14. “[RISK ASSESSMENT]
INTRODUCES A DANGEROUS
FALLACY: THAT
STRUCTURED INADEQUACY
IS ALMOST AS GOOD AS
ADEQUACY AND THAT
UNDERFUNDED SECURITY
EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT
AS GOOD AS PROPERLY
FUNDED SECURITY WORK”
49. Conway’s Law
Any organization that designs a system ... will
inevitably produce a design whose structure is
a copy of the organization's communication
structure.
Melvin E. Conway, 1968
50. Behavior
Driven
Development
BDD is a second-generation, outside–in, pull-based,
multiple-stakeholder, multiple-scale, high-automation, agile
methodology. It describes a cycle of interactions with well-
defined outputs, resulting in the delivery of working, tested
software that matters.
Dan North , 2009
56. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
Given
When
Then
When
Then
57. running gauntlt with failing tests
$ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
58. $ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 passed)
4 steps (4 passed)
0m18.341s
running gauntlt with passing tests
59. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch a "curl" attack with:$/
/^I launch a "dirb" attack with:$/
/^I launch a "garmr" attack with:$/
/^I launch a "generic" attack with:$/
/^I launch an "nmap" attack with:$/
/^I launch an "sslyze" attack with:$/
/^I launch an? "sqlmap" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following profile:$/
60. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"sqlmap" is installed$/
/^I launch a "generic" attack with:$/
/^I launch an? "sqlmap" attack with:$/
61. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
setup steps
verify
tool
set
config
62. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
attack
get
config
63. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
assert
needle
haystack
70. @slow
Feature: Run dirb scan on a URL
Scenario: Run a dirb scan looking for common
vulnerabilities in apache
Given "dirb" is installed
And the following profile:
| name | value |
| hostname | http://example.com |
| wordlist | vulns/apache.txt |
When I launch a "dirb" attack with:
"""
dirb <hostname> <dirb_wordlists_path>/<wordlist>
"""
Then the output should contain:
"""
FOUND: 0
"""
.htaccess
.htpasswd
.meta
.web
access_log
cgi
cgi-bin
cgi-pub
cgi-script
dummy
error
error_log
htdocs
httpd
httpd.pid
icons
server-info
server-status
logs
manual
printenv
test-cgi
tmp
~bin
~ftp
~nobody
~root
71. I have my weakness.
But I won't tell
you! Ha Ha Ha!
73. @slow @announce
Feature: Run sqlmap against a target
Scenario: Identify SQL injection vulnerabilities
Given "sqlmap" is installed
And the following profile:
| name | value |
| target_url | http://example.com?x=1 |
When I launch a "sqlmap" attack with:
"""
python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
"""
74.
75. my_first.attack
See ‘GET STARTED’ on
project repo
Start here > https://
github.com/gauntlt/
gauntlt/tree/master/
examples
Find examples for the
attacks
Add your config (hostname,
login url, user)
Repeat
76. Starter Kit on GitHub
The starter kit is on GitHub:
github.com/gauntlt/gauntlt-starter-kit
Or, download a copy from:
www.gauntlt.org/
78. If you get
stuck
Check the README
IRC Channel: #gauntlt
on freenode
@gauntlt on twitter
Mailing List (https://
groups.google.com/forum/#!forum/
gauntlt)
Office hours with
weekly google hangout