OWASP OWTF THE OFFENSIVE (WEB) TESTING
FRAMEWORK + PTES PENETRATION TESTING EXECUTION
STANDARD = KALI POWER AUTO WEB PENTESTS
Mauro Risonho de Paula Assumpção
Mind The Sec 2015, Mauro Risonho de Paula Assumpção, rev01, firebits
3. AGENDA
● OWTF intro
  – Installing OWTF on Kali (web tools only)
● Running OWTF
  – Part 1: OWTF passive + semi-passive web analysis
  – Part 2: OWTF active web analysis
  – Part 3: OWTF aux plugins – SE, IDs testing
● Conclusion
● Q&A
4. WHO AM I?
● Mauro Risonho de Paula Assumpção aka firebits
● Nerd / self-taught / enthusiast / pentester / vulnerability analyst / security researcher / instructor / speaker and eternal learner
● Security analyst (R&D) at Agility Networks, focused on the SIS system (malware RE, deep web and pentest)
7. OWTF - Offensive (Web) Testing Framework
OWTF design goals:
● Test separation: plugins are split into passive, semi-passive and active tests
● Start without permission: passive tests only query third-party sources and never touch the target, so they can run before the client authorises active testing
● Automation
● Unite tools, knowledge and standards (OWASP and PTES)
8. OWTF chess-like approach
OWTF sits between the pentester and the tools and does four things:
● Run tools: theHarvester, Nikto, Arachni, w3af, etc.
● Run tests directly: header searches, HTML body searches, crafted requests, etc.
● Knowledge repository: PoC links, resource links, OWASP mapping
● Help human analysis: flag importance, tool output manager, screenshot manager, notes manager, report assistant
9. OWTF - Install
Kali 1.1.0 or Kali 2 (tested as applicable)
http://cdimage.kali.org/kali-1.1.0/kali-linux-1.1.0-amd64.iso
http://docs.kali.org/network-install/kali-linux-network-mini-iso-install
https://www.owasp.org/index.php/OWASP_OWTF
kali-linux-web = Kali Linux web app assessment tools (metapackage install)
apt-get install kali-linux-web -y
GitHub
git clone git://github.com/owtf/owtf.git
(GitHub has since disabled the unencrypted git:// protocol; clone https://github.com/owtf/owtf.git instead)
OWTF 1.0.1 Lionheart
wget https://github.com/owtf/owtf/archive/v1.0.1.tar.gz
tar -xvf v1.0.1.tar.gz
19. List OWTF plugins - web attacks
python owtf.py -l web
OWASP OWTF + PTES = KALI
20. Simulation mode
Simulation mode "-s":
1) SIMULATES what OWTF would do, without actually doing it
2) Useful to check the effect of a command before running it for real
# python owtf.py -s https://accounts.google.com | more
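The test separation from slide 7 and the simulation mode from slide 20, as an added example that is not OWTF's own code: a toy plugin scheduler that decides which plugins may run at a given authorization level, prints the commands instead of executing them when simulating, and includes one direct "header search" test of the kind slide 8 describes, run over a constructed HTTP response. The plugin catalogue, the three authorization levels, the command templates and both sample responses are assumptions made for illustration; theHarvester, curl and nikto are real tools, but nothing here runs them unless you supply a real executor.

```python
# Added example, not OWTF's code: a miniature model of test separation
# (passive / semi-passive / active) and of a -s style simulation mode.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Permission required per test kind (assumed ordering, mirroring OWTF's split):
#   passive      -> touches only third parties (search engines, DNS), no target contact
#   semi_passive -> ordinary requests to the target (fetch a page, read headers)
#   active       -> traffic a target owner would call an attack (scanners, fuzzing)
PERMISSION_NEEDED = {"passive": 0, "semi_passive": 1, "active": 2}


@dataclass
class Plugin:
    name: str
    kind: str       # one of PERMISSION_NEEDED's keys
    command: str    # shell command template; {target} is substituted at run time


# Constructed plugin catalogue for the example (names and commands are assumptions).
PLUGINS = [
    Plugin("harvester", "passive", "theharvester -d {target} -b google"),
    Plugin("headers", "semi_passive", "curl -sI https://{target}"),
    Plugin("nikto", "active", "nikto -h https://{target}"),
]


def select_plugins(plugins: List[Plugin], authorization: int) -> List[Plugin]:
    """Keep only plugins whose kind is allowed at this authorization level."""
    return [p for p in plugins if PERMISSION_NEEDED[p.kind] <= authorization]


def run(plugins: List[Plugin], target: str, authorization: int, simulate: bool,
        executor: Optional[Callable[[str], str]] = None) -> Dict[str, list]:
    """Return what ran, what was only announced (simulation) and what was skipped."""
    if not simulate and executor is None:
        raise ValueError("an executor is required when not simulating")
    report: Dict[str, list] = {"ran": [], "simulated": [], "skipped": []}
    for p in plugins:
        cmd = p.command.format(target=target)
        if PERMISSION_NEEDED[p.kind] > authorization:
            report["skipped"].append(p.name)        # not permitted yet, never touched
        elif simulate:
            print("[simulation] would run:", cmd)   # -s behaviour: show, do not execute
            report["simulated"].append(cmd)
        else:
            report["ran"].append((p.name, executor(cmd)))
    return report


# A "direct test" in the style of OWTF's header searches: no external tool,
# just inspect a response. Both responses below are constructed for the example.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
EXPECTED_HEADERS = ("Strict-Transport-Security", "X-Frame-Options", "Content-Security-Policy")


def parse_headers(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def header_findings(raw: str) -> List[str]:
    """Flag missing hardening headers, server version disclosure and weak cookie flags."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for name in EXPECTED_HEADERS if name.lower() not in h]
    if "/" in h.get("server", ""):                 # "Apache/2.4.7" leaks a version
        findings.append(f"server version disclosed: {h['server']}")
    cookie = h.get("set-cookie", "").lower()
    if cookie and "httponly" not in cookie:
        findings.append("cookie without HttpOnly")
    if cookie and "secure" not in cookie:
        findings.append("cookie without Secure")
    return findings


if __name__ == "__main__":
    # Before any authorization only the passive plugin is eligible; the rest are skipped.
    print(run(PLUGINS, "example.com", authorization=0, simulate=True))
    # Fully authorized but simulating: every command is shown, none is executed.
    print(run(PLUGINS, "example.com", authorization=2, simulate=True))
    print(header_findings(WEAK_RESPONSE))      # six findings
    print(header_findings(HARDENED_RESPONSE))  # none
```

The point of the split is the skip list: with authorization level 0 the scheduler never builds a request to the target at all, which is exactly what lets passive reconnaissance start before the engagement letter arrives, and simulation mode gives the same preview regardless of level.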
25. CONCLUSION
OWASP OWTF is not a "silver bullet" and does not replace the manual, intelligent, human work of a pentester, but it does help automate some of the routine.
26. THANK YOU!
Mauro Risonho de Paula Assumpção
Email mauro.risonho@gmail.com
Twitter @firebitsbr
Site https://firebitsbr.wordpress.com