
Cisco’s Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments, or SPA for short, and I’ve been pen testing for just about as long. I’ll let you in on a little secret about penetration testing: it gets messy!

During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. We then have to collect and document our results within the one or two weeks we are on site and prepare a report.

How can anyone keep track of all this data, let alone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you’re writing the report but you weren’t the one who did the exploit?

The answer is to build a data management application that works for you. The first iterations the SPA team created were a mixture of shell, awk, sed, tcl, perl, expect, python and whatever else engineers felt comfortable programming in. If you remember the Cisco Secure Scanner product (aka NetSonar) then our early tools were this with extra goodies.

Welcome to the 21st Century

As time moved on, our tools became unfriendly to larger data sets, collaboration between team members was awkward, and adding support for new data types was difficult. The number of issues detected by vulnerability scanners kept increasing, and while we have always been able to support very large environments, the edges were starting to bulge.

We don’t believe this scenario is unique to us. We also don’t believe current publicly available solutions really help. Most teams we’ve talked with have used a variant of issue tracking software (TRAC, Redmine) or just let Metasploit Pro handle everything.

We think this isn’t good enough which is why we are releasing our tool, Kvasir, as open source for you to analyze, integrate, update, or ignore. We like the tool a lot and we think it fills a missing key part of penetration testing. It’s not perfect but it’s grown up a lot and will improve.

What’s Kvasir?

Kvasir is a web-based application whose goal is to assist “at-a-glance” penetration testing. Disparate information sources such as vulnerability scanners, exploitation frameworks, and other tools are homogenized into a unified database structure. This allows security testers to view the data accurately and make good decisions about the next attack steps.

Multiple testers can work together on the same data allowing them to share important collected information. There’s nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn’t find anything “important” so it was never fully documented.

Supported Data Sources

At current release, Kvasir directly supports the following tools:

There are obviously some gaps here but these are the primary tools we use. Support for scanners such as Nessus, QualysGuard, SAINT, and others are in various stages of development already, just not completed at this time.

Nexpose and Metasploit Pro Integration

Since the SPA team generally uses Rapid7’s Nexpose and Metasploit Pro, Kvasir integrates these tools via their APIs. We purposefully did not incorporate some features, but may have future plans for others.

The importation of Nexpose site reports is fully automated. Just pick a site and let Kvasir generate the XML report, download, and parse it! After parsing, the scan file can be imported into a Metasploit Pro instance.

For Metasploit Pro results you must first generate an XML report but after that is done Kvasir will download and parse it automatically. Kvasir also supports the db_creds output and will automatically import pwdump and screenshots through the Metasploit Pro API.

Metasploit Pro’s automatic Bruteforce and Exploit features can be called directly from Kvasir. Simply select your list of target addresses, click a few buttons, and go take a rest! You’ve earned it!

From Vulnerability to Exploit

So you have a host with a list of vulnerabilities, but what is exploitable? Exploit frameworks such as Metasploit Pro and CANVAS as well as the Exploit Database archive from Offensive Security are mapped to vulnerability and CVE entries granting the user an immediate view of potential exploitation methods. CORE Impact’s list of exploits is being researched for inclusion.

Screenshots!

The initial screen of Kvasir shows two bar graphs detailing the distribution of vulnerabilities based on severity level count and host/severity count as well as additional statistical data:

[Screenshot: Kvasir_screen_shot_1, the initial dashboard with severity bar graphs and statistics]

A tag-cloud based on high-level severities (level 8 and above) is included which may help pinpoint the highest risk vulnerabilities. This is based solely on vulnerability count.

Kvasir’s Host Listing page displays details such as services, vulnerability counts, operating systems, assigned groups, and engineers:

[Screenshot: Kvasir_screen_shot_2, the Host Listing page]

Kvasir supports importing exploit data from Nexpose (Exploit Database and Metasploit) and CANVAS. Links from vulnerabilities and CVE assignments to exploits are made so you can see at a glance which hosts and services have exploitable vulnerabilities:

[Screenshot: Kvasir_screen_shot_3, vulnerability-to-exploit mapping]
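To make the “homogenized into a unified database structure” and “mapped to vulnerability and CVE entries” parts concrete, here is an added example (not Kvasir’s own code) that parses a scanner XML report into hosts, services, vulnerabilities and findings, then joins findings to an exploit catalogue by CVE and produces the high-severity count used by the tag cloud. The report schema is a simplified stand-in loosely modelled on a Nexpose XML export; the element names, vulnerability ids, CVE numbers and exploit module names are placeholders constructed for the example, not real identifiers.

```python
"""Added example (not Kvasir code): unify scanner output and map findings to
exploits by CVE. Schema, ids and CVE numbers below are constructed placeholders."""
import xml.etree.ElementTree as ET
from collections import Counter, namedtuple

# Constructed sample report, loosely modelled on a Nexpose XML export.
SAMPLE_REPORT = """<?xml version="1.0"?>
<ScanReport>
 <nodes>
  <node address="10.0.0.5">
   <fingerprints><os family="Windows" product="Windows Server 2003"/></fingerprints>
   <endpoints>
    <endpoint protocol="tcp" port="445"><services><service name="CIFS">
     <tests><test id="vuln-smb-001" status="vulnerable-exploited"/></tests>
    </service></services></endpoint>
    <endpoint protocol="tcp" port="80"><services><service name="HTTP">
     <tests><test id="vuln-http-002" status="vulnerable-version"/>
            <test id="vuln-http-004" status="not-vulnerable"/></tests>
    </service></services></endpoint>
   </endpoints>
  </node>
  <node address="10.0.0.9">
   <fingerprints><os family="Linux" product="Ubuntu"/></fingerprints>
   <endpoints>
    <endpoint protocol="tcp" port="22"><services><service name="SSH">
     <tests><test id="vuln-ssh-003" status="vulnerable-version"/></tests>
    </service></services></endpoint>
   </endpoints>
  </node>
 </nodes>
 <VulnerabilityDefinitions>
  <vulnerability id="vuln-smb-001" title="SMB remote code execution" severity="10">
   <references><reference source="CVE">CVE-0000-0001</reference></references>
  </vulnerability>
  <vulnerability id="vuln-http-002" title="Web server information leak" severity="4">
   <references><reference source="CVE">CVE-0000-0002</reference></references>
  </vulnerability>
  <vulnerability id="vuln-ssh-003" title="SSH outdated version" severity="8"/>
  <vulnerability id="vuln-http-004" title="Directory listing enabled" severity="3"/>
 </VulnerabilityDefinitions>
</ScanReport>
"""

# Constructed exploit catalogue keyed by CVE, standing in for the Metasploit,
# CANVAS and Exploit-DB mappings Kvasir imports. Module names are placeholders.
EXPLOIT_CATALOG = {
    "CVE-0000-0001": [("metasploit", "exploit/windows/smb/placeholder_module")],
}

# Unified model: one row type each for vulnerability definitions, hosts and findings.
Vuln = namedtuple("Vuln", "vid title severity cves")
Host = namedtuple("Host", "address os services")          # services: port -> name
Finding = namedtuple("Finding", "address port service vid status")

def parse_report(xml_text):
    """Return (hosts, vulns, findings). Only 'vulnerable-*' test results become findings."""
    root = ET.fromstring(xml_text)
    vulns = {}
    for v in root.iter("vulnerability"):
        cves = [r.text for r in v.iter("reference") if r.get("source") == "CVE"]
        vulns[v.get("id")] = Vuln(v.get("id"), v.get("title"), int(v.get("severity")), cves)
    hosts, findings = {}, []
    for node in root.iter("node"):
        addr = node.get("address")
        osel = node.find("fingerprints/os")
        host = Host(addr, osel.get("product") if osel is not None else "unknown", {})
        for ep in node.iter("endpoint"):
            port = int(ep.get("port"))
            for svc in ep.iter("service"):
                host.services[port] = svc.get("name")
                for t in svc.iter("test"):
                    if t.get("status", "").startswith("vulnerable"):
                        findings.append(Finding(addr, port, svc.get("name"), t.get("id"), t.get("status")))
        hosts[addr] = host
    return hosts, vulns, findings

def exploitable(findings, vulns, catalog=EXPLOIT_CATALOG):
    """(address, port, vuln id, CVE, framework, exploit) for findings with a known exploit."""
    out = []
    for f in findings:
        for cve in vulns[f.vid].cves:
            for framework, name in catalog.get(cve, []):
                out.append((f.address, f.port, f.vid, cve, framework, name))
    return out

def high_severity_counts(findings, vulns, threshold=8):
    """Vulnerability title -> affected host/service count for severity >= threshold.
    This is the tag-cloud view: ranked by count alone, not by exploitability."""
    return Counter(vulns[f.vid].title for f in findings if vulns[f.vid].severity >= threshold)
```

Note the two different questions the model answers: `high_severity_counts` ranks by how often a severe issue appears (the tag cloud), while `exploitable` only reports findings that carry a CVE with a mapped exploit. In the sample the SSH issue scores severity 8 but has no CVE reference and so never appears as exploitable, which is exactly the gap the vulnerability-to-exploit view is meant to expose.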

The host detail page provides an immediate overview of valuable information such as services, vulnerability mapping, user accounts, and notes, all shared between testing engineers:

[Screenshot: Kvasir_screen_shot_4, the host detail page]

Of course as you collect user accounts and passwords it’s nice to be able to correlate them to hosts, services, hashes and hash types, and sources:

[Screenshot: Kvasir_screen_shot_5, account and password correlation]

[Screenshot: Kvasir_screen_shot_6, account and password correlation, continued]
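The credential correlation described above, and the “my co-worker cracked it two days ago” problem from earlier in the post, come down to keying every captured account on the hash itself. The following added example (not Kvasir’s own code) parses pwdump-format lines such as those Metasploit produces, classifies the hash type, stores each credential against its host, service and source without creating duplicates when a second tester imports the same dump, and lets anyone look up whether a hash has already been cracked or is reused across hosts. The usernames, RIDs and non-empty hash values are constructed placeholders; only the empty-password LM hash constant is a real, well-known value.

```python
"""Added example (not Kvasir code): pwdump parsing, hash-type classification and
team-wide credential correlation. Sample accounts and hashes are constructed."""
import re

# Well-known LM hash of an empty password: pwdump emits it when no LM hash is stored,
# so it must not be recorded as a crackable credential.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

# Constructed sample dumps in pwdump format (user:rid:lmhash:nthash:::).
DUMP_HOST_A = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:a1b2c3d4e5f60718293a4b5c6d7e8f90:fedcba9876543210fedcba9876543210:::
"""
DUMP_HOST_B = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:89abcdef0123456789abcdef01234567:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""

_HASH_PATTERNS = [
    ("sha512crypt", re.compile(r"^\$6\$[^$]{1,16}\$[./0-9A-Za-z]{86}$")),
    ("md5crypt", re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$")),
    ("ntlm", re.compile(r"^[0-9a-f]{32}$")),  # LM looks identical; pwdump position decides
]

def classify_hash(value):
    """Best-effort hash type from the value alone; 'unknown' rather than a guess."""
    for name, pat in _HASH_PATTERNS:
        if pat.match(value):
            return name
    return "unknown"

class Credential(tuple):
    """Immutable record: (host, service, username, secret, hash_type, source)."""
    __slots__ = ()
    def __new__(cls, host, service, username, secret, hash_type, source):
        return super().__new__(cls, (host, service, username, secret, hash_type, source))
    host = property(lambda s: s[0]); service = property(lambda s: s[1])
    username = property(lambda s: s[2]); secret = property(lambda s: s[3])
    hash_type = property(lambda s: s[4]); source = property(lambda s: s[5])

def parse_pwdump(text, host, source, service="smb"):
    """One ntlm Credential per line, plus an lm Credential only when a real LM hash is stored."""
    creds = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue                      # not a pwdump record
        user, _rid, lm, nt = parts[:4]
        lm, nt = lm.lower(), nt.lower()
        if classify_hash(nt) != "ntlm":
            continue                      # malformed hash field
        creds.append(Credential(host, service, user, nt, "ntlm", source))
        if lm != EMPTY_LM and classify_hash(lm) == "ntlm":
            creds.append(Credential(host, service, user, lm, "lm", source))
    return creds

class CredentialStore:
    """Team-shared store keyed on (host, service, user, secret): re-importing the same
    dump, by any tester, never produces a duplicate record; the first source is kept."""
    def __init__(self):
        self._creds = {}
        self._cracked = {}   # secret -> (cleartext, who cracked it)

    def add_many(self, creds):
        for c in creds:
            self._creds.setdefault((c.host, c.service, c.username, c.secret), c)

    def record_crack(self, secret, cleartext, source):
        self._cracked[secret.lower()] = (cleartext, source)

    def cracked(self, cred):
        """Cleartext for this credential if anyone on the team has cracked the same hash."""
        return self._cracked.get(cred.secret)

    def by_host(self, host):
        return sorted((c for c in self._creds.values() if c.host == host),
                      key=lambda c: (c.username, c.hash_type))

    def reuse(self):
        """secret -> sorted (host, user) pairs, for hashes seen on more than one host."""
        seen = {}
        for c in self._creds.values():
            seen.setdefault(c.secret, set()).add((c.host, c.username))
        return {s: sorted(v) for s, v in seen.items() if len({h for h, _ in v}) > 1}

    def __len__(self):
        return len(self._creds)
```

Two practitioner details are built in: the empty LM hash is skipped rather than queued for cracking, and a 32-hex value is only labelled LM or NTLM by its position in the pwdump line, because the two are indistinguishable by pattern. The `reuse` view is the at-a-glance win: once one tester records a crack for a hash, `cracked()` answers for every host where that hash appears.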

Features not shown:

Show Me the Code!

The source code is available now at https://github.com/KvasirSecurity/Kvasir. Fork, Install, Review, Contribute!


23 Comments.


  1. I found this, as a layman, informative and useful.


  2. Nice to see the next generation of “AutoSPA” ;-)


  3. Long live AutoSPA!


  4. Dear Kurt Grutzmacher,
    Thank you for putting this on GitHub, but please reconsider your “mugshot”; I am sure you are a nice guy...


  5. So along the same lines as Denim Group’s ThreadFix Open Source Software Vulnerability Management Tool... just different and similar tools supported.


    • Exactly: https://code.google.com/p/threadfix/

      It would perhaps be better if the 2 projects combined time and resources to create 1 good project/tool instead of 2 projects which still have to work on supporting most of the known vulnerability scanners.
      (I see that Threadfix got most of them already covered – not OpenVAS yet)

      Anyhow, good news that there is a big vendor or someone of a big vendor also looking into this.


  6. Great job Kurt! It is very cool to see the new generation of tools y’all are using.


  7. Great work!! Good luck.


  8. Really nice tool, not production ready as threadfix, that we already use, but nice to have a choice! We also sent you some bug reports on https://github.com/KvasirSecurity/Kvasir/issues

    Francesco “ascii” Ongaro
    http://www.isgroup.biz / http://www.easyaudit.org


    • Kurt Grutzmacher

      To be honest I see ThreadFix and Kvasir working towards different overall purposes. There are things we can learn from each other, no doubt, but if you’re looking for a comprehensive Vulnerability Management tool by all means Kvasir may not be the right tool at this time.

      If you want a quick and adaptive penetration data management tool, that’s what Kvasir is all about.


  9. I look forward to seeing it in action!


  10. Hi sir, I’ve downloaded and configured Kvasir to run, but I cannot integrate my Metasploit Framework. Please can you release a user manual to install!!


  11. Great job and good luck :) :)


  12. Looks great, but the installation instructions are confusing:

    Different here https://github.com/KvasirSecurity/Kvasir

    to here https://github.com/KvasirSecurity/Kvasir/wiki/Installation

    and even on the wiki installation page they tell you to clone from https://github.com/CiscoSystems/kvasir.git Kvasir and https://github.com/KvasirSecurity/kvasir.git

    So clearer instructions (or a VM) would be nice

    Other than that keep up the good work and thanks for sharing


    • Kurt Grutzmacher

      Thanks for catching the error, I’ve corrected the wiki entry.

      After I shore up the Nessus support I’ll focus on a more screenshot-heavy installation wiki as well as other documentation.


  13. Great job, thanks for the sharing of this article.


  14. When I try to access the wiki link, it redirects me to /kvasir/default/wiki/_create/index and just shows a “401 UNAUTHORIZED” page. Do you have any suggestions on how I can get this functionality working?


  15. Very Interesting!


  16. Great work Kurt!!!


  17. Really nice.

    I used this on a pentest recently and it’s been very useful. I have a few issues that I’d like to submit code to improve – but do you have a rough roadmap for where you are taking the tool – eg user comments?

    I want to make sure I’m not coding something that you are already working on :)

