2015 mindthesec mauro risonho de paula assumpcao rev01 firebits


Upload: mauro-risonho-de-paula-assumpcao

Post on 11-Feb-2017

TRANSCRIPT


OWASP OWTF THE OFFENSIVE (WEB) TESTING FRAMEWORK + PTES PENETRATION TESTING EXECUTION STANDARD = KALI POWER AUTO WEB PENTESTS
Mauro Risonho de Paula Assumpção

THOUGHT

"Our present is the past of some civilization in the future." Mauro Risonho de Paula Assumpção

AGENDA

OWTF Intro

Installing OWTF on Kali (web tools only)

Running OWTF

Part 1: OWTF Passive + Semi-passive Web analysis

Part 2: OWTF Active Web analysis

Part 3: OWTF aux plugins SE, IDs testing

Conclusion

Q&A

WHO AM I?

Mauro Risonho de Paula Assumpção aka firebits

Nerd / Self-taught / Enthusiast / Pentester / Vulnerability Analyst /
Security Researcher / Instructor / Speaker and
Eternal Learner

Security Analyst (R&D) at Agility Networks, focused on the SIS system (malware RE, Deep Web and Pentest)

OWASP OWTF
https://www.owasp.org/index.php/OWASP_OWTF

Contact email (2014) from Abraham Aranguren, OWASP OWTF Project Leader

OWTF - Offensive (Web) Testing Framework

OWTF (diagram): Automation; Unite Tools, Knowledge, Standards (OWASP and PTES); Test Separation; Start Without permission

OWTF Chess-like approach (diagram: Pentester <-> OWTF)

Run Tools: theHarvester, Nikto, Arachni, W3af, etc.

Run Tests directly: Header Searches, HTML Body searches, Crafted requests, etc.

Knowledge Repository: PoCs Links, Resource Links, OWASP mapping

Help Human analysis: Flag importance, Tool Output manager, Screenshot manager, Notes Manager, Report Assistant

OWTF - Install

Kali 1.1.0 or Kali 2 - tests (as applicable)

http://cdimage.kali.org/kali-1.1.0/kali-linux-1.1.0-amd64.iso
http://docs.kali.org/network-install/kali-linux-network-mini-iso-install
https://www.owasp.org/index.php/OWASP_OWTF

kali-linux-web = Kali Linux web app assessment tools (group install)
apt-get install kali-linux-web -y

github

git clone git://github.com/owtf/owtf.git

OWTF 1.0.1 Lionheart
wget https://github.com/owtf/owtf/archive/v1.0.1.tar.gz
tar -xvvf v1.0.1.tar.gz

OWTF - Install

# git clone https://github.com/owtf/owtf.git
# cd /root/owtf/install
# python install.py
# YES, YES, YES... FOREVER! :)
or
pip install --upgrade -r install/owtf.pip

PTES

PTES
Penetration Testing Execution Standard

PTES MindMap (FreeMind)

http://www.pentest-standard.org/index.php/FAQ
http://iamit.org/docs/Penetration_Testing_Execution_Standard.mm

1) Pre-engagement Interactions
2) Intelligence Gathering
3) Threat Modeling
4) Vulnerability Analysis
5) Exploitation
6) Post Exploitation
7) Reporting

KALI

OWTF + KALI2 = FAIL!!!

Choose option 1

Choose Y (YES)

Installed successfully! :)

python owtf.py -h | more

OWASP OWTF + PTES = KALI

OWTF CLI commands

python owtf.py -l web

List OWTF plugins - Web Attacks

Simulation mode -s:
1) SIMULATES what OWTF will do (so it does not do it!)
2) Is useful to check the effect of a command before running it
# python owtf.py -s https://accounts.google.com | more

Simulation mode

python owtf.py www.google.com
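As an added example (not from the talk or the OWTF project), the POSIX shell script below strings the slides' install steps together with the two checks a practitioner would want before running them on a box: a Kali major-version check, since the deck reports OWTF failing on Kali 2 while Kali 1.1.0 was the tested base, and a simulation-mode (-s) dry run of the target before any real scan. The repository URL, install path and pip requirements file are the ones shown on the slides; the os-release parsing assumes Kali ships the usual /etc/os-release VERSION_ID field (e.g. "1.1.0" or "2.0"), which is an assumption, and the target check (scheme or www. prefix) is a constructed sanity rule, not OWTF behaviour.

```shell
#!/bin/sh
# Added example: wraps the slide's OWTF install steps with a Kali version
# check and a simulation-mode dry run. Not code from the talk or from OWTF.

# Return the major version from an os-release style file ($1 = path).
# Assumes the VERSION_ID="x.y" format; prints nothing if absent.
kali_major_from_os_release() {
  sed -n 's/^VERSION_ID="\{0,1\}\([0-9]*\).*/\1/p' "$1" | head -n 1
}

# Build the OWTF command line. $1 = target, $2 = "simulate" (default) or "run".
# Simulation mode (-s) only prints what OWTF would do, as the slides describe.
owtf_cmdline() {
  target=$1
  mode=${2:-simulate}
  # Constructed sanity rule: require a URL scheme or a www. host as on the slides.
  case "$target" in
    http://*|https://*|www.*) ;;
    *) echo "refusing target without scheme or www prefix: '$target'" >&2; return 1 ;;
  esac
  if [ "$mode" = "simulate" ]; then
    printf 'python owtf.py -s %s\n' "$target"
  else
    printf 'python owtf.py %s\n' "$target"
  fi
}

# Install following the slides: web tool group, clone, install.py, pip fallback.
install_owtf() {
  major=$(kali_major_from_os_release /etc/os-release)
  if [ "$major" = "2" ]; then
    echo "warning: the talk reports OWTF failing on Kali 2; Kali 1.1.0 was the tested base" >&2
  fi
  apt-get install kali-linux-web -y
  git clone https://github.com/owtf/owtf.git /root/owtf
  ( cd /root/owtf/install && python install.py ) \
    || pip install --upgrade -r /root/owtf/install/owtf.pip
}

# Only act when invoked as: sh this_script.sh --run <target>
# so the functions can be sourced and tested without touching the system.
if [ "${1:-}" = "--run" ]; then
  install_owtf
  # Dry run first so the plugin list can be reviewed before the real scan.
  ( cd /root/owtf && sh -c "$(owtf_cmdline "$2" simulate)" )
fi
```

The dry run prints the commands OWTF would execute; only after reviewing that output would the same target be passed with `run` to build the real command line, and the generated report then lands at the path shown on the next slide.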


file:///root/owtf/owtf_review/index.html


DEMOS

Part 1: OWTF Passive + Semi-passive Web analysis

Part 2: OWTF Active Web analysis

Part 3: OWTF aux plugins SE, IDs testing

QUESTIONS?

CONCLUSION

OWASP OWTF is not a silver bullet, and it does not replace the manual, intelligent, human work of pentesters, but it helps automate things a little.

THANK YOU!
Mauro Risonho de Paula Assumpção
Email [email protected]
@firebitsbr
Site https://firebitsbr.wordpress.com
