Pen Test Automation - WordPress.com
Pen Test Automation HELPING YOU GET HOME/TO THE PUB ON TIME
About Me
IT/InfoSec/IT Sec/Testing for a while
Currently Director of ScotSTS
OWASP Scotland Chapter Leader
3rd highest ranked Security.Stackexchange member here today
Not a trained programmer
Why Automate?
Time
Lots of areas to check, always time limited
Report to write
Repetition, Repetition, Repetition
Think of checking something on one server then realise you have 200+ to check that on
Analysing huge amounts of tool output
Accuracy
Computers don’t get bored!
When to Automate
Once you realise you’ll be doing this a lot
Either on one test or every test
When you realise it’s hard to do manually
When you realise it would be quicker to write the code instead of doing it manually.
General Principles
Pick a language
Useful features
Dynamic, Interactive Shell, fast development time.
Source Code Control
Use it!
Example 1 – The throw away
The Problem
Testers are often provided with target ranges in CIDR format but some tools (e.g. Nikto) don’t work with that format.
Difficulty – Very easy
Repeatability – High
Example..
The code
    #!/usr/bin/env ruby
    # Expand the CIDR range given as the first argument into one IP address per line
    require 'ipaddress'
    ip = IPAddress ARGV[0]
    ip.each { |addr| puts addr }
Example 2 – Building a Template
Useful for tasks which are similar but not identical
The problem
Cookie grabbing on two-stage logins
Difficulty – Easy/Medium
Repeatability – Medium
Each use will be similar but not identical
Example 2 – Solution features
Uses an HTTP automation library (Ruby Mechanize)
An Aside – Libraries.
Provides a generic template for later versions
Code comments!
Code
Example 3 – The Old Stalwart
Things you find yourself doing all the time
Code you might actually want to let others use
The Problem
Tools can produce huge quantities of output and finding the “important” things to look at first takes time
Difficulty – moderate
Repeatability - High
Example 3 – Solution Features
Error Handling
Option Parsing
Classes
Code
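An added example (not the code from the original slides) of the kind of tool Example 3 describes: a Ruby script that uses a class, option parsing and error handling to rank hosts from scan output so the important ones are reviewed first. The Nmap greppable input format, the ScanTriage name, the triage.rb file name and the priority port list are assumptions chosen for illustration.

```ruby
require 'optparse'

# Constructed sample in Nmap greppable (-oG) format, used when no file is given.
SAMPLE = <<~GNMAP
  Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
  Host: 192.0.2.20 ()\tPorts: 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///, 80/closed/tcp//http///
  Host: 192.0.2.30 ()\tPorts: 443/open/tcp//https///\tIgnored State: closed (999)
GNMAP

class ScanTriage
  # Assumed priority list: services the tester wants to review first.
  DEFAULT_PORTS = [21, 23, 445, 3389].freeze

  def initialize(priority_ports = DEFAULT_PORTS)
    @priority = priority_ports
  end

  # Returns { host => [open port numbers] } parsed from greppable output.
  def parse(text)
    text.each_line.with_object({}) do |line, hosts|
      m = line.match(/^Host: (\S+).*\tPorts: ([^\t]*)/) or next
      entries = m[2].split(',').map { |e| e.strip.split('/') }
      hosts[m[1]] = entries.select { |f| f[1] == 'open' }.map { |f| f[0].to_i }
    end
  end

  # Hosts with priority ports open, most hits first; others are dropped.
  def rank(hosts)
    hosts.map { |host, ports| [host, ports & @priority] }
         .reject { |_, hits| hits.empty? }
         .sort_by { |host, hits| [-hits.size, host] }
  end
end

# Returns 0 on success, 1 on a bad option, bad port value or unreadable file.
def main(argv)
  ports = ScanTriage::DEFAULT_PORTS
  OptionParser.new do |o|
    o.banner = 'Usage: triage.rb [-p 21,23] [scan.gnmap]'
    o.on('-p', '--ports LIST', Array) { |l| ports = l.map { |s| Integer(s) } }
  end.parse!(argv)
  triage = ScanTriage.new(ports)
  text = argv.empty? ? SAMPLE : File.read(argv.first)
  triage.rank(triage.parse(text)).each { |host, hits| puts "#{host}\t#{hits.join(',')}" }
  0
rescue OptionParser::ParseError, ArgumentError, SystemCallError => e
  warn "error: #{e.message}"
  1
end
exit(1) if __FILE__ == $PROGRAM_NAME && main(ARGV) != 0
```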
Example 4 – The Full Application
Larger Functionality
Think Burp, Dradis, Metasploit
In Most Cases…… Don’t
Find existing projects and contribute to them
Conclusion
If you’re a tester, learn to script
If you’re not a tester, still learn to script
Pick a language
Proportional Effort
Follow good practices
Questions?