Hello friends, today in this article we are going to familiarize
you with one of the most vital tool of Kali that everybody needs in today’s
era.
Eliminating bugs or finding any issue, is use to cover by
everyone in their journey of pentesting. But apart from this one should also
want to indulge own self into a task that need to perform in wide range i.e.
“report writing”.
Writing a good report is an essential ability,
almost an art, for penetration testers, and as for all the skills, can be enhanced
through practice. There are many tools that helps for report writing but in
this tutorial we are going to use “Dradis”.
Table of
content
·
Introduction to report writing
·
What is Dradis
·
Working with Dradis
·
Conclusion
Report Writing
Penetration testing report is the core deliverable in any
security valuation action. In this, the final deliverable is the report which
shows the service provided, the methodology used, findings/results and the
recommendation. This can be achieved by the use of many tools that Kali
supports.
Similarly we are going to cover one of such tool in this
tutorial i.e. “Dradis”.
What is Dradis?
The Dradis framework is an open source collaboration and
reporting platform for IT security experts. It is a platform independent tool
developed in Ruby. In other word we can also say that It is a tool that helps for
putting information together at one place.It also tends us the ability to
organize all the information at one place. It allows us not only to import but
also export output from the various tools that it supports.
Dradis is comprises with list of tool like: "Burp
scanner, Nessus, NeXpose, Nikto, Nmap, and many more that are pretty common in
doing penetration testing or ethical hacking.
Working with Dradis
In the next few steps, we will learn how to use Dradis.
For begin this journey first we need to find Dradis. This can be done by two
method.
First Method:
In this method we will just write dradis on Kali terminal
and this will take you to its active status. Once this will be completed then it
will take you to to its browser for login.
Dradis is a self-contained web application. Hence, it
will automatically open in the browser. The URL is
https://127.0.0.1:3000.
dradis
Second Method:
For attaining this method you need to Launch the Kali-Linux
tool after that Click on “Applications”, go to “Reporting Tools” and click on
“Dradis”.
Next step is to create a server password to access the
application. Then enter the credentials which we configured for server
We are logged into the Dradis framework
successfully. Now as in below screenshot you can see it’s showing three main
operations that can be help in any report writing i.e. “all issues,
methodologies, trash, nodes” so, we will use all these operations as per
requirement of task in.
All issues: In
this we have many options like we can add any issue manually, upload output,
import result from library. These option also can help to import result of any
tool in dradis.
Methodologies:
When it comes to penetration testing methodologies
you can basically narrow the field down to three. These are:
·
Open Source Security Testing Methodology Manual
(OSSTMM)
·
Penetration Testing Execution Standard (PTES)
·
National Institute of Standards and Technology
While all three are good methodologies but PTES and NIST
800-115 provide a bit more flexibility during penetration tests. Also, the
methodologies more closely align with what’s taught in security course
curriculum such as SANS. So whenever we need to add any methodology then we can
use this option as reference.
Now, we will start on working with dradis. For begin this
first we will create a new node by clicking on “nodes” tab after that click on
the newly created node and then click the “add subnode” option to add
sub-branch under a newly created node. Follow the same process to create
multiple node and sub node as per your requirement.
We can create a tree as per our convenience. In the below
screenshot, I have created two main node i.e. “Exploit” and “Host IP” which is
sub-divided into metasploit, scanning and nmap. As shown below.
Upload File
After successful completion of creating no. of nodes and
sub-nodes now our next step is to upload output of file with the help of tool.
For this first we need to select name of tool which we
have used. In this we have used nmap so I will choose this option by using drop
down button of “choose tool”.
After this we will search for the file that need to
upload and then click to open button at the top of screen.
Once the process of uploading the will completed then you
can see its output result in its output console as shown in below image.
To view the file, double-click the uploaded image and a new
tab will be open in the browser to display the uploaded screenshot.
Similarly, we can upload scan results of other tools like
Nessus, Burp, Nikto, Owasp ZAP, etc.
To view entire details of your result you can plugin.output
option as shown below. In the below image its showing the result of nmap scan
which I have saved in my file “scan.xml”
Creating notes
If you want to add description about what you have done in
each nodes and sub-nodes then it can simply done by following below steps:
·
Select node
·
Click on notes
·
Click on add notes
·
Write description in space that is provided
·
Click on create note to confirm it.
In below image I have mentioned “IP” of my host machine as
my note description. Similarly you can create note for any of node or sub-node
to briefly describe your report. After
creating your notes you can further edit, delete, and rename it as per desire.
You can also add any of attachment, screenshot or image by simply drag and drop
to attachment field.
This article focused on main objective of using “Dradis” for
creating any report rest all the options like “adding Issues, Methodologies”
can be further use by user as per requirements.
0 comments:
Post a Comment