gauntlt 0.0.7 → 0.0.8

data/.gitignore

@@ -25,4 +25,5 @@ doc
 Gemfile.lock
 .rvmrc
 .rbenv*
-*.gem
+*.gem
+.rspec

data/.travis.yml

@@ -1,9 +1,15 @@
 language: ruby
 rvm:
   - 1.9.3
+  - jruby-head
 before_install:
   - git submodule update --init --recursive
 before_script:
   - sudo apt-get install nmap
   - export SSLYZE_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sslyze/sslyze.py"
-  - export SQLMAP_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sqlmap/sqlmap.py"
+  - export SQLMAP_PATH="/home/vagrant/builds/thegauntlet/gauntlt/vendor/sqlmap/sqlmap.py"
+
+
+matrix:
+  allow_failures:
+    - rvm: jruby-head

data/Gemfile

@@ -2,4 +2,4 @@ source :rubygems
 
 gemspec
 
-gem 'debugger'
+gem 'debugger', :platform => :mri

data/README.md

@@ -10,7 +10,7 @@ Have questions?  Ask us anything on the [gauntlt google group](http://bit.ly/gau
 
 ## GET STARTED
 
-Before you start, please note that gauntlt is tested regularly against ruby 1.9.3. We don't test againt older versions of ruby. Keep in mind that you run gauntlt separately from the application it targets, so it does not matter whether the targeted application uses ruby.
+You will need ruby version `1.9.3` to run gauntlt, but you can run gauntlt against applications built with any language or platform.
 
 1. Install the gem
 
@@ -37,24 +37,30 @@ Before you start, please note that gauntlt is tested regularly against ruby 1.9.
 
 3. Run gauntlt to launch the attack defined above
 
-        $ gauntlt attack -n nmap -a nmap.attack
-        # general format:
-        #  $ gauntlt attack --name <attack_name> --attack-file <path>
+        $ gauntlt
+        # equivalent to gauntlt ./**/*.attack
+        # by default, gauntlt will search in the current folder
+        # and its subfolders for files with the .attack extension
+        #
+        # you can also specify one or more paths yourself:
+        $ gauntlt my_attacks/*.attack some_other.file
 
 
-      For more attack examples, refer to features/attacks.
+      For more attack examples, refer to the [examples](https://github.com/thegauntlet/gauntlt/tree/master/examples).
 
 4. Other commands
 
         # list defined attacks
-        $ gauntlt attack --list
+        $ gauntlt --list
 
         # get help
-        $ gauntlt help
+        $ gauntlt --help
 
 
 ## For developers
 
+NOTE: We currently use `ruby 1.9.3` and `JRuby 1.7.0-preview2` for development and testing.
+
 1. Clone the git repo and get the submodules
 
         $ git clone --recursive git://github.com/thegauntlet/gauntlt.git
@@ -77,7 +83,7 @@ Before you start, please note that gauntlt is tested regularly against ruby 1.9.
 
 5. Launch attacks with bin/gauntlt
 
-        $ bin/gauntlt attack -n nmap -a my_attack_file.attack
+        $ bin/gauntlt attack
 
 5. Refer to the features directory for usage examples and please write cucumber features for any new functionality you wish to submit.
 

data/bin/gauntlt

@@ -1,56 +1,38 @@
 #!/usr/bin/env ruby
 require 'rubygems'
+require 'trollop'
+
 $:.push File.expand_path("../../lib", __FILE__) unless $:.include?( File.expand_path("../../lib", __FILE__) )
 require 'gauntlt'
 
-require 'trollop'
+opts = Trollop::options do
+  version Gauntlt::VERSION
+  banner <<-EOS
+gauntlt is a ruggedization framework
+
+Usage:
+       gauntlt <path>+ [--tags TAG_EXPRESSION]
 
-SUB_COMMANDS = %w(
-  attack
-)
+Options:
+EOS
+
+  opt :tags, "Only execute specified tags",
+      :type => String,
+      :multi => true
+
+  opt :list, "List defined attacks"
+end
 
-global_opts = Trollop::options do
-  banner "usage: gauntlt attack [<args>]"
-  stop_on SUB_COMMANDS
+opts[:path] = if ARGV.empty?
+  "./**/*.attack"
+else
+  ARGV.join(" ")
 end
 
-cmd = ARGV.shift # get the subcommand
-
-cmd_opts = case cmd
-  when "attack" # parse delete options
-    Trollop::options do
-      banner "usage: gauntlt attack -n [attack-name] -a [attack-file]"
-
-      opt :name,
-          "attack name",
-          :short => '-n',
-          :type  => String
-
-      opt :"attack-file",
-          "attack file",
-          :short => "-a",
-          :type  => String
-
-      opt :list,
-          "list defined attacks",
-          :short => "-l"
-
-    end
-  when nil
-    puts "Try --help for help"
-  else
-    Trollop::die "unknown subcommand #{cmd.inspect}"
-  end
-
-if cmd == "attack"
-  if cmd_opts[:'attack-file_given'] && cmd_opts[:name]
-    puts Gauntlt.attack(cmd_opts[:name], :attack_file => cmd_opts[:'attack-file'])
-  else
-    puts "Available attacks:"
-    puts ""
-    puts Gauntlt.attacks.map{|a| "  #{a}"}.join("\n")
-    puts ""
-    puts "  try: gauntlt attack -n nmap"
-    Trollop.die "must specify name and attack-file" unless cmd_opts[:list_given]
-  end
+if opts[:list]
+  attack_list = Gauntlt.attacks.map{|s| "  #{s}"}.join("\n")
+  puts "Defined attacks: #{}"
+  puts attack_list
+else
+  Gauntlt.attack( opts[:path], opts[:tags].join(',') )
 end

data/examples/curl/cookies.attack

@@ -0,0 +1,12 @@
+Feature: Evaluate received cookies against expected.
+
+Background:
+  Given "curl" is installed
+  And the target hostname is "google.com"
+
+Scenario: Verify server is returning the cookies expected
+  When I launch a "cookies" attack
+  Then the following cookies should be received:
+    | name | secure | _rest              |
+    | PREF | false  | {}                 |
+    | NID  | false  | {'HttpOnly': None} |

data/examples/curl/simple.attack

@@ -0,0 +1,9 @@
+Feature: Launch curl attack
+
+Background:
+  Given "curl" is installed
+  And the target hostname is "google.com"
+
+Scenario: Verify a 301 is received from a curl
+  When I launch a "curl" attack
+  Then the response code should be "301"

data/examples/curl/verbs.attack

@@ -0,0 +1,19 @@
+Feature: Evaluate responses to various HTTP methods.
+
+Background:
+  Given "curl" is installed
+  And the target hostname is "google.com"
+
+Scenario Outline: Verify server responds correctly to various HTTP methods
+  When I launch a "curl" attack with:
+    """
+    curl -i -X <method> <hostname>
+    """
+  Then the output should contain "<response>"
+  Examples:
+    | method | response                       |
+    | delete | Error 405 (Method Not Allowed) |
+    | patch  | Error 405 (Method Not Allowed) |
+    | trace  | Error 405 (Method Not Allowed) |
+    | track  | Error 405 (Method Not Allowed) |
+    | bogus  | Error 405 (Method Not Allowed) |

data/examples/nmap/os_detection.attack

@@ -0,0 +1,16 @@
+Feature: OS detection
+
+  Background:
+    Given "nmap" is installed
+    And the target hostname is "google.com"
+
+  @slow
+  Scenario: Detect OS
+    When I launch an "nmap" attack with:
+      """
+      nmap -sV -p80 -PN <hostname>
+      """
+    Then the output should contain:
+      """
+      Service Info: OS: Linux
+      """

data/examples/nmap/simple.attack

@@ -0,0 +1,16 @@
+Feature: simple nmap attack (sanity check)
+
+  Background:
+    Given "nmap" is installed
+    And the target hostname is "google.com"
+
+  Scenario: Verify server is available on standard web ports
+    When I launch an "nmap" attack with:
+      """
+      nmap -p 80,443 <hostname>
+      """
+    Then the output should contain:
+      """
+      80/tcp  open  http
+      443/tcp open  https
+      """

data/examples/nmap/tcp_ping_ports.attack

@@ -0,0 +1,16 @@
+Feature: nmap attacks for example.com
+  Background:
+    Given "nmap" is installed
+    And the target hostname is "google.com"
+    And the target tcp_ping_ports are "22,25,80,443"
+
+  @slow
+  Scenario: Using tcp syn ping scan and the nmap fast flag
+    When I launch an "nmap" attack with:
+      """
+      nmap -F -PS<tcp_ping_ports> <hostname>
+      """
+    Then the output should contain:
+      """
+      80/tcp
+      """

data/examples/nmap/xml_output.attack

@@ -0,0 +1,18 @@
+Feature: XML output
+
+  Background:
+    Given "nmap" is installed
+    And the target hostname is "google.com"
+
+  Scenario: Output to XML
+    When I launch an "nmap" attack with:
+      """
+      nmap -p 80,443 -oX foo.xml <hostname>
+      """
+    And the file "foo.xml" should contain XML:
+      | css                                                          |
+      | ports port[protocol="tcp"][portid="80"] state[state="open"]  |
+      | ports port[protocol="tcp"][portid="443"] state[state="open"] |
+    And the file "foo.xml" should not contain XML:
+      | css                                                          |
+      | ports port[protocol="tcp"][portid="123"] state[state="open"] |

data/examples/sslyze/sslyze.attack

@@ -0,0 +1,23 @@
+Feature: Run sslyze against a target
+
+Background:
+  Given "sslyze" is installed
+  And the target hostname is "google.com"
+
+Scenario: Ensure no anonymous certificates
+  When I launch an "sslyze" attack with:
+    """
+      python <sslyze_path> <hostname>:443
+    """
+  Then the output should not contain:
+    """
+    Anon
+    """
+
+# Scenario: Make sure that the certificate key size is at least 2048
+#   Given the target hostname is "google.com"
+#   When I launch an "sslyze" attack with:
+#     """
+#       python <sslyze_path> <hostname>:443
+#     """
+#   Then the key size should be at least 2048

data/features/attack.feature

@@ -6,13 +6,14 @@ Feature: Verify the attack behaviour is correct
 
   Scenario: List available attack steps
     Given an attack "nmap" exists
-    When I run `gauntlt attack --list`
+    When I run `gauntlt --list`
     Then it should pass with:
       """
       nmap
       """
 
-  Scenario: Run attack for existing tests
+  @slow
+  Scenario: Run attack
     Given an attack "nmap" exists
     And a file named "nmap.attack" with:
     """
@@ -30,8 +31,25 @@ Feature: Verify the attack behaviour is correct
           443/tcp open  https
           \"\"\"
     """
-    When I run `gauntlt attack --name nmap --attack-file nmap.attack`
-    Then it should pass
+    When I run `gauntlt`
+    Then it should pass with:
+    """
+    4 steps (4 passed)
+    """
+
+  Scenario: Run attack with custom filename
+    Given an attack "nmap" exists
+    And a file named "my.awesome.attack.file" with:
+    """
+    Feature: my nmap attacks
+      Scenario: nmap attack works
+        Given "nmap" is installed
+    """
+    When I run `gauntlt my.awesome.attack.file`
+    Then it should pass with:
+    """
+    1 step (1 passed)
+    """
 
   Scenario: Run attack with undefined steps
     Given an attack "nmap" exists
@@ -41,30 +59,23 @@ Feature: Verify the attack behaviour is correct
       Scenario: Fail on undefined step definition
         Given "thisattackwouldneverexist" is installed
     """
-    When I run `gauntlt attack --name nmap --attack-file nmap.attack`
+    When I run `gauntlt`
     Then it should fail with:
     """
     Bad or undefined attack!
     """
 
 
-  Scenario: No attack name specified
-    When I run `gauntlt attack --attack-file thisattackwouldneverexist`
+  Scenario: No attack files in default path
+    When I run `gauntlt`
     Then it should fail with:
     """
-    must specify name and attack-file
+    No files found in path
     """
 
-  Scenario: Bad attack file specified
-    When I run `gauntlt attack --name nmap --attack-file thisattackwouldneverexist`
+  Scenario: No attack files in specified path
+    When I run `gauntlt apaththatdoesnotexist`
     Then it should fail with:
     """
-    No 'thisattackwouldneverexist' attack found
-    """
-
-  Scenario: No attack file specified
-    When I run `gauntlt attack --name nmap`
-    Then it should fail with:
-    """
-    must specify name and attack-file
-    """
+    No files found in path: apaththatdoesnotexist
+    """

data/features/attacks/curl.feature

@@ -1,23 +1,31 @@
-Feature: curl attack
+Feature: HTTP attacks
   Background:
     Given an attack "curl" exists
+    And I copy the attack files from the "examples/curl" folder
+    And the following attack files exist:
+      | filename       |
+      | simple.attack  |
+      | cookies.attack |
+      | verbs.attack   |
 
-  Scenario: curl attack
-    Given a file named "curl.attack" with:
+  Scenario: simple curl attack
+    When I run `gauntlt simple.attack`
+    Then it should pass with:
       """
-      Feature: Launch curl attack
-
-      Background:
-        Given "curl" is installed
-        And the target hostname is "google.com"
-
-      Scenario: Verify a 301 is received from a curl
-        When I launch a "curl" attack
-        Then the response code should be "301"
+      4 steps (4 passed)
       """
-    When I run `gauntlt attack --name curl --attack-file curl.attack`
-    Then it should pass
-    And the output should contain:
+
+  Scenario: cookies attack
+    When I run `gauntlt cookies.attack`
+    Then it should pass with:
       """
       4 steps (4 passed)
+      """
+
+  @slow
+  Scenario: http method verbs
+    When I run `gauntlt verbs.attack`
+    Then it should pass with:
+      """
+      5 scenarios (5 passed)
       """

data/features/attacks/nmap.feature

@@ -1,116 +1,39 @@
+@slow
 Feature: nmap attack
   Background:
     Given an attack "nmap" exists
-    And a file named "simple_nmap.attack" with:
-    """
-    Feature: simple nmap attack (sanity check)
-
-      Background:
-        Given "nmap" is installed
-        And the target hostname is "google.com"
-
-      Scenario: Verify server is available on standard web ports
-        When I launch an "nmap" attack with:
-          \"\"\"
-          nmap -p 80,443 <hostname>
-          \"\"\"
-        Then the output should contain:
-          \"\"\"
-          80/tcp  open  http
-          443/tcp open  https
-          \"\"\"
-    """
-    And a file named "os_detection_nmap.attack" with:
-    """
-    Feature: OS detection
-
-      Background:
-        Given "nmap" is installed
-        And the target hostname is "google.com"
-
-      @slow
-      Scenario: Detect OS
-        When I launch an "nmap" attack with:
-          \"\"\"
-          nmap -sV -p80 -PN <hostname>
-          \"\"\"
-        Then the output should contain:
-          \"\"\"
-          Service Info: OS: Linux
-          \"\"\"
-    """
-    And a file named "tcp_ping_ports_nmap.attack" with:
-    """
-    Feature: nmap attacks for example.com
-      Background:
-        Given "nmap" is installed
-        And the target hostname is "google.com"
-        And the target tcp_ping_ports are "22,25,80,443"
-
-      @slow
-      Scenario: Using tcp syn ping scan and the nmap fast flag
-        When I launch an "nmap" attack with:
-          \"\"\"
-          nmap -F -PS<tcp_ping_ports> <hostname>
-          \"\"\"
-        Then the output should contain:
-          \"\"\"
-          80/tcp
-          \"\"\"
-
-     """
-    And a file named "xml_output_nmap.attack" with:
-      """
-      Feature: simple nmap attack (sanity check)
-
-        Background:
-          Given "nmap" is installed
-          And the target hostname is "google.com"
-
-        Scenario: Output to XML
-          When I launch an "nmap" attack with:
-            \"\"\"
-            nmap -p 80,443 -oX foo.xml <hostname>
-            \"\"\"
-          And the file "foo.xml" should contain XML:
-            | css                                                          |
-            | ports port[protocol="tcp"][portid="80"] state[state="open"]  |
-            | ports port[protocol="tcp"][portid="443"] state[state="open"] |
-          And the file "foo.xml" should not contain XML:
-            | css                                                          |
-            | ports port[protocol="tcp"][portid="123"] state[state="open"] |
-      """
-
+    And I copy the attack files from the "examples/nmap" folder
+    And the following attack files exist:
+    | filename              |
+    | simple.attack         |
+    | os_detection.attack   |
+    | tcp_ping_ports.attack |
+    | xml_output.attack     |
 
   Scenario: Simple nmap attack
-    When I run `gauntlt attack --name nmap --attack-file simple_nmap.attack`
-    Then it should pass
-    And the output should contain:
+    When I run `gauntlt simple.attack`
+    Then it should pass with:
       """
       4 steps (4 passed)
       """
 
-  @slow
   Scenario: OS detection nmap attack
-    When I run `gauntlt attack -n nmap -a os_detection_nmap.attack`
-    Then it should pass
-    And the output should contain:
+    When I run `gauntlt os_detection.attack`
+    Then it should pass with:
       """
       4 steps (4 passed)
       """
 
   Scenario: Testing the tcp_ping_ports
-    When I run `gauntlt attack -n nmap -a tcp_ping_ports_nmap.attack`
-    Then it should pass
-    And the output should contain:
+    When I run `gauntlt tcp_ping_ports.attack`
+    Then it should pass with:
       """
       5 steps (5 passed)
       """
 
   Scenario: Handle XML output file
-    When I run `gauntlt attack -n nmap -a xml_output_nmap.attack`
-    Then it should pass
-    And the output should contain:
+    When I run `gauntlt attack xml_output.attack`
+    Then it should pass with:
       """
       5 steps (5 passed)
       """