Data management is half the battle for penetration testing, especially when you're auditing large networks. As a penetration tester with Cisco's Advanced Services, I've created a new open source tool called Kvasir that integrates with Metasploit Pro, Nexpose, and a bunch of other tools I use regularly to aggregate and manage the data I need. In this blog post, I'd like to give you a quick intro what Kvasir does - and to invite you to use it with Metasploit Pro.
Cisco's Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments or SPA for short, and I've been pen testing for just about as long. During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses and others. We then have to collect and document our results within the one or two weeks we are on-site and prepare a report.
How can anyone keep track of all this data, let a lone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you're writing the report but you weren't the one who did the exploit?
The answer is to build a data management application that works for you. The first iterations the SPA team created were a mixture of shell, awk, sed, tcl, perl, expect, python and whatever else engineers felt comfortable programming in. If you remember the Cisco Secure Scanner product (aka NetSonar) then our early tools were this with extra goodies.
Welcome to the 21st Century
As time moved on our tools became unfriendly to larger data sets, inter-team interaction, and support of new data types were difficult. The number of issues detected by vulnerability scanners started to increase and while we have always been able to support very large environments the edges were starting to bulge.
We don't believe this scenario is unique to us. We also don't believe current publicly available solutions really help. Most teams we've talked with have used a variant of issue tracking software (TRAC, Redmine) or just let Metasploit Pro handle everything.
We think this isn't good enough which is why we are releasing our tool, Kvasir, as open source for you to analyze, integrate, update, or ignore. We like the tool a lot and we think it fills a missing key part of penetration testing. It's not perfect but it's grown up a lot and will improve.
Kvasir is a web-based application with its goal to assist “at-a-glance” penetration testing. Disparate information sources such as vulnerability scanners, exploitation frameworks, and other tools are homogenized into a unified database structure. This allows security testers to accurately view the data and make good decisions on the next attack steps.
Multiple testers can work together on the same data allowing them to share important collected information. There's nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn't find anything “important” so it was never fully documented.
Supported Data Sources
At current release Kvasir directly supports the following tools:
- Rapid7 Nexpose Vulnerability Scanner
- Rapid7 Metasploit Pro (limited support for Express/Framework data)
- Nmap Security Scanner
- Foofus Medusa
- John The Ripper
- …and more!
Nexpose and Metasploit Pro Integration
Since the SPA team generally uses Rapid7's Nexpose and Metasploit Pro, Kvasir integrates with these tools via API. We purposefully did not incorporate some features but may have future plans for others.
The importation of Nexpose site reports is fully automated. Just pick a site and let Kvasir generate the XML report, download and parse it! After parsing, the scan file can be imported into a Metasploit Pro instance.
For Metasploit Pro results you must first generate an XML report but after that is done Kvasir will download and parse it automatically. Kvasir also supports the db_creds output and will automatically import pwdump and screenshots through the Metasploit Pro API.
Metasploit Pro's automatic Bruteforce and Exploit features can be called directly from Kvasir. Just select your list of target IP Addresses and go!
From Vulnerability to Exploit
So you have a host with a list of vulnerabilities, but what is exploitable? Metasploit Pro as well as other exploit frameworks and databases are mapped to vulnerability and CVE entries granting the user an immediate view of potential exploitation methods.
The initial screen of Kvasir shows two bar graphs detailing the distribution of vulnerabilities based on severity level count and host/severity count as well as additional statistical data:
A tag-cloud based on high-level severities (level 8 and above) is included which may help pinpoint the highest risk vulnerabilities. This is based solely on vulnerability count.
Kvasir's Host Listing page displays details such as services, vulnerability counts, operating systems, assigned groups and engineers:
Kvasir supports importing exploit data from Nexpose (Exploit Database and Metasploit) and other tools. Link to exploits from vulnerabilities and CVE assignments are made so you can get an immediate glance at what hosts/services have exploitable vulnerabilities.
The host detail page provides an immediate overview of valuable information such as services, vulnerability mapping, user accounts, and notes, all shared between testing engineers:
Of course as you collect user accounts and passwords it's nice to be able to correlate them to hosts, services, hashes and hash types, and sources.