Cisco’s Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments, or SPA for short, and I’ve been pen testing for just about as long. I’ll let you in on a little secret about penetration testing: it gets messy!
During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. We then have to collect and document our results within the one or two weeks we are on site and prepare a report.
How can anyone keep track of all this data, let alone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you’re writing the report but you weren’t the one who did the exploit?
The answer is to build a data management application that works for you. The first iterations the SPA team created were a mixture of shell, awk, sed, tcl, perl, expect, python and whatever else engineers felt comfortable programming in. If you remember the Cisco Secure Scanner product (aka NetSonar) then our early tools were this with extra goodies.
Welcome to the 21st Century
As time moved on our tools became unfriendly to larger data sets, inter-team interaction, and support of new data types were difficult. The number of issues detected by vulnerability scanners started to increase and while we have always been able to support very large environments, the edges were starting to bulge.
We don’t believe this scenario is unique to us. We also don’t believe current publicly available solutions really help. Most teams we’ve talked with have used a variant of issue tracking software (TRAC, Redmine) or just let Metasploit Pro handle everything.
We think this isn’t good enough which is why we are releasing our tool, Kvasir, as open source for you to analyze, integrate, update, or ignore. We like the tool a lot and we think it fills a missing key part of penetration testing. It’s not perfect but it’s grown up a lot and will improve.
Kvasir is a web-based application with its goal to assist “at-a-glance” penetration testing. Disparate information sources such as vulnerability scanners, exploitation frameworks, and other tools are homogenized into a unified database structure. This allows security testers to accurately view the data and make good decisions on the next attack steps.
Multiple testers can work together on the same data allowing them to share important collected information. There’s nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn’t find anything “important” so it was never fully documented.
Supported Data Sources
At current release, Kvasir directly supports the following tools:
- Rapid7 Nexpose Vulnerability Scanner
- Nmap Security Scanner
- Metasploit Pro (limited support for Express/Framework data)
- ImmunitySec CANVAS
- Foofus Medusa
- John The Ripper
- …and more!
There are obviously some gaps here but these are the primary tools we use. Support for scanners such as Nessus, QualysGuard, SAINT, and others are in various stages of development already, just not completed at this time.
Nexpose and Metasploit Pro Integration
Since the SPA team generally uses Rapid7’s Nexpose and Metasploit Pro Kvasir integrates the use of these tools via their API. We purposefully did not incorporate some features but may have future plans for others.
The importation of Nexpose site reports is fully automated. Just pick a site and let Kvasir generate the XML report, download, and parse it! After parsing, the scan file can be imported into a Metasploit Pro instance.
For Metasploit Pro results you must first generate an XML report but after that is done Kvasir will download and parse it automatically. Kvasir also supports the db_creds output and will automatically import pwdump and screenshots through the Metasploit Pro API.
Metasploit Pro’s automatic Bruteforce and Exploit features can be called directly from Kvasir. Simply select your list of target addresses, click a few buttons, and go take a rest! You’ve earned it!
From Vulnerability to Exploit
So you have a host with a list of vulnerabilities, but what is exploitable? Exploit frameworks such as Metasploit Pro and CANVAS as well as the Exploit Database archive from Offensive Security are mapped to vulnerability and CVE entries granting the user an immediate view of potential exploitation methods. CORE Impact’s list of exploits is being researched for inclusion.
The initial screen of Kvasir shows two bar graphs detailing the distribution of vulnerabilities based on severity level count and host/severity count as well as additional statistical data:
A tag-cloud based on high-level severities (level 8 and above) is included which may help pinpoint the highest risk vulnerabilities. This is based solely on vulnerability count.
Kvasir’s Host Listing page displays details such as services, vulnerability counts, operating systems, assigned groups, and engineers:
Kvasir supports importing exploit data from Nexpose (Exploit Database and Metasploit) and CANVAS. Link to exploits from vulnerabilities and CVE assignments are made so you can get an immediate glance at what hosts/services have exploitable vulnerabilities:
The host detail page provides an immediate overview of valuable information such as services, vulnerability mapping, user accounts, and notes, all shared between testing engineers:
Of course as you collect user accounts and passwords it’s nice to be able to correlate them to hosts, services, hashes and hash types, and sources:
Features not shown:
- Windows Domain information management
- Evidence management (screenshots, documents, password files)
- XML and Microsoft XLSX export of data
- Detailed vulnerability, service and password statistics
- Use of Common Platform Enumeration for Operating Systems
- Vulnerability Circles (development in-progress) for a graphical view of exploitable risks
- Third-party credential management (John the Ripper .pot files, hydra and medusa output files, and other structured file imports)
- Long-running scheduler tasks
- Terminal launching for elite haxx0ring and audit trails
Show Me the Code!
The source code is available now at https://github.com/KvasirSecurity/Kvasir. Fork, Install, Review, Contribute!