Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security monitoring - with open source penetration testing tools

Gareth Rushgrove
November 15, 2013
Technology
11
2.4k

Security monitoring - with open source penetration testing tools

Talk given at Velocity Europe. This is an extended version of my previous security monitoring talk given at Monitorama. This talk contains even more examples and a new section on security monitoring as part of the development process.

Gareth Rushgrove

November 15, 2013
Tweet

More Decks by Gareth Rushgrove

See All by Gareth Rushgrove
GTM vs Open Source
garethr
0
590
Software Build of Materials For Cloud Native applications
garethr
1
310
Evolving vulnerabilities in CycloneDX
garethr
0
230
Configuration security is a developer problem
garethr
2
1.8k
Patterns for secure container base image management
garethr
1
1.7k
Testing configuration with Open Policy Agent
garethr
0
430
Building a Docker Image Packaging Pipeline Using GitHub Actions
garethr
5
1.7k
The perils of configuration security
garethr
1
170
Shifting Terraform security left
garethr
3
1.4k

Other Decks in Technology

See All in Technology
Princess APIのAPIクライアントをTypeScriptで作ってnpmで公開してみた
ohmori_yusuke
1
470
CloudWatch複合アラームでELBの5XXをいい感じに検知しようとしたらうまくいかなかった話 / cloudwatch alarm elb 5xx
gotok365
0
580
組織の立ち上げと体制変更の1年
tarappo
2
580
食べログChatGPTプラグイン導入で見えてきた未来:データサイエンティストの向き合い方
moritama1515
PRO
3
410
Microsoft Build 2023 ふりかえり - IoT と AI 周りを中心に
mode86
0
140
AIの標準化や法規制に関する動向 (2023年版)
asei
1
200
GLOBIS データサイエンスチームのご紹介/ GLOBIS Data Science Team is hiring.
globis_gdp
0
1.9k
[春のDojo祭り'23] いまからでも遅くない!データベース超入門 ハンズオン編
leekwangsoo1995
2
340
microCMSのエンジニア組織と文化
microcms
0
500
【Oracle Cloud ウェビナー】Oracle Databaseはクラウドに移行するべきか否か 全10ケースをご紹介 (2023年5月24日)
oracle4engineer
PRO
1
110
ユーザーストーリーマッピング
kawaguti
PRO
4
860
NAB Show 2023 動画技術関連レポート / NAB Show 2023 Report
cyberagentdevelopers
PRO
1
130

Featured

See All Featured
Art, The Web, and Tiny UX
lynnandtonic
285
18k
Agile that works and the tools we love
rasmusluckow
322
20k
Six Lessons from altMBA
skipperchong
16
2.5k
The Cult of Friendly URLs
andyhume
70
5.2k
4 Signs Your Business is Dying
shpigford
171
20k
WebSockets: Embracing the real-time Web
robhawkes
58
6.2k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.1k
Ruby is Unlike a Banana
tanoku
93
9.7k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Writing Fast Ruby
sferik
613
58k
Git: the NoSQL Database
bkeepers
PRO
420
60k
Building Flexible Design Systems
yeseniaperezcruz
315
35k

Transcript

  1. Security
    Monitoring!
    With Open Source !
    Penetration Testing!
    Tools
    Gareth Rushgrove

    View Slide

  2. Who
    (Who is this person?)

    View Slide

  3. @garethr

    View Slide

  4. UK Government
    Digital Service

    View Slide

  5. View Slide

  6. How did it come to this, that the government
    has one of the most exciting start-ups in the
    UK?!

    View Slide

  7. View Slide

  8. The Problem
    (Why talk about security
    monitoring)

    View Slide

  9. The continuous
    delivery argument
    Gareth Rushgrove

    View Slide

  10. How often do you
    change your
    applications?
    Gareth Rushgrove

    View Slide

  11. Gareth Rushgrove
    How often do you
    conduct penetration
    tests?

    View Slide

  12. The security is part
    of quality assurance
    argument
    Gareth Rushgrove

    View Slide

  13. Testing used to be
    manual, slow and
    expensive
    Gareth Rushgrove

    View Slide

  14. Testing is now
    automated, fast and
    done on every commit
    Gareth Rushgrove

    View Slide

  15. Security testing is
    still mainly manual,
    slow and expensive
    Gareth Rushgrove

    View Slide

  16. This presentation
    (What to expect from this talk)

    View Slide

  17. Reactive security
    monitoring
    Gareth Rushgrove
    1

    View Slide

  18. Monitoring security in
    development
    Gareth Rushgrove
    2

    View Slide

  19. Proactive security
    testing
    Gareth Rushgrove
    3

    View Slide

  20. Gareth Rushgrove
    4
    What you can do

    View Slide

  21. Gareth Rushgrove
    WARNING. Code in
    this presentation
    works but isn’t always
    pretty

    View Slide

  22. Reactive
    monitoring
    (Watch for weirdness)

    View Slide

  23. rkhunter
    Gareth Rushgrove

    View Slide

  24. Gareth Rushgrove

    View Slide

  25. rkhunter \
    --check \
    --no-mail-on-warning \
    --skip-keypress
    Gareth Rushgrove

    View Slide

  26. Tuxtendo Rootkit [ Not found ]
    URK Rootkit [ Not found ]
    Vampire Rootkit [ Not found ]
    VcKit Rootkit [ Not found ]
    Volc Rootkit [ Found ]
    Xzibit Rootkit [ Not found ]
    X-Org SunOS Rootkit [ Not found ]
    zaRwT.KiT Rootkit [ Not found ]
    ZK Rootkit [ Not found ]
    Performing additional rootkit checks
    Suckit Rookit additional checks [ OK ]
    Checking for possible rootkit files and directories [ None found ]
    Checking for possible rootkit strings [ None found ]
    Gareth Rushgrove

    View Slide

  27. View Slide

  28. Gareth Rushgrove

    View Slide

  29. rkhunter \
    --check \
    --nocolors \
    --no-mail-on-warning \
    --skip-keypress \
    --no-summary | rkhunter-librato.py
    Gareth Rushgrove

    View Slide

  30. Gareth Rushgrove

    View Slide

  31. Gareth Rushgrove

    View Slide

  32. def test_beastkit_not_installed():
    assert (metric("beastkit_rootkit") == 0)
    Gareth Rushgrove

    View Slide

  33. >> nosetests -v rkhunter-librato-test.py
    rkhunter-libratoo-test.test_beastkit_not_installed ... ok
    ---------------------------------------------------------
    Ran 1 test in 1.585s
    OK
    Gareth Rushgrove

    View Slide

  34. Nginx Naxsi
    Gareth Rushgrove

    View Slide

  35. Web Application
    Firewall
    Gareth Rushgrove

    View Slide

  36. Gareth Rushgrove

    View Slide

  37. SecRulesEnabled;
    DeniedUrl "/RequestDenied";
    CheckRule "$SQL >= 8" BLOCK;
    CheckRule "$RFI >= 8" BLOCK;
    CheckRule "$TRAVERSAL >= 4" BLOCK;
    CheckRule "$EVADE >= 4" BLOCK;
    CheckRule "$XSS >= 8" BLOCK;
    Gareth Rushgrove

    View Slide

  38. 2013/09/18 08:59:57 [error] 891#0: *6 NAXSI_FMT:
    ip=192.168.50.20&server=victim&uri=/pictures/
    search.php&total_processed=14&total_blocked=7&zo
    ne0=ARGS&id0=1007&var_name0=query, client:
    192.168.50.20, server: localhost, request:
    "GET /pictures/search.php?query=--%3E+
    %3Csome_dangerous_input_a1056fd2f0ffbb7f18fec9bd
    33257e12ab5e0494b33011967bcbcbc5699408eb%2F%3E+
    %3C%21-- HTTP/1.1", host: "victim"
    !
    Gareth Rushgrove

    View Slide

  39. id0=1007
    Gareth Rushgrove

    View Slide

  40. SQL Injection
    Gareth Rushgrove

    View Slide

  41. Gareth Rushgrove

    View Slide

  42. grok {
    type => "nginx_error"
    match => ["message", "
    ip=%{IP:client_ip}&
    server=%{IP:server_ip}&
    uri=%{PATH:uri}&
    total_processed=%{NUMBER:total_processed}&
    total_blocked=%{NUMBER:total_blocked}&
    zone0=%{WORD:zone}&
    id0=%{NUMBER:id}"]
    }
    Gareth Rushgrove

    View Slide

  43. Gareth Rushgrove

    View Slide

  44. Fail2Ban
    Gareth Rushgrove

    View Slide

  45. Gareth Rushgrove

    View Slide

  46. [ssh]
    enabled = true
    port = ssh
    filter = sshd
    logpath = /var/log/auth.log
    maxretry = 3
    [ssh-ddos]
    enabled = true
    port = ssh
    filter = sshd-ddos
    logpath = /var/log/auth.log
    maxretry = 6
    Gareth Rushgrove

    View Slide

  47. [ssh-ddos] Ban 192.168.50.20
    Gareth Rushgrove

    View Slide

  48. [nginx-naxsi]
    enabled = true
    port = http,https
    filter = nginx-naxsi
    logpath = /var/log/nginx/*error.log
    maxretry = 2
    Gareth Rushgrove

    View Slide

  49. grok {
    type => "naxsi_fail2ban"
    match => ["message", "
    WARNING \[nginx-naxsi\]
    %{WORD:action} %{IP:ip}"
    ]
    }
    Gareth Rushgrove

    View Slide

  50. Auditd
    Gareth Rushgrove

    View Slide

  51. Auditd in less than 2
    minutes. Maybe.
    Gareth Rushgrove

    View Slide

  52. -a exit,always -S mkdir
    Gareth Rushgrove

    View Slide

  53. type=CWD msg=audit(1379493067.779:57): cwd="/tmp"
    type=PATH msg=audit(1379493067.779:57): item=0
    name="vagrant-puppet" inode=20 dev=fc:00 mode=041777
    ouid=0 ogid=0 rdev=00:00
    type=SYSCALL msg=audit(1379493067.779:58):
    arch=c000003e syscall=83 success=yes exit=0
    a0=7fff172d0e5e a1=1ed a2=1ed a3=7fff172cf910 items=2
    ppid=1239 pid=1241 auid=0 uid=0 gid=0 euid=0 suid=0
    fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=21
    comm="mkdir" exe="/bin/mkdir" key=(null)
    type=CWD msg=audit(1379493067.779:58): cwd="/tmp/
    vagrant-puppet"
    Gareth Rushgrove

    View Slide

  54. cwd="/tmp"
    Gareth Rushgrove

    View Slide

  55. syscall=83
    Gareth Rushgrove

    View Slide

  56. sys_symlink
    Gareth Rushgrove

    View Slide

  57. Gareth Rushgrove

    View Slide

  58. comm="mkdir"
    Gareth Rushgrove

    View Slide

  59. cwd="/tmp/vagrant-puppet"
    Gareth Rushgrove

    View Slide

  60. aureport or ausearch
    and something
    Gareth Rushgrove

    View Slide

  61. Security in
    development
    (Monitor development too)

    View Slide

  62. Monitor security in
    your pipeline
    Gareth Rushgrove

    View Slide

  63. Virus scan your
    artefacts
    Gareth Rushgrove

    View Slide

  64. Gareth Rushgrove
    ClamAV +
    Jenkins

    View Slide

  65. Gareth Rushgrove

    View Slide

  66. Gareth Rushgrove
    Get data to
    Graphite

    View Slide

  67. Static analysis
    Gareth Rushgrove

    View Slide

  68. Brakeman for Ruby
    on Rails
    Gareth Rushgrove

    View Slide

  69. Gareth Rushgrove

    View Slide

  70. Gareth Rushgrove

    View Slide

  71. Vulnerabilities in
    dependencies
    Gareth Rushgrove

    View Slide

  72. Gareth Rushgrove
    OWASP
    dependency
    check

    View Slide

  73. Gareth Rushgrove
    Ruby
    security
    advisories

    View Slide

  74. Gareth Rushgrove
    Bundler
    audit

    View Slide

  75. > bundler-audit
    !
    Name: actionpack
    Version: 3.2.10
    Advisory: OSVDB-91452
    Criticality: Medium
    URL: http://www.osvdb.org/show/osvdb/91452
    Title: XSS vulnerability in sanitize_css in
    Action Pack
    Solution: upgrade to ~> 2.3.18, ~> 3.1.12,
    >= 3.2.13
    Gareth Rushgrove

    View Slide

  76. Gareth Rushgrove

    View Slide

  77. it "should have no vulnerable gems" do
    @issues.should have(0).items
    end
    Gareth Rushgrove

    View Slide

  78. rspec audit-rspec.rb -f d
    my application dependencies
    should have no vulnerable gems (FAILED - 1)
    should have a safe version of ruby on rails
    !
    Finished in 0.03949 seconds
    2 examples, 1 failure
    Gareth Rushgrove

    View Slide

  79. Aside:
    penetration
    testing tools
    (State of open source)

    View Slide

  80. Skipfish, nikto, w3af,
    garmr, sslyze, owasp
    zap, arachni, sqlmap,
    sslscan, TLSSLed,
    slowhttptest, DIRB,
    SQLiBF
    Gareth Rushgrove

    View Slide

  81. BackTrack
    Gareth Rushgrove

    View Slide

  82. The problem with
    distributing software
    as a Linux distribution
    Gareth Rushgrove

    View Slide

  83. Configuration
    management +
    Vagrant
    Gareth Rushgrove

    View Slide

  84. Penetration
    testing tools

    View Slide

  85. Vulnerable
    web apps

    View Slide

  86. Source
    code

    View Slide

  87. Puppet
    module

    View Slide

  88. Proactive
    monitoring
    (Attack yourself)

    View Slide

  89. Gareth Rushgrove

    View Slide

  90. nmap monitorama.eu
    Gareth Rushgrove

    View Slide

  91. Starting Nmap 5.21 ( http://nmap.org ) at
    2013-09-18 15:09 BST
    Nmap scan report for monitorama.eu
    (141.101.116.49)
    Host is up (0.17s latency).
    Hostname monitorama.eu resolves to 2 IPs. Only
    scanned 141.101.116.49
    Not shown: 998 filtered ports
    PORT STATE SERVICE
    80/tcp open http
    8080/tcp open http-proxy
    Nmap done: 1 IP address (1 host up) scanned in
    24.18 seconds
    Gareth Rushgrove

    View Slide

  92. Gareth Rushgrove

    View Slide

  93. it "should have one port open" do
    @open_ports.should have(1).items
    end
    Gareth Rushgrove

    View Slide

  94. it "should have port 80 open" do
    @open_ports.should contain(80)
    end
    Gareth Rushgrove

    View Slide

  95. Gareth Rushgrove

    View Slide

  96. 1) the monitorama.eu website should have one port open
    Failure/Error: @open_ports.should have(1).items
    expected 1 items, got 12
    # ./nmap-rspec.rb:24:in `block (2 levels) in (required)>'
    !
    Finished in 2.47 seconds
    2 examples, 1 failure
    Gareth Rushgrove

    View Slide

  97. Arachni
    Gareth Rushgrove

    View Slide

  98. Gareth Rushgrove

    View Slide

  99. Web application
    security scanner
    Gareth Rushgrove

    View Slide

  100. arachni http://victim --modules=xss
    Gareth Rushgrove

    View Slide

  101. +
    +[+] 2 issues were detected.
    +
    +[+] [1] Trusted -- Cross-Site Scripting (XSS)
    +[~] ~~~~~~~~~~~~~~~~~~~~
    +[~] ID Hash:
    +[~] Severity: High
    +[~] URL: http://victim/pictures/search.php
    +[~] Element: form
    +[~] Method: GET
    +[~] Tags: xss, regexp, injection, script
    +[~] Variable: query
    +[~] Description:
    +[~] Client-side code (like JavaScript) can be injected
    + into the web application which is then returned to
    + the user's browser. This can lead to a compromise
    + of the client's system or serve as a pivoting
    + point for other attacks.
    +
    Gareth Rushgrove

    View Slide

  102. Gareth Rushgrove

    View Slide

  103. OWASP ZAP
    Gareth Rushgrove
    OWASP
    ZAP

    View Slide

  104. Gareth Rushgrove

    View Slide

  105. Spider an entire site
    Gareth Rushgrove

    View Slide

  106. Record session via
    HTTP proxy
    Gareth Rushgrove

    View Slide

  107. ./zap.sh -daemon
    Gareth Rushgrove

    View Slide

  108. Gareth Rushgrove
    Python
    API

    View Slide

  109. Gareth Rushgrove

    View Slide

  110. zap = ZAP()
    zap.openurl(TARGET)
    zap.start_spider(TARGET)
    zap.start_scan(TARGET)
    Gareth Rushgrove

    View Slide

  111. http://victim/pictures/search.php
    +------+----------------------------------+
    | Risk | Description |
    +------+----------------------------------+
    | High | Cross Site Scripting (Reflected) |
    +------+----------------------------------+
    http://victim/css/
    +--------+--------------------+
    | Risk | Description |
    +--------+--------------------+
    | Medium | Directory browsing |
    +--------+--------------------+
    http://victim/users/login.php
    +---------------+---------------------------------------+
    | Risk | Description |
    +---------------+---------------------------------------+
    | Informational | X-Frame-Options header not set |
    | Low | Cookie set without HttpOnly flag |
    | Low | Password Autocomplete in browser |
    | Low | X-Content-Type-Options header missing |
    | Medium | Application Error disclosure |
    +---------------+---------------------------------------+
    Gareth Rushgrove

    View Slide

  112. Gauntlt
    Gareth Rushgrove

    View Slide

  113. Gareth Rushgrove

    View Slide

  114. Cucumber + security
    tool integrations
    Gareth Rushgrove

    View Slide

  115. Officially supports!
    curl, nmap, sslyze,
    sqlmap, garmr
    Gareth Rushgrove

    View Slide

  116. Gareth Rushgrove

    View Slide

  117. $ gauntlt methods.attack
    Gareth Rushgrove

    View Slide

  118. Gareth Rushgrove

    View Slide

  119. Support in master
    dirb, arachni
    Gareth Rushgrove

    View Slide

  120. Gareth Rushgrove

    View Slide

  121. $ gauntlt xss.attack
    Gareth Rushgrove

    View Slide

  122. Conclusions
    (You convinced me, now what?)

    View Slide

  123. Gareth Rushgrove
    Use security
    monitoring to build and
    maintain checklists
    1

    View Slide

  124. Gareth Rushgrove
    Use penetration tests
    to discover how
    attackers work
    2

    View Slide

  125. Get security
    (monitoring) into your
    development pipeline
    Gareth Rushgrove
    3

    View Slide

  126. Gareth Rushgrove
    Help with packaging
    and configuration
    management
    4

    View Slide

  127. Gareth Rushgrove
    5
    Help integrate
    security tools with
    monitoring systems

    View Slide

  128. Gareth Rushgrove
    Get security together
    with developers and
    operations
    6

    View Slide

  129. Questions?
    (And thanks for listening)

    View Slide