Rugged Driven Development with Gauntlt

Rugged Driven Development with Gauntlt

@wickett // @gauntlt // gauntlt.org

@wickett

• Austin, TX

• LASCON Founder

• DevOps Days Organizer

• DevOps, AppSec, Ruby, Chef, Cucumber


Work like a Captain

Play like a Pirate


So far, infosec is good at the pirate part...



Gauntlt is Rugged Theology

Applied


rugged



http://www.slideshare.net/wickett/putting-rugged-into-your-devops-toolchain




Rugged & DevOps

http://www.slideshare.net/jallspaw/10-deploys-per-day-dev-and-ops-cooperation-at-flickr






Gauntlt is Rugged Theology

Applied


security tools today


Core Tenets of Gauntlt

• Facilitate communication between Infosec and Dev and Ops

• Cultural shift from compliance driven, auditor-led security

• Build a new language and currency in organizations


gauntlt connects people


https://speakerdeck.com/garethr/security-monitoring-penetration-testing-meets-monitoring






github.com/gauntlt

Our Philosophy• Run security tools in a repeatable, easy to

read way

• Handle stdin, stdout, exit status

• Favor speed and utility over complexity and slowness

• Be part of the pipeline (CI/CD)

• We aren’t package managers... install your own tools


Let’s be Captains


Install your own tools

you are in fact a captain, right?


$ rvm --ruby-version use 1.9.3

optional, but recommended@wickett // @gauntlt // gauntlt.org

$ mkdir lascon$ cd ./lascon$ vim Gemfile


# Gemfile

source ‘https://rubygems.org’

gem ‘gauntlt’


https://rubygems.org


$ bundle


$ bundleFetching gem metadata from https://rubygems.org/..........Fetching gem metadata from https://rubygems.org/..Resolving dependencies...Using ffi (1.9.0)Using childprocess (0.3.9)Using builder (3.2.2)Using diff-lcs (1.2.4)Using multi_json (1.8.2)Using gherkin (2.12.2)Using multi_test (0.0.2)Using cucumber (1.3.8)Using rspec-expectations (2.14.3)Using aruba (0.5.3)Using nokogiri (1.5.10)Using trollop (2.0)Using gauntlt (1.0.6)Using bundler (1.3.5)Your bundle is complete!Use `bundle show [gemname]` to see where a bundled gem is installed.






$ gem install gauntlt


Future slides will use:

$ gauntlt

but, really it is:

$ bundle exec gauntlt


$ touch example.attack


Feature: nmap attacks for example.com Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |

Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should contain: """ 80/tcp open http """ Scenario: Verify that there are no unexpected ports open When I launch an "nmap" attack with: """ nmap -F <hostname> """ Then the output should not contain: """ 25/tcp """

Given

When

Then

When

Then


running gauntlt with failing tests

$ gauntlt

Feature: nmap attacks for example.com

Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |

Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """

1 scenario (1 failed)5 steps (1 failed, 4 passed)0m18.341s


http://www.example.com


$ gauntlt

Feature: nmap attacks for example.com

Background: Given "nmap" is installed And the following profile: | name | value | | hostname | example.com |

Scenario: Verify server is open on expected ports When I launch an "nmap" attack with: """ nmap -F www.example.com """ Then the output should contain: """ 443/tcp open https """

1 scenario (1 passed)4 steps (4 passed)0m18.341s

running gauntlt with passing tests




$ gauntlt --list

Defined attacks: arachni curl dirb garmr generic nmap sqlmap sslyze


$ gauntlt --steps/^"(\w+)" is installed in my path$//^"arachni" is installed$//^"curl" is installed$//^"dirb" is installed$//^"garmr" is installed$//^"nmap" is installed$//^"sqlmap" is installed$//^"sslyze" is installed$//Î launch (?:a|an) "arachni" attack with:$//Î launch (?:a|an) "arachni-(.*?)" attack$//Î launch (?:a|an) "curl" attack with:$//Î launch (?:a|an) "dirb" attack with:$//Î launch (?:a|an) "garmr" attack with:$//Î launch (?:a|an) "generic" attack with:$//Î launch (?:a|an) "nmap" attack with:$//Î launch (?:a|an) "nmap-(.*?)" attack$//Î launch (?:a|an) "sqlmap" attack with:$//Î launch (?:a|an) "sslyze" attack with:$//^the "(.*?)" command line binary is installed$//^the DIRB_WORDLISTS environment variable is set$//^the file "(.*?)" should contain XML:$//^the file "(.*?)" should not contain XML:$//^the following cookies should be received:$//^the following environment variables:$//^the following profile:$/

$ gauntlt --help

$ gauntlt --allsteps


https://github.com/gauntlt/gauntlt/wiki/Output-parsing-with-Gauntlt








RegEx in Gauntlt

Then the output should match /80.tcp\s+open/

Then the output should match:

"""

80\/tcp\s+open

"""


Create network.attack

@slowFeature: check to make sure the right ports are open on our server

Background: Given "nmap" is installed And the following profile: | name | value | | host | lascon.org |

Scenario: Verify server is open on expected ports When I launch an "nmap-fast" attack Then the output should match /80.tcp\s+open/

https://gist.github.com/7121100@wickett // @gauntlt // gauntlt.org

https://gist.github.com/7121100


$ gauntlt@slowFeature: check to make sure the right ports are open on our server

Background: # network.attack:4 Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4 And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9 | name | value | | host | lascon.org |

Scenario: Verify server is open on expected ports # network.attack:10Running a nmap-fast attack. This attack has this description: This is a fast nmap scan that should run in 10 seconds or less on most networks. It looks for the most common ports and services. When I launch an "nmap-fast" attack # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:12 Then the output should match /80.tcp\s+open/ # aruba-0.5.3/lib/aruba/cucumber.rb:137



Create directory.attack@slowFeature: make sure our website doesn't expose sensitive directories

Scenario: Start with using dirb and check for default apache directories Given "dirb" is installed And the following profile: | name | value | | hostname | http://lascon.org | | wordlist | /opt/wordlists/vulns/apache.txt | When I launch a "dirb" attack with: """ dirb <hostname> <dirb_wordlists_path>/<wordlist> """ Then the output should contain: """ FOUND: 0 """ http://gist.github.com/7124575

http://lascon.org

http://lascon.org

http://gist.github.com/7124575

http://gist.github.com/7124575

@slowFeature: make sure our website doesn't expose sensitive directories

Scenario: Start with using dirb and check for default apache directories # directory.attack:4 Given "dirb" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:1 And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9 | name | value | | hostname | http://lascon.org | | wordlist | vulns/apache.txt | When I launch a "dirb" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:9 """ dirb <hostname> <dirb_wordlists_path>/<wordlist> """ Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113 """ FOUND: 0 """


http://lascon.org

http://lascon.org

captains need dashboards


bundle exec gauntlt --format html > out.html


XSS

...looks cool in this font


$ vim Gemfile

gem ‘arachni’

$ bundle


Create xss.attack


@slowFeature: Look for cross site scripting (xss) using arachni against a URL

Scenario: Using the arachni, look for cross site scripting and verify no issues are found Given "arachni" is installed And the following profile: | name | value | | url | http://lascon.org | When I launch an "arachni-simple_xss" attack Then the output should contain "0 issues were detected."




http://lascon.org

http://lascon.org

@slowFeature: Look for cross site scripting (xss) using arachni against a URL

Scenario: Using the arachni, look for cross site scripting and verify no issues are found # xss.attack:4 Given "arachni" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1 And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9 | name | value | | url | http://lascon.org |Running a arachni-simple_xss attack. This attack has this description: This is a scan for cross site scripting (xss) that only runs the base xss module in arachni. The scan only crawls one level deep which makes it faster. For more depth, run the gauntlt attack alias 'arachni-simple_xss_with_depth' and specifiy depth.The arachni-simple_xss attack requires the following to be set in the profile: ["<url>"] When I launch an "arachni-simple_xss" attack # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9 Then the output should contain "0 issues were detected." # aruba-0.5.3/lib/aruba/cucumber.rb:97



http://lascon.org

http://lascon.org

Other attacks

• Garmr

• HTTP Methods (CURL)

• REST Testing (jerry curl / CURL)

• SQL Injection (sqlmap and arachni)


Resources

• Google Group > https://groups.google.com/d/forum/gauntlt

• Wiki > https://github.com/gauntlt/gauntlt/wiki

• IRC > #gauntlt on freenode

• Weekly hangout > http://bit.ly/gauntlt-hangout

• Issue tracking > http://github.com/gauntlt/gauntlt


https://github.com/gauntlt/gauntlt/wiki

https://github.com/gauntlt/gauntlt/wiki

http://bit.ly/gauntlt-hangout

http://bit.ly/gauntlt-hangout

http://github.com/gauntlt/gauntlt

http://github.com/gauntlt/gauntlt

Future dev work

• Moar Attack Aliases!

• Bring your own Attack Aliases

• Bring your own Attacks

• Gauntlt Server

@gauntltgauntlt.org


Rugged Driven Development with Gauntlt

Technology

cross site

expose sensitive

443tcp open

website doesn

expected ports

rugged theology

match 80

installed