Security monitoring - with open source penetration testing tools

Talk given at Velocity Europe. This is an extended version of my previous security monitoring talk given at Monitorama. This talk contains even more examples and a new section on security monitoring as part of the development process.

Gareth Rushgrove

November 15, 2013

Transcript

  1. Security Monitoring
    With Open Source Penetration Testing Tools
    Gareth Rushgrove

  2. Who
    (Who is this person?)

  3. @garethr

  4. UK Government Digital Service

  6. How did it come to this, that the government has one of the most exciting start-ups in the UK?

  8. The Problem
    (Why talk about security monitoring)

  9. The continuous delivery argument

  10. How often do you change your applications?

  11. How often do you conduct penetration tests?

  12. The "security is part of quality assurance" argument

  13. Testing used to be manual, slow and expensive

  14. Testing is now automated, fast and done on every commit

  15. Security testing is still mainly manual, slow and expensive

  16. This presentation
    (What to expect from this talk)

  17. Part 1: Reactive security monitoring

  18. Part 2: Monitoring security in development

  19. Part 3: Proactive security testing

  20. Part 4: What you can do

  21. WARNING. Code in this presentation works but isn't always pretty

  22. Reactive monitoring
    (Watch for weirdness)

  23. rkhunter

  25. rkhunter \
        --check \
        --no-mail-on-warning \
        --skip-keypress

  26. Tuxtendo Rootkit [ Not found ]
    URK Rootkit [ Not found ]
    Vampire Rootkit [ Not found ]
    VcKit Rootkit [ Not found ]
    Volc Rootkit [ Found ]
    Xzibit Rootkit [ Not found ]
    X-Org SunOS Rootkit [ Not found ]
    zaRwT.KiT Rootkit [ Not found ]
    ZK Rootkit [ Not found ]
    Performing additional rootkit checks
    Suckit Rookit additional checks [ OK ]
    Checking for possible rootkit files and directories [ None found ]
    Checking for possible rootkit strings [ None found ]

  29. rkhunter \
        --check \
        --nocolors \
        --no-mail-on-warning \
        --skip-keypress \
        --no-summary | rkhunter-librato.py

  32. def test_beastkit_not_installed():
        assert metric("beastkit_rootkit") == 0

  33. >> nosetests -v rkhunter-librato-test.py
    rkhunter-libratoo-test.test_beastkit_not_installed ... ok
    ---------------------------------------------------------
    Ran 1 test in 1.585s
    OK
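The pipeline on slides 29 to 33 pipes rkhunter's output through a small script and then asserts on the resulting metrics. The Python below is an added example, not the rkhunter-librato.py script from the talk: it parses the bracketed result lines from a constructed sample of `rkhunter --check --nocolors --no-summary` output into 0/1 gauges, renders them in Graphite's plaintext form, and shows the kind of `test_*` function nosetests discovers. The metric names, the `metric()` helper and the set of statuses treated as clean are this example's own choices.

```python
import re
import time
from typing import Dict, List, Optional

# Constructed sample of `rkhunter --check --nocolors --no-summary` output,
# shaped like the result lines on slide 26 (not a real run).
SAMPLE_OUTPUT = """\
Checking for rootkits...
  Tuxtendo Rootkit                                        [ Not found ]
  Volc Rootkit                                            [ Found ]
  zaRwT.KiT Rootkit                                       [ Not found ]
Performing additional rootkit checks
  Suckit Rookit additional checks                         [ OK ]
  Checking for possible rootkit files and directories     [ None found ]
  Checking for possible rootkit strings                   [ Warning ]
"""

# A result line is a label, padding, then a bracketed status.
RESULT_LINE = re.compile(r"^\s*(?P<label>.+?)\s+\[\s*(?P<status>[^\]]+?)\s*\]\s*$")

# Statuses that mean "nothing to report"; anything else becomes 1 so a
# threshold alert on the metric fires for Found, Warning, etc. (example's choice).
CLEAN_STATUSES = {"Not found", "None found", "OK", "Skipped"}


def metric_name(label: str) -> str:
    """'Volc Rootkit' -> 'volc_rootkit'; runs of non-alphanumerics collapse to '_'."""
    return re.sub(r"[^a-z0-9]+", "_", label.lower()).strip("_")


def parse_rkhunter(text: str) -> Dict[str, int]:
    """Map every result line to a 0 (clean) or 1 (needs attention) gauge."""
    metrics: Dict[str, int] = {}
    for line in text.splitlines():
        m = RESULT_LINE.match(line)
        if m is None:
            continue  # section headers and blank lines carry no result
        metrics[metric_name(m.group("label"))] = 0 if m.group("status") in CLEAN_STATUSES else 1
    return metrics


def graphite_lines(metrics: Dict[str, int], prefix: str = "security.rkhunter",
                   timestamp: Optional[int] = None) -> List[str]:
    """Render the gauges in Graphite's plaintext 'path value timestamp' form."""
    ts = int(time.time()) if timestamp is None else timestamp
    return [f"{prefix}.{name} {value} {ts}" for name, value in sorted(metrics.items())]


def metric(name: str, text: str = SAMPLE_OUTPUT) -> int:
    """Look up one gauge; plays the role of the metric() helper in the slide 32 test."""
    return parse_rkhunter(text)[name]


# Test functions in the style nosetests picks up (slides 32 and 33).
def test_tuxtendo_not_installed():
    assert metric("tuxtendo_rootkit") == 0


def test_volc_rootkit_flagged():
    assert metric("volc_rootkit") == 1
```

Because every check becomes its own gauge, a dashboard or alert rule can watch for any gauge flipping to 1 rather than for a string appearing in an e-mail, which is the point of the slide 29 pipeline.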

  34. Nginx Naxsi

  35. Web Application Firewall

  37. SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;

  38. 2013/09/18 08:59:57 [error] 891#0: *6 NAXSI_FMT: ip=192.168.50.20&server=victim&uri=/pictures/search.php&total_processed=14&total_blocked=7&zone0=ARGS&id0=1007&var_name0=query, client: 192.168.50.20, server: localhost, request: "GET /pictures/search.php?query=--%3E+%3Csome_dangerous_input_a1056fd2f0ffbb7f18fec9bd33257e12ab5e0494b33011967bcbcbc5699408eb%2F%3E+%3C%21-- HTTP/1.1", host: "victim"

  39. id0=1007

  40. SQL Injection

  42. grok {
      type => "nginx_error"
      # server= carries the virtual host name ("victim" in the line above),
      # so it has to be matched as a hostname rather than an IP address
      match => ["message", "ip=%{IP:client_ip}&server=%{HOSTNAME:server_name}&uri=%{PATH:uri}&total_processed=%{NUMBER:total_processed}&total_blocked=%{NUMBER:total_blocked}&zone0=%{WORD:zone}&id0=%{NUMBER:id}"]
    }

  44. Fail2Ban

  46. [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3

    [ssh-ddos]
    enabled = true
    port = ssh
    filter = sshd-ddos
    logpath = /var/log/auth.log
    maxretry = 6

  47. [ssh-ddos] Ban 192.168.50.20

  48. [nginx-naxsi]
    enabled = true
    port = http,https
    filter = nginx-naxsi
    logpath = /var/log/nginx/*error.log
    maxretry = 2

  49. grok {
      type => "naxsi_fail2ban"
      match => ["message", "WARNING \[nginx-naxsi\] %{WORD:action} %{IP:ip}"]
    }
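Slide 42 pulls the fields out of the NAXSI_FMT line with grok, and slide 48 hands the same error log to Fail2Ban with maxretry = 2. The Python below is an added example, not code from the talk: it parses a constructed set of nginx error-log lines, labels each blocked request by NAXSI rule family (the id ranges follow the layout of the stock naxsi_core.rules file, which is an assumption about the site's ruleset; 1007, the rule on slide 39, falls in the SQL range), and counts hits per client against the jail's threshold the way Fail2Ban does. Only id0 is read, matching the grok pattern; requests that trip several rules carry id1, id2 and so on as well.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed sample of nginx error-log lines in the shape of slide 38:
# two blocked requests from one client, one from another, plus a non-NAXSI line.
SAMPLE_LOG = [
    '2013/09/18 08:59:57 [error] 891#0: *6 NAXSI_FMT: ip=192.168.50.20&server=victim'
    '&uri=/pictures/search.php&total_processed=14&total_blocked=7&zone0=ARGS&id0=1007'
    '&var_name0=query, client: 192.168.50.20, server: localhost, request: '
    '"GET /pictures/search.php?query=--%3E HTTP/1.1", host: "victim"',
    '2013/09/18 08:59:58 [error] 891#0: *7 NAXSI_FMT: ip=192.168.50.20&server=victim'
    '&uri=/pictures/search.php&total_processed=15&total_blocked=8&zone0=ARGS&id0=1302'
    '&var_name0=query, client: 192.168.50.20, server: localhost, request: '
    '"GET /pictures/search.php?query=x HTTP/1.1", host: "victim"',
    '2013/09/18 09:00:01 [error] 891#0: *8 NAXSI_FMT: ip=10.0.0.7&server=victim'
    '&uri=/index.php&total_processed=3&total_blocked=1&zone0=URL&id0=1205'
    '&var_name0=, client: 10.0.0.7, server: localhost, request: '
    '"GET /index.php HTTP/1.1", host: "victim"',
    '2013/09/18 09:00:02 [notice] 891#0: signal process started',
]

# The NAXSI_FMT payload is a query string that runs up to the next whitespace.
NAXSI_FMT = re.compile(r"NAXSI_FMT:\s*(?P<fmt>\S+)")

# Rule-id ranges as laid out in the stock naxsi_core.rules (assumption: the
# site runs those core rules). Each family feeds the matching $SQL/$RFI/...
# score that the CheckRule lines on slide 37 block on.
RULE_FAMILIES = [
    (1000, 1099, "SQL"), (1100, 1199, "RFI"), (1200, 1299, "TRAVERSAL"),
    (1300, 1399, "XSS"), (1400, 1499, "EVADE"), (1500, 1599, "UPLOAD"),
]


def rule_family(rule_id: int) -> str:
    for low, high, family in RULE_FAMILIES:
        if low <= rule_id <= high:
            return family
    return "OTHER"  # NAXSI's internal rules (weird/big request, parse errors) sit below 1000


def parse_naxsi_line(line: str) -> Optional[Dict[str, object]]:
    """Extract the fields the slide 42 grok pattern names; None for non-NAXSI lines."""
    m = NAXSI_FMT.search(line)
    if m is None:
        return None
    # The payload ends with the comma that separates it from "client:"; drop it.
    qs = parse_qs(m.group("fmt").rstrip(","), keep_blank_values=True)
    f = {k: v[0] for k, v in qs.items()}
    rule_id = int(f["id0"])
    return {
        "ip": f["ip"], "server": f["server"], "uri": f["uri"],
        "total_processed": int(f["total_processed"]),
        "total_blocked": int(f["total_blocked"]),
        "zone": f["zone0"], "id": rule_id, "family": rule_family(rule_id),
        "var_name": f.get("var_name0", ""),
    }


def parse_log(lines: List[str]) -> List[Dict[str, object]]:
    return [e for e in map(parse_naxsi_line, lines) if e is not None]


def bans(lines: List[str], maxretry: int = 2) -> List[str]:
    """Client addresses that reach the jail's maxretry, as the [nginx-naxsi]
    jail on slide 48 would ban them (findtime/bantime windows ignored here)."""
    hits = Counter(e["ip"] for e in parse_log(lines))
    return sorted(ip for ip, n in hits.items() if n >= maxretry)
```

Tagging each event with a family is what makes the per-zone and per-rule dashboards useful: a spike in SQL hits against one URI is a different signal from a spread of TRAVERSAL hits across the site, and both are visible before Fail2Ban acts.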

  50. Auditd

  51. Auditd in less than 2 minutes. Maybe.

  52. -a exit,always -S mkdir

  53. type=CWD msg=audit(1379493067.779:57): cwd="/tmp"
    type=PATH msg=audit(1379493067.779:57): item=0 name="vagrant-puppet" inode=20 dev=fc:00 mode=041777 ouid=0 ogid=0 rdev=00:00
    type=SYSCALL msg=audit(1379493067.779:58): arch=c000003e syscall=83 success=yes exit=0 a0=7fff172d0e5e a1=1ed a2=1ed a3=7fff172cf910 items=2 ppid=1239 pid=1241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="mkdir" exe="/bin/mkdir" key=(null)
    type=CWD msg=audit(1379493067.779:58): cwd="/tmp/vagrant-puppet"

  54. cwd="/tmp"

  55. syscall=83

  56. sys_symlink

  58. comm="mkdir"

  59. cwd="/tmp/vagrant-puppet"

  60. aureport or ausearch and something
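Slides 52 to 60 show a single audit rule and the records it produces, then pick out the fields worth watching. The Python below is an added example, not tooling from the talk: it reassembles auditd's multi-record events using the serial after the timestamp, and resolves the syscall number per architecture. That last step is the caveat worth carrying away from slide 55: syscall numbers differ between architectures, and the record's arch=c000003e is x86_64, where 83 is mkdir (consistent with comm="mkdir"); 83 is symlink only in the 32-bit x86 table. The ausyscall utility, which takes the architecture as an argument, resolves numbers beyond the handful in this example's table. The sample records are constructed in the shape of slide 53.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed audit records in the shape of slide 53: one x86_64 mkdir event
# (serial 58) and one 32-bit event carrying the same syscall number (serial 59).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1379493067.779:58): arch=c000003e syscall=83 success=yes exit=0 a0=7fff172d0e5e a1=1ed a2=1ed a3=7fff172cf910 items=2 ppid=1239 pid=1241 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21 comm="mkdir" exe="/bin/mkdir" key=(null)
type=CWD msg=audit(1379493067.779:58):  cwd="/tmp/vagrant-puppet"
type=PATH msg=audit(1379493067.779:58): item=0 name="modules" inode=21 dev=fc:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1379493067.780:59): arch=40000003 syscall=83 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=1 pid=4242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ln" exe="/bin/ln" key="links"
type=CWD msg=audit(1379493067.780:59):  cwd="/home/user"
"""

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
# Values are bare tokens, "quoted strings" or (parenthesised) placeholders such as (null).
KV = re.compile(r'(?P<k>\w+)=(?P<v>"[^"]*"|\([^)]*\)|\S+)')

# Syscall numbers are per architecture, keyed here by the arch field's hex value.
# Only the entries this example needs; `ausyscall <arch> <number>` resolves the rest.
SYSCALL_NAMES = {
    ("c000003e", 83): "mkdir", ("c000003e", 88): "symlink",   # x86_64
    ("40000003", 39): "mkdir", ("40000003", 83): "symlink",   # i386
}


def parse_record(line: str) -> Optional[Dict[str, object]]:
    m = HEADER.match(line)
    if m is None:
        return None
    rec: Dict[str, object] = {k: v.strip('"') for k, v in KV.findall(m.group("rest"))}
    rec.update(type=m.group("type"), ts=float(m.group("ts")), serial=int(m.group("serial")))
    return rec


def group_events(text: str) -> Dict[int, List[Dict[str, object]]]:
    """auditd emits several records per event; the serial after the timestamp ties them together."""
    events: Dict[int, List[Dict[str, object]]] = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return dict(events)


def summarize(records: List[Dict[str, object]]) -> Dict[str, object]:
    """Collapse one event into the fields slides 54 to 59 pick out."""
    by_type = {r["type"]: r for r in records}
    sc = by_type.get("SYSCALL", {})
    arch, number = sc.get("arch"), int(sc.get("syscall", -1))
    key = sc.get("key")
    return {
        "serial": sc.get("serial"),
        "syscall": SYSCALL_NAMES.get((arch, number), f"unknown({arch}:{number})"),
        "success": sc.get("success") == "yes",
        "auid": int(sc["auid"]) if "auid" in sc else None,  # the login uid survives su/sudo
        "comm": sc.get("comm"), "exe": sc.get("exe"),
        "cwd": by_type.get("CWD", {}).get("cwd"),
        "paths": [r["name"] for r in records if r["type"] == "PATH"],
        "key": None if key in (None, "(null)") else key,  # -k rule key, when the rule set one
    }


def events_for_syscall(text: str, name: str) -> List[Dict[str, object]]:
    """What a rule such as `-a exit,always -S mkdir` surfaces, resolved per architecture."""
    return [s for s in map(summarize, group_events(text).values()) if s["syscall"] == name]
```

Giving rules a `-k` key (the second constructed event has one; the slide 52 rule does not, hence key=(null)) makes `ausearch -k` and this kind of grouping far easier than matching on syscall numbers after the fact.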

  61. Security in development
    (Monitor development too)

  62. Monitor security in your pipeline

  63. Virus scan your artefacts

  64. ClamAV + Jenkins

  66. Get data to Graphite

  67. Static analysis

  68. Brakeman for Ruby on Rails

  71. Vulnerabilities in dependencies

  72. OWASP dependency check

  73. Ruby security advisories

  74. Bundler audit

  75. > bundler-audit
    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91452
    Criticality: Medium
    URL: http://www.osvdb.org/show/osvdb/91452
    Title: XSS vulnerability in sanitize_css in Action Pack
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13

  77. it "should have no vulnerable gems" do
      @issues.should have(0).items
    end

  78. rspec audit-rspec.rb -f d
    my application dependencies
      should have no vulnerable gems (FAILED - 1)
      should have a safe version of ruby on rails

    Finished in 0.03949 seconds
    2 examples, 1 failure

  79. Aside: penetration testing tools
    (State of open source)

  80. Skipfish, nikto, w3af, garmr, sslyze, owasp zap, arachni, sqlmap, sslscan, TLSSLed, slowhttptest, DIRB, SQLiBF

  81. BackTrack

  82. The problem with distributing software as a Linux distribution

  83. Configuration management + Vagrant

  84. Penetration testing tools

  85. Vulnerable web apps

  86. Source code

  87. Puppet module

  88. Proactive monitoring
    (Attack yourself)

  90. nmap monitorama.eu

  91. Starting Nmap 5.21 ( http://nmap.org ) at 2013-09-18 15:09 BST
    Nmap scan report for monitorama.eu (141.101.116.49)
    Host is up (0.17s latency).
    Hostname monitorama.eu resolves to 2 IPs. Only scanned 141.101.116.49
    Not shown: 998 filtered ports
    PORT     STATE SERVICE
    80/tcp   open  http
    8080/tcp open  http-proxy
    Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds

  93. it "should have one port open" do
      @open_ports.should have(1).items
    end

  94. it "should have port 80 open" do
      @open_ports.should contain(80)
    end

  96. 1) the monitorama.eu website should have one port open
    Failure/Error: @open_ports.should have(1).items
      expected 1 items, got 12
    # ./nmap-rspec.rb:24:in `block (2 levels) in <top (required)>'

    Finished in 2.47 seconds
    2 examples, 1 failure
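Slides 90 to 96 run nmap against the site and then state the expected exposure as tests. The Python below is an added example, not the nmap-rspec.rb file from the talk: it parses nmap's normal output (a constructed copy of the slide 91 result) into the open ports and returns a list of expectation failures that tells a missing expected port apart from an unexpected listener, the detail that a bare "expected 1 items, got 12" hides. The `run_nmap` helper is the example's own and simply shells out to nmap so the same checks can run against a live result.

```python
import re
import subprocess
from typing import List, Set, Tuple

# Constructed copy of the slide 91 output (not a live scan).
SAMPLE_NMAP = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2013-09-18 15:09 BST
Nmap scan report for monitorama.eu (141.101.116.49)
Host is up (0.17s latency).
Hostname monitorama.eu resolves to 2 IPs. Only scanned 141.101.116.49
Not shown: 998 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 24.18 seconds
"""

# One port-table row: "80/tcp   open  http".
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")


def open_port_entries(text: str) -> List[Tuple[int, str, str]]:
    """(port, protocol, service) for every row whose state is exactly 'open'."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group("state") == "open":
            entries.append((int(m.group("port")), m.group("proto"), m.group("service")))
    return entries


def open_ports(text: str) -> List[int]:
    return [port for port, _, _ in open_port_entries(text)]


def check_expectations(text: str, expected_open: Set[int]) -> List[str]:
    """Failures rather than a bare count: which expected ports are missing and
    which unexpected ones are listening. An empty list means the host matches
    the checklist."""
    found = {port: (proto, service) for port, proto, service in open_port_entries(text)}
    failures = []
    for port in sorted(expected_open - set(found)):
        failures.append(f"expected port {port} open but it is not")
    for port in sorted(set(found) - expected_open):
        proto, service = found[port]
        failures.append(f"unexpected open port {port}/{proto} ({service})")
    return failures


def run_nmap(host: str) -> str:
    """The deck's pattern: scan your own host and hand the output to the checks above."""
    return subprocess.run(["nmap", host], check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for problem in check_expectations(SAMPLE_NMAP, {80}):
        print(problem)
```

Run on the slide 91 output with an expectation of port 80 only, the check reports the 8080 http-proxy listener by name, which is the line a checklist-style alert should carry.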

  97. Arachni

  99. Web application security scanner

  100. arachni http://victim --modules=xss

  101. [+] 2 issues were detected.

    [+] [1] Trusted -- Cross-Site Scripting (XSS)
    [~] ~~~~~~~~~~~~~~~~~~~~
    [~] ID Hash:
    [~] Severity: High
    [~] URL: http://victim/pictures/search.php
    [~] Element: form
    [~] Method: GET
    [~] Tags: xss, regexp, injection, script
    [~] Variable: query
    [~] Description:
    [~] Client-side code (like JavaScript) can be injected
        into the web application which is then returned to
        the user's browser. This can lead to a compromise
        of the client's system or serve as a pivoting
        point for other attacks.

  103. OWASP ZAP

  105. Spider an entire site

  106. Record session via HTTP proxy

  107. ./zap.sh -daemon

  108. Python API

  110. zap = ZAP()
    zap.openurl(TARGET)
    zap.start_spider(TARGET)
    zap.start_scan(TARGET)

  111. http://victim/pictures/search.php
    +------+----------------------------------+
    | Risk | Description                      |
    +------+----------------------------------+
    | High | Cross Site Scripting (Reflected) |
    +------+----------------------------------+
    http://victim/css/
    +--------+--------------------+
    | Risk   | Description        |
    +--------+--------------------+
    | Medium | Directory browsing |
    +--------+--------------------+
    http://victim/users/login.php
    +---------------+---------------------------------------+
    | Risk          | Description                           |
    +---------------+---------------------------------------+
    | Informational | X-Frame-Options header not set        |
    | Low           | Cookie set without HttpOnly flag      |
    | Low           | Password Autocomplete in browser      |
    | Low           | X-Content-Type-Options header missing |
    | Medium        | Application Error disclosure          |
    +---------------+---------------------------------------+

  112. Gauntlt

  114. Cucumber + security tool integrations

  115. Officially supports curl, nmap, sslyze, sqlmap, garmr

  117. $ gauntlt methods.attack

  119. Support in master: dirb, arachni

  121. $ gauntlt xss.attack

  122. Conclusions
    (You convinced me, now what?)

  123. 1. Use security monitoring to build and maintain checklists

  124. 2. Use penetration tests to discover how attackers work

  125. 3. Get security (monitoring) into your development pipeline

  126. 4. Help with packaging and configuration management

  127. 5. Help integrate security tools with monitoring systems

  128. 6. Get security together with developers and operations

  129. Questions?
    (And thanks for listening)