Projects:Continuous security testing

From 36C3 Wiki
Description: I do a lot of things a whole lot, so why not automate these things? What things? Things like portscans, masscans, vulnscans, bruteforces, sqlmaps, etc...
Persons working on: C
Tags: Assembly:HSBE, Pentesting, CI, Docker, Angular, Python
Located at assembly: Assembly:HSBE

I work as a freelance pentester and I see myself doing some things a lot, things like portscans, nikto-scans, etc... These take up a lot of waiting time, and it's easy to forget a few of these basic checks when starting on a new project, possibly missing crucial information while it was right there in front of your eyes the whole time; you just had to look.

So, I started working on this project which allows me to automate a whole bunch of those tasks. I've tried a few things before and restarted a few times, but this time I think I might have it just right.

The basic idea is the following:

  • A web application which allows the user to create "projects"
  • In a project, this user then gets a dashboard where he or she can do the following:
    • Add things like domains, IP addresses or URLs to the scope
    • Run or schedule tests
    • Consult test results and stats

No big problem, right? Until you start thinking it through: how are you going to schedule tasks for repeated execution on a schedule? Suppose you use CRON for this, then what code should CRON execute at the given interval? This is no trivial problem to solve, as I've experienced. First, of course, I just coded everything right into my app using threading, which was not a very smart idea and landed in a dead end. Next, I looked into using a manager/worker setup using Celery. This seemed to be working, and it was for sure the right paradigm to follow, but the execution was very buggy and I couldn't get the Celery manager and workers to do exactly what I wanted. So there I was, having a great idea, knowing that it can be done, but lacking the technical knowledge to complete the challenge. So I let the project rest for some months, while trying to figure out a solution for the distribution of work to worker instances.

The solution came to me some months ago when I started looking into the workings of Docker and learned how to containerize applications. This was the solution to my problem! I could put each of the applications that I often use during pentests into separate container images and then just run those as containers and pass parameters to them.

So basically that's my project:

  • A web app built in Angular that serves as front-end to
  • An API that allows for the orchestration of various pentesting tools using Docker containers

Currently I'm still working on version 0 so I haven't got any code out in the open yet, but I'll probably open it up at Congress.
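As an added illustration of the scope-to-container step described above (example code written for this page, not code from the project, which is unreleased): scope entries added through the dashboard are validated as IP/CIDR, domain or URL before they are substituted into a per-tool argv template, and each job is built as an argument list rather than a shell string, so a scope entry can never smuggle in an extra tool flag. The image names and argv templates in TOOLS are assumed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse

# RFC 1123-style dotted hostname with a TLD; single-label names are rejected.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

# Hypothetical tool registry (assumed, not the project's): task -> (image, argv
# template). "{target}" is the only slot a scope item may fill.
TOOLS = {
    "portscan": ("example/portscan:latest", ["nmap", "-sV", "-oX", "-", "{target}"]),
    "webscan": ("example/nikto:latest", ["nikto", "-h", "{target}"]),
}


def classify_scope_item(item: str) -> str:
    """Return 'ip', 'domain' or 'url' for a well-formed entry, else raise ValueError."""
    # Only these three shapes pass, so an entry cannot become a tool flag or shell fragment.
    if not item or any(c.isspace() for c in item):
        raise ValueError(f"empty or whitespace in scope item: {item!r}")
    try:
        ipaddress.ip_network(item, strict=False)  # single address or CIDR block
        return "ip"
    except ValueError:
        pass
    if _HOSTNAME_RE.match(item):
        return "domain"
    parsed = urlparse(item)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        try:
            ipaddress.ip_address(parsed.hostname)
        except ValueError:
            if not _HOSTNAME_RE.match(parsed.hostname):
                raise ValueError(f"URL with a malformed host: {item!r}")
        return "url"
    raise ValueError(f"not an IP, domain or URL: {item!r}")


def is_valid_scope_item(item: str) -> bool:
    try:
        classify_scope_item(item)
        return True
    except ValueError:
        return False


def build_job_argv(task: str, item: str) -> list:
    """`docker run` argv for one (task, scope item) pair; a list, so no shell is involved."""
    image, template = TOOLS[task]  # KeyError for an unknown task is intended
    classify_scope_item(item)      # raises ValueError on malformed input
    return ["docker", "run", "--rm", image] + [item if a == "{target}" else a for a in template]
```

A worker would hand the returned list to subprocess.run() as-is; never join it into a string for shell=True, because that is exactly the path by which a scope entry turns into a command.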