gauntlt 0.0.0 → 0.0.5
- data/.gitignore +3 -0
- data/.gitmodules +6 -0
- data/.travis.yml +9 -0
- data/Gemfile +3 -2
- data/LICENSE +10 -0
- data/README.md +95 -0
- data/Rakefile +4 -0
- data/bin/gauntlt +51 -2
- data/features/attack.feature +62 -0
- data/features/attacks/cookies.feature +25 -0
- data/features/attacks/curl.feature +23 -0
- data/features/attacks/http_methods.feature +33 -0
- data/features/attacks/nmap.feature +40 -0
- data/features/attacks/sqlmap.feature +17 -0
- data/features/attacks/sslyze.feature +36 -0
- data/features/help.feature +37 -0
- data/features/report.feature +5 -0
- data/features/step_definitions/aruba_extension_steps.rb +3 -0
- data/features/step_definitions/config_steps.rb +3 -0
- data/features/step_definitions/help_steps.rb +8 -0
- data/features/step_definitions/support_steps.rb +5 -0
- data/features/support/aruba.rb +5 -0
- data/features/support/attack_steps.rb +1 -0
- data/features/support/env.rb +1 -0
- data/features/support/hooks.rb +3 -0
- data/features/support/profile/profile.xml +5 -0
- data/gauntlt.gemspec +13 -8
- data/gem_tasks/cucumber.rake +5 -0
- data/gem_tasks/rspec.rake +6 -0
- data/lib/gauntlt.rb +35 -1
- data/lib/gauntlt/attack.rb +32 -0
- data/lib/gauntlt/attack_adapters/cookies.rb +11 -0
- data/lib/gauntlt/attack_adapters/curl.rb +3 -0
- data/lib/gauntlt/attack_adapters/http_methods.rb +12 -0
- data/lib/gauntlt/attack_adapters/nmap.rb +14 -0
- data/lib/gauntlt/attack_adapters/sqlmap.rb +3 -0
- data/lib/gauntlt/attack_adapters/sslyze.rb +15 -0
- data/lib/gauntlt/attack_adapters/support/cli_helper.rb +18 -0
- data/lib/gauntlt/attack_adapters/support/cookie_helper.rb +27 -0
- data/lib/gauntlt/attack_adapters/support/env.rb +1 -0
- data/lib/gauntlt/attack_adapters/support/hooks.rb +3 -0
- data/lib/gauntlt/attack_adapters/support/nmap_helper.rb +13 -0
- data/lib/gauntlt/attack_adapters/support/profile_helper.rb +12 -0
- data/lib/gauntlt/attack_adapters/support/python_script_helper.rb +70 -0
- data/lib/gauntlt/attack_adapters/support/sslyze_output.README +91 -0
- data/lib/gauntlt/version.rb +1 -1
- data/spec/gauntlt/attack_spec.rb +58 -0
- data/spec/gauntlt_spec.rb +43 -0
- data/spec/spec_helper.rb +18 -0
- data/spec/support/mock_constants.rb +46 -0
- metadata +199 -12
- data/Gemfile.lock +0 -44
data/.gitignore
CHANGED
data/.gitmodules
ADDED
data/.travis.yml
ADDED
@@ -0,0 +1,9 @@
|
|
1
|
+
language: ruby
|
2
|
+
rvm:
|
3
|
+
- 1.9.3
|
4
|
+
before_install:
|
5
|
+
- git submodule update --init --recursive
|
6
|
+
before_script:
|
7
|
+
- sudo apt-get install nmap
|
8
|
+
- export SSLYZE_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sslyze/sslyze.py"
|
9
|
+
- export SQLMAP_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sqlmap/sqlmap.py"
|
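Review bot: the two `export` lines at the end of this hunk hardcode `/home/vagrant/builds/thegauntlet/gauntlt/vendor/...`, a path that only exists on Travis' vagrant workers, so `SSLYZE_PATH` and `SQLMAP_PATH` will not resolve on a fork, on a differently named build directory, or on a local run of the same config. Derive them from the checkout instead, e.g. `- export SSLYZE_PATH="$PWD/vendor/sslyze/sslyze.py"`. The `sudo apt-get install nmap` line should also pass `-y` (and be preceded by `sudo apt-get update`) so the install can neither stall on a confirmation prompt nor miss a stale package index.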
data/Gemfile
CHANGED
data/LICENSE
ADDED
@@ -0,0 +1,10 @@
|
|
1
|
+
The MIT License (MIT)
|
2
|
+
|
3
|
+
Copyright (c) 2012 James Wickett, Mani Tadayon, gauntlt.org
|
4
|
+
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
|
6
|
+
|
7
|
+
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
|
8
|
+
|
9
|
+
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
10
|
+
|
data/README.md
ADDED
@@ -0,0 +1,95 @@
|
|
1
|
+
# gauntlt [![Build Status](https://secure.travis-ci.org/thegauntlet/gauntlt.png?branch=master)](http://travis-ci.org/thegauntlet/gauntlt)
|
2
|
+
|
3
|
+
gauntlt is a ruggedization framework
|
4
|
+
|
5
|
+
## PROJECT STATUS
|
6
|
+
|
7
|
+
The gauntlt project is under active development and is not ready for production use but we are looking for community feedback and involvement on the project. Please file issues via github and follow the project on twitter: [@gauntlt](https://twitter.com/gauntlt).
|
8
|
+
|
9
|
+
Have questions? Ask us anything on the [gauntlt google group](http://bit.ly/gauntlt_group).
|
10
|
+
|
11
|
+
## GET STARTED
|
12
|
+
|
13
|
+
Before you start, please note that gauntlt is tested regularly against ruby 1.9.3. We don't test againt older versions of ruby. Keep in mind that you run gauntlt separately from the application it targets, so it does not matter whether the targeted application uses ruby.
|
14
|
+
|
15
|
+
1. Clone the git repo
|
16
|
+
|
17
|
+
$ git clone --recursive git@github.com:thegauntlet/gauntlt.git
|
18
|
+
$ cd gauntlt
|
19
|
+
|
20
|
+
|
21
|
+
2. Install bundler
|
22
|
+
|
23
|
+
$ gem install bundler
|
24
|
+
|
25
|
+
|
26
|
+
3. Install dependencies
|
27
|
+
|
28
|
+
Note, you may see errors in bundle related to the curb gem. It is looking for curl dependencies. In ubuntu you can do a sudo apt-get install libcurl4-openssl-dev
|
29
|
+
|
30
|
+
$ bundle
|
31
|
+
|
32
|
+
4. Create an attack file
|
33
|
+
|
34
|
+
# general format
|
35
|
+
$ bin/gauntlt attack --name <attack_name> --attack-file my_attack.attack
|
36
|
+
|
37
|
+
# for example, launch an nmap attack
|
38
|
+
# nmap.attack
|
39
|
+
Feature: nmap attacks
|
40
|
+
Background:
|
41
|
+
Given "nmap" is installed
|
42
|
+
And the target hostname is "google.com"
|
43
|
+
|
44
|
+
Scenario: Verify server is available on standard web ports
|
45
|
+
When I launch an "nmap" attack with:
|
46
|
+
"""
|
47
|
+
nmap -p 80,443 <hostname>
|
48
|
+
"""
|
49
|
+
Then the output should contain:
|
50
|
+
"""
|
51
|
+
80/tcp open http
|
52
|
+
443/tcp open https
|
53
|
+
"""
|
54
|
+
|
55
|
+
$ bin/gauntlt attack -n nmap -a nmap.attack
|
56
|
+
|
57
|
+
For more attack examples, refer to features/attacks.
|
58
|
+
|
59
|
+
5. Other commands
|
60
|
+
|
61
|
+
# list defined attacks
|
62
|
+
$ bin/gauntlt attack --list
|
63
|
+
|
64
|
+
# get help
|
65
|
+
$ bin/gauntlt help
|
66
|
+
|
67
|
+
|
68
|
+
## ROADMAP
|
69
|
+
|
70
|
+
We are adding different features into gauntlt rignt now. Please submit issues via github and tag them as enhancements. The core team meets weekly and will divide out the enhancement requests into our monthly releases.
|
71
|
+
|
72
|
+
Below are some tools we are targeting but don't let that stop you from adding your favorite hacking tool.
|
73
|
+
|
74
|
+
* [curl] [curl]
|
75
|
+
* [nmap] [nmap]
|
76
|
+
* [sslyze] [sslyze]
|
77
|
+
* [sqlmap] [sqlmap]
|
78
|
+
* [w3af] [w3af]
|
79
|
+
* [arachni] [arachni]
|
80
|
+
|
81
|
+
Have questions? Ask us anything on the [gauntlt google group](http://bit.ly/gauntlt_group).
|
82
|
+
|
83
|
+
## ADD A MODULE
|
84
|
+
See the wiki on how to add a module into gauntlt. We would love your contributions.
|
85
|
+
|
86
|
+
## LICENSE
|
87
|
+
|
88
|
+
gauntlt is licensed under The MIT License. See the LICENSE file in the repo or visit [gauntlt.mit-license.org](http://gauntlt.mit-license.org/) for details.
|
89
|
+
|
90
|
+
[curl]: http://curl.haxx.se
|
91
|
+
[nmap]: http://nmap.org
|
92
|
+
[sslyze]: https://github.com/iSECPartners/sslyze
|
93
|
+
[w3af]: http://w3af.sourceforge.net
|
94
|
+
[sqlmap]: http://sqlmap.org
|
95
|
+
[arachni]: http://arachni-scanner.com
|
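Review bot: step 1 of GET STARTED clones via the SSH URL `git@github.com:thegauntlet/gauntlt.git`, which fails for anyone without a GitHub SSH key; show the `https://github.com/thegauntlet/gauntlt.git` form instead (keeping `--recursive`, which the vendored sslyze and sqlmap submodules in `.gitmodules` require). The example attack file in step 4 sets `the target hostname is "google.com"`; a README example should point at a host the reader owns or at a local test server, because port scanning third-party infrastructure requires authorization, and the pinned `80/tcp open http` / `443/tcp open https` output will drift with whatever that third party serves. Two typos in the same hunk: "againt" in the GET STARTED intro and "rignt" under ROADMAP.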
data/Rakefile
CHANGED
data/bin/gauntlt
CHANGED
@@ -1,4 +1,53 @@
|
|
1
1
|
#!/usr/bin/env ruby
|
2
|
-
|
2
|
+
$:.unshift(File.join(File.dirname(__FILE__), "/../lib"))
|
3
3
|
require 'gauntlt'
|
4
|
-
|
4
|
+
|
5
|
+
require 'acclaim'
|
6
|
+
|
7
|
+
class Gauntlt::Command < Acclaim::Command
|
8
|
+
option :help, '-h', '--help', 'Help outputs available command options'
|
9
|
+
option :version, '-v', '--version', 'Version of app'
|
10
|
+
|
11
|
+
when_called do |options, args|
|
12
|
+
if options.help? || options.empty?
|
13
|
+
help options: false
|
14
|
+
Gauntlt::Command.run 'help'
|
15
|
+
elsif options.version?
|
16
|
+
puts Gauntlt::VERSION
|
17
|
+
end
|
18
|
+
end
|
19
|
+
end
|
20
|
+
|
21
|
+
# gauntlt attack ...
|
22
|
+
class Gauntlt::Command::Attack < Gauntlt::Command
|
23
|
+
option :help, '-h', '--help', 'Help outputs available command options'
|
24
|
+
option :list, '-l', '--list', 'List of available attacks'
|
25
|
+
|
26
|
+
option :name, '-n', '--name', 'Name of attack to launch', arity: [1, 0]
|
27
|
+
option :attack_file, '-a', '--attack-file', 'Name of file with attack definition', arity: [1, 0]
|
28
|
+
|
29
|
+
action do |options, args|
|
30
|
+
if options.list? || options.empty?
|
31
|
+
puts "Available attacks:"
|
32
|
+
puts ""
|
33
|
+
puts Gauntlt.attacks.map{|a| " #{a}"}.join("\n")
|
34
|
+
puts ""
|
35
|
+
puts " try: gauntlt attack -n nmap"
|
36
|
+
elsif options.help?
|
37
|
+
help options: false
|
38
|
+
Gauntlt::Command.run 'help'
|
39
|
+
puts " try: gauntlt attack -n nmap -a your.attack"
|
40
|
+
else
|
41
|
+
if options.attack_file? && options.name?
|
42
|
+
puts Gauntlt.attack(options.name, :attack_file => options.attack_file)
|
43
|
+
else
|
44
|
+
puts " Must specify name and attack-file"
|
45
|
+
puts ""
|
46
|
+
puts " try: gauntlt attack -n nmap -a your.attack"
|
47
|
+
raise
|
48
|
+
end
|
49
|
+
end
|
50
|
+
end
|
51
|
+
end
|
52
|
+
|
53
|
+
Gauntlt::Command.run *ARGV
|
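Review bot: the bare `raise` on line 47 of the new file aborts with an unhandled `RuntimeError` and a stack trace right after the usage text, which is the wrong failure interface for a CLI; `exit 1` gives the non-zero status the attack.feature scenarios depend on without the trace, or use `raise ArgumentError, "Must specify name and attack-file"` if an exception is wanted so the message is at least meaningful. Style: `$:.unshift(File.join(File.dirname(__FILE__), "/../lib"))` works, but the leading slash in the second argument is redundant and `$:.unshift(File.expand_path('../../lib', __FILE__))` is the idiomatic form.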
@@ -0,0 +1,62 @@
|
|
1
|
+
Feature: Verify the attack behaviour is correct
|
2
|
+
|
3
|
+
In order to ensure attack behaviour is correct,
|
4
|
+
As a software developer or security expert,
|
5
|
+
I want to run automated attacks that will pass or fail.
|
6
|
+
|
7
|
+
Scenario: List available attack steps
|
8
|
+
Given an attack "nmap" exists
|
9
|
+
When I run `gauntlt attack --list`
|
10
|
+
Then it should pass with:
|
11
|
+
"""
|
12
|
+
nmap
|
13
|
+
"""
|
14
|
+
|
15
|
+
Scenario: Run attack for existing tests
|
16
|
+
Given an attack "nmap" exists
|
17
|
+
And a file named "nmap.attack" with:
|
18
|
+
"""
|
19
|
+
Feature: my nmap attacks
|
20
|
+
Scenario: nmap attack works
|
21
|
+
Given "nmap" is installed
|
22
|
+
And the target hostname is "google.com"
|
23
|
+
When I launch an "nmap" attack with:
|
24
|
+
\"\"\"
|
25
|
+
nmap -p 80,443 <hostname>
|
26
|
+
\"\"\"
|
27
|
+
Then the output should contain:
|
28
|
+
\"\"\"
|
29
|
+
80/tcp open http
|
30
|
+
443/tcp open https
|
31
|
+
\"\"\"
|
32
|
+
"""
|
33
|
+
When I run `gauntlt attack --name nmap --attack-file nmap.attack`
|
34
|
+
Then it should pass
|
35
|
+
|
36
|
+
Scenario: Bad attack name specified
|
37
|
+
When I run `gauntlt attack --name thisattackwouldneverexist`
|
38
|
+
Then it should fail with:
|
39
|
+
"""
|
40
|
+
Must specify name and attack-file
|
41
|
+
"""
|
42
|
+
|
43
|
+
Scenario: No attack name specified
|
44
|
+
When I run `gauntlt attack --attack-file thisattackwouldneverexist`
|
45
|
+
Then it should fail with:
|
46
|
+
"""
|
47
|
+
Must specify name and attack-file
|
48
|
+
"""
|
49
|
+
|
50
|
+
Scenario: Bad attack file specified
|
51
|
+
When I run `gauntlt attack --name nmap --attack-file thisattackwouldneverexist`
|
52
|
+
Then it should fail with:
|
53
|
+
"""
|
54
|
+
No 'thisattackwouldneverexist' attack found
|
55
|
+
"""
|
56
|
+
|
57
|
+
Scenario: No attack file specified
|
58
|
+
When I run `gauntlt attack --name nmap`
|
59
|
+
Then it should fail with:
|
60
|
+
"""
|
61
|
+
Must specify name and attack-file
|
62
|
+
"""
|
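Review bot: the 'Bad attack file specified' scenario pins the message `No 'thisattackwouldneverexist' attack found` even though the attack name (`nmap`) is valid and it is the attack file that is missing; the user is told a real attack does not exist. The message that scenario expects should name the file, e.g. `No attack file 'thisattackwouldneverexist' found`, and the lookup that produces it should be adjusted to match. The 'Run attack for existing tests' scenario also performs a live nmap scan of google.com on every `cucumber` run; tag it `@slow` as nmap.feature does, or point it at a local fixture, so the core CLI suite does not depend on network access or on a third party's open ports.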
@@ -0,0 +1,25 @@
|
|
1
|
+
Feature: Cookies attack
|
2
|
+
|
3
|
+
Scenario: Launch cookies attack
|
4
|
+
Given an attack "cookies" exists
|
5
|
+
And a file named "cookies.attack" with:
|
6
|
+
"""
|
7
|
+
Feature: Evaluate received cookies against expected.
|
8
|
+
|
9
|
+
Background:
|
10
|
+
Given "curl" is installed
|
11
|
+
And the target hostname is "google.com"
|
12
|
+
|
13
|
+
Scenario: Verify server is returning the cookies expected
|
14
|
+
When I launch a "cookies" attack
|
15
|
+
Then the following cookies should be received:
|
16
|
+
| name | secure | _rest |
|
17
|
+
| PREF | false | {} |
|
18
|
+
| NID | false | {'HttpOnly': None} |
|
19
|
+
"""
|
20
|
+
When I run `gauntlt attack --name cookies --attack-file cookies.attack`
|
21
|
+
Then it should pass
|
22
|
+
And the output should contain:
|
23
|
+
"""
|
24
|
+
4 steps (4 passed)
|
25
|
+
"""
|
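Review bot: the expected-cookies table encodes the remaining attributes as a Python dict literal (`{'HttpOnly': None}`) inside a Ruby/Gherkin feature; unless the step definition really hands the table to Python, a reader cannot tell how `_rest` is compared, so either document that format in the feature or use one attribute per column (`| name | secure | httponly |`). The scenario also asserts whatever cookies google.com happens to set today (`PREF`, `NID`, both `secure false`), which will break when they change; as a regression test for the cookies attack it should run against a fixture server, and as an example of what the attack is for it should assert the values a hardened application returns (`secure` true, `HttpOnly` present).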
@@ -0,0 +1,23 @@
|
|
1
|
+
Feature: curl attack
|
2
|
+
Background:
|
3
|
+
Given an attack "curl" exists
|
4
|
+
|
5
|
+
Scenario: curl attack
|
6
|
+
Given a file named "curl.attack" with:
|
7
|
+
"""
|
8
|
+
Feature: Launch curl attack
|
9
|
+
|
10
|
+
Background:
|
11
|
+
Given "curl" is installed
|
12
|
+
And the target hostname is "google.com"
|
13
|
+
|
14
|
+
Scenario: Verify a 301 is received from a curl
|
15
|
+
When I launch a "curl" attack
|
16
|
+
Then the response code should be "301"
|
17
|
+
"""
|
18
|
+
When I run `gauntlt attack --name curl --attack-file curl.attack`
|
19
|
+
Then it should pass
|
20
|
+
And the output should contain:
|
21
|
+
"""
|
22
|
+
4 steps (4 passed)
|
23
|
+
"""
|
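Review bot: the single assertion `Then the response code should be "301"` depends on google.com answering a bare `curl` of the hostname with a redirect; behind a proxy, or if that site ever answers 200, the curl attack test fails for reasons unrelated to gauntlt. A fixture server under the project's control that always returns 301 would keep the `4 steps (4 passed)` count stable and make the scenario a test of the adapter rather than of a third party.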
@@ -0,0 +1,33 @@
|
|
1
|
+
Feature: http_methods attack
|
2
|
+
Background:
|
3
|
+
Given an attack "http_methods" exists
|
4
|
+
|
5
|
+
Scenario: http methods
|
6
|
+
Given a file named "http_methods.attack" with:
|
7
|
+
"""
|
8
|
+
Feature: Evaluate responses to various HTTP methods.
|
9
|
+
|
10
|
+
Background:
|
11
|
+
Given "curl" is installed
|
12
|
+
And the target hostname is "google.com"
|
13
|
+
|
14
|
+
Scenario Outline: Verify server responds correctly to various HTTP methods
|
15
|
+
When I launch a "curl" attack with:
|
16
|
+
\"\"\"
|
17
|
+
curl -i -X <method> <hostname>
|
18
|
+
\"\"\"
|
19
|
+
Then the output should contain "<response>"
|
20
|
+
Examples:
|
21
|
+
| method | response |
|
22
|
+
| delete | Error 405 (Method Not Allowed) |
|
23
|
+
| patch | Error 405 (Method Not Allowed) |
|
24
|
+
| trace | Error 405 (Method Not Allowed) |
|
25
|
+
| track | Error 405 (Method Not Allowed) |
|
26
|
+
| bogus | Error 405 (Method Not Allowed) |
|
27
|
+
"""
|
28
|
+
When I run `gauntlt attack --name http_methods --attack-file http_methods.attack`
|
29
|
+
Then it should pass
|
30
|
+
And the output should contain:
|
31
|
+
"""
|
32
|
+
5 scenarios (5 passed)
|
33
|
+
"""
|
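Review bot: the Examples table passes lower-case method names (`delete`, `patch`, `trace`, `track`) to `curl -X <method>`, and HTTP method tokens are case-sensitive, so the server receives unknown methods and rejects them for exactly the same reason it rejects `bogus`; the scenario therefore never checks whether real `DELETE`, `TRACE` or `TRACK` requests are refused, which is the security property an http_methods attack exists to verify. Use upper-case tokens in the table. Matching the literal body text `Error 405 (Method Not Allowed)` also pins Google's error page; since the command already uses `-i`, match the status line (`HTTP/1.1 405`) instead, which any server emits.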
@@ -0,0 +1,40 @@
|
|
1
|
+
Feature: nmap attack
|
2
|
+
@slow
|
3
|
+
Scenario: Launch nmap attack
|
4
|
+
Given an attack "nmap" exists
|
5
|
+
And a file named "nmap.attack" with:
|
6
|
+
"""
|
7
|
+
Feature: nmap attacks
|
8
|
+
|
9
|
+
Background:
|
10
|
+
Given "nmap" is installed
|
11
|
+
And the target hostname is "google.com"
|
12
|
+
|
13
|
+
Scenario: Verify server is available on standard web ports
|
14
|
+
When I launch an "nmap" attack with:
|
15
|
+
\"\"\"
|
16
|
+
nmap -p 80,443 <hostname>
|
17
|
+
\"\"\"
|
18
|
+
Then the output should contain:
|
19
|
+
\"\"\"
|
20
|
+
80/tcp open http
|
21
|
+
443/tcp open https
|
22
|
+
\"\"\"
|
23
|
+
|
24
|
+
@slow
|
25
|
+
Scenario: Detect OS
|
26
|
+
When I launch an "nmap" attack with:
|
27
|
+
\"\"\"
|
28
|
+
nmap -sV -p80 -PN <hostname>
|
29
|
+
\"\"\"
|
30
|
+
Then the output should contain:
|
31
|
+
\"\"\"
|
32
|
+
Service Info: OS: Linux
|
33
|
+
\"\"\"
|
34
|
+
"""
|
35
|
+
When I run `gauntlt attack --name nmap --attack-file nmap.attack`
|
36
|
+
Then it should pass
|
37
|
+
And the output should contain:
|
38
|
+
"""
|
39
|
+
8 steps (8 passed)
|
40
|
+
"""
|
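Review bot: the second scenario is titled 'Detect OS' but runs `nmap -sV -p80 -PN`, which is service/version detection rather than OS detection (`-O`, which also needs root), and the `Service Info: OS: Linux` line it expects is inferred from the HTTP server banner; rename the scenario (e.g. 'Detect service version') or change the flags so the title matches what is tested. `-PN` is the older spelling of `-Pn`; still accepted, but worth updating. Both scenarios scan google.com: `@slow` keeps them out of the default run, but the pinned output still depends on a third party's banners and open ports, so prefer a target under the project's control.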
@@ -0,0 +1,17 @@
|
|
1
|
+
Feature: sqlmap attack
|
2
|
+
|
3
|
+
Scenario:
|
4
|
+
Given an attack "sqlmap" exists
|
5
|
+
And a file named "sqlmap.attack" with:
|
6
|
+
"""
|
7
|
+
Feature: Run sqlmap against a target
|
8
|
+
|
9
|
+
Background:
|
10
|
+
Given "sqlmap" is installed
|
11
|
+
"""
|
12
|
+
When I run `gauntlt attack --name sqlmap --attack-file sqlmap.attack`
|
13
|
+
Then it should pass
|
14
|
+
And the output should contain:
|
15
|
+
"""
|
16
|
+
1 step (1 passed)
|
17
|
+
"""
|
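Review bot: the attack file in this hunk contains only `Given "sqlmap" is installed`, and the scenario on line 3 has no name, so the test verifies that the `SQLMAP_PATH` set in `.travis.yml` resolves and nothing about the sqlmap attack itself. Name the scenario, and once the adapter supports it add a `When I launch a "sqlmap" attack with:` step against a local fixture so that `1 step (1 passed)` becomes a real check of the adapter.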
@@ -0,0 +1,36 @@
|
|
1
|
+
Feature: sslyze attack
|
2
|
+
|
3
|
+
Scenario:
|
4
|
+
Given an attack "sslyze" exists
|
5
|
+
And a file named "sslyze.attack" with:
|
6
|
+
"""
|
7
|
+
Feature: Run sslyze against a target
|
8
|
+
|
9
|
+
Background:
|
10
|
+
Given "sslyze" is installed
|
11
|
+
And the target hostname is "google.com"
|
12
|
+
|
13
|
+
Scenario: Ensure no anonymous certificates
|
14
|
+
When I launch an "sslyze" attack with:
|
15
|
+
\"\"\"
|
16
|
+
python <sslyze_path> <hostname>:443
|
17
|
+
\"\"\"
|
18
|
+
Then the output should not contain:
|
19
|
+
\"\"\"
|
20
|
+
Anon
|
21
|
+
\"\"\"
|
22
|
+
|
23
|
+
# Scenario: Make sure that the certificate key size is at least 2048
|
24
|
+
# Given the target hostname is "google.com"
|
25
|
+
# When I launch an "sslyze" attack with:
|
26
|
+
# \"\"\"
|
27
|
+
# python <sslyze_path> <hostname>:443
|
28
|
+
# \"\"\"
|
29
|
+
# Then the key size should be at least 2048
|
30
|
+
"""
|
31
|
+
When I run `gauntlt attack --name sslyze --attack-file sslyze.attack`
|
32
|
+
Then it should pass
|
33
|
+
And the output should contain:
|
34
|
+
"""
|
35
|
+
4 steps (4 passed)
|
36
|
+
"""
|
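Review bot: `Then the output should not contain:` `Anon` is a negative assertion over the whole sslyze output, so it passes trivially when sslyze fails to start, prints only an error, or cannot reach port 443, and it can false-fail on any unrelated text containing that substring. Pair it with a positive check that the scan completed (a line sslyze prints for every successful scan) and match the exact marker sslyze uses for anonymous cipher suites rather than the bare substring. The commented-out key-size scenario on lines 23-29 of the attack file should be removed or tracked as an issue rather than shipped inside the fixture.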