15. Core Tenets of Gauntlt
• Facilitate communication between Infosec and Dev and Ops
• Cultural shift from compliance driven, auditor-led security
• Build a new language and currency in organizations
@wickett // @gauntlt // gauntlt.org
22. Our Philosophy
• Run security tools in a repeatable, easy to read way
• Handle stdin, stdout, exit status
• Favor speed and utility over complexity and slowness
• Be part of the pipeline (CI/CD)
• We aren’t package managers... install your own tools
29. $ bundle
Fetching gem metadata from https://rubygems.org/..........
Fetching gem metadata from https://rubygems.org/..
Resolving dependencies...
Using ffi (1.9.0)
Using childprocess (0.3.9)
Using builder (3.2.2)
Using diff-lcs (1.2.4)
Using multi_json (1.8.2)
Using gherkin (2.12.2)
Using multi_test (0.0.2)
Using cucumber (1.3.8)
Using rspec-expectations (2.14.3)
Using aruba (0.5.3)
Using nokogiri (1.5.10)
Using trollop (2.0)
Using gauntlt (1.0.6)
Using bundler (1.3.5)
Your bundle is complete!
Use `bundle show [gemname]` to see where a bundled gem is installed.
optional, but recommended
33. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
34. running gauntlt with failing tests
$ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
35. running gauntlt with passing tests
$ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 passed)
4 steps (4 passed)
0m18.341s
41. RegEx in Gauntlt
Then the output should match /80.tcp\s+open/
Then the output should match:
"""
80/tcp\s+open
"""
42. Create network.attack
@slow
Feature: check to make sure the right ports are open on our server
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| host | lascon.org |
Scenario: Verify server is open on expected ports
When I launch an "nmap-fast" attack
Then the output should match /80.tcp\s+open/
https://gist.github.com/7121100
43. $ gauntlt
@slow
Feature: check to make sure the right ports are open on our server
Background: # network.attack:4
Given "nmap" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:4
And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
| name | value |
| host | lascon.org |
Scenario: Verify server is open on expected ports # network.attack:10
Running a nmap-fast attack. This attack has this description:
This is a fast nmap scan that should run in 10 seconds or less on
most networks. It looks for the most common ports and services.
When I launch an "nmap-fast" attack # gauntlt-1.0.6/lib/gauntlt/attack_adapters/nmap.rb:12
Then the output should match /80.tcp\s+open/ # aruba-0.5.3/lib/aruba/cucumber.rb:137
1 scenario (1 passed)
4 steps (4 passed)
0m4.799s
44. Create directory.attack
@slow
Feature: make sure our website doesn't expose sensitive directories
Scenario: Start with using dirb and check for default apache directories
Given "dirb" is installed
And the following profile:
| name | value |
| hostname | http://lascon.org |
| wordlist | /opt/wordlists/vulns/apache.txt |
When I launch a "dirb" attack with:
"""
dirb <hostname> <dirb_wordlists_path>/<wordlist>
"""
Then the output should contain:
"""
FOUND: 0
"""
http://gist.github.com/7124575
45. @slow
Feature: make sure our website doesn't expose sensitive directories
Scenario: Start with using dirb and check for default apache directories # directory.attack:4
Given "dirb" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:1
And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
| name | value |
| hostname | http://lascon.org |
| wordlist | vulns/apache.txt |
When I launch a "dirb" attack with: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/dirb.rb:9
"""
dirb <hostname> <dirb_wordlists_path>/<wordlist>
"""
Then the output should contain: # aruba-0.5.3/lib/aruba/cucumber.rb:113
"""
FOUND: 0
"""
1 scenario (1 passed)
4 steps (4 passed)
0m23.878s
50. Create xss.attack
@slow
Feature: Look for cross site scripting (xss) using arachni against a URL
Scenario: Using the arachni, look for cross site scripting and verify no issues are found
Given "arachni" is installed
And the following profile:
| name | value |
| url | http://lascon.org |
When I launch an "arachni-simple_xss" attack
Then the output should contain "0 issues were detected."
https://gist.github.com/7121728
51. @slow
Feature: Look for cross site scripting (xss) using arachni against a URL
Scenario: Using the arachni, look for cross site scripting and verify no issues are found # xss.attack:4
Given "arachni" is installed # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:1
And the following profile: # gauntlt-1.0.6/lib/gauntlt/attack_adapters/gauntlt.rb:9
| name | value |
| url | http://lascon.org |
Running a arachni-simple_xss attack. This attack has this description:
This is a scan for cross site scripting (xss) that only runs the base xss
module in arachni. The scan only crawls one level deep which makes it
faster. For more depth, run the gauntlt attack alias 'arachni-simple_xss_with_depth' and specifiy depth.
The arachni-simple_xss attack requires the following to be set in the
profile:
["<url>"]
When I launch an "arachni-simple_xss" attack # gauntlt-1.0.6/lib/gauntlt/attack_adapters/arachni.rb:9
Then the output should contain "0 issues were detected." # aruba-0.5.3/lib/aruba/cucumber.rb:97
1 scenario (1 passed)
4 steps (4 passed)
0m7.991s
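How the profile table becomes the command that is launched, covering both the dirb attack (where the profile supplies <hostname> and <wordlist> and the adapter supplies <dirb_wordlists_path>) and the arachni run above, whose description lists the profile keys the attack requires. This is an added Ruby example and not Gauntlt's own implementation: the table parser, the placeholder syntax handling, the MissingProfileValue error and the adapter-supplied wordlist directory (/opt/wordlists) are all assumptions; the profile table is constructed from the values on the slides. The point it adds is a fail-fast check: a placeholder the profile does not define stops the run before any tool is launched, rather than passing a literal "<url>" to the scanner.

```ruby
# Added example, not Gauntlt's own code: substitute profile values into an
# attack's command template and fail fast when a required value is missing.

# Placeholder syntax as used in the attack files: <name>.
PLACEHOLDER = /<([A-Za-z0-9_]+)>/

# Values an adapter supplies itself rather than the user's profile.
# The wordlist directory is a constructed path, not Gauntlt's real default.
ADAPTER_VALUES = { "dirb_wordlists_path" => "/opt/wordlists" }.freeze

# Raised when a template references a placeholder nobody defined.
class MissingProfileValue < StandardError; end

# Constructed profile table, written the way the directory.attack slide does.
DIRB_PROFILE_TABLE = <<~TABLE
  | name     | value             |
  | hostname | http://lascon.org |
  | wordlist | vulns/apache.txt  |
TABLE

# Parse a "| name | value |" table into a Hash, dropping the header row.
def parse_profile(table)
  table.lines
       .map { |line| line.split("|").map(&:strip).reject(&:empty?) }
       .reject { |cells| cells.empty? || cells == %w[name value] }
       .to_h
end

# Every <placeholder> a command template needs, in order of first use.
def required_placeholders(template)
  template.scan(PLACEHOLDER).flatten.uniq
end

# Render the command; profile values override adapter defaults. Raise before
# launching anything if a placeholder would be left unresolved.
def render_command(template, profile)
  values = ADAPTER_VALUES.merge(profile)
  missing = required_placeholders(template) - values.keys
  unless missing.empty?
    raise MissingProfileValue,
          "profile must set: #{missing.map { |m| "<#{m}>" }.inspect}"
  end
  template.gsub(PLACEHOLDER) { values.fetch($1) }
end

if __FILE__ == $0
  profile = parse_profile(DIRB_PROFILE_TABLE)
  puts render_command("dirb <hostname> <dirb_wordlists_path>/<wordlist>", profile)
  begin
    render_command("nmap -F <hostname>", {})
  rescue MissingProfileValue => e
    puts "refused to launch: #{e.message}"
  end
end
```

Because the rendered string is handed to a shell, a profile value is trusted input in exactly the way the command itself is; keep attack files and their profiles under version control and review them like any other pipeline configuration.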