orchestrating security testing with golismero
AppSec USA 2014
Denver, Colorado
Orchestrating Security Testing With Golismero
Mike Landeck
2
Speaker Bio
Mike Landeck
Mike Landeck led the security implementation and then operationalized the country's largest Medicaid Management Information System as the Director of Information Security for Xerox' State Healthcare, and then managed the security program implementation of Colorado's Health Insurance Exchange as a consulting manager for CGI.
Mike currently consults at one of the world's largest technology companies on improving security in the software development lifecycle as a Product Security Strategy Consultant.
Mike is a frequent conference speaker and workshop presenter, appearing at conferences throughout the United States and focusing on software security testing and security program management.
3
Disclaimer
I do not speak on behalf of my employer. The information and perspectives I present are personal and do not represent those of my employer.
4
Golismero Project Team
www.golismero.com
Mario Vilas, core developer
Raúl Requero, frontend developer
Daniel García, backend developer
Golismero
5
Agenda
1. Very brief business context
2. Golismero for senior users
3. Golismero for complete and total rookies
6
Top three reasons I hear organizations cite for not using more automated assessment tools:
• Don't know how to use them
• Don't know which tools to use
• Too much time to vet results
Business Context
7
Business Context
Typical Automated Security Assessments: each assessment type runs through its own full pipeline.
Web vulnerability: Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
Host vulnerability: Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
Network vulnerability: Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
Application vulnerability: Request -> Analysis -> Configuration -> Execution -> Vetting/Audit -> Report
8
With orchestration, the separate pipelines collapse into one:
Single Request -> Single Analysis -> Single Config -> Single Execution -> Single Vetting -> Single Report
Business Context
Tools and plugins Golismero orchestrates:
1. Nikto
2. Nmap
3. Openvas
4. Spiderfoot
5. Sslscan
6. Sqlmap
7. Xsser
8. Dns_Malware
9. Geoip
10. Punkspider
11. Shodan
12. Plecost
13. Default Error Page
14. Directory Listing
15. Exploit-DB
16. Fingerprint Web
17. Brute Directories
18. Brute Dns
19. Brute Extensions
20. Brute Permutations
21. Brute Predictables
22. Brute Prefixes
23. Brute Suffixes
9
Simple Demo - Default Settings
Golismero Demo
golismero scan <host>
(labels on the slide: Action / Test / Target)
10
File location: /usr/share/golismero/golismero.conf

[openvas]
host = localhost
#
[testing/scan/openvas]
user = admin
password = <your password>
#
[shodan:Configuration]
apikey = <your shodan key>
Golismero Config File
11
Golismero Advanced
golismero scan <host>
Options shown on the slide:
-db <name for scan>
-o <user defined name of output file>
--cookie <name=value>
--user-agent <user defined value>
-pu <user name>
-pp <password>
Golismero Demo
12
Report formats:
• Determined by the output file extension, e.g. .html, .txt and .rst
Reporting on previous scans:
golismero report <fileName.ext> -db <scanName.db>
Golismero Reporting
13
Step 1: Download VMware Player
Step 2: Download the pre-configured Kali image
Step 3: Open the image
Step 4: Click the button to start the wizard
Golismero for Complete Rookies
Links and help for all this at: http://SoftwareSecurityAssurance.com/AppSecUSA2014
14
Demo: Go from zero experience to running golismero!
Setting up a Test System
15
There is not enough time in a one-hour workshop to walk through the installation process; however, there are literally hundreds of Kali installation demos on YouTube.
– This one is comprehensive (and narrated!): https://www.youtube.com/watch?v=k5mNnkG0FVk
Installing Kali
16
Questions
17
Topic: Link
Golismero web site: www.golismero.com
Slides and supporting material: http://SoftwareSecurityAssurance.com/AppSecUSA2014
OpenVAS help: http://goo.gl/im2FLe
Basic Linux commands for Kali users: http://kali4hackers.blogspot.com/2013/06/some-basic-commands-for-kali-linux.html
Kali installation (video): https://www.youtube.com/watch?v=k5mNnkG0FVk
Download Kali: http://www.kali.org/downloads/
Download VM Player: https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/6_0
Shodan registration: http://www.shodanhq.com/account/register
Useful Links
18
End –h now