Probably one of the first things you find out when you transition from “This is fun. Let’s learn some stuff about ethical hacking,” to breaking into doing it professionally is that it’s imperative to keep track of everything. Clients are going to want a little more information than “Oh look, I broke in! I’m so cool!” They are going to want an in-depth report (a whole new skill to learn). Thus, keeping records of what you did as you do it becomes a vital part of the job. Additionally, whether working on a pentest, playing red at a cyber defense competition, or pretty much any other large project, chances are you will find yourself working on a team. In school, after working on team-based projects, “Communication among team members is vital to the success of the project” was always at the top of my list of lessons learned. That’s where the Dradis Framework comes into play.

The Dradis Framework is an open source tool, developed in Ruby, aimed at penetration testers. As stated in a previous post, Dradis is all set up and ready to go on Backtrack 4, though the Dradis team recently released a new version with some exciting new features, so it might be time to set up persistent changes on your pentest box, if you haven’t already, and to upgrade. If you aren’t using Backtrack 4, do not despair. Dradis runs on several versions of Linux, Windows, and Mac. Additionally, the Dradis team provides excellent support for getting the framework set up. With a few prerequisites, you’ll be ready to get started conducting well-organized pentests.

Dradis allows you to easily import the results from common tools such as Nmap and Nessus. The newest version has added plugins for importing results from the Burp scanner and Nikto. Another useful feature is the ability to add notes to any node with comments for the rest of your team like, “I tried Metasploit module X against this, but no cigar.” This helps to cut down on overlap among team members if everyone notes what they’ve done and what they think looks interesting but haven’t gotten around to fully exploring.

I have found Dradis to be especially useful playing red team during cyber defense exercises. It’s a fast-paced, high-stress scenario, often with multiple target networks that you need to hit as equally as possible. Also, the team is often made up of people you aren’t used to working with, so the rapport built through working together every day isn’t there. A centralized place where everyone can see what has been done and what still needs to be done, again, reduces overlap and wasted time. So if organizing your pentests is getting you down, Dradis might just be the solution you’ve been looking for.