pen testing with iron
DESCRIPTION
Pen Testing with Iron. Andrew Wilson Trustwave SpiderLabs. Ubiquitous Hello. Application Security Consultant Ex-Software Developer– Microsoft MVP Long walks on the beach Dancing in the rain. Goals. Why Bother? Introduction to the DLR & CLR Getting Running Examples: - PowerPoint PPT PresentationTRANSCRIPT
Pen Testing with Iron
Andrew WilsonTrustwave SpiderLabs
Ubiquitous Hello
•Application Security Consultant
•Ex-Software Developer– Microsoft MVP
•Long walks on the beach
•Dancing in the rain
Goals•Why Bother?
•Introduction to the DLR & CLR
•Getting Running
•Examples:
•Reflection and Disassembly
•Leveraging Existing Tools
•Driving Applications with Scripts
Why Bother?•Best of Both Worlds
•Deeper Reach
•Simplification
Python & Ruby:
.NET Framework Is:•Awesome in library, connectivity, and
tooling
•Commonly used by companies you test
•Sucky at scripting and interactive programming
CLR <3•Focuses concerns against business
problems
•Handles:
• Memory Management
• Metadata
• JIT
• Common Type System
DLR <3
Expression Trees
•Translate code from one language to MSIL
•Introduced in .Net 3.5 via Linq
DLR+CLR
•Peace Love & Harmony
•Bi-Directional support:
•DLR – CLR (Ex. Python – CLR)
•CLR – DLR (Ex. CLR – Embedded Python)
IronPython•Significantly more mature (circa 2006)
•Better support for existing Python applications
•Loads apps by being manually added to lib
IronRuby•Needs your support
•Just obtained Visual Studio Support
•Loads assemblies via igem (instead of gem) install <gem>
Getting Started
•You will need:
•IronRuby OR IronPython
•Language tools are optional
•Visual Studio Express OR MonoDevelop
•Reflector
Use Cases:
•Disassembly / Reflection
•Existing Tooling
•Driving Applications via Scripts
No Disassemble!
Reflection::noitcelfeR
•.NET has reflection– but it sucks
•Ruby has reflection– and it rules
•Always Cheat, Always win.
Use Existing Tools
Use Existing Tools•Some things aren‘t 100% supported
•Workarounds are in progress & inevitable
•Gains are still decent & getting better
THE POWER OF GRAYSKULL!!
When Not To Use:
•When You Can’t
•Testing Web Applications You Can Debug Natively
•When Native Tools Are Better
Closing Thoughts
•No Free Lunches
•Offers Unique Opportunities
•Projects In Transition
QA