• Home »
  • Insights »
  • How to Use Leo to Organize Information Gathered During a Penetration Test
How to Use Leo to Organize Information Gathered During a Penetration Test

How to Use Leo to Organize Information Gathered During a Penetration Test

In the world of security we often do whats known as penetration tests on our networks.  Sometimes professionals are hired and sometimes we try to do it ourselves as IT administrators. One thing which is often hard in either situation is actually organizing the data in a meaning full and easy to read format. In this post I will show you how to do this.

I will be using whats known as  Leo. It is a powerful python program which is generally used for organizing code projects however it suits our purpose as penetration testers quite nicely. Leo can be installed on any platform which supports Python. I will be using it on a Linux system for this article. When we first open up Leo we are presented with a GUI based tool which resembles a IDE used for writing code. The data in this file is organized in a tree view and makes it very easy to retrieve data at various times during a penetration test. Leo could be used in literally hundreds of different scenarios but this is how I use it.

Here is what Leo looks like when first opened:

Leo Appearance

I will conduct a brief test on my own small network of servers internally in order to illustrate how Leo is used. The first thing I need is a nmap scan. To begin with I am just going to scan for open tcp and udp ports. I will enumerate them further later but for now I just want a list to start with.


As you can see I have various machines with various ports open. In a penetration test this is    crucial information so I need to record it and then go back and revisit each port individually later. So to begin with in my Leo file I want to create a node for each IP address.  To create a new node we go to the toolbar > outline >  insert node.  Once the new node appears, we can give it a new name. So heres what mine looks like so far.


As you can see I created a name for my test as the first node. This can be whatever identifier you would like to give as the parent. This may not seem like such big deal but when you are dealing with multiple domains and hundreds of IP address’s you will be thankful you used this system. The next step is to start creating childs. This can be done two ways.

The first is to select insert child from the outline menu on the toolbar and which ever node you have highlighted becomes the parent. There is a keyboard short cut which is ctlr-r. To use this highlight the node you want to become a child and press ctlr-r and the node above it becomes its parent. Here is how I am looking now.


Ok so now that we are looking a little better we want to concentrate on some of these IP’s. I am going to quickly create some of the useful childs that I normally use so you can see what it looks like. Now that you know how to create nodes and childs, the sky is the limit. You can go as deep as you need to into the tree. Ill first go back to my nmap scan and add the tcp ports. I will also run nmap again with the -sU argument to check for udp ports as well.


Now we see how this method can be very effective for mapping out a network for the purpose of a penetration test. As you can see I created a child for each internal IP which was called open ports. Then I pasted the results of my nmap scan into the text box on the bottom. A blue icon appears on the node to signify that there is data inside.

Now I would move on to the next part of my recon operation which would be to figure out what services are running on all these open ports and which versions they are. I will quickly show a few ways to recon and record this information.

A all around swiss army knife for recon is net cat. we can use this to do some bannar grabbing and see what sort or webserver we are dealing with.


Now there is some useful info, so I will make a child of open ports called “port 80” and add that information to it as well. There are many ways of gathering intel on your target and I will not go into them all but I will show you what a Leo file looks like after a few more recon tests.


As you can see I have started to add information I find to the various fields. This method of documenting a pentest have prove extremely valuable on many occasions.  Some other things we could add are the results of nessus scans, links to exploit code or any other things which help you as the tester in the test.

This has only been a brief introduction to Leo and some of the stuff it can do. I highly encourage you to investigate some of the features more fully.