One of the biggest problems when conducting penetration tests and vulnerability assessments is the organization of all the information obtained on the test. I used to use a program called Leo to organize my information because it had a tree like interface and you well able to create a well mapped out report of all your information. A new tool was released last year which has expanded on this same method and added some other very cool features. Dradis is an open source framework to enable effective information sharing during penetration testing exercises. It provides a centralized repository of information to keep track of what has been done so far, and what is still ahead. Dradis is thus an ideal tool to help in the process of security assesments.
Dradis allows you to easily import the results from common tools such as nmap and Nessus. Dradis is built on top of the Rails framework, this goes a long way towards extending and connecting with your own tools. The newest version has added plugins for importing results for the Burp scanner and Nikto. Another useful feature is the ability to add notes to any node with comments for the rest of your team.This is especially useful to prevent many people involved in a pentest from attempting the same tasks as others already have. In the following article I will show some basics of how to get up and running with Dradis.
There are two aspects to the Dradis framework. There is a client version and a server version. I will be showing how to use the server version in this article.
Open the Information Gathering section of the Backtrack Menu and start the Dradis server:
The first time you start the server you will be prompted to set a log in and password:
This is where we start a new project for a pentest. We can give every one on the team a logon and they can log on to the Dradis server and record the results of their pentest from any where. We can also alow specific log ons to specific projects. Dradis can handle multiple pentests projects at one time.
Once the initial set up is completed you can log on to the server in the normal username/password way:
Once we log on we will see the interface for Dradis:
I have started a sample pentest called ACME bank. The great thing about the framework is that you create nodes and then each node can have child nodes. There can be as many nodes and child nodes as you want. The coolest thing about the nodes is that you can name them whatever you want so that the Dradis frame work can be manipulated to conform to your team or companies current pentest methodology. I am used to the way I used to do it in Leo which is creating a node for the test, then creating child nodes for each IP and the creating child nodes for each port. Each node can hold information about each test preformed. A second way to organize your test may be by tool and creating a child node for each tool documenting the results.
Here is the begining of my ACME bank test with a few internal IP’s:
Adding the nodes is as simple as right clicking and selecting add node or selecting add child while hovering over the node you want to be the parent. In this way we can create a map of a pentest which is very easy to read. Once again you can organize a test in any way which suites you, this is just my way.
Once you get a few nodes you can add a peliminary namp scan to the notes section of the main node:
My methodology is to run a initial scan for hosts and open ports and then I run a detailed scan with 2-3 tools each on every port so the way I document is by creating a child node for each port and then a child node for each tool I used on that port. Dradis is also capable of uploading scan files straight from Nessus or Nmap and even tools like Burp Suite. I personally prefer to arrange my data myself but in a large assessment his can get out of control quickly so uploading output tools from tools can be helpful.
Here is a sample of starting some child nodes of ports:
This is just a simple example of getting started with Dradis. There are lots of different options available. Some of the other cool features include creating custom pentest templates which reflect the testing methodology of your company.
Another cool feature is that Dradis makes it fairly simple to create custom plugins to parse almost any kind of output file from an tool. There is a section of the Dradis forums where users have submitted some custom plugins here.
Dradis is a very promising tool with lots of options for information sharing. I have stopped using my beloved Leo in favor of Dradis due to its ease, simplicity and customizable options.