SlideShare ist ein Scribd-Unternehmen logo

Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

Als ODP, PDF herunterladen
Mauro Risonho de Paula Assumpcao
Mauro Risonho de Paula Assumpcao

Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

Software
1 von 22
OWASP OWTF the Offensive (Web) Testing Framework + PTES Penetration Testing Execution Standard = Kali Power Auto Web Pentests! Mauro Risonho de Paula Assumpçao aka firebitsbr Sao Paulo, Brasil - 2014
$WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security
Agenda ● OWTF Intro – Instalando OWTF com o Kali (apenas tools web) ● Executando OWTF – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing ● Conclusao ● Q&A
Email do Autor
Offensive (Web) Testing Framework = Multi-level “cheating” tactics
OWTF Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
Steps - http://cdimage.kali.org/kali-1.0.8/kali-linux-1.0.8-amd64.iso - http://docs.kali.org/network-install/kali-linux-network-mini-iso-install - https://www.owasp.org/index.php/OWASP_OWTF - github git clone git://github.com/owtf/owtf.git - OWTF 0.45.0 Winter Blizzard wget https://github.com/owtf/owtf/archive/v0.45.0_Winter_Blizzard.tar.gz tar -xvvf v0.45.0_Winter_Blizzard.tar.gz kali-linux-web = Kali Linux web app assessment tools (group install) apt-get install kali-linux-web -y
Install – via git #git clone https://github.com/owtf/owtf.git #cd /root/owtf/install #python install.py #YES, YES, YES...FOREVER!
Escolher opcao 1
Escolher “Y” YES
Acabou de instalar com sucesso! :)
Definir quais tools usar #vim /root/owtf/profiles/general/default.cfg Framework path: @@@FRAMEWORK_DIR@@@/tools/... #TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb- 0.4.7/whatweb TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatwe b-0.4.7/whatweb
OWTF CLI python owtf.py -h|more
Listar plugins OWTF - Web Attacks # python owtf.py -l web
Simulation mode Simulation mode “-s ”: 1) SIMULATES what OWTF will do (so it does not do it!): 2) Is useful to check the effect of a command before running it #python owtf.py -s https://accounts.google.com | more
DEMO python owtf.py www.google.com
Reports? ● file:///root/owtf/owtf_review/index.html –
DEMOS – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing
Conclusao ● OWASP OWTF um framework que automatiza e faz ganhar muito tempo em pentest(s) com foco em targets em web applications e infraweb, nas tarefas rotineiras, mas pentests customizados, apenas agrega um pouco mais valor, mas nao substitui o processo manual, inteligente e humano.
Duvidas?
$WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security

Empfohlen

2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
Mauro Risonho de Paula Assumpcao
 
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
Tobias Liebig
 
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and JenkinsScalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
mhelmich
 
Instant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and PuppetInstant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and Puppet
Patrick Lee
 
T3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surfT3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surf
Tobias Liebig
 
Building Open-source React Components
Building Open-source React ComponentsBuilding Open-source React Components
Building Open-source React Components
Zack Argyle
 
Building Open-Source React Components
Building Open-Source React ComponentsBuilding Open-Source React Components
Building Open-Source React Components
Zack Argyle
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
UTD Computer Security Group
 

Empfohlen

2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
2015 mindthesec mauro risonho de paula assumpcao rev01 firebits
Mauro Risonho de Paula Assumpcao
 
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
T3DD13 - Automated deployment for TYPO3 CMS (Workshop)
Tobias Liebig
 
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and JenkinsScalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
Scalable Deployment Architectures with TYPO3 Surf, Git and Jenkins
mhelmich
 
Instant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and PuppetInstant LAMP Stack with Vagrant and Puppet
Instant LAMP Stack with Vagrant and Puppet
Patrick Lee
 
T3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surfT3CON12 Flow and TYPO3 deployment with surf
T3CON12 Flow and TYPO3 deployment with surf
Tobias Liebig
 
Building Open-source React Components
Building Open-source React ComponentsBuilding Open-source React Components
Building Open-source React Components
Zack Argyle
 
Building Open-Source React Components
Building Open-Source React ComponentsBuilding Open-Source React Components
Building Open-Source React Components
Zack Argyle
 
Fuzzing - Part 2
Fuzzing - Part 2Fuzzing - Part 2
Fuzzing - Part 2
UTD Computer Security Group
 
Nullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughNullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk through
Anant Shrivastava
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
AOE
 
The typo3.org Relaunch Project
The typo3.org Relaunch ProjectThe typo3.org Relaunch Project
The typo3.org Relaunch Project
AOE
 
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
CONNECT FOUNDATION
 
5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)
Erwin Elling
 
Erjang
ErjangErjang
Erjang
Jéferson Machado
 
Firefox os how large open source project works
Firefox os how large open source project worksFirefox os how large open source project works
Firefox os how large open source project works
Fred Lin
 
镐京入场培训.Key
镐京入场培训.Key镐京入场培训.Key
镐京入场培训.Key
Bean Tsang
 
Git and the inQbation Experience
Git and the inQbation ExperienceGit and the inQbation Experience
Git and the inQbation Experience
Blake Newman
 
Code analysis for a better future
Code analysis for a better futureCode analysis for a better future
Code analysis for a better future
gilforcada
 
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
CONNECT FOUNDATION
 
LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...
将之 小野
 
Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
Abraham Aranguren
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
Anant Shrivastava
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
Null July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuNull July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj Machiraju
Raghunath G
 
An introduction to Phing the PHP build system
An introduction to Phing the PHP build systemAn introduction to Phing the PHP build system
An introduction to Phing the PHP build system
Jeremy Coates
 
Phing
PhingPhing
Phing
Jeremy Coates
 
An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)
Jeremy Coates
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
c0c0n2010 -
c0c0n2010 - c0c0n2010 -
c0c0n2010 -
Mauro Risonho de Paula Assumpcao
 
Developing Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonDeveloping Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & Python
SmartBear
 

Weitere ähnliche Inhalte

Was ist angesagt?

镐京入场培训.Key
镐京入场培训.Key镐京入场培训.Key
镐京入场培训.Key
Bean Tsang
 

Was ist angesagt? (12)

Nullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk throughNullcon Hack IM 2011 walk through
Nullcon Hack IM 2011 walk through
 
Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3Debugging, Monitoring and Profiling in TYPO3
Debugging, Monitoring and Profiling in TYPO3
 
The typo3.org Relaunch Project
The typo3.org Relaunch ProjectThe typo3.org Relaunch Project
The typo3.org Relaunch Project
 
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
[부스트캠프 Tech Talk] 진명훈_datasets로 협업하기
 
5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)5 best practices for (web/ software) development (2010)
5 best practices for (web/ software) development (2010)
 
Erjang
ErjangErjang
Erjang
 
Firefox os how large open source project works
Firefox os how large open source project worksFirefox os how large open source project works
Firefox os how large open source project works
 
镐京入场培训.Key
镐京入场培训.Key镐京入场培训.Key
镐京入场培训.Key
 
Git and the inQbation Experience
Git and the inQbation ExperienceGit and the inQbation Experience
Git and the inQbation Experience
 
Code analysis for a better future
Code analysis for a better futureCode analysis for a better future
Code analysis for a better future
 
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
[부스트캠프 Tech Talk] 고지형_내 자식 하나쯤은 있어야죠
 
LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...LicensePlist - A license list generator of all your dependencies for iOS appl...
LicensePlist - A license list generator of all your dependencies for iOS appl...
 

Ähnlich wie Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

Auto integration testing
Auto integration testingAuto integration testing
Auto integration testing
Arthur Yueh
 

Ähnlich wie Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests (20)

Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012Introducing OWASP OWTF Workshop BruCon 2012
Introducing OWASP OWTF Workshop BruCon 2012
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
 
Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011Silent web app testing by example - BerlinSides 2011
Silent web app testing by example - BerlinSides 2011
 
Null July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj MachirajuNull July - OWTF - Bharadwaj Machiraju
Null July - OWTF - Bharadwaj Machiraju
 
An introduction to Phing the PHP build system
An introduction to Phing the PHP build systemAn introduction to Phing the PHP build system
An introduction to Phing the PHP build system
 
Phing
PhingPhing
Phing
 
An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)An introduction to Phing the PHP build system (PHPDay, May 2012)
An introduction to Phing the PHP build system (PHPDay, May 2012)
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 201510 Useful Testing Tools for Open Source Projects @ TuxCon 2015
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
 
c0c0n2010 -
c0c0n2010 - c0c0n2010 -
c0c0n2010 -
 
Developing Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & PythonDeveloping Brilliant and Powerful APIs in Ruby & Python
Developing Brilliant and Powerful APIs in Ruby & Python
 
Work with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec CaliforniaWork with Developers for Fun and Progress - AppSec California
Work with Developers for Fun and Progress - AppSec California
 
Beyond QA
Beyond QABeyond QA
Beyond QA
 
we45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Pythonwe45 DEFCON Workshop - Building AppSec Automation with Python
we45 DEFCON Workshop - Building AppSec Automation with Python
 
Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101Web Hacking With Burp Suite 101
Web Hacking With Burp Suite 101
 
Django getting start
Django getting startDjango getting start
Django getting start
 
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
PHP Conf Taiwan 2016 自動化與持續整合實作工作坊
 
WebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testingWebdriverIO: the Swiss Army Knife of testing
WebdriverIO: the Swiss Army Knife of testing
 
Auto integration testing
Auto integration testingAuto integration testing
Auto integration testing
 
Slim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sinkSlim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sink
 
Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)Advanced deployment scenarios (netcoreconf)
Advanced deployment scenarios (netcoreconf)
 

Mehr von Mauro Risonho de Paula Assumpcao

Mehr von Mauro Risonho de Paula Assumpcao (20)

Árvores de decisão no FreeBSD com R - PagSeguro
Árvores de decisão no FreeBSD com R - PagSeguroÁrvores de decisão no FreeBSD com R - PagSeguro
Árvores de decisão no FreeBSD com R - PagSeguro
 
BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
BSDDAY 2019 - Data Science e Artificial Intelligence usando FreebsdBSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd
 
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTsTendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs
 
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015
 
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)
 
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01
 
Site blindado - Como tornar loja virtual mais segura e vender mais
Site blindado - Como tornar loja virtual mais segura e vender maisSite blindado - Como tornar loja virtual mais segura e vender mais
Site blindado - Como tornar loja virtual mais segura e vender mais
 
Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013Skyfall b sides-c00-l-ed5-sp-2013
Skyfall b sides-c00-l-ed5-sp-2013
 
Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013Skyfall flisol-campinas-2013
Skyfall flisol-campinas-2013
 
2013 - 4 Google Open Source Jam
2013 - 4 Google Open Source Jam2013 - 4 Google Open Source Jam
2013 - 4 Google Open Source Jam
 
Nessus Scanner Vulnerabilidades
Nessus Scanner VulnerabilidadesNessus Scanner Vulnerabilidades
Nessus Scanner Vulnerabilidades
 
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...
 
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTONullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
 
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTONullcon 2011 RFID - NÂO ENVIADO AO EVENTO
Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO
 
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHCOficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC
 
3 google open souce jam- a - hardening
3 google open souce jam- a - hardening3 google open souce jam- a - hardening
3 google open souce jam- a - hardening
 
Backtrack 4 rc1 fatec mogi-mirim
Backtrack 4 rc1 fatec mogi-mirimBacktrack 4 rc1 fatec mogi-mirim
Backtrack 4 rc1 fatec mogi-mirim
 
Backtrack 4 Rc1 Volcon2
Backtrack 4 Rc1 Volcon2Backtrack 4 Rc1 Volcon2
Backtrack 4 Rc1 Volcon2
 
Backtrack 4 nessus
Backtrack 4 nessusBacktrack 4 nessus
Backtrack 4 nessus
 
Backtrack4 inguma
Backtrack4 ingumaBacktrack4 inguma
Backtrack4 inguma
 

Kürzlich hochgeladen

What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
Juha-Pekka Tolvanen
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
masabamasaba
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
masabamasaba
 

Kürzlich hochgeladen (20)

What Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the SituationWhat Goes Wrong with Language Definitions and How to Improve the Situation
What Goes Wrong with Language Definitions and How to Improve the Situation
 
%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand%in Midrand+277-882-255-28 abortion pills for sale in midrand
%in Midrand+277-882-255-28 abortion pills for sale in midrand
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With SimplicityWSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity
 
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open SourceWSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
WSO2CON 2024 - Freedom First—Unleashing Developer Potential with Open Source
 
WSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaSWSO2CON 2024 Slides - Open Source to SaaS
WSO2CON 2024 Slides - Open Source to SaaS
 
WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?WSO2CON 2024 - Does Open Source Still Matter?
WSO2CON 2024 - Does Open Source Still Matter?
 
WSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security ProgramWSO2CON 2024 - How to Run a Security Program
WSO2CON 2024 - How to Run a Security Program
 
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni%in Benoni+277-882-255-28 abortion pills for sale in Benoni
%in Benoni+277-882-255-28 abortion pills for sale in Benoni
 
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
 
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
WSO2CON 2024 - API Management Usage at La Poste and Its Impact on Business an...
 
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension AidDirect Style Effect Systems - The Print[A] Example - A Comprehension Aid
Direct Style Effect Systems - The Print[A] Example - A Comprehension Aid
 
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa%in tembisa+277-882-255-28 abortion pills for sale in tembisa
%in tembisa+277-882-255-28 abortion pills for sale in tembisa
 
tonesoftg
tonesoftgtonesoftg
tonesoftg
 
Artyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptxArtyushina_Guest lecture_YorkU CS May 2024.pptx
Artyushina_Guest lecture_YorkU CS May 2024.pptx
 
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...
 
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
%+27788225528 love spells in Colorado Springs Psychic Readings, Attraction sp...
 

Owasp owtf the offensive (web) testing framework + ptes penetration testing execution standard = kali power auto web pentests

  • 1. OWASP OWTF the Offensive (Web) Testing Framework + PTES Penetration Testing Execution Standard = Kali Power Auto Web Pentests! Mauro Risonho de Paula Assumpçao aka firebitsbr Sao Paulo, Brasil - 2014
  • 2. $WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security
  • 3. Agenda ● OWTF Intro – Instalando OWTF com o Kali (apenas tools web) ● Executando OWTF – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing ● Conclusao ● Q&A
  • 5. Offensive (Web) Testing Framework = Multi-level “cheating” tactics
  • 6. OWTF Chess-like approach Kasparov against Deep Blue - http://www.robotikka.com
  • 7. Steps - http://cdimage.kali.org/kali-1.0.8/kali-linux-1.0.8-amd64.iso - http://docs.kali.org/network-install/kali-linux-network-mini-iso-install - https://www.owasp.org/index.php/OWASP_OWTF - github git clone git://github.com/owtf/owtf.git - OWTF 0.45.0 Winter Blizzard wget https://github.com/owtf/owtf/archive/v0.45.0_Winter_Blizzard.tar.gz tar -xvvf v0.45.0_Winter_Blizzard.tar.gz kali-linux-web = Kali Linux web app assessment tools (group install) apt-get install kali-linux-web -y
  • 8. Install – via git #git clone https://github.com/owtf/owtf.git #cd /root/owtf/install #python install.py #YES, YES, YES...FOREVER!
  • 11. Acabou de instalar com sucesso! :)
  • 12. Definir quais tools usar #vim /root/owtf/profiles/general/default.cfg Framework path: @@@FRAMEWORK_DIR@@@/tools/... #TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/whatweb/whatweb- 0.4.7/whatweb TOOL_WHATWEB: @@@FRAMEWORK_DIR@@@/tools/restricted/whatweb/whatwe b-0.4.7/whatweb
  • 13.
  • 14. OWTF CLI python owtf.py -h|more
  • 15. Listar plugins OWTF - Web Attacks # python owtf.py -l web
  • 16. Simulation mode Simulation mode “-s ”: 1) SIMULATES what OWTF will do (so it does not do it!): 2) Is useful to check the effect of a command before running it #python owtf.py -s https://accounts.google.com | more
  • 17. DEMO python owtf.py www.google.com
  • 19. DEMOS – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing
  • 20. Conclusao ● OWASP OWTF um framework que automatiza e faz ganhar muito tempo em pentest(s) com foco em targets em web applications e infraweb, nas tarefas rotineiras, mas pentests customizados, apenas agrega um pouco mais valor, mas nao substitui o processo manual, inteligente e humano.
  • 22. $WHOIS Mauro Risonho de Paula Assumpção Especialista em SGTI pela ICTS Protiviti mauro.assumpcao@icts.com.br  Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos •https://github.com/firebitsbr •https://www.linkedin.com •http://www.backtrack-linux.org •www.slideshare.net/firebits/ (migrando Google) •@firebitsbr •mauro.risonho@gmail.com mrpa.security@gmail.com •Google+ mauro.risonho / mrpa.security