Put your code through the Gauntlet
Security testing with gauntlt

Oct 19, 2014

This is the May 2012 update on the gauntlt project.
Transcript
Page 1: Security testing with gauntlt

Put your code through the Gauntlet

Page 2: Security testing with gauntlt

gauntlet, n. an attack from all sides

Page 3: Security testing with gauntlt

Put your code through the Gauntlet gauntlt

Page 4: Security testing with gauntlt

gauntlt - doing security testing using cucumber

Page 5: Security testing with gauntlt

[Diagram: "Your web app" in the centre, surrounded by the attackers and tools aimed at it: w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and You]

Page 6: Security testing with gauntlt

gauntlt is

Page 7: Security testing with gauntlt

an always-attacking environment for

developers

Page 8: Security testing with gauntlt

with attacks written in easy-to-read language

Page 9: Security testing with gauntlt

accessible to everyone involved in dev, ops, testing, security, ...

Page 10: Security testing with gauntlt

gauntlt includes

Page 11: Security testing with gauntlt

Why gauntlt?

Security domain knowledge is generally a mystery to dev teams

Page 12: Security testing with gauntlt

gauntlt allows dev and ops and security to communicate and collaborate

Page 13: Security testing with gauntlt

gauntlt joins:

The Philosophy of Rugged Software

& Principles of Behavior Driven Development

Page 14: Security testing with gauntlt

gauntlt has a new home

Page 16: Security testing with gauntlt

gauntlt has a reserved spot at rubygems

Page 17: Security testing with gauntlt
Page 18: Security testing with gauntlt

what does the gauntlt code include right now?

Page 19: Security testing with gauntlt

├── Gemfile
├── Gemfile.lock
├── LICENSE
├── README.md
├── Rakefile
├── bin
│   └── gauntlt
├── features
│   ├── nmap
│   │   └── nmap.feature
│   ├── step_definitions
│   │   ├── nmap.rb
│   │   └── profile.rb
│   └── support
│       └── aruba.rb
├── gauntlt
│   ├── Gemfile
│   ├── Rakefile
│   ├── gauntlt.gemspec
│   └── lib
│       ├── gauntlt
│       │   └── version.rb
│       └── gauntlt.rb
├── gauntlt.gemspec
├── profile
│   └── profile.xml
└── tmp
    └── aruba

features - which is the cucumber way of describing tests

Page 20: Security testing with gauntlt


nmap feature - which verifies nmap is installed and scans the target from the profile on ports 80 and 443

Page 21: Security testing with gauntlt


nmap step definitions - which actually define the steps that are called in the feature; these steps can be reused in other features

Page 22: Security testing with gauntlt


the profile - which is where user-defined data lives, like hostname, URLs, usernames, passwords

Page 23: Security testing with gauntlt


profile step definition - this is where we provide a way to extract everything in the profile to hand off to features (i.e. target hostname, URL, ...)

Page 24: Security testing with gauntlt


all the stuff to package this as a gem for distribution

Page 25: Security testing with gauntlt


Did I mention aruba? gauntlt uses cucumber and aruba to execute against the command line, making it possible to execute any test, script or language.

Page 26: Security testing with gauntlt

let's look inside a couple of these files

Page 27: Security testing with gauntlt

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:
    Given nmap is installed

  Scenario: Verify server is available on standard web ports
    Given the hostname in the profile.xml
    When I run nmap against the hostname in the profile on ports 80,443
    Then the output should contain:
      """
      80/tcp open http
      443/tcp open https
      """

feature for nmap: nmap.feature

Page 28: Security testing with gauntlt

# Checks that nmap is on the PATH before any scanning step runs.
Given /^nmap is installed$/ do
  steps %{
    When I run `which nmap`
    Then the output should contain:
      """
      nmap
      """
  }
end

# Scans the hostname loaded from the profile on the two ports named in the step.
# The captured ports are passed through to nmap rather than hard-coding 80,443,
# so the same step works for any pair of ports written in the feature.
When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
  steps %{
    When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
  }
end

step definition for nmap: nmap.rb
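As an added example (not gauntlt's own profile.rb), here is what the profile step definition described on page 23 could look like, and why the hostname it hands to the nmap step above deserves a strict check before it is interpolated into a shell command. The profile.xml layout, the sample values and the helper names are assumptions; the page does not show the real schema.

```ruby
# Added example (not gauntlt's own code): a profile step definition that
# reads the target hostname out of profile.xml and checks it before any
# step interpolates it into a shell command such as `nmap "#{@hostname}"`.
# The <profile><hostname> layout below is an assumption; the page does not
# show the real profile.xml schema.
require 'rexml/document'

# Constructed sample profile.xml, standing in for the file in profile/.
SAMPLE_PROFILE_XML = <<~XML
  <profile>
    <hostname>google.com</hostname>
    <url>http://google.com/</url>
  </profile>
XML

# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME_PATTERN = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

# Returns the hostname text from the profile, or nil when the element is missing.
def hostname_from_profile(xml)
  doc = REXML::Document.new(xml)
  node = REXML::XPath.first(doc, '/profile/hostname')
  node && node.text.to_s.strip
end

# True only for a value that is safe to hand to a command-line tool;
# anything with spaces, quotes, backticks or shell metacharacters fails.
def safe_hostname?(value)
  !value.nil? && HOSTNAME_PATTERN.match?(value)
end

# Reads and validates in one go; raises so the feature fails loudly
# instead of running a scan against a garbage or injected target.
def load_target_hostname(xml)
  host = hostname_from_profile(xml)
  raise ArgumentError, "profile.xml has no usable hostname: #{host.inspect}" unless safe_hostname?(host)
  host
end

# The Cucumber step itself, only registered when run under cucumber so this
# file also executes stand-alone (step wording matches the nmap.feature above).
if respond_to?(:Given, true)
  Given(/^the hostname in the profile.xml$/) do
    @hostname = load_target_hostname(File.read('profile/profile.xml'))
  end
end
```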

Page 29: Security testing with gauntlt

let's run gauntlt with the nmap.feature against google.com

Page 30: Security testing with gauntlt

wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                              # features/nmap/nmap.feature:5
    Given nmap is installed                                                # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports               # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                                  # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 8080,443  # features/step_definitions/nmap.rb:12
    Then the output should contain:                                        # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      8080/tcp open http
      443/tcp open https
      """
      ...

Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s

running gauntlt with failing tests

Page 31: Security testing with gauntlt

wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                              # features/nmap/nmap.feature:5
    Given nmap is installed                                                # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports               # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                                  # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 80,443    # features/step_definitions/nmap.rb:12
    Then the output should contain:                                        # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      80/tcp open http
      443/tcp open https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m1.117s

running gauntlt with passing tests

Page 32: Security testing with gauntlt

walk vs. run

• gauntlt has two modes: walk and run

• meaning fast and slow, or smoke and full

• This is done by labels in cucumber

• For each feature you will get to decide if it is a @walk or a @run test or both

Page 33: Security testing with gauntlt

some realizations

• The core of gauntlt needs to provide a set of functionality that encourages contributors to ‘package’ pen testing tools similar to ubuntu juju, chef or puppet

• A gauntlt DSL (Domain Specific Language) will arise with words like target, scan, attack, host...

• gauntlt needs to bootstrap itself and tools into a vagrant ubuntu box

Page 34: Security testing with gauntlt

gauntlt as a kickstarter project

• A small bit of the funds will be used for core code bounties: profile, DSL creation, architecture, vagrant bootstrap via chef, packaging architecture...

• The bulk of the funds will be used for feature bounties where we define features we want packaged for gauntlt such as w3af or dirbuster and pay developers for the best code.

Page 35: Security testing with gauntlt

gauntlt features that could be built in the future...

Page 36: Security testing with gauntlt

nmap scanning for verifying ports

Page 37: Security testing with gauntlt

crawl site and search for passwords in text

(assume fuzzing)

Page 38: Security testing with gauntlt

badness with LOIC, slowloris, wget, curl

Page 39: Security testing with gauntlt

Include recon, scanning, fuzzing, injecting, load

Page 40: Security testing with gauntlt

multi-vector attacks: timing + load, fail open, ...

Page 41: Security testing with gauntlt

all the tools mentioned on the tool slide

Page 42: Security testing with gauntlt

[Diagram repeated from page 5: "Your web app" in the centre, surrounded by w3af, fuzzers, nmap, nessus, sqlmap, metasploit, dirbuster, custom attacks, and You]

Page 43: Security testing with gauntlt

we need your help