Security testing with gauntlt

Post on 19-Oct-2014


This is the May 2012 update on the gauntlt project.

Transcript of Security testing with gauntlt

Put your code through the Gauntlet

gauntlet, n. an attack from all sides

gauntlt - doing security testing using cucumber

Your web app, attacked from all sides by:

w3af
fuzzers
nmap
nessus
sqlmap
metasploit
dirbuster
custom attacks
You

gauntlt is an always-attacking environment for developers, with attacks written in an easy-to-read language that is accessible to everyone involved in dev, ops, testing, security, ...

gauntlt includes

Why gauntlt?

Security domain knowledge is generally a mystery to dev teams

gauntlt allows dev and ops and security to communicate and collaborate

gauntlt joins the Philosophy of Rugged Software & the Principles of Behavior Driven Development

gauntlt has a new home

gauntlt has a reserved spot at rubygems

what does the gauntlt code include right now?

├── Gemfile
├── Gemfile.lock
├── LICENSE
├── README.md
├── Rakefile
├── bin
│   └── gauntlt
├── features
│   ├── nmap
│   │   └── nmap.feature
│   ├── step_definitions
│   │   ├── nmap.rb
│   │   └── profile.rb
│   └── support
│       └── aruba.rb
├── gauntlt
│   ├── Gemfile
│   ├── Rakefile
│   ├── gauntlt.gemspec
│   └── lib
│       ├── gauntlt
│       │   └── version.rb
│       └── gauntlt.rb
├── gauntlt.gemspec
├── profile
│   └── profile.xml
└── tmp
    └── aruba

features - which is the cucumber way of describing tests


nmap feature - which verifies nmap is installed and scans the target from the profile on ports 80 and 443


nmap step definitions - which actually define the steps that are called in the feature; these steps can be reused in other features


the profile - which is where user-defined data lives, like hostname, URLs, usernames, passwords (because it holds credentials, it belongs outside version control and should not be echoed into test output)


profile step definition - this is where we provide a way to extract everything in the profile and hand it off to features (i.e. target hostname, URL, ...)


all the stuff needed to package this as a gem for distribution


Did I mention aruba? gauntlt uses cucumber and aruba to execute against the command line, making it possible to execute any test, script or language.

let's look inside a couple of these files

@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:
    Given nmap is installed

  Scenario: Verify server is available on standard web ports
    Given the hostname in the profile.xml
    When I run nmap against the hostname in the profile on ports 80,443
    Then the output should contain:
      """
      80/tcp  open  http
      443/tcp open  https
      """

feature for nmap: features/nmap/nmap.feature

# Background step: fail fast if nmap is not on the PATH.
Given /^nmap is installed$/ do
  steps %{
    When I run `which nmap`
    Then the output should contain:
      """
      nmap
      """
  }
end

# @hostname is set by the profile step (features/step_definitions/profile.rb).
# The two port numbers captured from the step text are passed through to nmap
# rather than hard-coded, so "on ports 8080,443" really scans 8080 and 443.
When /^I run nmap against the hostname in the profile on ports (\d+),(\d+)$/ do |port1, port2|
  steps %{
    When I run `nmap "#{@hostname}" -p#{port1},#{port2}`
  }
end

step definition for nmap: features/step_definitions/nmap.rb
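The profile step definition is described above but its code is not on the slides, and the nmap step's "Then the output should contain" is an exact substring match, which is brittle because real nmap pads its port table into columns ("80/tcp  open  http"). The Ruby below is an added example, not gauntlt's own code, of the plumbing those two step definitions would call, written as plain Ruby so it can be run and tested outside cucumber/aruba. It assumes a profile.xml layout the slides do not show (a <profile> root with <hostname> and similar child elements); the module and method names and the sample nmap output are constructed for this example. It also builds nmap's argv instead of interpolating the hostname into a shell string, so a hostname from the profile cannot smuggle in shell metacharacters or an nmap option.

```ruby
# Added example, not gauntlt's own code: plain-Ruby helpers that the
# profile.rb and nmap.rb step definitions would call.
require 'rexml/document'
require 'open3'

module GauntltProfile
  # ASSUMED layout of profile/profile.xml (the slides do not show it):
  #   <profile><hostname>example.com</hostname><url>http://example.com/</url></profile>
  # Every child element of <profile> becomes a key, so the step
  # "Given the hostname in the profile.xml" can do
  #   @hostname = GauntltProfile.load['hostname']
  def self.parse(xml)
    root = REXML::Document.new(xml).root
    raise ArgumentError, 'profile.xml needs a <profile> root' unless root && root.name == 'profile'
    root.elements.to_a.each_with_object({}) { |el, h| h[el.name] = el.text.to_s.strip }
  end

  def self.load(path = 'profile/profile.xml')
    parse(File.read(path))
  end
end

module NmapAttack
  # Hostnames/IPs only; no leading '-' (would be parsed by nmap as an option)
  # and no shell metacharacters.
  HOSTNAME_RE = /\A[A-Za-z0-9][A-Za-z0-9.\-]*\z/
  # One row of nmap's port table: "80/tcp   open   http"
  PORT_LINE_RE = %r{^\s*(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)}

  # Build argv for nmap. `ports` are the strings captured by the step's
  # (\d+),(\d+) groups. Returning an argv (not a shell string) means a profile
  # hostname like "example.com; rm -rf /" is rejected rather than executed.
  def self.command(hostname, ports)
    raise ArgumentError, "refusing hostname #{hostname.inspect}" unless hostname =~ HOSTNAME_RE
    nums = ports.map { |p| Integer(p, 10) }
    raise ArgumentError, "port out of range in #{ports.inspect}" unless nums.all? { |p| (1..65535).cover?(p) }
    ['nmap', '-p', nums.join(','), hostname]
  end

  # nmap's port table -> {80 => ['open', 'http'], 443 => ['open', 'https'], ...}
  def self.parse_ports(output)
    output.each_line.each_with_object({}) do |line, h|
      m = PORT_LINE_RE.match(line)
      h[m[1].to_i] = [m[3], m[4]] if m
    end
  end

  # What "Then the output should contain: 80/tcp open http" is meant to check,
  # without depending on nmap's column padding matching byte for byte.
  def self.open?(output, port, service = nil)
    state, svc = parse_ports(output)[port]
    state == 'open' && (service.nil? || svc == service)
  end

  # Run the real scan; this is what the When step would call.
  def self.run(hostname, ports)
    out, status = Open3.capture2e(*command(hostname, ports))
    raise "nmap exited #{status.exitstatus}:\n#{out}" unless status.success?
    out
  end
end

# Constructed sample of nmap's port table, standing in for a real run.
SAMPLE_NMAP_OUTPUT = <<~OUT
  Nmap scan report for example.com
  Host is up.
  PORT     STATE  SERVICE
  80/tcp   open   http
  443/tcp  open   https
  8080/tcp closed http-proxy
OUT

if __FILE__ == $0
  profile = GauntltProfile.parse('<profile><hostname>example.com</hostname></profile>')
  puts NmapAttack.command(profile['hostname'], %w[80 443]).join(' ')
  [80, 443, 8080].each do |port|
    puts "#{port}: #{NmapAttack.open?(SAMPLE_NMAP_OUTPUT, port) ? 'open' : 'not open'}"
  end
end
```

In a step definition the pieces fit together as `@hostname = GauntltProfile.load['hostname']` in profile.rb and `@scan = NmapAttack.run(@hostname, [port1, port2])` followed by `NmapAttack.open?(@scan, 80, 'http')` in nmap.rb; the assertion then survives nmap reformatting its columns, and the failing case on the next slide (8080,443) fails because 8080 is not open, not because the expected text happened not to line up.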

let's run gauntlt with the nmap.feature against google.com

wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                  # features/nmap/nmap.feature:5
    Given nmap is installed                                    # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                      # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 8080,443   # features/step_definitions/nmap.rb:12
    Then the output should contain:                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      8080/tcp open http
      443/tcp open https
      """
      ...

Failing Scenarios:
cucumber features/nmap/nmap.feature:8 # Scenario: Verify server is available on standard web ports

1 scenario (1 failed)
4 steps (1 failed, 3 passed)
0m0.341s

running gauntlt with failing tests

wickett$ gauntlt
@gauntlet @run
Feature: Run nmap against a target and pass the value of the hostname from the profile.xml.

  Background:                                                  # features/nmap/nmap.feature:5
    Given nmap is installed                                    # features/step_definitions/nmap.rb:2

  Scenario: Verify server is available on standard web ports   # features/nmap/nmap.feature:8
    Given the hostname in the profile.xml                      # features/step_definitions/profile.rb:1
    When I run nmap against the hostname in the profile on ports 80,443   # features/step_definitions/nmap.rb:12
    Then the output should contain:                            # aruba-0.4.11/lib/aruba/cucumber.rb:98
      """
      80/tcp  open  http
      443/tcp open  https
      """

1 scenario (1 passed)
4 steps (4 passed)
0m1.117s

running gauntlt with passing tests

walk vs. run

• gauntlt has two modes: walk and run

• meaning fast and slow or smoke and full

• This is done with tags in cucumber (@walk, @run), selected at run time with cucumber's --tags option

• For each feature you will get to decide if it is a @walk or a @run test or both

some realizations

• The core of gauntlt needs to provide a set of functionality that encourages contributors to ‘package’ pen testing tools similar to ubuntu juju, chef or puppet

• A gauntlt DSL (Domain Specific Language) will arise with words like target, scan, attack, host...

• gauntlt needs to bootstrap itself and tools into a vagrant ubuntu box

gauntlt as a kickstarter project

• A small bit of the funds will be used for core code bounties: profile, DSL creation, architecture, vagrant bootstrap via chef, packaging architecture...

• The bulk of the funds will be used for feature bounties, where we define features we want packaged for gauntlt, such as w3af or dirbuster, and pay developers for the best code.

gauntlt features that could be built in the future...

nmap scanning for verifying ports

crawl site and search for passwords in text

(assume fuzzing)

badness with LOIC, slowloris, wget, curl

Include recon, scanning, fuzzing, injecting, load

multi-vector attacks: timing + load, fail open, ...

all the tools mentioned on the tool slide


we need your help

Want to join the core team?

email james@ruggeddevops.org