1 / 22

Pen Testing with Iron

Pen Testing with Iron. Andrew Wilson Trustwave SpiderLabs. Ubiquitous Hello. Application Security Consultant Ex-Software Developer– Microsoft MVP Long walks on the beach Dancing in the rain. Goals. Why Bother? Introduction to the DLR & CLR Getting Running Examples:

dorie
Download Presentation

Pen Testing with Iron

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Pen Testing with Iron • Andrew Wilson • Trustwave SpiderLabs

  2. Ubiquitous Hello • Application Security Consultant • Ex-Software Developer– Microsoft MVP • Long walks on the beach • Dancing in the rain

  3. Goals • Why Bother? • Introduction to the DLR & CLR • Getting Running • Examples: • Reflection and Disassembly • Leveraging Existing Tools • Driving Applications with Scripts

  4. Why Bother? • Best of Both Worlds • Deeper Reach • Simplification

  5. Python & Ruby: • Make Developers Security Testers Happy! • Awesome at Scripting & Interactive Development (read: rapid prototyping) • Incapable (normally) of interaction with .NET 

  6. .NET Framework Is: • Awesome in library, connectivity, and tooling • Commonly used by companies you test • Sucky at scripting and interactive programming

  7. CLR <3 • Focuses concerns against business problems • Handles: • Memory Management • Metadata • JIT • Common Type System

  8. DLR <3

  9. Expression Trees • Translate code from one language to MSIL • Introduced in .Net 3.5 via Linq

  10. DLR+CLR • Peace Love & Harmony • Bi-Directional support: • DLR – CLR (Ex. Python – CLR) • CLR – DLR (Ex. CLR – Embedded Python)

  11. IronPython • Significantly more mature (circa 2006) • Better support for existing Python applications • Loads apps by being manually added to lib

  12. IronRuby • Needs your support • Just obtained Visual Studio Support • Loads assemblies via igem (instead of gem) install <gem>

  13. Getting Started • You will need: • IronRuby OR IronPython • Language tools are optional • Visual Studio Express OR MonoDevelop • Reflector

  14. Use Cases: • Disassembly / Reflection • Existing Tooling • Driving Applications via Scripts

  15. No Disassemble!

  16. Reflection::noitcelfeR • .NET has reflection– but it sucks • Ruby has reflection– and it rules • Always Cheat, Always win.

  17. Use Existing Tools

  18. Use Existing Tools • Some things aren‘t 100% supported • Workarounds are in progress & inevitable • Gains are still decent & getting better

  19. THE POWER OF GRAYSKULL!!

  20. When Not To Use: • When You Can’t • Testing Web Applications You Can Debug Natively • When Native Tools Are Better

  21. Closing Thoughts • No Free Lunches • Offers Unique Opportunities • Projects In Transition

  22. QA

More Related