Post on 21-Dec-2015
transcript
AppSec USA 2014
Denver, Colorado
Orchestrating Security Testing With Golismero
Mike Landeck
2
Speaker Bio
Mike Landeck
Mike Landeck led the security implementation and then operationalized the country's largest Medicaid Management Information System as the Director of Information Security for Xerox' State Healthcare, and then managed the security program implementation of Colorado's Health Insurance Exchange as a consulting manager for CGI.
Mike currently consults at one of the World’s largest technology companies on improving security in the software development lifecycle as a Product Security Strategy Consultant.
Mike is a frequent conference speaker and workshop presenter throughout the United States, focusing on software security testing and security program management.
3
Disclaimer
I do not speak on behalf of my employer. The information and perspectives I present are personal and do not represent those of my employer.
4
Golismero Project Team (www.golismero.com)
Mario Vilas - Core developer
Raúl Requero - Frontend developer
Daniel García - Backend developer
Golismero
* My role is that of self-appointed evangelist and bug hunter who wants to promote the concept of automated test orchestration in the cyber security testing community
5
Agenda
1. Very Brief Business Context
2. Golismero for Senior Users
3. Golismero for complete and total rookies
6
Top three reasons I hear organizations cite for not using more automated assessment tools:
• Don't know how to use them
• Don't know which tools to use
• Too much time to vet results
Business Context
7
Business Context
Each assessment type runs its own complete pipeline, end to end:

Web vulnerability:         Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
Host vulnerability:        Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
Network vulnerability:     Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
Application vulnerability: Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report

Typical Automated Security Assessments
8
Orchestrated: Single Request -> Single Analysis -> Single Config -> Single Execution -> Single Vetting -> Single Report
Business Context
Tools and checks Golismero runs as plug-ins:
1. Nikto
2. Nmap
3. OpenVAS
4. SpiderFoot
5. sslscan
6. sqlmap
7. XSSer
8. Dns_Malware
9. GeoIP
10. PunkSpider
11. Shodan
12. Plecost
13. Default Error Page
14. Directory Listing
15. Dns Malware
16. Exploit-DB
17. Fingerprint Web
18. Brute Directories
19. Brute Dns
20. Brute Extensions
21. Brute Permutations
22. Brute Predictables
23. Brute Prefixes
24. Brute Suffixes
9
Simple Demo - Default Settings
Golismero Demo

    golismero scan <host>

Here `scan` is the action and `<host>` is the test target.
10
File location: /usr/share/golismero/golismero.conf

    [openvas]
    host = localhost
    #[testing/scan/openvas]
    user = admin
    password = <your password>
    #[shodan:Configuration]
    apikey = <your shodan key>

Golismero Config File

This file holds credentials (the OpenVAS password and the Shodan API key) in clear text, so restrict its permissions to the account that runs the scans.

http://goo.gl/im2FLe for detailed instructions on setting up OpenVAS
http://www.shodanhq.com/account/register for a Shodan API key
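As an added example (not code from this talk or from the GoLismero project), a small Python check to run over a golismero.conf like the one above before a scan: it flags credentials still left at their placeholders and a file mode that lets other users read the OpenVAS password and Shodan key. The section and key names are the ones on the slide; the sample config text is constructed here, and the function names and placeholder set are this example's own assumptions.

```python
"""Sanity-check a golismero.conf before running a scan.

Added example for this page, not part of GoLismero. Assumes the INI layout
shown on the slide: [openvas] host/user/password and
[shodan:Configuration] apikey.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample mirroring the slide, with the placeholders left in place.
SAMPLE_CONF = """\
[openvas]
host = localhost
#[testing/scan/openvas]
user = admin
password = <your password>
#[shodan:Configuration]
apikey = <your shodan key>

[shodan:Configuration]
apikey = <your shodan key>
"""

# Values that mean "the operator never filled this in" (assumed set).
PLACEHOLDERS = {"", "<your password>", "<your shodan key>", "changeme"}

# (section, key, human label) for every secret the slide's config carries.
SECRETS = (
    ("openvas", "password", "OpenVAS password"),
    ("shodan:Configuration", "apikey", "Shodan API key"),
)


def check_config_text(text):
    """Return a list of findings (strings) for the given config text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section, key, label in SECRETS:
        value = parser.get(section, key, fallback="").strip()
        if value in PLACEHOLDERS:
            findings.append(f"{label} is unset or still a placeholder ({section}/{key})")
    return findings


def check_config_file(path):
    """Findings for the text plus a finding if group/other can read the file."""
    with open(path, encoding="utf-8") as fh:
        findings = check_config_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is accessible to group/other (mode {oct(mode)}); chmod 600 it")
    return findings


def check_sample_file(mode):
    """Write the constructed sample to a temp file with `mode` and check it."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    try:
        return check_config_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in check_sample_file(0o644):
        print("WARN:", finding)
```

Point it at /usr/share/golismero/golismero.conf once the real keys are in, and run it as the scanning account so the permission check reflects what other users on the box can actually read.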
11
Golismero Advanced
golismero scan <host> with options:
--audit-name <user defined name for scan>
-o <user defined name of output file>
--no-parent
--cookie <name=value>
--user-agent <user defined value>
Golismero Demo
12
Golismero Plug-ins
golismero plugins   returns all loaded plug-ins
golismero -e <plug-in name>   enables a plug-in
golismero -d <plug-in name>   disables a plug-in

Example: golismero scan <host> -d 'brute*' disables all of the brute force plug-ins (quote the pattern so the shell does not expand it against file names in the current directory).
Golismero Demo
13
Report formats:
• Determined by the extension of the output file, e.g. .html, .txt and .rst

Reporting on previous scans:
golismero report <fileName.ext> -db <scanName.db>
Golismero Reporting
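The scan-and-report sequence from the last few slides, driven from Python as an added example (not GoLismero's own code, nor the speaker's): it assembles the argv for `golismero scan` and `golismero report` from the options shown (--audit-name, -o, --no-parent, --cookie, --user-agent, -d, -db), rejects an output name whose extension is not one of the report formats the talk lists, and executes without a shell so a pattern such as brute* reaches GoLismero unexpanded. The function names and the dry-run mode are this example's assumptions; the report-format set is only the one on the slide, so extend it if your install ships more report plug-ins.

```python
"""Orchestrate a GoLismero scan followed by a re-report from its database.

Added example for this page, not part of GoLismero. Only the command-line
options shown on the slides are used; everything else is this example's own.
"""
import os
import shlex
import shutil
import subprocess

# Report formats the talk lists (assumed complete for this example).
REPORT_EXTENSIONS = {".html", ".txt", ".rst"}


def is_supported_report(output):
    """True if GoLismero would pick a report writer from this file name."""
    return os.path.splitext(output)[1].lower() in REPORT_EXTENSIONS


def build_scan_command(target, audit_name, output, disabled_plugins=("brute*",),
                       cookie=None, user_agent=None, no_parent=True):
    """Return the argv list for `golismero scan` with the slide's options."""
    if not is_supported_report(output):
        raise ValueError(f"unsupported report extension on {output!r}; "
                         f"use one of {sorted(REPORT_EXTENSIONS)}")
    argv = ["golismero", "scan", target, "--audit-name", audit_name, "-o", output]
    if no_parent:
        argv.append("--no-parent")
    for plugin in disabled_plugins:      # e.g. "brute*": skips all brute-force plug-ins
        argv += ["-d", plugin]
    if cookie:                           # "name=value", for authenticated scans
        argv += ["--cookie", cookie]
    if user_agent:
        argv += ["--user-agent", user_agent]
    return argv


def build_report_command(db_file, output):
    """Return the argv list that regenerates a report from a finished scan's .db."""
    if not is_supported_report(output):
        raise ValueError(f"unsupported report extension on {output!r}")
    return ["golismero", "report", output, "-db", db_file]


def run(argv, dry_run=False):
    """Run one command as an argv list (no shell, so wildcards such as brute*
    are not expanded by the shell) and return the quoted command line.
    Falls back to dry-run when golismero is not on PATH."""
    quoted = " ".join(shlex.quote(a) for a in argv)
    if not dry_run and shutil.which("golismero") is not None:
        subprocess.run(argv, check=True)
    return quoted


def orchestrate(target, audit_name, report, db_file, dry_run=False, **scan_opts):
    """Scan, then re-report from the database; returns both command lines."""
    scan = build_scan_command(target, audit_name, report, **scan_opts)
    rereport = build_report_command(db_file, os.path.splitext(report)[0] + ".txt")
    return [run(scan, dry_run), run(rereport, dry_run)]


if __name__ == "__main__":
    # Dry run against a constructed target name; prints the two command lines.
    for line in orchestrate("http://target.example", "appsec-demo", "appsec-demo.html",
                            "appsec-demo.db", dry_run=True,
                            cookie="session=abc123", user_agent="AppSecUSA-2014"):
        print(line)
```

Passing argv lists to subprocess rather than a shell string is the important detail: the audit name, cookie and user agent come from the operator and would otherwise be shell-interpolated, and the brute* pattern would be globbed by the shell before GoLismero saw it.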
14
Step 1: Download VMware Player
Step 2: Download my pre-configured image
Step 3: Open the image
Step 4: Click the button to start the wizard
Links and help for all this at:http://SoftwareSecurityAssurance.com/AppSecUSA2014
Golismero for Complete Rookies
15
Demo: Go from zero experience to running golismero!
Setting up a Test System
16
There is not enough time in a one-hour workshop to walk through the installation process; however, there are literally hundreds of Kali installation demos on YouTube.
– This one is comprehensive (and narrated!): https://www.youtube.com/watch?v=k5mNnkG0FVk
Installing Kali
17
Questions
18
Topic: Link
Golismero Web Site: www.golismero.com
Slides and supporting material: http://SoftwareSecurityAssurance.com/AppSecUSA2014
OpenVAS Help: http://goo.gl/im2FLe
Basic Linux commands for Kali users: http://kali4hackers.blogspot.com/2013/06/some-basic-commands-for-kali-linux.html
Kali Installation (video): https://www.youtube.com/watch?v=k5mNnkG0FVk
Download Kali: http://www.kali.org/downloads/
Download VM Player: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0
Shodan Registration: http://www.shodanhq.com/account/register
Useful Links
19
End –h now