Ruby for Pentesters (or Pentesting for Rubyists)

Hello all =) A couple of weeks ago I gave a talk at the very first OWASP Kyiv Chapter meetup, and this article is an overview of my presentation. Here you can find a brief list of the tools, services, suggestions, and comments described in the talk. I hope you’ll find something interesting and useful in this article =)

The presentation itself can be found at: slideshare.net/owaspKyiv.


OWASP?

OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” In short words, OWASP is a worldwide non-profit organization that wants to improve the security of software.

OWASP Kyiv?

The OWASP Chapters program helps to enhance local discussion of application security around the world. Recently, two friends of mine opened the Kyiv chapter to popularize this subject among Ukrainian developers, researchers, devops, managers, and others :)

If you are interested, feel free to send your talk submissions to vlad.styran@owasp.org and ihor.bliumental@owasp.org. They encourage the community to submit talks on a broad variety of application security related topics. Please mail them the title and description of your talk and your brief bio, and they will get back to you soon. I promise!

Why Ruby?

I’m a Ruby/JS programmer and, from my point of view, when it comes to writing scripts that automate your day-to-day security auditing routine, Ruby has no limitations compared to other languages popular in the community, like Python or PHP.

First of all, Ruby is available on all Macs by default, it can be easily installed on Linux (it is pre-installed on some distributions), and it works on Windows (with a bit of a headache, but it works). Code written in Ruby is really easy to read, understand and update for almost anybody, as, in general, it is written for humans by humans =) Ruby is a very elegant and expressive language.

Ruby can be extended using native C libraries or existing tools written in C, or even bridged to other languages like Java (Ruby itself has several implementations, like JRuby, which can be easily integrated with Burp Scanner, for example. JRuby is a 100% Java implementation of Ruby; it’s Ruby for the JVM).

And last, but not least: the Ruby community is really huge, open and friendly; you will always be able to find an answer or a solution to almost any issue you may face.


Tools overview.

Coming into infosec from Ruby development, it was cool to see so many widely used tools written in Ruby, and the next part of this blog post is a short list of such tools:

1. Ronin

Website: http://ronin-ruby.github.io/

GitHub: https://github.com/ronin-ruby/

Ronin is a Ruby platform for vulnerability research and exploit development. It can be used for the rapid development and distribution of code, Exploits, Payloads, Scanners, etc., via Repositories.

Ronin - platform for pentesters

2. WPScan

Website: https://wpscan.org/

GitHub: https://github.com/wpscanteam/wpscan

This tool has a single focus: websites built with WordPress. WPScan is a black box WordPress vulnerability scanner. It can scan for and enumerate installed plugins, provide links to CVEs, show hints and dangers, and a lot of other info.

WPScan WordPress vulnerability scanner

WPScan WordPress vulnerability scanner results

3. WhatWeb

Website: https://www.morningstarsecurity.com/research/whatweb

GitHub: https://github.com/urbanadventurer/WhatWeb

WhatWeb recognizes web technologies including CMS, blogging platforms, statistics/analytics packages, JavaScript libraries, web servers, and embedded devices. It has about 2K plugins, each recognizing something different. It also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

WhatWeb scanner results

4. bundle-audit

GitHub: https://github.com/rubysec/bundler-audit

It’s a patch-level verification tool for Bundler. bundle-audit checks for vulnerable versions of gems in Gemfile.lock, prints advisory information, and can be useful for testing Ruby-based apps when you have their source code (or just the Gemfile.lock).

bundle-audit scanner results
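To show the idea behind the check bundle-audit performs, here is an added example (my own code, not bundler-audit’s) that reads gem versions out of a constructed Gemfile.lock fragment and matches them against a constructed advisory list with placeholder ids; the real tool uses the ruby-advisory-db, which also carries an unaffected_versions list that is omitted here.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed Gemfile.lock fragment (not from a real project). Top-level gems
# sit at four spaces of indent, their dependencies at six.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.10.3)
        mini_portile2 (~> 2.4.0)
      rack (2.0.6)
      rails-html-sanitizer (1.0.4)
      rake (12.3.2)
LOCK

# Constructed advisories with placeholder ids; real data comes from ruby-advisory-db.
ADVISORIES = [
  { gem: "nokogiri",             id: "EXAMPLE-ADVISORY-1", patched: [">= 1.10.4"] },
  { gem: "rack",                 id: "EXAMPLE-ADVISORY-2", patched: ["~> 1.6.11", ">= 2.0.7"] },
  { gem: "rails-html-sanitizer", id: "EXAMPLE-ADVISORY-3", patched: [">= 1.0.4"] },
  { gem: "rake",                 id: "EXAMPLE-ADVISORY-4", patched: [">= 12.3.3"] },
]

# Pull "name (version)" pairs for top-level gems only; dependency lines are
# indented deeper and carry requirements, not locked versions.
def locked_gems(lock)
  lock.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
end

# A locked version is vulnerable when it satisfies none of the advisory's
# patched-version requirements.
def vulnerable?(version, patched)
  v = Gem::Version.new(version)
  patched.none? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Report every advisory whose gem is locked at a vulnerable version.
def audit(lock, advisories = ADVISORIES)
  gems = locked_gems(lock)
  advisories.select { |a| gems[a[:gem]] && vulnerable?(gems[a[:gem]], a[:patched]) }
            .map { |a| "#{a[:gem]} #{gems[a[:gem]]}: #{a[:id]} (upgrade to #{a[:patched].join(' or ')})" }
end

puts audit(LOCKFILE)
```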

5. Brakeman

Website: http://brakemanscanner.org/

GitHub: https://github.com/presidentbeef/brakeman

Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities. Like the previous tool, it is useful for open-box testing, when you have access to the app’s source. It generates a list of potential (and sometimes real) problems and saves them into an HTML file with a detailed description.

Brakeman scanner results

6. Arachni

Website: http://www.arachni-scanner.com/

Arachni is a modular Ruby framework aimed at helping penetration testers and administrators evaluate the security of web apps. It can be used by a team of testers with different roles, test cases and subjects, and all the results can be managed by admins.

Arachni framework

Arachni scanner results

7. BeEF

Website: http://beefproject.com/

GitHub: https://github.com/beefproject/beef

BeEF is short for The Browser Exploitation Framework - it is a penetration testing tool that focuses on the web browser. “BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.”

BeEF framework main page

BeEF framework example

8. Metasploit

Website: https://www.metasploit.com/

The world’s most used penetration testing software. Nothing more to say: everybody in infosec knows it, and yes, it is written in Ruby =)



Scripted Pen-Testing, Automation

It is common to use the message-object protocol in Ruby (actually it is good practice, as in Ruby nearly everything is an object), where all your objects can contain other objects and respond to messages. You might say that Ruby is a “message oriented” language. So, for example, you can write your own script to fetch a whole website; parse and save the web pages into Ruby objects using one of the dozens of Ruby parsers; analyse these objects, extending them with other gems or your own code; open all the interesting pages in a headless browser; put in and submit payloads; and save screenshots as PDF files with detailed info about the payload, the affected page and the steps to reproduce, so you can analyse them manually. All in one script and all in the background. It’s absolutely amazing, isn’t it?

You may find the following gems pretty interesting:

  • Oga - XML/HTML parser.
  • html-pipeline - GitHub HTML processing filters and utilities. This module includes a small framework for defining DOM based content filters and applying them to user provided content.
  • Happymapper - allows you to parse XML data and convert it quickly and easily into Ruby data structures.
  • nokogiri - a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support.
  • ruby-nmap - a Ruby interface to nmap, the exploration tool and security/port scanner.
  • selenium - for automating web applications for testing purposes, but certainly not limited to just that ;)
  • Watir - a Ruby library for automating tests. Watir interacts with a browser the same way people do: clicking links, filling out forms and validating text.

ruby-nmap example
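As an added illustration of the fetch, parse into objects, analyse pipeline described above (my own code, not from any of the gems listed), the script below crawls a constructed three-page site held in memory (a stand-in for Net::HTTP fetches), turns each page into a Page object with its links and forms via the standard-library REXML parser (Nokogiri or Oga would be the usual choice), and then audits the collected Form objects for POST forms that lack a Rails authenticity_token field or submit over plain http.

```ruby
require "rexml/document" # stdlib XML parser; Nokogiri or Oga handle real-world HTML better

# Constructed in-memory site standing in for HTTP fetches of a real target.
SITE = {
  "/"       => '<html><head><title>Home</title></head><body><a href="/login">Login</a> <a href="/search">Search</a></body></html>',
  "/login"  => '<html><body><form action="/session" method="post"><input type="hidden" name="authenticity_token" value="x"/><input type="password" name="pass"/></form></body></html>',
  "/search" => '<html><body><form action="http://example.test/search" method="post"><input type="text" name="q"/></form><a href="/">Home</a></body></html>',
}

Form = Struct.new(:page, :action, :method, :fields)
Page = Struct.new(:path, :title, :links, :forms)

# Turn one fetched page into a Ruby object: title, links and forms with their field names.
def parse_page(path, html)
  doc = REXML::Document.new(html)
  title_node = REXML::XPath.first(doc, "//title")
  links = REXML::XPath.match(doc, "//a/@href").map(&:value)
  forms = REXML::XPath.match(doc, "//form").map do |f|
    fields = REXML::XPath.match(f, ".//input").map { |i| i.attributes["name"] }
    Form.new(path, f.attributes["action"], (f.attributes["method"] || "get").downcase, fields)
  end
  Page.new(path, title_node ? title_node.text : "", links, forms)
end

# Breadth-first crawl over same-site links, so every reachable page becomes a Page object.
def crawl(site, start = "/")
  pages, queue = {}, [start]
  while (path = queue.shift)
    next if pages[path] || !site[path]
    pages[path] = parse_page(path, site[path])
    queue.concat(pages[path].links.select { |l| l.start_with?("/") })
  end
  pages
end

# Analysis step over the collected objects: POST forms without a CSRF token field,
# and POST forms whose action submits over unencrypted http.
def findings(pages)
  pages.values.flat_map(&:forms).select { |f| f.method == "post" }.flat_map do |f|
    out = []
    out << "#{f.page}: POST to #{f.action} has no authenticity_token field" unless f.fields.include?("authenticity_token")
    out << "#{f.page}: POST to #{f.action} submits over plain http" if f.action.to_s.start_with?("http://")
    out
  end
end

puts findings(crawl(SITE))
```

The same Page and Form objects could then be handed to Watir or selenium to drive the pages in a real browser and capture screenshots, as the paragraph above describes.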


Recommendations

Keep having a good day!

