Managing Penetration Testing Data with
Kvasir
Toorcon 15 (San Diego)
@grutz
BACKGROUND

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

2
$ whois grutz
Corporate penetration tester for ~15 years
~10 years internal with Federal Reserve and Pacific Gas & Electri...
DEFINING THE PROBLEM

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

4
Testing is all about collecting data…

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

5
As pentesters we collect a TON of data…

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

6
So you sort them into directories…
…which can be difficult to manage…

Toorcon 15 -- @grutz

Managing PT Data with Kvasir
...
Sharing data across your team
…can have its challenges

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

8
Did you get everything you need?
Great! Now write a report, monkey!

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

9
CURRENT OPTIONS?

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

10
Currently…
•
•
•
•
•
•
•

Metasploit Pro, Cobalt Strike, STRATEGIC, CORE, etc
Nexpose, Nessus, QualysGuard, Saint, Fortiga...
Issues with these tools
•

•

•

•
•

Not designed to manage PT data
•
You have to conform your data to the tool
•
Vulnera...
ENTER KVASIR

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

13
0118 999 881 999 119 725 3

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

14
ACHTUNG!
I am an ADHD coder. Large bits of Kvasir were thought of after working at a
customer’s site and developed with li...
Kvasir’s Cisco Pedigree
•

•
•

•

Recognized long ago that managing
disparate data is essential to effective
testing resu...
Design Philosophy
•
•
•
•
•
•

Take disparate data and cram it into a (mostly) consistent relational
database format.
Focu...
Benefits to using Kvasir
•
•
•

Alcohol infused coding practices
Designed by and for Penetration Testers
OPEN SOURCE! FREE...
High-level Database Design
Hosts
Accounts

Operating
Systems

CPE Data

SNMP

Services

NetBIOS

VulnDB
Exploits

Toorcon ...
Data Directory Structure
All script output is stored under “data”
Local to the web server
Session-logs/ contain ‘script’ f...
Supported Host/Vulnerability Scanners
Right Now
Nexpose
Nmap
Nessus
Metasploit (hosts only)
ShodanHQ

Horizon
QualysGuard
...
Metasploit Pro API Integration
•

•

Kvasir utilizes some MSF Pro-only API
functions:
•
Bruteforce / Exploit
•
Import XML,...
THE KVASIR WORKFLOW

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

23
Installation and setup
https://github.com/KvasirSecurity/Kvasir/wiki/Installation
•

•

Kvasir begins life as a completely...
Importing Support Data
•

•

•

Vulnerability data can be:
• Imported prior to engagement start
• Imported as part of a Vu...
Populating Engagement Data
•
•

•

Vulnerability Scanner Imports
• Import direct from scanners or files
Nmap Scanning Impo...
Valkyries
Tasks who results feed back to Kvasir
Not designed to replace Metasploit /
CANVAS / CORE, etc.
WebShot: Grab ima...
SCREENSHOTS!

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

28
Main Index

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

29
Host List

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

30
Host Detail

Terminal launch – click or hot-key L
Notes submit after enter

Flags are hot-keyed: C, D, F

Hot-key: ^N

Tab...
Services

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

32
Accounts

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

33
Windows Domain Memberships

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

34
Evidence (Screenshots, Docs, etc)

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

35
Password Statistics

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

36
Vulnerability Statistics

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

37
Vulnerability Circles
“In progress”
Diameter calculated by
service counts, CVSS details,
accounts, severity, etc

Toorcon ...
ON THE HORIZON

Toorcon 15 -- @grutz

Managing PT Data with Kvasir

39
Lots to still do…
•
•
•
•
•
•

Consistent vulnerability database (VulnDB?) that maps to vendor tags
(QID, NessusID, Nexpos...
http://github.com/KvasirSecurity/Kvasir

http://kvasirsecurity.github.io/assets/presentations/toorcon-15-kvasir.pdf

THANK...
Upcoming SlideShare
Loading in …5
×

Managing Your Pentest Data with Kvasir: Toorcon 15

7,201 views

Published on

We’ve all done it a few times. Lost that nmap scan, can’t recall what file had that account and password combination, sat in front of a screen for a few days while your co-worker gathered tons of data and didn’t share because he’s a big fat jerk.

Kvasir is a centralized, penetration tester-focused data homogenizing application to help collect, unify and make sense of the important data gathered during tests. It’s a small footprint application designed for quick deployment. It integrates directly with NeXpose and Metasploit (for now).

This application is used daily by Cisco Systems engineers on customer penetration tests. It hasn’t solved the big fat jerk problem but it has helped us work better as a team.

Presented at Toorcon 15, October 20, 2013

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
7,201
On SlideShare
0
From Embeds
0
Number of Embeds
3,039
Actions
Shares
0
Downloads
37
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Managing Your Pentest Data with Kvasir: Toorcon 15

  1. 1. Managing Penetration Testing Data with Kvasir Toorcon 15 (San Diego) @grutz
  2. 2. BACKGROUND Toorcon 15 -- @grutz Managing PT Data with Kvasir 2
  3. 3. $ whois grutz Corporate penetration tester for ~15 years ~10 years internal with Federal Reserve and Pacific Gas & Electric 5 years consulting to customers for Developed Squirtle, the NTLM Attack tool Smashed up some Huawei/H3C/HP gear Toorcon 15 -- @grutz Managing PT Data with Kvasir 3
  4. 4. DEFINING THE PROBLEM Toorcon 15 -- @grutz Managing PT Data with Kvasir 4
  5. 5. Testing is all about collecting data… Toorcon 15 -- @grutz Managing PT Data with Kvasir 5
  6. 6. As pentesters we collect a TON of data… Toorcon 15 -- @grutz Managing PT Data with Kvasir 6
  7. 7. So you sort them into directories… …which can be difficult to manage… Toorcon 15 -- @grutz Managing PT Data with Kvasir 7
  8. 8. Sharing data across your team …can have its challenges Toorcon 15 -- @grutz Managing PT Data with Kvasir 8
  9. 9. Did you get everything you need? Great! Now write a report, monkey! Toorcon 15 -- @grutz Managing PT Data with Kvasir 9
  10. 10. CURRENT OPTIONS? Toorcon 15 -- @grutz Managing PT Data with Kvasir 10
  11. 11. Currently… • • • • • • • Metasploit Pro, Cobalt Strike, STRATEGIC, CORE, etc Nexpose, Nessus, QualysGuard, Saint, Fortigate, etc ThreadFix, Archer, RiskIO, Secunia VIM, etc Issue / Bug tracking tools (and their wikis) • TRAC, Redmine, Bugzilla, etc Wikis! Spreadsheets! Roll your own! Toorcon 15 -- @grutz Managing PT Data with Kvasir 11
  12. 12. Issues with these tools • • • • • Not designed to manage PT data • You have to conform your data to the tool • Vulnerability Management != Penetration Test Data! Requires enhancements / add-ons • Develop your own add-ons • Maintain support and training Changes are difficult to implement • No access to source code for when things break • High complexity, vendor demands, delays “In the cloud” or “vendor hosted” solutions Spreadsheets??? Really?!?! Toorcon 15 -- @grutz Managing PT Data with Kvasir 12
  13. 13. ENTER KVASIR Toorcon 15 -- @grutz Managing PT Data with Kvasir 13
  14. 14. 0118 999 881 999 119 725 3 Toorcon 15 -- @grutz Managing PT Data with Kvasir 14
  15. 15. ACHTUNG! I am an ADHD coder. Large bits of Kvasir were thought of after working at a customer’s site and developed with little sleep and lots of caffeine and/or alcohol. I am also not a really good UI coder. Toorcon 15 -- @grutz Managing PT Data with Kvasir 15
  16. 16. Kvasir’s Cisco Pedigree • • • • Recognized long ago that managing disparate data is essential to effective testing results Began from our acquisition of “The Wheel Group” back in 1999 Multiple iterations: • AttackAll, AutoSPA, Halo/Banshee, AutoSPAng Close source / proprietary Toorcon 15 -- @grutz Managing PT Data with Kvasir 16
  17. 17. Design Philosophy • • • • • • Take disparate data and cram it into a (mostly) consistent relational database format. Focus on PENETRATION TEST tools and data Be quick Be adaptable Try not to get in the way of the hacking No cross-contamination of customer data Toorcon 15 -- @grutz Managing PT Data with Kvasir 17
  18. 18. Benefits to using Kvasir • • • Alcohol infused coding practices Designed by and for Penetration Testers OPEN SOURCE! FREE!!! Data access through web2py shell == awesome! http://web2py.com/books/default/chapter/29/06/the-databaseabstraction-layer Toorcon 15 -- @grutz Managing PT Data with Kvasir 18
  19. 19. High-level Database Design Hosts Accounts Operating Systems CPE Data SNMP Services NetBIOS VulnDB Exploits Toorcon 15 -- @grutz Evidence References Managing PT Data with Kvasir 19
  20. 20. Data Directory Structure All script output is stored under “data” Local to the web server Session-logs/ contain ‘script’ file output from launched terminals Toorcon 15 -- @grutz Managing PT Data with Kvasir 20
  21. 21. Supported Host/Vulnerability Scanners Right Now Nexpose Nmap Nessus Metasploit (hosts only) ShodanHQ Horizon QualysGuard Metasploit Pro (Webscan) BurpSuite Pro (Report XML) Others? Toorcon 15 -- @grutz Managing PT Data with Kvasir 21
  22. 22. Metasploit Pro API Integration • • Kvasir utilizes some MSF Pro-only API functions: • Bruteforce / Exploit • Import XML, PWDUMP, Screenshots • Sending Accounts / Scan data results TODO: • Sending exploits to Framework API • Direct MSF DB access (who uses ‘pass’ as a field name? MSF!) Toorcon 15 -- @grutz Managing PT Data with Kvasir 22
  23. 23. THE KVASIR WORKFLOW Toorcon 15 -- @grutz Managing PT Data with Kvasir 23
  24. 24. Installation and setup https://github.com/KvasirSecurity/Kvasir/wiki/Installation • • Kvasir begins life as a completely blank slate • You must add users, CPE, Vulndata, Exploits, etc • Mostly automated through parts of the UI For multiple team members on a test: • One central person runs the SQL database • All team members have their own Kvasir instance and point to the SQL DB in settings.database_uri Toorcon 15 -- @grutz Managing PT Data with Kvasir 24
  25. 25. Importing Support Data • • • Vulnerability data can be: • Imported prior to engagement start • Imported as part of a Vulnerability Scan results Exploits XML data imported: • Nexpose’s exploits.xml file • ImmunitySec CANVAS download / file CPE OS Data • Downloaded and parsed from MITRE Toorcon 15 -- @grutz Managing PT Data with Kvasir 25
  26. 26. Populating Engagement Data • • • Vulnerability Scanner Imports • Import direct from scanners or files Nmap Scanning Imports • Import XML output file (-oX) • Kick-off a scan and import the results Bruteforce/Account Tools • THC Hydra • Medusa • Metasploit creds.csv output • PW recovery tool output (John POT, user:password, etc) Toorcon 15 -- @grutz Managing PT Data with Kvasir 26
  27. 27. Valkyries Tasks who results feed back to Kvasir Not designed to replace Metasploit / CANVAS / CORE, etc. WebShot: Grab images of HTTP instance using phantomjs VNCShot: Grab images of open VNC Servers using vncdotool Others planned, just not completed Toorcon 15 -- @grutz Managing PT Data with Kvasir 27
  28. 28. SCREENSHOTS! Toorcon 15 -- @grutz Managing PT Data with Kvasir 28
  29. 29. Main Index Toorcon 15 -- @grutz Managing PT Data with Kvasir 29
  30. 30. Host List Toorcon 15 -- @grutz Managing PT Data with Kvasir 30
  31. 31. Host Detail Terminal launch – click or hot-key L Notes submit after enter Flags are hot-keyed: C, D, F Hot-key: ^N Tabs switch with hot-keys: a, s, v, e, o, t, m, b Toorcon 15 -- @grutz Managing PT Data with Kvasir 31
  32. 32. Services Toorcon 15 -- @grutz Managing PT Data with Kvasir 32
  33. 33. Accounts Toorcon 15 -- @grutz Managing PT Data with Kvasir 33
  34. 34. Windows Domain Memberships Toorcon 15 -- @grutz Managing PT Data with Kvasir 34
  35. 35. Evidence (Screenshots, Docs, etc) Toorcon 15 -- @grutz Managing PT Data with Kvasir 35
  36. 36. Password Statistics Toorcon 15 -- @grutz Managing PT Data with Kvasir 36
  37. 37. Vulnerability Statistics Toorcon 15 -- @grutz Managing PT Data with Kvasir 37
  38. 38. Vulnerability Circles “In progress” Diameter calculated by service counts, CVSS details, accounts, severity, etc Toorcon 15 -- @grutz Managing PT Data with Kvasir 38
  39. 39. ON THE HORIZON Toorcon 15 -- @grutz Managing PT Data with Kvasir 39
  40. 40. Lots to still do… • • • • • • Consistent vulnerability database (VulnDB?) that maps to vendor tags (QID, NessusID, Nexpose ID) Additional vulnerability scanner support Metasploit to release their new MDM structure Maltego Integration Probably an overhaul of the user interface Whatever is in TODO.md that I thought of while sleepless on a 10hr flight back home Toorcon 15 -- @grutz Managing PT Data with Kvasir 40
  41. 41. http://github.com/KvasirSecurity/Kvasir http://kvasirsecurity.github.io/assets/presentations/toorcon-15-kvasir.pdf THANK YOU! Toorcon 15 -- @grutz Managing PT Data with Kvasir 41

×