9. “[RISK ASSESSMENT]
INTRODUCES A DANGEROUS
FALLACY: THAT
STRUCTURED INADEQUACY
IS ALMOST AS GOOD AS
ADEQUACY AND THAT
UNDERFUNDED SECURITY
EFFORTS PLUS RISK
MANAGEMENT ARE ABOUT
AS GOOD AS PROPERLY
FUNDED SECURITY WORK”
45. Behavior
Driven
Development
BDD is a second-generation, outside–in, pull-based,
multiple-stakeholder, multiple-scale, high-automation, agile
methodology. It describes a cycle of interactions with well-
defined outputs, resulting in the delivery of working, tested
software that matters.
Dan North , 2009
51. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
Given
When
Then
When
Then
52. running gauntlt with failing tests
$ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 failed)
5 steps (1 failed, 4 passed)
0m18.341s
53. $ gauntlt
Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F www.example.com
"""
Then the output should contain:
"""
443/tcp open https
"""
1 scenario (1 passed)
4 steps (4 passed)
0m18.341s
running gauntlt with passing tests
54. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"curl" is installed$/
/^"dirb" is installed$/
/^"garmr" is installed$/
/^"nmap" is installed$/
/^"sqlmap" is installed$/
/^"sslyze" is installed$/
/^I launch a "curl" attack with:$/
/^I launch a "dirb" attack with:$/
/^I launch a "garmr" attack with:$/
/^I launch a "generic" attack with:$/
/^I launch an "nmap" attack with:$/
/^I launch an "sslyze" attack with:$/
/^I launch an? "sqlmap" attack with:$/
/^the "(.*?)" command line binary is installed$/
/^the file "(.*?)" should contain XML:$/
/^the file "(.*?)" should not contain XML:$/
/^the following cookies should be received:$/
/^the following profile:$/
55. $ gauntlt --steps
/^"(w+)" is installed in my path$/
/^"sqlmap" is installed$/
/^I launch a "generic" attack with:$/
/^I launch an? "sqlmap" attack with:$/
56. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
setup steps
verify
tool
set
config
57. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
attack
get
config
58. Feature: nmap attacks for example.com
Background:
Given "nmap" is installed
And the following profile:
| name | value |
| hostname | example.com |
Scenario: Verify server is open on expected ports
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should contain:
"""
80/tcp open http
"""
Scenario: Verify that there are no unexpected ports open
When I launch an "nmap" attack with:
"""
nmap -F <hostname>
"""
Then the output should not contain:
"""
25/tcp
"""
assert
needle
haystack
65. @slow
Feature: Run dirb scan on a URL
Scenario: Run a dirb scan looking for common
vulnerabilities in apache
Given "dirb" is installed
And the following profile:
| name | value |
| hostname | http://example.com |
| wordlist | vulns/apache.txt |
When I launch a "dirb" attack with:
"""
dirb <hostname> <dirb_wordlists_path>/<wordlist>
"""
Then the output should contain:
"""
FOUND: 0
"""
.htaccess
.htpasswd
.meta
.web
access_log
cgi
cgi-bin
cgi-pub
cgi-script
dummy
error
error_log
htdocs
httpd
httpd.pid
icons
server-info
server-status
logs
manual
printenv
test-cgi
tmp
~bin
~ftp
~nobody
~root
66. I have my weakness.
But I won't tell
you! Ha Ha Ha!
68. @slow @announce
Feature: Run sqlmap against a target
Scenario: Identify SQL injection vulnerabilities
Given "sqlmap" is installed
And the following profile:
| name | value |
| target_url | http://example.com?x=1 |
When I launch a "sqlmap" attack with:
"""
python <sqlmap_path> -u <target_url> --dbms sqlite --batch -v 0 --tables
"""
69.
70. my_first.attack
See ‘GET STARTED’ on
project repo
Start here > https://
github.com/gauntlt/
gauntlt/tree/master/
examples
Find examples for the
attacks
Add your config (hostname,
login url, user)
Repeat
71. Starter Kit on GitHub
The starter kit is on GitHub:
github.com/gauntlt/gauntlt-starter-kit
Or, download a copy from:
www.gauntlt.org/
73. If you get
stuck
Check the README
IRC Channel: #gauntlt
on freenode
@gauntlt on twitter
Mailing List (https://
groups.google.com/forum/#!forum/
gauntlt)
Office hours with
weekly google hangout