?:a|an) "arachni-(.*?)" attack$/
/^I launch (?:a|an) "curl" attack with:$/
/^I launch (?:a|an) "dirb" attack with:$/
/^I launch (?:a|an) "garmr" attack with:$/
/^I launch (?:a|an) "generic" attack with:$/
/^I launch (?:a|an) "nmap" attack with:$/
/^I launch (?:a|an) "nmap-(.*?)" attack$/
/^I launch (?:a|an) "sqlmap" attack with:$/
/^I launch (?:a|an) "sslyze" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the DIRB_WORDLISTS environment variable is set$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following environment variables:$/
/^the following profile:$/

$ gauntlt --help

$ gauntlt --allsteps


https://github.com/gauntlt/gauntlt/wiki/Output-parsing-with-Gauntlt



RegEx in Gauntlt

Then the output should match /80.tcp\s+open/

Then the output should match:

"""

80\/tcp\s+open

"""


Create network.attack

@slow
Feature: check to make sure the right ports are open on our server

  Background:
    Given "nmap" is installed
    And the following profile:
      | name | value      |
      | host | lascon.org |

  Scenario: Verify server is open on expected ports
    When I launch an "nmap-fast" attack
    Then the output should match /80.tcp\s+open/

https://gist.github.com/7121100

$ gauntlt
@slow
Feature: check to make sure the right ports are open on our server

  Background:                    # network.attack:4
    Given "nmap" is installed    # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
    And the following profile:   # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value      |
      | host | lascon.org |

  Scenario: Verify server is open on expected ports  # network.attack:10
    Running a nmap-fast attack. This attack has this description: This is a fast nmap scan that should run in 10 seconds or less on most networks. It looks for the most common ports and services.
    When I launch an "nmap-fast" attack            # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:12
    Then the output should match /80.tcp\s+open/   # aruba-0.5.3/lib/aruba/cucumber.rb:137

1 scenario (1 passed)
4 steps (4 passed)
0m4.799s


Create directory.attack

@slow
Feature: make sure our website doesn't expose sensitive directories

  Scenario: Start with using dirb and check for default apache directories
    Given "dirb" is installed
    And the following profile:
      | name     | value                           |
      | hostname | http://lascon.org               |
      | wordlist | /opt/wordlists/vulns/apache.txt |
    When I launch a "dirb" attack with:
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist>
      """
    Then the output should contain:
      """
      FOUND: 0
      """

http://gist.github.com/7124575

@slow
Feature: make sure our website doesn't expose sensitive directories

  Scenario: Start with using dirb and check for default apache directories  # directory.attack:4
    Given "dirb" is installed            # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:1
    And the following profile:           # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name     | value             |
      | hostname | http://lascon.org |
      | wordlist | vulns/apache.txt  |
    When I launch a "dirb" attack with:  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:9
      """
      dirb <hostname> <dirb_wordlists_path>/<wordlist>
      """
    Then the output should contain:      # aruba-0.5.3/lib/aruba/cucumber.rb:113
      """
      FOUND: 0
      """

1 scenario (1 passed)
4 steps (4 passed)
0m23.878s
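To make the mechanics behind the attack files above concrete (profile substitution, the `contain` / `not contain` / `match` checks, and the exit status that lets Gauntlt sit in a CI/CD pipeline as the Philosophy slide asks), here is an added illustration in Ruby. It is not Gauntlt's own code; the scan output, the profile values and the DIRB_WORDLISTS path are constructed assumptions.

```ruby
# Added illustration, not Gauntlt's own code: how an attack file's profile table
# and command template become a command line, how the three "Then" checks from
# the slides are applied to captured output, and how the result becomes an exit
# status a CI/CD pipeline can gate on. Scan output is constructed sample text.
# Profile table from an attack file, as name => value (constructed).
PROFILE = { "hostname" => "example.com", "wordlist" => "vulns/apache.txt" }.freeze

# Constructed nmap-style output; real nmap pads the columns, which matters below.
NMAP_OUTPUT = <<~OUT.freeze
  Nmap scan report for example.com
  PORT    STATE SERVICE
  80/tcp  open  http
  443/tcp open  https
OUT

# Fill <name> placeholders from the profile; <dirb_wordlists_path> comes from the
# DIRB_WORDLISTS environment variable (assumed here), as the dirb attack expects.
def render_command(template, profile, env = { "DIRB_WORDLISTS" => "/opt/wordlists" })
  vars = profile.merge("dirb_wordlists_path" => env["DIRB_WORDLISTS"])
  template.gsub(/<(\w+)>/) do
    name = Regexp.last_match(1)
    vars.fetch(name) { raise KeyError, "profile does not define <#{name}>" }
  end
end

# Evaluate a scenario's Then-steps against captured output. Returns
# [exit_status, summary]: 0 only when every step passed, mirroring the
# "n steps (x failed, y passed)" line Gauntlt prints.
def run_scenario(steps, output)
  results = steps.map do |kind, arg|
    case kind
    when :contain     then output.include?(arg)   # the output should contain:
    when :not_contain then !output.include?(arg)  # the output should not contain:
    when :match       then output.match?(arg)     # the output should match /re/
    else raise ArgumentError, "unknown step #{kind}"
    end
  end
  failed = results.count(false)
  [failed.zero? ? 0 : 1,
   "#{steps.size} steps (#{failed} failed, #{results.count(true)} passed)"]
end

if __FILE__ == $PROGRAM_NAME
  puts render_command("dirb <hostname> <dirb_wordlists_path>/<wordlist>", PROFILE)
  # "80/tcp open http" misses nmap's padding; the regex form from the deck does not.
  status, summary = run_scenario([[:contain, "80/tcp open http"],
                                  [:match, /80.tcp\s+open/], [:not_contain, "25/tcp"]], NMAP_OUTPUT)
  puts "#{summary} -> exit status #{status}"
end
```

The literal `contain` check fails against padded nmap columns while the regex from the RegEx slide passes, which is why the deck switches to `should match` for port checks.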

captains need dashboards


bundle exec gauntlt --format html > out.html


XSS

...looks cool in this font


$ vim Gemfile

gem 'arachni'

$ bundle


Create xss.attack

https://gist.github.com/7121728

@slow
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using the arachni, look for cross site scripting and verify no issues are found
    Given "arachni" is installed
    And the following profile:
      | name | value             |
      | url  | http://lascon.org |
    When I launch an "arachni-simple_xss" attack
    Then the output should contain "0 issues were detected."


@slow
Feature: Look for cross site scripting (xss) using arachni against a URL

  Scenario: Using the arachni, look for cross site scripting and verify no issues are found  # xss.attack:4
    Given "arachni" is installed                  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
    And the following profile:                    # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
      | name | value             |
      | url  | http://lascon.org |
    Running a arachni-simple_xss attack. This attack has this description: This is a scan for cross site scripting (xss) that only runs the base xss module in arachni. The scan only crawls one level deep which makes it faster. For more depth, run the gauntlt attack alias 'arachni-simple_xss_with_depth' and specifiy depth.
    The arachni-simple_xss attack requires the following to be set in the profile: ["<url>"]
    When I launch an "arachni-simple_xss" attack  # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9
    Then the output should contain "0 issues were detected."  # aruba-0.5.3/lib/aruba/cucumber.rb:97

1 scenario (1 passed)
4 steps (4 passed)
0m7.991s


Other attacks

• Garmr

• HTTP Methods (CURL)

• REST Testing (jerry curl / CURL)

• SQL Injection (sqlmap and arachni)


Resources

• Google Group > https://groups.google.com/d/forum/gauntlt

• Wiki > https://github.com/gauntlt/gauntlt/wiki

• IRC > #gauntlt on freenode

• Weekly hangout > http://bit.ly/gauntlt-hangout

• Issue tracking > http://github.com/gauntlt/gauntlt


Future dev work

• Moar Attack Aliases!

• Bring your own Attack Aliases

• Bring your own Attacks

• Gauntlt Server

@gauntlt

gauntlt.org
