2015 mindthesec mauro risonho de paula assumpcao rev01 firebits

•Descargar como ODP, PDF•

2 recomendaciones•688 vistas

OWASP OWTF THE OFFENSIVE (WEB) TESTING FRAMEWORK + PTES PENETRATION TESTING EXECUTION STANDARD = KALI POWER AUTO WEB PENTESTS Mauro Risonho de Paula Assumpção

Software

PENSAMENTO
Nosso Presente; é o Passado de alguma Civilização no
Futuro.
Mauro Risonho de Paula Assumpção

AGENDA
●
OWTF Intro
– Instalando OWTF com o Kali (apenas tools web)
●
Executando OWTF
– Parte 1: OWTF Passive + Semi-passive Web analysis
– Parte 2: OWTF Active Web analysis
– Parte 3: OWTF aux plugins – SE, IDs testing
●
Conclusão
●
Q&A

WHO I AM?
●
Mauro Risonho de Paula Assumpção aka
firebits
●
Nerd/Autodidata/Entusiasta/Pentester/Analista
em Vulnerabilidades/
Security Researcher/Instrutor/Palestrante e
Eterno Aprendiz de Conhecimentos
●
Analista em Segurança (R&D) pela Agility
Networks, focado no sistema SIS (RE de
Malwares, Deep Web e Pentest)

6
OWASP OWTF
OWASP OWTF
https://www.owasp.org/index.php/OWASP_OWTF
Email de contato (2014) de Abraham Aranguren,
Leader OWASP OWTF Project

7
OWTF - Offensive
(Web) Testing Framework
OWTF
Test Separation
Start
Without
permission
Automation
Unite Tools,
Knowledge,
Standards,
(OWASP and PTES)
Test Separation
Start
Without
permission

8
OWTF Chess-like approach
OWTF
Run Tools
theHarvester
● Nikto
● Arachini
● W3af, etc
Run Tests directly
● Header Searches
● HTML Body searches
● Craftled requests, etc
Knowledge
Repository
● PoCs Links
● Resource Links
● OWASP mapping
Help Human analysis
Flag importance
● Tool Output manager
● Screenshot manager
● Notes Manager
● Report Assistant
Pentester
OWTF

9
OWTF - Install
Kali 1.1.0 ou Kali 2 - tests (conforme o caso)
http://cdimage.kali.org/kali-1.1.0/kali-linux-1.1.0-amd64.iso
http://docs.kali.org/network-install/kali-linux-network-mini-iso-install
https://www.owasp.org/index.php/OWASP_OWTF
kali-linux-web = Kali Linux web app assessment tools (group install)
apt-get install kali-linux-web -y
github
git clone git://github.com/owtf/owtf.git
OWTF 1.0.1 Lionheart
wget https://github.com/owtf/owtf/archive/v1.0.1.tar.gz
tar -xvvf https://github.com/owtf/owtf/archive/v1.0.1.tar.gz

10
OWTF - Install
#git clone
https://github.com/owtf/owtf.git
#cd /root/owtf/install
#python install.py
#YES, YES, YES...FOREVER!:)
ou
pip install --upgrade -r install/owtf.pip

12
PTES
Penetration Testing Execution Standard
PTES – MindMap (FreeMind)
http://www.pentest-standard.org/index.php/FAQ
http://iamit.org/docs/Penetration_Testing_Execution_Standard.mm
1) Pre-engagement Interactions
2) Intelligence Gathering
3) Threat Modeling
4) Vulnerability Analysis
5) Exploitation
6) Post Exploitation
7) Reporting

17
Acabou de instalar
com sucesso! :)
KALI

18
python owtf.py -h|more
OWASP OWTF + PTES = KALI
OWTF Comandos em CLI

19
python owtf.py -l web
Listar plugins OWTF - Web Attacks
OWASP OWTF + PTES = KALI

20
Simulation mode “-s ”:
1) SIMULATES what OWTF will do (so it does not do it!):
2) Is useful to check the effect of a command before running it
#python owtf.py -s https://accounts.google.com | more
Simulation mode
OWASP OWTF + PTES = KALI

21
python owtf.py www.google.com
OWASP OWTF + PTES = KALI

22
file:///root/owtf/owtf_review/index.html
OWASP OWTF + PTES = KALI

23
DEMOS
Parte 1: OWTF Passive + Semi-passive Web
analysis
Parte 2: OWTF Active Web analysis
Parte 3: OWTF aux plugins – SE, IDs testing

25
CONCLUSÃO
OWASP OWTF não é “silver-bullet”, ou
seja “bala-de-prata” e não substitui o
processo manual, inteligente e humano
de pentesters, mas ajuda a automatizar
um pouco as coisas.

OBRIGADO!
Mauro Risonho de Paula Assumpção
Email mauro.risonho@gmail.com
Twitter @firebitsbr
Site https://firebitsbr.wordpress.com

Más contenido relacionado

La actualidad más candente

about Debian "squeeze" @201002 OSC Tokyospring

Hideki Yamane

Fastlane

eurosigdoc acm

0d1n

Antonio Costa aka Cooler_

Does Cowgirl Dream of Red Swirl?

Hideki Yamane

find & improve some bottleneck in Debian project (DebConf14 LT)

Hideki Yamane

Hacking the Gateways

Onur Alanbel

La actualidad más candente (6)

about Debian "squeeze" @201002 OSC Tokyospring

Fastlane

0d1n

Does Cowgirl Dream of Red Swirl?

find & improve some bottleneck in Debian project (DebConf14 LT)

Hacking the Gateways

Similar a 2015 mindthesec mauro risonho de paula assumpcao rev01 firebits

Null July - OWTF - Bharadwaj Machiraju

Raghunath G

Open Platform for NFV: Arno and Beyond

OPNFV

Introducing OWASP OWTF Workshop BruCon 2012

Abraham Aranguren

Silent web app testing by example - BerlinSides 2011

Abraham Aranguren

Django district pip, virtualenv, virtualenv wrapper & more

Jacqueline Kazil

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...

gmaran23

5 minute intro to virtualenv

amenasse

When it comes to app security, scanning is good, but pen testing is better. That said, we're lucky if we can schedule (and budget for) a web app pen test once a year. Wouldn't it be swell if we could automate the security testing process so it turned up the same weaknesses in QA an attacker would likely try to exploit in Prod? Well, then. You're in luck. OWASP's Offensive Web Testing Framework (OWTF) was designed to help automate the web app pen testing process. By baking the OWTF into your own QA processes, you can benefit from the same knowledge and tools that the bad guys use to attack web apps. Better yet, you can run these tests as frequently as you like for FREE. This presentation will show you how to use the OWTF, helping you improve both the efficiency and effectiveness of your app security testing process.

Automating Security Testing with the OWTF

Jerod Brennen

Startup Camp - Git, Python, Django session

Juraj Michálek

Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -

Puppet

PyWPS at COST WPS Workshop

Jachym Cepicky

Beyond QA

gilforcada

Virtualenv

Jon Nials

Deploy Python apps in 5 min with a PaaS

Appsembler

Operating OPNFV: Deploy it, test it, run it

OPNFV

How we migrated the build and deploy processes to a continuous delivery model, and the implications of such a change in terms of technology but also team changes and the project management with the client. This talk will focus on the Python tooling that enabled to conduct such a change, but also on the human changes it requires. * changes in infrastucture, in particular, the use of python softare : docker-compose and saltstack * tools for collecting errors as soon as possible : sentry (django based) and raven (its python library on the client-side) * tools for continous integration and review : jenkins with the python tool "jenkins-job-builder", and the python based version control "mercurial" * tools for metrics and supervision: graphite-api (python rewrite of graphite which ships with django), and saltstack for collecting custom business-oriented metrics from python script * integrating the projects with cloud infrastructure, using python-nova, python-openstack and salt-cloud (openstack and AWS) * change management in the team of developpers and the project management with the final users and project managers

PyParis2018 - Python tooling for continuous deployment

Arthur Lutz

Sai devops - the art of being specializing generalist

Odd-e

How to run system administrator recruitment process? By creating platform based on open source parts in just 2 nights! I gave this talk in Poland / Kraków OWASP chapter meeting on 17th October 2013 at our local Google for Entrepreneurs site. It's focused on security and also shows how to create recruitment process in CTF / challenge way. This story covers mostly security details of this whole platform. There's great chance, that I will give another talk about this system but this time focusing on technical details. Stay tuned ;)

Shall we play a game?

Maciej Lasyk

PyQt Application Development On Maemo

achipa

I gave a talk titled "Continuous Integration in data centers“ at OSDC in 2013, presenting ways how to realize continuous integration/delivery with Jenkins and related tools.Three years later we gained new tools in our continuous delivery pipeline, including Docker, Gerrit and Goss. Over the years we also had to deal with different problems caused by faster release cycles, a growing team and gaining new projects. We therefore established code review in our pipeline, improved our test infrastructure and invested in our infrastructure automation.In this talk I will discuss the lessons we learned over the last years, demonstrate how a proper continuous delivery pipeline can improve your life and how open source tools like Jenkins, Docker and Gerrit can be leveraged for setting up such an environment.

OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...

NETWAYS

Similar a 2015 mindthesec mauro risonho de paula assumpcao rev01 firebits (20)

Null July - OWTF - Bharadwaj Machiraju

Open Platform for NFV: Arno and Beyond

Introducing OWASP OWTF Workshop BruCon 2012

Silent web app testing by example - BerlinSides 2011

Django district pip, virtualenv, virtualenv wrapper & more

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...

5 minute intro to virtualenv

Automating Security Testing with the OWTF

Startup Camp - Git, Python, Django session

Puppet Camp Atlanta 2014: DEV Toolsets for Ops (Beginner) -

PyWPS at COST WPS Workshop

Beyond QA

Virtualenv

Deploy Python apps in 5 min with a PaaS

Operating OPNFV: Deploy it, test it, run it

PyParis2018 - Python tooling for continuous deployment

Sai devops - the art of being specializing generalist

Shall we play a game?

PyQt Application Development On Maemo

OSDC 2016 - Continous Integration in Data Centers - Further 3 Years later by ...

Más de Mauro Risonho de Paula Assumpcao

Árvores de decisão no FreeBSD com R - PagSeguro

Mauro Risonho de Paula Assumpcao

BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd

Mauro Risonho de Paula Assumpcao

Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs

Mauro Risonho de Paula Assumpcao

Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015

Mauro Risonho de Paula Assumpcao

OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)

Mauro Risonho de Paula Assumpcao

UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01

Mauro Risonho de Paula Assumpcao

Site blindado - Como tornar loja virtual mais segura e vender mais

Mauro Risonho de Paula Assumpcao

Skyfall b sides-c00-l-ed5-sp-2013

Mauro Risonho de Paula Assumpcao

Skyfall flisol-campinas-2013

Mauro Risonho de Paula Assumpcao

2013 - 4 Google Open Source Jam

Mauro Risonho de Paula Assumpcao

Nessus Scanner Vulnerabilidades

Mauro Risonho de Paula Assumpcao

OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...

Mauro Risonho de Paula Assumpcao

Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO

Mauro Risonho de Paula Assumpcao

Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO

Mauro Risonho de Paula Assumpcao

Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC

Mauro Risonho de Paula Assumpcao

3 google open souce jam- a - hardening

Mauro Risonho de Paula Assumpcao

Backtrack 4 rc1 fatec mogi-mirim

Mauro Risonho de Paula Assumpcao

Backtrack 4 Rc1 Volcon2

Mauro Risonho de Paula Assumpcao

Backtrack 4 nessus

Mauro Risonho de Paula Assumpcao

Backtrack4 inguma

Mauro Risonho de Paula Assumpcao

Más de Mauro Risonho de Paula Assumpcao (20)

Árvores de decisão no FreeBSD com R - PagSeguro

BSDDAY 2019 - Data Science e Artificial Intelligence usando Freebsd

Tendências, Tecnicas e soluções no combate aos ataques de APTs e AVTs

Owasp IoT top 10 + IoTGOAT Cyber Security Meeting Brazil 3rd 2015

OpenVAS - Scanner em Vulnerabilidades Open Source (fork Nessus GPL2)

UNICAMP-DevCamp-2014-OpenVAS-ICTS-PROTIVIT-firebits-rev01

Site blindado - Como tornar loja virtual mais segura e vender mais

Skyfall b sides-c00-l-ed5-sp-2013

Skyfall flisol-campinas-2013

2013 - 4 Google Open Source Jam

Nessus Scanner Vulnerabilidades

OWASP AppSec 2010 BRAZIL Information Extraction Art of Testing Network Periph...

Nullcon 2011 RFID - NÂO ENVIADO AO EVENTO

Oficina de Análise em Vulnerabilidades - Openvas4 - GaroaHC

3 google open souce jam- a - hardening

Backtrack 4 rc1 fatec mogi-mirim

Backtrack 4 Rc1 Volcon2

Backtrack 4 nessus

Backtrack4 inguma

Último

Software Quality Assurance Interview Questions

Arshad QA

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

%in Midrand+277-882-255-28 abortion pills for sale in midrand

masabamasaba

Many specialized tools cater to distinct stages within the software development lifecycle (SDLC). These tools target various aspects of development, delivery, and operations, each with its unique strengths. Uniting these diverse testing needs into a single continuous testing platform presents several challenges. Such a platform must seamlessly integrate with various development tools and environments, accommodate different testing methodologies, and remain flexible to adapt to organizational processes and quality standards.

The Guide to Integrating Generative AI into Unified Continuous Testing Platfo...

kalichargn70th171

Unlocking the Future of AI Agents with Large Language Models

aagamshah0812

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

Define the academic and professional writing..pdf

PearlKirahMaeRagusta1

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, etc. Performance can be dialed UP (and back down) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

Azure_Native_Qumulo_High_Performance_Compute_Benchmarks.pdf

ryanfarris8

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

masabamasaba

Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf

kalichargn70th171

Pharm-D Biostatistics and Research methodology

Anusha Are

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

In an era where security concerns are paramount, the integration of artificial intelligence (AI) into CCTV cameras has revolutionized surveillance capabilities. One of the most significant advancements is the ability to achieve real-time threat detection, enabling immediate responses to potential security breaches. This blog explores how AI is reshaping surveillance through real-time threat detection and the implications of this technology.

Optimizing AI for immediate response in Smart CCTV

shikhaohhpro

MakeMyPass" Online Bus Pass Management System illustrates the flow of activities and actions that occur within the system to accomplish specific tasks or use cases. This type of diagram focuses on representing the sequence of activities and decision points involved in a particular process. Below is an example outline and description of key elements that could be included in an Activity Diagram for the system:

BUS PASS MANGEMENT SYSTEM USING PHP.pptx

alwaysnagaraju26

10 Trends Likely to Shape Enterprise Technology in 2024

Mind IT Systems

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

(Vivek)Call Us, 8448380779,Call girls in Delhi NCr – We Offer best in class call girls. escort Service At Affordable Price At low Rate with Space Night 8000 We Are One Of The Oldest Escort and Call girls Agencies in Delhi. You Will Find That Our Female Escorts Are Full Of Fun, Sexy And They Would Love Enjoy Your Company. We Have A Fantastic Selection Of Escort Ladies Available For In-Calls As Well As Out-Calls. Our Escorts Are Not Only Beautiful But All Have Great Personalities Making Them The Perfect Companion For Any Occasion. In-Call:- You Can Come At Our Place in Delhi Our place Which Is Very Clean Hygienic 100% safe Accommodation. Out-Call:- You have To Come Pick The Girl From My Place We Are Also Provide Door Step Services (Delhi Ncr, Noida, Gurgaon, Faridabad, Ghaziabad Note:- Pic Collectors Time Passers Bargainers Stay Away As We Respect The Value For Your Money Time And Expect The Same From You Hygienic:- Full Ac room And Clean Rooms Available In Hotel 24 * 7 Hourly In Delhi NCR More Details, With WhatsApp Number, +91-8448380779

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️

Delhi Call girls

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

In the past six months, the AI landscape has undergone a massive transformation, ushering in a new era of productivity with the latest in Large Language Models (LLMs) and AI technology. This deep dive unlocks how to: Create CustomGPT Models: No coding needed to tailor AI for your unique projects. Integrate your own data, including PDFs and Excel sheets, making information handling a breeze. Plus, discover how to call your own actions/integrations for even more personalized utility. Navigate Advanced Prompting: Overcome AI's memory limits and utilize Retrieval-Augmented Generation for accessing your personalized data, streamlining how you interact with AI. Stay Ahead with AI Trends: Peek into the evolving world of LLMs, featuring newcomers like Google Gemini, Anthropic Claude, Open Sora, and Twitter Grok, and understand what their advancements mean for your productivity. Witness Real-Life Transformations: Through examples and prompt demonstrations, see firsthand how these AI strategies revolutionize routine tasks, from data analysis to content creation. Learn to leverage image output and input for advanced practical use cases, adding a new dimension to your productivity toolkit. No previous coding or AI experience is needed for this talk. Stay ahead in the fast-evolving world of work. Embrace the AI revolution and transform your workflow with advanced LLM techniques. Join us to ensure you're not left behind in the productivity race.

AI Mastery 201: Elevating Your Workflow with Advanced LLM Techniques

VictorSzoltysek

2015 mindthesec mauro risonho de paula assumpcao rev01 firebits

1. OWASP OWTF THE OFFENSIVE (WEB) TESTING FRAMEWORK + PTES PENETRATION TESTING EXECUTION STANDARD = KALI POWER AUTO WEB PENTESTS Mauro Risonho de Paula Assumpção

2. PENSAMENTO Nosso Presente; é o Passado de alguma Civilização no Futuro. Mauro Risonho de Paula Assumpção

3. AGENDA ● OWTF Intro – Instalando OWTF com o Kali (apenas tools web) ● Executando OWTF – Parte 1: OWTF Passive + Semi-passive Web analysis – Parte 2: OWTF Active Web analysis – Parte 3: OWTF aux plugins – SE, IDs testing ● Conclusão ● Q&A

4. WHO I AM? ● Mauro Risonho de Paula Assumpção aka firebits ● Nerd/Autodidata/Entusiasta/Pentester/Analista em Vulnerabilidades/ Security Researcher/Instrutor/Palestrante e Eterno Aprendiz de Conhecimentos ● Analista em Segurança (R&D) pela Agility Networks, focado no sistema SIS (RE de Malwares, Deep Web e Pentest)

5. OWASP OWTF

6. 6 OWASP OWTF OWASP OWTF https://www.owasp.org/index.php/OWASP_OWTF Email de contato (2014) de Abraham Aranguren, Leader OWASP OWTF Project

7. 7 OWTF - Offensive (Web) Testing Framework OWTF Test Separation Start Without permission Automation Unite Tools, Knowledge, Standards, (OWASP and PTES) Test Separation Start Without permission

8. 8 OWTF Chess-like approach OWTF Run Tools theHarvester ● Nikto ● Arachini ● W3af, etc Run Tests directly ● Header Searches ● HTML Body searches ● Craftled requests, etc Knowledge Repository ● PoCs Links ● Resource Links ● OWASP mapping Help Human analysis Flag importance ● Tool Output manager ● Screenshot manager ● Notes Manager ● Report Assistant Pentester OWTF

9. 9 OWTF - Install Kali 1.1.0 ou Kali 2 - tests (conforme o caso) http://cdimage.kali.org/kali-1.1.0/kali-linux-1.1.0-amd64.iso http://docs.kali.org/network-install/kali-linux-network-mini-iso-install https://www.owasp.org/index.php/OWASP_OWTF kali-linux-web = Kali Linux web app assessment tools (group install) apt-get install kali-linux-web -y github git clone git://github.com/owtf/owtf.git OWTF 1.0.1 Lionheart wget https://github.com/owtf/owtf/archive/v1.0.1.tar.gz tar -xvvf https://github.com/owtf/owtf/archive/v1.0.1.tar.gz

10. 10 OWTF - Install #git clone https://github.com/owtf/owtf.git #cd /root/owtf/install #python install.py #YES, YES, YES...FOREVER!:) ou pip install --upgrade -r install/owtf.pip

11. PTES

12. 12 PTES Penetration Testing Execution Standard PTES – MindMap (FreeMind) http://www.pentest-standard.org/index.php/FAQ http://iamit.org/docs/Penetration_Testing_Execution_Standard.mm 1) Pre-engagement Interactions 2) Intelligence Gathering 3) Threat Modeling 4) Vulnerability Analysis 5) Exploitation 6) Post Exploitation 7) Reporting

13. KALI

14. 14 KALI OW TF + KALI2 = FAIL!!!

15. 15 KALI Escolher opcao 1

16. 16 Escolher “Y” YES KALI

17. 17 Acabou de instalar com sucesso! :) KALI

18. 18 python owtf.py -h|more OWASP OWTF + PTES = KALI OWTF Comandos em CLI

19. 19 python owtf.py -l web Listar plugins OWTF - Web Attacks OWASP OWTF + PTES = KALI

20. 20 Simulation mode “-s ”: 1) SIMULATES what OWTF will do (so it does not do it!): 2) Is useful to check the effect of a command before running it #python owtf.py -s https://accounts.google.com | more Simulation mode OWASP OWTF + PTES = KALI

21. 21 python owtf.py www.google.com OWASP OWTF + PTES = KALI

22. 22 file:///root/owtf/owtf_review/index.html OWASP OWTF + PTES = KALI

23. 23 DEMOS Parte 1: OWTF Passive + Semi-passive Web analysis Parte 2: OWTF Active Web analysis Parte 3: OWTF aux plugins – SE, IDs testing

24. 24 DÚVIDAS?

25. 25 CONCLUSÃO OWASP OWTF não é “silver-bullet”, ou seja “bala-de-prata” e não substitui o processo manual, inteligente e humano de pentesters, mas ajuda a automatizar um pouco as coisas.

26. OBRIGADO! Mauro Risonho de Paula Assumpção Email mauro.risonho@gmail.com Twitter @firebitsbr Site https://firebitsbr.wordpress.com

2015 mindthesec mauro risonho de paula assumpcao rev01 firebits

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (6)

Similar a 2015 mindthesec mauro risonho de paula assumpcao rev01 firebits

Similar a 2015 mindthesec mauro risonho de paula assumpcao rev01 firebits (20)

Más de Mauro Risonho de Paula Assumpcao

Más de Mauro Risonho de Paula Assumpcao (20)

Último

Último (20)

2015 mindthesec mauro risonho de paula assumpcao rev01 firebits