User Tools

Site Tools


testrex

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

testrex [2017/06/22 08:29]
stanislav.dashevskyi@unitn.it [TestREx (Testbed for Repeatable Exploits) - Download Guide]
testrex [2021/01/29 10:58]
Line 1: Line 1:
-===== TestREx (Testbed for Repeatable Exploits) - Download Guide ==== 
  
-If you are interested in the [[research_activities|research topics]] of the [[start|Security Group]] please about testbeds please check the **[[malware_analysis|page on Cyber Security Testbeds and Malware Testing]]**. 
- 
-TestREx is a system for building repeatable exploits. Its main features include the following: ​ 
-  * Packing and running web applications with their software environments 
-  * Injecting scripted exploits and monitoring the results of their execution 
-  * Generating reports with successes/​failures of the exploits 
-  * A corpus of sample applications and exploits is provided for the demonstration purposes 
-need to reboot/log out when all packages are installedneed to reboot/log out when all packages are installed 
-The corresponding publication is  
-  * S. Dashevskyi, D. Ricardo dos Santos, F. Massacci, A. Sabetta. TestREx: a Testbed for Repeatable Exploits In: //Proc. of Usenix Security CSET 2014//, San Diego (CA), USA. {{https://​www.usenix.org/​system/​files/​conference/​cset14/​cset14-paper-dashevskyi.pdf|PDF}} 
- 
-=== Downloads: === 
-  * The exploitation is protected by a [[https://​patents.google.com/​patent/​US20160314302A1|patent application]] owned by SAP. 
-  * To obtain the sources please contact us. 
- 
-=== Quick installation notes: === 
- 
-Required software and its versions 
- 
-  * Ubuntu 16.04          
-  * Open a web browser and type: 
- 
-        ​ 
-        http://​localhost:​49160/​wordpress/​wp-login.php ​ 
-        ​ 
-          
-Automated testing of the Nodegoat application:​ 
- 
-  * Run all available (few) exploit scripts against a single instance of the Nodegoat image: 
- 
- 
-         sudo python run.py --batch nodegoat__ubuntu-node-mongo --noreset --visible --verbose --port 8888 
- 
- 
- 
-  * Python 2.7.* (should also work with Python 3.4.*) 
-  * Docker, Selenium and several other packages (can be installed via '​./​scripts/​install.sh'​ script) 
- 
-REMARK: While TestREx should work on any Linux distribution (tested on Ubuntu 16.04), the '​install,​sh'​ script will work only if the **apt** package manager is available. Otherwise, all the required software could be installed manually. 
- 
-  * Copy the sources into a separate folder 
-  * Run the '​install.sh'​ file from the TestREx root folder (you might need to reboot once all packages are installed): 
- 
-         sudo sh ./​scripts/​install.sh 
-                ​ 
-              ​ 
-* Build the base software images by running: 
- 
- 
-         sudo python [TestREx_root_folder]/​util/​build-base-images.py 
-          
- 
-=== To check whether TestREx works (manual mode): === 
- 
-  * Run a sample Wordpress 3.2 application:​ 
- 
-         sudo python run.py --manual wordpress3.2__ubuntu-apache-mysql --port 80 
- 
-  * Open a web browser and type in the address line: 
- 
-         ​http://​localhost:​49160/​wordpress/​wp-login.php 
- 
-  * You should see the Wordpress login page if everything works 
- 
- 
-=== To check whether TestREx works (automatic mode): === 
- 
-  * Run all available exploit scripts against a single instance of NodeGoat application:​ 
- 
-         sudo python run.py --batch nodegoat__ubuntu-node-mongo --noreset --visible --verbose --port 8888 
- 
-  * You should observe that several exploits run one by one (the log should be present in the shell, Firefox browser should be started automatically,​ etc.)                ​ 
-===== Publications ===== 
- 
-  * A. Sabetta, L. Compagna, S. Ponta,S. Dashevskyi, D.R. dos Santos, F. Massacci. **Multi-context exploit test management**. US Patent 20160314302,​ 2016. [[https://​www.google.com/​patents/​US20160314302]] 
-  * S. Dashevskyi, D.R. dos Santos, F. Massacci, and A. Sabetta. **TestREx: a Testbed for Repeatable Exploits**, In //​Proceedings of the 7th USENIX conference on Cyber Security Experimentation and Test (CSET)//, 2014. {{:​research_activities:​vulnerability-analysis:​cset14-testrex.pdf|PDF}} 
-            
testrex.txt ยท Last modified: 2021/01/29 10:58 (external edit)