Pen Testing with Iron • Andrew Wilson • Trustwave SpiderLabs
Ubiquitous Hello • Application Security Consultant • Ex-Software Developer – Microsoft MVP • Long walks on the beach • Dancing in the rain
Goals • Why Bother? • Introduction to the DLR & CLR • Getting Running • Examples: • Reflection and Disassembly • Leveraging Existing Tools • Driving Applications with Scripts
Why Bother? • Best of Both Worlds • Deeper Reach • Simplification
Python & Ruby: • Make Developers Security Testers Happy! • Awesome at Scripting & Interactive Development (read: rapid prototyping) • Incapable (normally) of interaction with .NET
.NET Framework Is: • Awesome in library, connectivity, and tooling • Commonly used by companies you test • Sucky at scripting and interactive programming
CLR <3 • Focuses concerns against business problems • Handles: • Memory Management • Metadata • JIT • Common Type System
Expression Trees • Translate code from one language to MSIL • Introduced in .NET 3.5 via LINQ
DLR+CLR • Peace Love & Harmony • Bi-Directional support: • DLR – CLR (Ex. Python – CLR) • CLR – DLR (Ex. CLR – Embedded Python)
IronPython • Significantly more mature (circa 2006) • Better support for existing Python applications • Loads apps by being manually added to lib
IronRuby • Needs your support • Just obtained Visual Studio Support • Loads assemblies via igem (instead of gem) install <gem>
Getting Started • You will need: • IronRuby OR IronPython • Language tools are optional • Visual Studio Express OR MonoDevelop • Reflector
Use Cases: • Disassembly / Reflection • Existing Tooling • Driving Applications via Scripts
Reflection::noitcelfeR • .NET has reflection – but it sucks • Ruby has reflection – and it rules • Always Cheat, Always Win.
Use Existing Tools • Some things aren't 100% supported • Workarounds are in progress & inevitable • Gains are still decent & getting better
When Not To Use: • When You Can’t • Testing Web Applications You Can Debug Natively • When Native Tools Are Better
Closing Thoughts • No Free Lunches • Offers Unique Opportunities • Projects In Transition