Ruby for Pentesters(or Pentesting for Rubyists)
Hello all =) Couple weeks ago I had a talk on the very first OWASP Kyiv Chapter meetup and this particular article is an overview of my presentation. Here you can find a brief list of tools, services, some suggestions, and comments, described in the talk. I hope you’ll find something interesting and useful in this article =)
The presentation itself can be found at: slideshare.net/owaspKyiv.
OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” In short words, OWASP is a worldwide non-profit organization that wants to improve the security of software.
The OWASP Chapters program helps to enhance local discussion of application security around the world. Recently, two friends of mine opened Kyiv chapter to populate this subject among Ukrainian developers, researchers, devops, managers, and others :)
If you are interested, feel free to send your talk submissions to firstname.lastname@example.org and email@example.com. They encourage the community to submit talks on a broad variety of application security related topics. Please mail them the title and description of your talk and your brief bio, and they will get back to you soon. I promise!
I’m a Ruby/JS programmer and from my point of view, when it comes to coding scripts for automating your day-to-day security auditing routine, there are no limitations to Ruby compared to other popular among the community languages like Python or PHP.
First of all, Ruby is available on all Macs by default, it can be easily installed on Linux(pre-installed on some of them), it works on Windows(with a little big headache, but works). It is really easy to read, understand and update Ruby code for almost anybody as, in general, code here is written for humans by humans =) Ruby is a very elegant and expressive language.
Ruby can be extended using native C library, existing tools written in C or even bridged to other languages like Java(Ruby itself has several implementations, like JRuby, wich can be easily integrated with the Burp Suit Scanner. JRuby is a 100% Java implementation of Ruby, it’s Ruby for the JVM).
And last, but not least - Ruby community is really huge, open and friendly; you will always be able to find an answer or a solution to almost all issues you may face.
Coming into infosec from Ruby development, it was cool to see such a widely used tools that are written in Ruby! The very next part of this blog post is a short list of such tools:
Ronin is a Ruby platform for vulnerability research and exploit development. It can be used for the rapid development and distribution of code, Exploits, Payloads, Scanners, etc., via Repositories.
Main and the only feature of this tool is to identify websites written using Wordpress - WPScan is a black box WordPress vulnerability scanner. It can scan and enumerate plugins that are installed, provide links to CVEs, shows hints, dangers and a lot of other info.
It’s a patch-level verification for Bundler. bundle-audit checks for vulnerable versions of gems in
Gemfile.lock, prints advisory information and can be useful for testing Ruby-based apps in case you have its source code(or just
Brakeman is a static analysis tool which checks Ruby on Rails applications for security vulnerabilities. As the previous one, it can be useful in case of open-box testing when you have access to the apps’ source. It generates a list of potential(and sometimes real) problems and saves them into an HTML file with a detailed description.
Arachni is a modular Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web apps. It can be used by a team of testers with different roles, test cases, subjects and all the results can be managed by admins.
BeEF is short for The Browser Exploitation Framework - it is a penetration testing tool that focuses on the web browser. “BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.”
World’s most used penetration testing software. Nothing to say there - everybody in infosec knows it, and yes, it is written using Ruby =)
Scripted Pen-Testing, Automatization
It is common to use the message-object protocol in Ruby(actually it is a good practice as in Ruby, nearly everything is an object) where all your objects can contain other objects and respond to messages. You might say that Ruby is a “message oriented” language. So, for example, you can write your own script to fetch the whole website; parse and save web pages into Ruby objects using one of dozens Ruby parses; analyse these objects extending them by other gems or by your own code; open all the interesting pages in a headless browser; put and submit payloads; save screenshots in pdf files with the detailed info about the payload, affected page and steps to reproduce the issues to analyse them manually. All in one script and all in the background. It’s absolutely amazing, is not it?
You may find next gems pretty interesting:
- Oga - XML/HTML parser
- html-pipeline - GitHub HTML processing filters and utilities. This module includes a small framework for defining DOM based content filters and applying them to user provided content.
- Happymapper allows you to parse XML data and convert it quickly and easily into ruby data structures.
- nokogiri - is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support.
- ruby-nmap - a Ruby interface to nmap, the exploration tool and securit/port scanner.
- selenium - is for automating web applications for testing purposes, but is certainly not limited to just that ;)
- Watir - ruby library for automating tests. Watir interacts with a browser the same way people do: clicking links, filling out forms and validating text.
Kali Linux - It has dozens screepts and tools pre-installed, including described above.