Pen Test Automation - WordPress.com

Pen Test Automation HELPING YOU GET HOME/TO THE PUB ON TIME

About Me 

IT/InfoSec/IT Sec/Testing for a while



Currently Director of ScotSTS



OWASP Scotland Chapter Leader



3rd highest ranked Security.Stackexchange member here today



Not a trained programmer

Why Automate? 





Time 

Lots of areas to check, always time limited



Report to write

Repetition, Repetition, Repetition 

Think of checking something on one server then realise you have 200+ to check that on



Analysing huge amounts of tool output

Accuracy 

Computers don’t get bored!

When to Automate 

Once you realise you’ll be doing this a lot 

Either on one test or every test



When you realise it’s hard to do manually



When you realise it would be quicker to write the code instead of doing it manually.

General Principles 

Pick a language



Useful features 



Dynamic, Interactive Shell, fast development time.

Source Code Control 

Use it!

Example 1 – The throw away 

The Problem 

Testers are often provided with target ranges in CIDR format but some tools (e.g. Nikto) don’t work with that format.



Difficulty – Very easy



Repeatability – High



Example..

The code

    #!/usr/bin/env ruby
    # Expand the CIDR range given as the first argument into one address per line.
    require 'ipaddress'

    ip = IPAddress ARGV[0]
    ip.each { |addr| puts addr }

Example 2 – Building a Template 

Useful for tasks which are similar but not identical



The problem 

Cookie grabbing on two-stage logins



Difficulty – Easy/Medium



Repeatability – Medium 

Each use will be similar but not identical

Example 2 – Solution features 

Uses an HTTP automation library (Ruby Mechanize)



An Aside – Libraries.



Provides a generic template for later versions



Code comments!



Code

Example 3 – The Old Stalwart 

Things you find yourself doing all the time



Code you might actually want to let others use



The Problem 

Tools can produce huge quantities of output and finding the “important” things to look at first takes time



Difficulty – moderate



Repeatability - High

Example 3 – Solution Features 

Error Handling



Option Parsing



Classes



Code
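An added example, not the speaker's own code, showing the three solution features above (error handling, option parsing, classes) in one script that ranks hosts from scanner output. It assumes Nmap grepable (-oG) output as the input format; the ScanTriage class, the priority port list and the sample lines are constructed for illustration.

```ruby
require 'optparse'

# Constructed sample in Nmap grepable (-oG) style; used when no file is given.
SAMPLE = <<~GNMAP
  Host: 192.0.2.10 ()\tStatus: Up
  Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///
  Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 8080/closed/tcp//http-proxy///
  Host: 192.0.2.12 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///
  a truncated or garbage line that the parser must skip
GNMAP

# Ranks scanned hosts so the ones exposing "look at first" ports come out on top.
class ScanTriage
  DEFAULT_PRIORITY = [21, 23, 445, 3389].freeze # hypothetical list, tune per test
  Host = Struct.new(:addr, :open_ports, :flagged)

  def initialize(priority = DEFAULT_PRIORITY)
    @priority = priority
  end

  def parse(text)
    hosts = text.each_line.filter_map do |line|
      m = line.match(/^Host: (\S+).*\tPorts: ([^\t\n]*)/)
      next unless m # Status lines and junk carry no port list
      ports = m[2].split(',').map { |f| f.strip.split('/') }
                  .select { |p| p[1] == 'open' }
                  .filter_map { |p| Integer(p[0], exception: false) }
      Host.new(m[1], ports, ports & @priority)
    end
    hosts.sort_by { |h| [-h.flagged.size, h.addr] }
  end
end

def main(argv)
  priority = ScanTriage::DEFAULT_PRIORITY
  parser = OptionParser.new do |o|
    o.banner = 'Usage: triage.rb [-p 21,23,445] [scan.gnmap]'
    o.on('-p', '--ports LIST', Array, 'Ports to flag') { |l| priority = l.map { |s| Integer(s) } }
  end
  files = parser.parse(argv)
  text = files.empty? ? SAMPLE : File.read(files.first)
  ScanTriage.new(priority).parse(text).each do |h|
    puts format('%-12s flagged=%-12s open=%s', h.addr, h.flagged.join(','), h.open_ports.join(','))
  end
  0
rescue OptionParser::ParseError, ArgumentError, SystemCallError => e
  warn "error: #{e.message}" # bad option, bad port number or unreadable file
  1
end

main(ARGV) if __FILE__ == $PROGRAM_NAME
```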

Example 4 – The Full Application 

Larger Functionality 

Think Burp, Dradis, Metasploit



In Most Cases…… Don’t



Find existing projects and contribute to them 

Conclusion 

If you’re a tester, learn to script 

If you’re not a tester, still learn to script 



Pick a language



Proportional Effort



Follow good practices

Questions?