Differences

This shows you the differences between two versions of the page.

--- testrex [2017/06/22 01:07] – [Cyber-Security Testbeds Research] fabio.massacci@unitn.it
+++ testrex [2021/01/29 10:58] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+===== TestREx (Testbed for Repeatable Exploits) - Download Guide ====
-====== Cyber-Security Testbeds Research ======
+If you are interested in the [[research_activities|research topics]] of the [[start|Security Group]] please about testbeds please check the **[[malware_analysis|page on Cyber Security Testbeds and Malware Testing]]**.
-Among the [[research_activities|research topics]]  of the [[start|Security Group]] we try to build testbeds for repeatable application security experiments.
+TestREx is a system for building repeatable exploits. Its main features include the following:
-  * TestREx, a Testbed for automating the Testing of Exploits
-  * Malware Lab, a set-up for experimenting with Exploit Kits
-===== TestREx (Testbed for Repeatable Exploits) - Download Instructions =====
-TestREx is a system for building repeatable exploits main features include the following:
   * Packing and running web applications with their software environments
   * Injecting scripted exploits and monitoring the results of their execution
   * Generating reports with successes/failures of the exploits
   * A corpus of sample applications and exploits is provided for the demonstration purposes
+need to reboot/log out when all packages are installedneed to reboot/log out when all packages are installed
 The corresponding publication is
   * S. Dashevskyi, D. Ricardo dos Santos, F. Massacci, A. Sabetta. TestREx: a Testbed for Repeatable Exploits In: //Proc. of Usenix Security CSET 2014//, San Diego (CA), USA. {{https://www.usenix.org/system/files/conference/cset14/cset14-paper-dashevskyi.pdf|PDF}}
@@ Line 25: / Line 20: @@
 Required software and its versions
   * Ubuntu 16.04
+  * Open a web browser and type:
+        http://localhost:49160/wordpress/wp-login.php
+Automated testing of the Nodegoat application:
+  * Run all available (few) exploit scripts against a single instance of the Nodegoat image:
+         sudo python run.py --batch nodegoat__ubuntu-node-mongo --noreset --visible --verbose --port 8888
   * Python 2.7.* (should also work with Python 3.4.*)
   * Docker, Selenium and several other packages (can be installed via './scripts/install.sh' script)
@@ Line 32: / Line 42: @@
   * Copy the sources into a separate folder
-  * Run the 'install.sh' file from the TestREx root folder:
+  * Run the 'install.sh' file from the TestREx root folder (you might need to reboot once all packages are installed):
          sudo sh ./scripts/install.sh
-  * You might need to reboot/log out when all packages are installed
+* Build the base software images by running:
-  * Build the base software images by running:
@@ Line 45: / Line 53: @@
-To check whether TestREx works:
+=== To check whether TestREx works (manual mode): ===
+  * Run a sample Wordpress 3.2 application:
-  * Manual testing of the Wordpress 3.2 (manual testing)
          sudo python run.py --manual wordpress3.2__ubuntu-apache-mysql --port 80
-  * Open a web browser and type:
+  * Open a web browser and type in the address line:
-        http://localhost:49160/wordpress/wp-login.php
-Automated testing of the Nodegoat application:
-  * Run all available (few) exploit scripts against a single instance of the Nodegoat image:
+         http://localhost:49160/wordpress/wp-login.php
+  * You should see the Wordpress login page if everything works
+=== To check whether TestREx works (automatic mode): ===
+  * Run all available exploit scripts against a single instance of NodeGoat application:
          sudo python run.py --batch nodegoat__ubuntu-node-mongo --noreset --visible --verbose --port 8888
+  * You should observe that several exploits run one by one (the log should be present in the shell, Firefox browser should be started automatically, etc.)
+===== Publications =====
+  * A. Sabetta, L. Compagna, S. Ponta,S. Dashevskyi, D.R. dos Santos, F. Massacci. **Multi-context exploit test management**. US Patent 20160314302, 2016. [[https://www.google.com/patents/US20160314302]]
+  * S. Dashevskyi, D.R. dos Santos, F. Massacci, and A. Sabetta. **TestREx: a Testbed for Repeatable Exploits**, In //Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test (CSET)//, 2014. {{:research_activities:vulnerability-analysis:cset14-testrex.pdf|PDF}}