Pen Testing with Iron

Andrew WilsonTrustwave SpiderLabs

Ubiquitous Hello

•Application Security Consultant

•Ex-Software Developer– Microsoft MVP

•Long walks on the beach

•Dancing in the rain

Goals•Why Bother?

•Introduction to the DLR & CLR

•Getting Running

•Examples:

•Reflection and Disassembly

•Leveraging Existing Tools

•Driving Applications with Scripts

Why Bother?•Best of Both Worlds

•Deeper Reach

•Simplification

Python & Ruby:

.NET Framework Is:•Awesome in library, connectivity, and

tooling

•Commonly used by companies you test

•Sucky at scripting and interactive programming

CLR <3•Focuses concerns against business

problems

•Handles:

• Memory Management

• Metadata

• JIT

• Common Type System

DLR <3

Expression Trees

•Translate code from one language to MSIL

•Introduced in .Net 3.5 via Linq

DLR+CLR

•Peace Love & Harmony

•Bi-Directional support:

•DLR – CLR (Ex. Python – CLR)

•CLR – DLR (Ex. CLR – Embedded Python)

IronPython•Significantly more mature (circa 2006)

•Better support for existing Python applications

•Loads apps by being manually added to lib

IronRuby•Needs your support

•Just obtained Visual Studio Support

•Loads assemblies via igem (instead of gem) install <gem>

Getting Started

•You will need:

•IronRuby OR IronPython

•Language tools are optional

•Visual Studio Express OR MonoDevelop

•Reflector

Use Cases:

•Disassembly / Reflection

•Existing Tooling

•Driving Applications via Scripts

No Disassemble!

Reflection::noitcelfeR

•.NET has reflection– but it sucks

•Ruby has reflection– and it rules

•Always Cheat, Always win.

Use Existing Tools

Use Existing Tools•Some things aren‘t 100% supported

•Workarounds are in progress & inevitable

•Gains are still decent & getting better

THE POWER OF GRAYSKULL!!

When Not To Use:

•When You Can’t

•Testing Web Applications You Can Debug Natively

•When Native Tools Are Better

Closing Thoughts

•No Free Lunches

•Offers Unique Opportunities

•Projects In Transition

QA