<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in The path to PenTestConsole</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Sat, 20 Jun 2009 00:34:14 -0000</lastBuildDate><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-11493291</link><description>Nice blog again.. I really enjoy reading your blog.. Very useful.. hope you will post another useful ideas..</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">iketz002</dc:creator><pubDate>Sat, 20 Jun 2009 00:34:14 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323704</link><description>Is this meant to be similar to w3af &lt;a href="http://w3af.sourceforge.net/?" rel="nofollow"&gt;http://w3af.sourceforge.net/?&lt;/a&gt;&lt;br&gt;I haven't used it yet and I prefer ruby over python, but seems to be very similar to what you are proposing.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">chmeee</dc:creator><pubDate>Tue, 15 Apr 2008 10:19:17 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323686</link><description>Mike, &lt;br&gt;&lt;br&gt;I'm also interested in the development of your web app testing console (WACT?). We're spending a great deal of time with similar problems (and generally resorting to one-offs and already-written tools). A set of libraries for things like brute forcing urls / forms, fuzzing, injection, etc. 
would be extremely useful.&lt;br&gt;&lt;br&gt;Can you keep me in the loop too?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jcran</dc:creator><pubDate>Tue, 08 Apr 2008 00:04:16 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323685</link><description>No april fools day post ????? where's your sense of humor  ??? not k00l</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anonymous</dc:creator><pubDate>Wed, 02 Apr 2008 11:02:34 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323684</link><description>Mike: No, marketing does not always need to imply that one is selling something. It can be self-promotion of a product, which is what this is. Yes, I *do* think it's cool, but I'd rather read about the features in either a release log, or a post with a link to a tarball at the bottom so I can read the code afterwards. :)&lt;br&gt;&lt;br&gt;Thomas: I was merely voicing my opinion that I feel your technical posts are more interesting than this type of thing. What ever happened to your promise for "this old vulnerability: SSH CRC compensator" along with several others? ;)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">sigsegv</dc:creator><pubDate>Wed, 02 Apr 2008 08:55:06 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323706</link><description>Mike: I really like the idea of working from within irb and being able to automate certain webapp pentesting tasks. I have some ideas of things I would like to see/contribute. 
Please put me on your tarball list.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tiller Beauchamp</dc:creator><pubDate>Tue, 01 Apr 2008 11:35:38 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323707</link><description>sigsegv: I'm offended not that you think we'd use the blog for marketing, but that you think that if we wanted to market something, it'd be PenTestConsole. =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 31 Mar 2008 12:19:49 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323703</link><description>Marketing propaganda?  That implies we'd actually waste our time selling something like this which is obviously not the case.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Tracy</dc:creator><pubDate>Mon, 31 Mar 2008 11:52:29 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323705</link><description>What ever happened to the old Matasano of a few months ago, when people posted interesting things worth reading, and not marketing propaganda?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">sigsegv</dc:creator><pubDate>Mon, 31 Mar 2008 08:09:07 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323702</link><description>Andre: "There are also additional ways to test or inspect code inside of an IDE or before integration (and not just unit testing) that I tend to talk about a lot. 
The problem with tools such as Core Impact and PenTestConsole is that they are built to test too late in the lifecycle."&lt;br&gt;&lt;br&gt;That is certainly true, but I think context is important here. Many pen-test customers will not use static analysis or whatever else to analyze the code they put out on their sites. A pen-tester's job is to test 'late in the lifecycle' (i.e. black box testing) if a real attack is to be simulated -- and this is where frameworks like these become useful.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">send9</dc:creator><pubDate>Sat, 29 Mar 2008 03:13:32 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323701</link><description>@ Hernan:&lt;br&gt;&lt;br&gt;If you like Selenium, then you'll probably like Canoo WebTest more, which is also not strictly for security testing.  There is another project called WebDriver which has come a long way recently that is also worth a look as an alternative to Selenium.&lt;br&gt;&lt;br&gt;I also suggest a test case submission framework such as FitNesse (with HtmlFixture).  These can be used during the requirements phase to build the test cases (while xmlbasedsrs can be used to build ab|use case scenarios, diagrams, et al).  If you don't have a lot of experience with test cases, I suggest building at least a Test Case Outline (TCO) for use in scripted testing that can be combined with exploratory testing (which builds a test charter).&lt;br&gt;&lt;br&gt;There are also additional ways to test or inspect code inside of an IDE or before integration (and not just unit testing) that I tend to talk about a lot.  The problem with tools such as Core Impact and PenTestConsole is that they are built to test too late in the lifecycle.  
Although PenTestConsole appears to be lightweight enough (in a similar way as UTScapy) to be used as a functional testing tool (either before, during, or after integration).  &lt;br&gt;&lt;br&gt;Core Impact is more focused on network penetration-testing, while PenTestConsole is focused on software penetration-testing.  In my mind, Core Impact would also be a poor choice for acceptance testing, especially at its lack of proper fit and enormously expensive cost.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andre Gironda</dc:creator><pubDate>Fri, 28 Mar 2008 15:48:07 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323700</link><description>My suggestion for a name for the console was WWMD? (What would Mike do?).  Obviously, what Mike would do is not listen to me. :(</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jeremy Rauch</dc:creator><pubDate>Fri, 28 Mar 2008 13:29:17 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323699</link><description>Hi Mike!!,&lt;br&gt;&lt;br&gt;Check out selenium (&lt;a href="http://selenium.openqa.org/" rel="nofollow"&gt;http://selenium.openqa.org/&lt;/a&gt;), among others. scriptable from python and other languages (java, .net, etc). is not strictly for security testing though.&lt;br&gt;&lt;br&gt;Anyways, I'm not convinced yet, not that it matters :) and you haven't presented the tool yet, so I'll shut up and wait. 
:)&lt;br&gt;&lt;br&gt;&lt;br&gt;Thanks, bye!!!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Hernan Ochoa</dc:creator><pubDate>Fri, 28 Mar 2008 13:26:18 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323698</link><description>Vitaly: Thanks for the support and I think you might get where I'm &lt;br&gt;coming from... stay tuned!&lt;br&gt;&lt;br&gt;Hernan: I agree "PenTestConsole" is a horrific name.&lt;br&gt;WebAppPenTestConsole!  No. Not really.  I really need a name.&lt;br&gt;&lt;br&gt;Things will hopefully become clearer as I get through the series.  The&lt;br&gt;idea behind this that might be considered original (or at least&lt;br&gt;innovative) is having a command line interface (shell) to perform common webapp pentesting tasks as well as a scripting framework for automating them.&lt;br&gt;&lt;br&gt;My purpose isn't really comparable to metasploit et al. What I'm working&lt;br&gt;on is useful to me.  It's an interesting learning experience to write&lt;br&gt;and my experiences (and the code) might be helpful to others trying to solve a similar problem.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Tracy</dc:creator><pubDate>Fri, 28 Mar 2008 13:13:38 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323687</link><description>Hi Vitaly!,&lt;br&gt;&lt;br&gt;The name 'pentestconsole' is kind of bad, I think we both agree on that. So I recommend to change the name because I think it kills any innovation the name was trying to suggest :). 
I apologize also because I originally commented on this post because it was very strange to me to see the idea of a 'pentestconsole' as something new, my bad.&lt;br&gt;&lt;br&gt;&lt;br&gt;The idea of putting together a bunch of different tools to create a 'framework' or a 'toolkit' so that you can go to the same 'app' to do your testing, can't be considered original, come on! :).&lt;br&gt;&lt;br&gt;Then, specifically, creating a 'framework' to do 'testing' (web app or whatever app) using a 'scripting language' is NOT original, come on part 2! :).  &lt;br&gt;&lt;br&gt;Saying that because of the little time you have to do pentests/'any other thing' having things 'automated' or having scripts, or having frameworks to help you is helpful is also nothing new, come on part 3.&lt;br&gt;&lt;br&gt;CORE IMPACT already allows you to do that (with the console and everything), metasploit too, and i'm sure Canvas does the same thing. &lt;br&gt;You can open a python/irb console whenever you want, and do your stuff..&lt;br&gt;&lt;br&gt;if you use paros, burp, etc, you can script stuff/create plugins, etc.&lt;br&gt;&lt;br&gt;For a more 'humble' project, you can check out my 'uhooker' and 'proxy_hooker' (&lt;a href="http://oss.coresecurity.com/projects/uhooker.htm%29%28sorry" rel="nofollow"&gt;http://oss.coresecurity.com/projects/uhooker.ht...&lt;/a&gt;),&lt;br&gt;you can hook 'stuff' and script everything from python. &lt;br&gt;&lt;br&gt;CORE IMPACT in its latest version is beginning to add web app testing, and since everything is backed by python, almost any functionality can be scripted.. so there you go.. 
the same goes for almost any other pentesting framework like canvas, metasploit, etc.&lt;br&gt;&lt;br&gt;So, I think there's no big innovation here in principle, anyways having said that, I think that after changing the name :) this is a very good project because it could facilitate what you can already do with burp, paros and other tools, add new very useful features,and it could clearly do a better job at helping you do webapps pentests than canvas,impact,metasploit,burp,paros and other tools are doing now.&lt;br&gt;&lt;br&gt;SO, to make my point clear, I LIKE the project :),&lt;br&gt;and I'd like to see it, i'm just saying that I think some of the ideas proposed are not an innovation, but still can be VERY useful.&lt;br&gt;&lt;br&gt;Thanks!,&lt;br&gt;bye!&lt;br&gt;&lt;br&gt;&lt;br&gt;Bye!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Hernan Ochoa</dc:creator><pubDate>Fri, 28 Mar 2008 11:28:32 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323697</link><description>If this thread is collecting "interested party" email addresses, count me in!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Seth</dc:creator><pubDate>Thu, 27 Mar 2008 23:13:54 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323696</link><description>Hernan: If I understand his intentions correctly from the post, it seems to me that 'PenTestConsole' is a Ruby framework specifically for web app testing -- not building exploits in general. &lt;br&gt;&lt;br&gt;I would think building web app testing tools on top of a framework more meant for memory corruption and similar attacks would be cumbersome and overkill. Perhaps the name 'PenTestConsole' is a misnomer, but I think the idea might be more original than you think. 
Then again, I have not seen/used the product, and have almost no experience with CORE (Metasploit on the other hand...)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">send9</dc:creator><pubDate>Thu, 27 Mar 2008 19:49:54 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323695</link><description>Hi Mike!,&lt;br&gt;&lt;br&gt;I believe what you are referring to as a 'PentestConsole' is metasploit or CORE IMPACT (disclaimer: I work for Core :)). That's why they are called 'pentesting frameworks'. So your idea is good, but it has been done already. Of course, everything needs improvement, but something is already there.&lt;br&gt;&lt;br&gt;Both have a scripting language you can use to manipulate existing modules, combining functionality, both have different tools you can use during your pentest, etc.&lt;br&gt;&lt;br&gt;For example, CORE IMPACT is not only about exploits, you have other tools, like the SMB/RPC library, modules to inject code, you can install an agent and run a python console and run your scripts on the remote machine to do whatever you want, etc.&lt;br&gt;&lt;br&gt;So I think there's no need to 'create' a new framework (well, define 'need' :), I know), I think the best thing to do is for anyone to write modules for metasploit (because it is a free product, for now) or for CORE IMPACT if you are willing to pay for it. 
That's what we do.&lt;br&gt;&lt;br&gt;Of course, creating a new framework might be totally worth it, I'm just saying that the idea of a 'pentestconsole' is already here.&lt;br&gt;&lt;br&gt;Bye!</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Hernan Ochoa</dc:creator><pubDate>Thu, 27 Mar 2008 18:13:07 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323694</link><description>Mike: In that case, I'd like to sign up as an "interested party" if possible :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lee Hinman</dc:creator><pubDate>Thu, 27 Mar 2008 17:11:46 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323688</link><description>mike: i think your readers might take the word, "all" a bit too literally, hence my clarification.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andre Gironda</dc:creator><pubDate>Thu, 27 Mar 2008 17:08:27 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323693</link><description>chris:  I need to learn better how to disambiguate.  I happen to be wearing one of their t-shirts right this second.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Tracy</dc:creator><pubDate>Thu, 27 Mar 2008 16:43:07 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323692</link><description>dre and lee:  I am currently in the process of cleaning things up a bit then sending it out to interested parties.  It's still deeply in development so ymmv.&lt;br&gt;&lt;br&gt;dre:  I think you might be taking my use of the word 'all' a bit too literally.  
Whitebox testing is a different animal entirely.  I don't get to see source code on the vast majority of engagements I work on.  PenTestConsole is designed to help with black and really dark shades of graybox testing.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Tracy</dc:creator><pubDate>Thu, 27 Mar 2008 16:37:39 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323691</link><description>Ferreting out how your tool works?&lt;br&gt;&lt;br&gt;Hasn't Internet Security Subverter already been written?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">cgs</dc:creator><pubDate>Thu, 27 Mar 2008 16:25:53 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323690</link><description>I would really like to give you feedback on your presentation and/or source code if you want to shoot them over to me.  Additional comments below.&lt;br&gt;&lt;br&gt;&lt;i&gt;as much as I would love to spend time pontificating about methodology, technology and software development practices (Niaaaagra Falls), I have work to do and that’s the reason for PenTestConsole&lt;/i&gt;&lt;br&gt;&lt;br&gt;I highly recommend the book, &lt;a href="http://isbn.nu/9780470042120/" rel="nofollow"&gt;Automated Defect Prevention&lt;/a&gt;.  Especially if you like pretty graphs and Fishbone diagrams.  This book also surprisingly mentions OWASP...&lt;br&gt;&lt;br&gt;&lt;i&gt;I need to be able to find all the bread and butter issues (XSS check ...)&lt;/i&gt;&lt;br&gt;&lt;br&gt;It's usually not possible to find all of the XSS without using white box methods (i.e. 
unit testing or code inspection).</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andre Gironda</dc:creator><pubDate>Thu, 27 Mar 2008 15:56:37 -0000</pubDate></item><item><title>Re: The path to PenTestConsole</title><link>http://www.matasano.com/log/1028/the-path-to-pentestconsole/#comment-2323689</link><description>Hi Mike,&lt;br&gt;Is your pentesting framework going to be available for general consumption? I'm extremely interested in a framework like this, as I prefer Ruby over all of the other scripting languages for my security work.&lt;br&gt;&lt;br&gt;That being said, I'm looking forward to future posts about the framework :)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Lee Hinman</dc:creator><pubDate>Thu, 27 Mar 2008 15:56:27 -0000</pubDate></item></channel></rss>