TestREx (Testbed for Repeatable Exploits) - Download Guide

If you are interested in the Security Group's research on testbeds, please check the page on Cyber Security Testbeds and Malware Testing.

TestREx is a system for building repeatable exploits. Its main features include the following:

  • Packing and running web applications with their software environments
  • Injecting scripted exploits and monitoring the results of their execution
  • Generating reports with successes/failures of the exploits
  • A corpus of sample applications and exploits is provided for demonstration purposes

The corresponding publication is:

  • S. Dashevskyi, D. Ricardo dos Santos, F. Massacci, A. Sabetta. TestREx: a Testbed for Repeatable Exploits. In: Proc. of Usenix Security CSET 2014, San Diego (CA), USA. PDF

Downloads:

  • The exploitation is protected by a patent application owned by SAP.
  • To obtain the sources please contact us.

Quick installation notes:

Required software and its versions

  • Ubuntu 16.04
  • Python 2.7.* (should also work with Python 3.4.*)
  • Docker, Selenium and several other packages (can be installed via './scripts/install.sh' script)

REMARK: While TestREx should work on any Linux distribution (tested on Ubuntu 16.04), the 'install.sh' script will work only if the apt package manager is available. Otherwise, all the required software can be installed manually.

  • Copy the sources into a separate folder
  • Run the 'install.sh' file from the TestREx root folder (you might need to reboot once all packages are installed):
       sudo sh ./scripts/install.sh
  • Build the base software images by running:
       sudo python [TestREx_root_folder]/util/build-base-images.py

To check whether TestREx works (manual mode):

  • Run a sample WordPress 3.2 application:
       sudo python run.py --manual wordpress3.2__ubuntu-apache-mysql --port 80
  • Open a web browser and type in the address line:
       http://localhost:49160/wordpress/wp-login.php
  • You should see the WordPress login page if everything works
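
The manual-mode check above can also be scripted. The following is an added example, not part of TestREx: it polls the address from the guide and distinguishes the login page from a container that answers before MySQL is ready. The function names are hypothetical; it assumes curl is installed and that the page carries WordPress's usual id="loginform" form and "Error establishing a database connection" message.

```shell
#!/bin/sh
# Added example, not part of TestREx. Function names are hypothetical.
# Assumes curl is installed and the manual-mode container is running.

URL="http://localhost:49160/wordpress/wp-login.php"   # address given in the guide

# classify_page: read an HTTP response body on stdin and print one of
#   login    - WordPress login form present (the expected result)
#   db-error - WordPress answers but cannot reach MySQL yet
#   other    - something else answered (e.g. a bare Apache page)
classify_page() {
    body=$(cat)
    case "$body" in
        *'id="loginform"'*) echo login ;;
        *'Error establishing a database connection'*) echo db-error ;;
        *) echo other ;;
    esac
}

# wait_for_login URL ATTEMPTS: poll up to ATTEMPTS times, one second apart.
# Prints the last state seen; returns 0 once the login page is served, else 1.
wait_for_login() {
    url=$1; attempts=$2; n=0; state=unreachable
    while [ "$n" -lt "$attempts" ]; do
        if body=$(curl -s --max-time 5 "$url" 2>/dev/null); then
            state=$(printf '%s' "$body" | classify_page)
            [ "$state" = login ] && { echo "$state"; return 0; }
        else
            state=unreachable   # nothing listening yet, or curl failed
        fi
        sleep 1
        n=$((n + 1))
    done
    echo "$state"
    return 1
}

# Perform the real check only when called as: sh check.sh run
if [ "${1:-}" = run ]; then
    wait_for_login "$URL" 60 || exit 1
fi
```

A final state of db-error means the web server inside the container is up but the database is not, while unreachable means nothing is answering on the port at all.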

To check whether TestREx works (automatic mode):

  • Run all available exploit scripts against a single instance of the NodeGoat application:
       sudo python run.py --batch nodegoat__ubuntu-node-mongo --noreset --visible --verbose --port 8888
  • You should see several exploits run one after another (the log is printed in the shell, a Firefox browser is started automatically, etc.)

Publications

  • A. Sabetta, L. Compagna, S. Ponta, S. Dashevskyi, D.R. dos Santos, F. Massacci. Multi-context exploit test management. US Patent 20160314302, 2016. https://www.google.com/patents/US20160314302
  • S. Dashevskyi, D.R. dos Santos, F. Massacci, and A. Sabetta. TestREx: a Testbed for Repeatable Exploits. In Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test (CSET), 2014. PDF
testrex.txt · Last modified: 2021/01/29 10:58 (external edit)