Advanced Ethical Hacking - Dradis Results Tracking Tutorial

2.1 Acquiring Dradis

We're going to install Dradis Framework. And of course, to begin we're just going to go pick up the Dradis Framework. And while we're going there I'll explain what the purpose of doing that is. The Dradis Framework is Actually an organizational tool for putting information together in one place. So as we're going through a penetration test and doing ethical hacking, there are a number of tools that we'll be using and of course, all of these different tools will provide output. In addition to that, we'll be doing a lot of Manual testing. And we'll want to make notes of the different things that we find. And be able to keep those organized somewhere. So Dradis actually provides us the ability to organize all of this information in one place. And we can not only import The output from the various tools. So you can see here it supports Burp scanner, Nessus, NeXpose, Nikto, Nmap, OpenVas, OSVDB, Retina, SureCheck. And a number of other tools that are pretty common in doing penetration testing or ethical hacking. So We've got this Dradis framework, and it gives us the ability to import all of the data from all of these. And as it says here, it provides a centralized repository of information. So we know that what we have done and what we need to do. And along the way, of course, we can keep notes In terms of what we've done and where we're going and the things that we actually want to focus in on. Some of these tools can provide a lot of information, and so, it's really helpful to have one place to have one place to keep that information so that we can To be able to reference things easily. And having one place to put all of this data gives us the ability to cross reference information as well. So I'm here at the Dradis framework website. And you can see on the right-hand side there's a download link. And we're just going to download The installer for Windows in this case. Now, Dradis is based on Ruby, and so, it's easy to install this on Linux in addition to Windows. So, we're just going to download Dradis here. And then we'll do the install afterwards. Again to be clear why we're doing this as we go through the different scenarios here and look at the different tools, we're going to be generating a lot of output and we really want one place To keep that output so that we can look at it quickly and easily. We don't have to go digging through different directories perhaps. Or different interfaces, in order to find the information. So Nessus for example, or Nexpose. Both have web interfaces. And you can go there and look up the information. For the scans that you have done with those particular tools. But that's not really that convenient because now I've gotta go to Nessus. And then I've gotta go check Nmap. And then I've gotta go check Burp suite. And I've gotta go look in a lot of different places for information. Dradis gives us the ability To put all the information in one place and of course it can parse the output from a lot of these different tools and put it into this frame work in a coherent way so we can better organize it and see what's actually going on. So the frame work her is just about completed and we're going to Move forward in another lesson here. And actually do the install.

2.2 Installing Dradis

So at this point we have downloaded Dradis and we need to do the installation. You can see there is a number of dependencies that they call out you need to have a Ruby interpreter, SQLite3 libraries and then the Bundler gem. Now once we have downloaded and we have unzipped it we can actually take a look here. At the framework and what we've got. So this is what's actually in the package that you download once you have untarred and unzipped it. And the first thing that you need to do is you need to do a reset. And the reset is going to do a little bit of clean up but it's also going to make sure That your dependencies are satisfied. And make sure that all of the Ruby plug-ins that are needed for Dradis to work are actually in place. So in this case, the dependencies are all there. And we've got everything installed. So at this point, we're doing a checking for database migration, saving the backup And now we're deleting attachments cleaning the database and all of that stuff. So ones all of the dependencies are in place then all you really need to do is You can just start the Dradis server here. And you would do that using start.sh. So again, we're running this under Linux. And Linux is really where Dradis is the most comfortable. There isn't a Windows package for this any longer. So you're run it under Linux and we're We're just going to run the start shell script and it's actually going to start up we're beyond rails you can see that it's booting up Web wreck and we're doing rails three dot two dot zero we've generated the certificates so that we can do HTTPS and now we've actually got the applications started up And here's the URL where we would access it. So just the IP address and then the port is 3,004. So this is actually all of the certificate information right here that was generated when we started up Dradis. And now all we've gotta do is bring up Dradis inside of a web browser And then we can actually get going with all of the work that we're going to do with installing notes and importing data into Dradus from the various tools that we're going to be using.

2.3 Using Dradis

Now that we've got Dradis installed, we can actually start it up. So the first thing I need to is go and find Dradis here in the A list of programs. And you can see there's a start server. And what that's going to do is it's going to launch ruby on rails and load up the application. So once the application is running, we can go to the website for the application which of course is stored here on the local host 127.0.0.1. And the port that they have chosen is port 3004. So we're going to connect to port 3004 and we're going to log in. Now, it's actually logged me in. I've created The log in previously and before that would would actually ask you to create a server password which is shared across all of the users. So the first thing we see here is a dradis framework branch right here, or a folder, and inside of that is actually some documentation, so Here is the documentation, it's whats new. And we can go to getting help and it will load up the Getting Help page here. You can see inside this pane here is actually the list of notes that are inside this particular branch So let's actually add a branch here, and we're going to call it. Internal testing. And what I want to do here Is I actually want to Import some information. So I'm going to Import from File. And I'm going to use the new Importer. And so that's going to bring up the importer. I can select which type of file I'm going to upload. In this case I'm actually going to import a Nikto file just to have something in the database here. So I'm going to go to my downloads and I'm going to Open up this file. It's actually going to do the importing for me. It says it's done, so we can go back to the framework page, and now we've got the information that was loaded in from. So, you start to see that it creates this new branch here. And we've got the information that was generated from that Nikto XML file. And then we've got all of the results that Nikto was able to find. So it's a pretty simple web interface here. And We've got a number of folders or branches, as they call them here. You can see, we can add branch. And then over here, inside the branch, you can set categories and add notes, and over here, we've got a configuration button so we can change different configurations. And this has to do with the different plugins that are available as well as just some basic information about Dradis and how it's actually running. And we're not actually going to change anything here so we're going to close this out and go back to Dradis. And going to begin Adding some notes and doing categories in the next couple of lessons.

2.4 Adding Notes

At this point, we've got Dradis installed and I want to take a look at adding some notes into Dradis. And the first thing I actually want to do here is I actually want to create a branch and the branch is where I'm going to Put some notes into so I select my branch here and now I can add a note, and notes are pretty simple just I'm going to say something like To Do Later and now I can add in like a list for example, I want to do some scanning within map Testing with Nessus and Nexpose and exploiting with Metasploit So now we can take a look at the preview, and this is what the note will actually look like. So, I can save that there. And now I've got a note here, and if I just click on it, I've got To Do Later. Now, I've got Some additional notes that I could add, I could say for example messes follow up. And I could have a number of things that I actually wanted to follow up on. So you can see the notes are actually pretty useful here. And of course I can have multiple branches. And I could say like new branch here. And then when I go to the new branch I could add some more notes. So I've got a way to actually really Put the data or information that I've got into an order that actually makes some sense for me. I could even add additional branches by just doing an add child here. So now I've got Child node and I could say, say Nessus for example. So now I've got something under here and I could add a note into there. And say Nessus follow ups. And so I've got all my data organized. I've got a nice little tree structure over here. I've got notes where I want them over here. You can see all of the notes that we created earlier. They were on the top level. And now I've got another one underneath it. Now the one thing that I'm actually missing here is doing categories. And so we'll take a look at doing the different categories coming up next.

2.5 Categorizing Information

We've been creating some notes and now actually want to do some categories to have some places to categorize information in a way that may make a little bit more sense to me. So I've got a number of categories here. I've got a default category Some HTML export ready and so on. I've got scan results and output, and now I could actually add a category here. And let's just say I'm going to call it My Notes. So, now, what I've got is a note here. And I can actually assign these different notes to different categories even after they've been created. So I've got Nessus follow up note here. If I right click on it I get the assign to and I could actually put that under my notes. Now, you can see the category shows up there and here I've actually got a couple of Different notes. And let's do this. Let's assign this one to Nessus output. And now you can see I've got two categories here. So I've got the category Nessus output and I've got one note under there. And I've got my default category here. And actually let me create another category. And I'm going to call that category To do. So since this is a to do note I am going to assign it as a to do category, so you can see we've got now in addition to just having notes and having a whole list of all of the notes here, I can actually break them into categories. And I could add another note here and say another note. And at some point I'm actually going to put this into one of the categories. Stories here and I'm actually going to put it in the To Do just to show what we can do here. I'm going to put it in To Do and now at some point, if you had a lot of different notes and you wanted to just look at the notes in a particular category, you can see, I can actually just collapse the To Do category Branch here, and if I were to collapse this one, you'd have the note just disappear. So in terms of visual organization, I can collapse different things to make them Appear smaller on the screen here, so that I'm only looking at maybe the one category that I want to look at and I'm not getting distracted by all of the other notes. So if I had a lot of different categories and a lot of different notes, I may want to collapse a lot of the information so that I am only looking at what I really want to look at. So you can see I've got a lot of capability here in Dradis to do some organization, put a lot of data in, keep track of what I'm doing, have it in different categories and it makes a really nice organizational tool For the type of work that we're doing here, because there is really a lot of management that's involved in doing these ethical hacking engagements or penetration tests. Because there's a lot to keep track of from the different applications and the difference services that we're looking at, the different ports that may be open. You may have a wide variety of hosts that are available. I may want to keep track of all of the hosts that I found in addition to just the subset of hosts that I'm scanning. So I may want to have a category for hosts that were scanned or hosts that were found and put different notes inside of there. And then have a different category for the hosts that were tested and Put the notes about what I'm actually doing inside of that particular category. So I've got a lot of options here in terms of how I want to organize it. And you can see I've got the flexibility to really organize it in the way that makes the most sense to me.

  • Disclaimer
  • PMP, PMI, PMBOK, CAPM, PgMP, PfMP, ACP, PBA, RMP, SP, and OPM3 are registered marks of the Project Management Institute, Inc.

We use cookies on this site for functional and analytical purposes. By using the site, you agree to be cookied and to our Terms of Use. Find out more

Request more information

For individuals
For business
Name*
Email*
Phone Number*
Your Message (Optional)

By proceeding, you agree to our Terms of Use and Privacy Policy

We are looking into your query.
Our consultants will get in touch with you soon.

A Simplilearn representative will get back to you in one business day.

First Name*
Last Name*
Email*
Phone Number*
Company*
Job Title*

By proceeding, you agree to our Terms of Use and Privacy Policy