├── .gitignore ├── Gemfile ├── Gemfile.lock ├── Puppetfile ├── Puppetfile.lock ├── README.md ├── Vagrantfile └── manifests └── base.pp /.gitignore: -------------------------------------------------------------------------------- 1 | .vagrant 2 | modules/*/* 3 | .librarian 4 | -------------------------------------------------------------------------------- /Gemfile: -------------------------------------------------------------------------------- 1 | source "https://rubygems.org" 2 | 3 | gem "librarian-puppet", :git => "git://github.com/garethr/librarian-puppet.git", :branch => "forge-release-candidates" 4 | -------------------------------------------------------------------------------- /Gemfile.lock: -------------------------------------------------------------------------------- 1 | GIT 2 | remote: git://github.com/garethr/librarian-puppet.git 3 | revision: 0a115222d20915db36f7046d5cb50d61590b4bf9 4 | branch: forge-release-candidates 5 | specs: 6 | librarian-puppet (0.9.7) 7 | json 8 | puppet 9 | thor (~> 0.15) 10 | 11 | GEM 12 | remote: https://rubygems.org/ 13 | specs: 14 | facter (1.6.18) 15 | hiera (1.2.0) 16 | json_pure 17 | json (1.7.7) 18 | json_pure (1.7.7) 19 | puppet (3.1.1) 20 | facter (~> 1.6) 21 | hiera (~> 1.0) 22 | thor (0.18.1) 23 | 24 | PLATFORMS 25 | ruby 26 | 27 | DEPENDENCIES 28 | librarian-puppet! 
29 | -------------------------------------------------------------------------------- /Puppetfile: -------------------------------------------------------------------------------- 1 | forge "http://forge.puppetlabs.com" 2 | 3 | mod 'puppetlabs/ruby', :git => 'git://github.com/garethr/puppetlabs-ruby.git' 4 | mod 'puppetlabs/ntp' 5 | mod 'puppetlabs/git' 6 | mod 'puppetlabs/vcsrepo' 7 | mod 'puppetlabs/apt' 8 | mod 'puppetlabs/gcc' 9 | mod 'puppetlabs/concat' 10 | 11 | mod 'ploperations/bundler' 12 | 13 | mod 'saz/locales' 14 | mod 'saz/motd' 15 | mod 'saz/timezone' 16 | 17 | mod 'maestrodev/wget' 18 | 19 | mod 'garethr/wackopicko' 20 | -------------------------------------------------------------------------------- /Puppetfile.lock: -------------------------------------------------------------------------------- 1 | FORGE 2 | remote: http://forge.puppetlabs.com 3 | specs: 4 | garethr/wackopicko (0.0.1) 5 | puppetlabs/apache (>= 0.6.0) 6 | puppetlabs/git (>= 0.0.2) 7 | puppetlabs/mysql (>= 0.6.1) 8 | puppetlabs/stdlib (>= 3.2.0) 9 | puppetlabs/vcsrepo (>= 0.1.1) 10 | saz/php (>= 1.0.4) 11 | maestrodev/wget (1.1.0) 12 | ploperations/bundler (1.0.0) 13 | puppetlabs/apache (0.6.0) 14 | puppetlabs/firewall (>= 0.0.4) 15 | puppetlabs/stdlib (>= 2.2.1) 16 | puppetlabs/apt (1.1.0) 17 | puppetlabs/stdlib (>= 2.2.1) 18 | puppetlabs/concat (1.1.0) 19 | puppetlabs/stdlib (>= 4.0.0) 20 | puppetlabs/firewall (0.2.1) 21 | puppetlabs/gcc (0.0.3) 22 | puppetlabs/git (0.0.2) 23 | puppetlabs/mysql (0.6.1) 24 | puppetlabs/stdlib (>= 2.2.1) 25 | puppetlabs/ntp (0.3.0) 26 | puppetlabs/stdlib (>= 0.1.6) 27 | puppetlabs/stdlib (4.0.2) 28 | puppetlabs/vcsrepo (0.1.1) 29 | saz/locales (2.0.0) 30 | saz/motd (2.0.3) 31 | saz/php (1.0.4) 32 | saz/timezone (1.1.0) 33 | 34 | GIT 35 | remote: git://github.com/garethr/puppetlabs-ruby.git 36 | ref: master 37 | sha: bfcd2c063c69919a98d43635bf15870766e7d070 38 | specs: 39 | puppetlabs/ruby (0.0.2) 40 | 41 | DEPENDENCIES 42 | garethr/wackopicko (>= 0) 
43 | maestrodev/wget (>= 0) 44 | ploperations/bundler (>= 0) 45 | puppetlabs/apt (>= 0) 46 | puppetlabs/concat (>= 0) 47 | puppetlabs/gcc (>= 0) 48 | puppetlabs/git (>= 0) 49 | puppetlabs/ntp (>= 0) 50 | puppetlabs/ruby (>= 0) 51 | puppetlabs/vcsrepo (>= 0) 52 | saz/locales (>= 0) 53 | saz/motd (>= 0) 54 | saz/timezone (>= 0) 55 | 56 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Penetration Testing Playground 2 | 3 | There are lots of interesting tools for testing the security of web 4 | applications. Unfortunately many of them are unknown to most developers 5 | and poorly packaged (I don't want a separate distro thanks). This project aims to bring together some familiar developer tools (like Vagrant and Puppet) with as many interesting security tools as I can find. 6 | 7 | Once you have the tools, you want somewhere safe to test them out. This 8 | project also contains a vulnerable web application running in a separate 9 | virtual machine which can be used as a test bed. 10 | 11 | ## Usage 12 | 13 | I'm assuming you already have Ruby and Vagrant installed. Then we need to 14 | install the dependencies. 15 | 16 | bundle install 17 | bundle exec librarian-puppet install 18 | 19 | This should fill your modules folder with puppet modules from the Puppet 20 | Forge. Next up we can start our virtual machines. 21 | 22 | vagrant up 23 | 24 | This should launch two machines, one called attacker and the other 25 | victim. Attacker gets lots of tools installed and victim gets a 26 | vulnerable web application setup. 27 | 28 | If you want to test some of the tools out then you'll want to ssh into 29 | the attacker virtual machine: 30 | 31 | vagrant ssh attacker 32 | 33 | Many of the tools are not packaged and these are simply installed into 34 | /opt. Just cd to the relevant directory and run the tools from there.
35 | 36 | If you want to change anything on the victim virtual machine you can 37 | access that with: 38 | 39 | vagrant ssh victim 40 | 41 | If you only want the attacker (or victim) virtual machine then you can 42 | use either: 43 | 44 | vagrant up attacker 45 | vagrant up victim 46 | 47 | ## Tools installed 48 | 49 | * [skipfish](http://code.google.com/p/skipfish/) 50 | * [nmap](http://nmap.org/) 51 | * [nikto](http://www.cirt.net/nikto2) 52 | * [w3af](http://w3af.org/) 53 | * [garmr](https://github.com/mozilla/Garmr) 54 | * [sslyze](https://github.com/iSECPartners/sslyze) 55 | * [wpscanner](https://github.com/metachris/wpscanner) 56 | * [owasp zap](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) 57 | * [arachni](http://arachni-scanner.com/) 58 | * [gauntlt](https://github.com/gauntlt/gauntlt) 59 | * [sqlmap](http://sqlmap.org/) 60 | * [wpscan](http://wpscan.org/) 61 | * [sslscan](http://sourceforge.net/projects/sslscan/) 62 | * [TLSSLed](http://blog.taddong.com/2013/02/tlssled-v13.html) 63 | * [slowhttptest](https://code.google.com/p/slowhttptest/) 64 | * [DIRB](http://dirb.sourceforge.net/) 65 | * [SQLiBF](http://sourceforge.net/projects/sqlibf/) 66 | 67 | If you would like to add something else then please send a pull request 68 | or open an issue. 69 | 70 | ## Disclaimer 71 | 72 | These tools are designed to attack or find vulnerabilities in other 73 | applications. Testing for vulnerabilities is an important part of 74 | building a secure web application, but please don't use this set of tools to 75 | attack other people's sites. It's probably illegal and definitely not very 76 | polite.
77 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # vi: set ft=ruby : 2 | # -*- mode: ruby -*- 3 | 4 | Vagrant.configure('2') do |config| 5 | config.vm.box = "puppet-precise64" 6 | config.vm.box_url = "http://puppet-vagrant-boxes.puppetlabs.com/ubuntu-server-1204-x64.box" 7 | 8 | config.vm.define :victim do |conf| 9 | conf.vm.hostname = 'victim' 10 | conf.vm.network :private_network, ip: "192.168.50.10" 11 | 12 | config.vm.provision :puppet, 13 | :options => ["--debug", "--verbose", "--summarize", "--reports", "store"], 14 | :facter => { "fqdn" => "target" } do |puppet| 15 | puppet.manifests_path = "manifests" 16 | puppet.module_path = "modules" 17 | puppet.manifest_file = "base.pp" 18 | end 19 | end 20 | 21 | config.vm.define :attacker do |conf| 22 | conf.vm.hostname = 'attacker' 23 | conf.vm.network :private_network, ip: "192.168.50.20" 24 | conf.vm.provider :virtualbox do |vm| 25 | vm.customize [ 26 | "modifyvm", :id, 27 | "--memory", 2048, 28 | "--cpus", "2" 29 | ] 30 | end 31 | config.vm.provision :puppet, 32 | :options => ["--debug", "--verbose", "--summarize", "--reports", "store"], 33 | :facter => { "fqdn" => "attacker" } do |puppet| 34 | puppet.manifests_path = "manifests" 35 | puppet.module_path = "modules" 36 | puppet.manifest_file = "base.pp" 37 | end 38 | end 39 | end 40 | -------------------------------------------------------------------------------- /manifests/base.pp: -------------------------------------------------------------------------------- 1 | node 'attacker' { 2 | package {[ 3 | 'libxml2-dev', 4 | 'libxslt1-dev', 5 | 'libcurl4-openssl-dev', 6 | 'libsqlite3-dev', 7 | 'libyaml-dev', 8 | 'zlib1g-dev', 9 | 'vim-nox', 10 | 'curl', 11 | 'ack-grep', 12 | 'lynx', 13 | 'libxslt-dev', 14 | 'python2.7-dev', 15 | 'python-nltk', 16 | 'python-pip', 17 | 'libcurl4-gnutls-dev', 18 | 'libffi-dev', 19 | 'libopenssl-ruby', 20 
| ]: 21 | ensure => installed, 22 | } 23 | 24 | include stdlib 25 | include bundler 26 | include locales 27 | include gcc 28 | include git 29 | 30 | class { 'apt': 31 | always_apt_update => true, 32 | #stage => setup, 33 | } 34 | 35 | class { 'ntp': 36 | autoupdate => true, 37 | } 38 | 39 | exec { "apt-update": 40 | command => "/usr/bin/apt-get update" 41 | } 42 | 43 | Exec["apt-update"] -> Package <| |> 44 | 45 | class { 'ruby': 46 | ruby_package => 'ruby1.9.1-full', 47 | rubygems_package => 'rubygems1.9.1', 48 | gems_version => 'latest', 49 | } 50 | 51 | class { 'motd': } 52 | 53 | class { 'timezone': 54 | timezone => 'UTC', 55 | } 56 | 57 | package {[ 58 | 'skipfish', 59 | 'nmap', 60 | 'nikto', 61 | 'sslscan', 62 | ]: 63 | ensure => installed, 64 | } 65 | 66 | vcsrepo { '/opt/wpscan': 67 | ensure => present, 68 | provider => git, 69 | source => 'git://github.com/wpscanteam/wpscan.git', 70 | require => Class['git'], 71 | } 72 | 73 | bundler::install { '/opt/wpscan': 74 | require => Vcsrepo['/opt/wpscan'], 75 | } 76 | 77 | vcsrepo { '/opt/w3af': 78 | ensure => present, 79 | provider => git, 80 | source => 'git://github.com/andresriancho/w3af.git', 81 | require => Class['git'], 82 | } 83 | 84 | vcsrepo { '/opt/garmr': 85 | ensure => present, 86 | provider => git, 87 | source => 'git://github.com/mozilla/Garmr.git', 88 | require => Class['git'], 89 | } 90 | 91 | exec { 'install garmr dependencies': 92 | command => 'python setup.py install', 93 | cwd => '/opt/garmr', 94 | creates => '/opt/garmr/build', 95 | path => '/usr/bin', 96 | require => [ 97 | Vcsrepo['/opt/garmr'], 98 | Package['python2.7-dev'], 99 | ], 100 | } 101 | 102 | vcsrepo { '/opt/sqlmap': 103 | ensure => present, 104 | provider => git, 105 | source => 'https://github.com/sqlmapproject/sqlmap.git', 106 | require => Class['git'], 107 | } 108 | 109 | vcsrepo { '/opt/sslyze': 110 | ensure => present, 111 | provider => git, 112 | source => 'git://github.com/iSECPartners/sslyze.git', 113 | require => 
Class['git'], 114 | } 115 | 116 | vcsrepo { '/opt/wpscanner': 117 | ensure => present, 118 | provider => git, 119 | source => 'git://github.com/metachris/wpscanner.git', 120 | require => Class['git'], 121 | } 122 | 123 | file { '/opt/src': 124 | ensure => directory, 125 | } 126 | 127 | file { '/opt/tlssled': 128 | ensure => directory, 129 | } 130 | 131 | wget::fetch { 'download TLSSLed': 132 | source => 'http://www.taddong.com/tools/TLSSLed_v1.3.sh', 133 | destination => '/opt/tlssled/TLSSLed.sh', 134 | require => File['/opt/tlssled'], 135 | before => File['/opt/tlssled/TLSSLed.sh'], 136 | } 137 | 138 | file { '/opt/tlssled/TLSSLed.sh': 139 | ensure => present, 140 | mode => '0755', 141 | } 142 | 143 | wget::fetch { 'download owasp zap': 144 | source => 'http://jaist.dl.sourceforge.net/project/zaproxy/2.3.1/ZAP_2.3.1_Linux.tar.gz', 145 | destination => '/opt/src/zap.tar.gz', 146 | require => File['/opt/src'], 147 | before => Exec['untar and move owasp zap'], 148 | } 149 | 150 | exec { 'untar and move owasp zap': 151 | command => '/bin/tar -xvf zap.tar.gz; mv ZAP* /opt/zap', 152 | cwd => '/opt/src', 153 | creates => '/opt/zap', 154 | } 155 | 156 | wget::fetch { 'download slowhttptest': 157 | source => 'https://slowhttptest.googlecode.com/files/slowhttptest-1.5.tar.gz', 158 | destination => '/opt/src/slowhttptest-1.5.tar.gz', 159 | require => File['/opt/src'], 160 | before => Exec['untar slowhttptest'], 161 | } 162 | 163 | exec { 'untar slowhttptest': 164 | command => '/bin/tar -xzvf slowhttptest-1.5.tar.gz;', 165 | cwd => '/opt/src', 166 | creates => '/opt/src/slowhttptest-1.5', 167 | before => Exec['build slowhttptest'], 168 | } 169 | 170 | exec { 'build slowhttptest': 171 | command => 'bash configure; make; make install', 172 | path => ['/usr/bin', '/bin'], 173 | cwd => '/opt/src/slowhttptest-1.5', 174 | require => Class['gcc'], 175 | } 176 | 177 | package {[ 178 | 'arachni', 179 | 'gauntlt', 180 | ]: 181 | ensure => installed, 182 | provider => gem, 183 | } 184 | 
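# --- tail of node 'attacker' (the node header is earlier in this file) ---

# Python libraries for the git-cloned tools set up earlier in this node.
# They are installed system-wide via pip with no version pins, so what
# lands on the box depends on the index state at provisioning time; pin
# versions if reproducible builds matter.
package {[
  'requests',
  'PyGithub',
  'GitPython',
  'pybloomfiltermmap',
  'esmre',
  'nltk',
  'pdfminer',
  'futures',
  'pyOpenSSL',
  'lxml',
  'scapy-real',
  'guess-language',
  'cluster',
  'msgpack-python',
  'python-ntlm',
]:
  ensure   => installed,
  provider => pip,
  # pip itself, plus the headers and the nltk package some of these depend on.
  require  => [
    Package['python2.7-dev'],
    Package['python-pip'],
    Package['python-nltk'],
  ],
}

# phply is installed as an editable checkout straight from its git repository.
# The clone is fetched over https:// rather than git://: git:// is a cleartext,
# unauthenticated transport (and GitHub no longer serves it), so code pulled
# that way can be tampered with in transit. The vcsrepo sources earlier in this
# node still use git:// and should be switched the same way.
# The egg-link that `pip install -e` writes is used as the idempotency marker.
exec { 'install phply':
  command => 'pip install -e git+https://github.com/ramen/phply.git#egg=phply',
  path    => '/usr/bin',
  creates => '/usr/local/lib/python2.7/dist-packages/phply.egg-link',
  cwd     => '/opt/src',
  require => [
    Class['git'],
    File['/opt/src'],
    Package['python-pip'],
  ],
}

# Third-party Launchpad PPA providing sqlibf and dirb. Packages from it are
# installed as root, so adding it is a trust decision about that PPA's owner.
apt::ppa { 'ppa:xkill/securitytools': }

package {[
  'sqlibf',
  'dirb',
]:
  ensure  => installed,
  require => Apt::Ppa['ppa:xkill/securitytools'],
}

# Static hosts entry for the other VM. The address must match the
# private_network IP the Vagrantfile assigns to the victim machine.
host { 'victim':
  ensure => present,
  ip     => '192.168.50.10',
}

} # end node 'attacker'

# The vulnerable target. The Vagrantfile provisions the 'victim' VM with a
# facter override of fqdn => 'target', which is how this node is selected.
# NOTE(review): in the Vagrantfile both puppet provisioners are attached to the
# outer `config` rather than the per-machine `conf` block, so each VM may run
# both provisioner passes (and therefore both node bodies) — confirm.
node 'target' {
  include wackopicko
  include stdlib
  include motd

  class { 'apt':
    always_apt_update => true,
    # NOTE(review): Stage['setup'] is not declared anywhere in this manifest
    # (the 'attacker' node has the same attribute commented out). Unless a
    # module declares that stage, catalog compilation will fail here — confirm.
    stage             => setup,
  }

  # Static hosts entry for the attacking VM; must match the Vagrantfile IP.
  host { 'attacker':
    ensure => present,
    ip     => '192.168.50.20',
  }
}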