Wednesday, September 25, 2013

Kvasir By Cisco - Web-Based Open Source Penetration Testing Tool

Kvasir : ( Penetration Test Data Management )

            is a web2py application and can be installed for each customer or task. This design keeps data separated and from you accidentally attacking or reviewing other customers. 

             This tool was developed primarily for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team. While not every method used by the SPA team may directly relate we hope that this tool is something that can be molded and adapted to fit almost any working scenario.

                Kvasir is a vulnerability / penetration testing data management system designed to help mitigate the issues found when performing team-based assessments. Kvasir does this by homogenizing data sources into a pre-defined structure. Currently the following sources are supported:
 
Kvasir is here to help you with. Here's what you'll need to get started:
  • The latest version of web2py (http://www.web2py.com/)
  • A database (PostgreSQL known to work)
  • A network vulnerability scanner (Nexpose/Nmap supported)
  • Additional python libraries




                                Kvasir is a web-based application with its goal to assist “at-a-glance” penetration testing. Disparate information sources such as vulnerability scanners, exploitation frameworks, and other tools are homogenized into a unified database structure. This allows security testers to accurately view the data and make good decisions on the next attack steps.

                               Multiple testers can work together on the same data allowing them to share important collected information. There’s nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn’t find anything “important” so it was never fully documented.
 

Supported Data Sources:


 At current release, Kvasir directly supports the following tools:

There are obviously some gaps here but these are the primary tools we use. Support for scanners such as Nessus, QualysGuard, SAINT, and others are in various stages of development already, just not completed at this time.

Snapshot :

                               Initial screen of Kvasir shows two bar graphs detailing the distribution of vulnerabilities based on severity level count and host/severity count as well as additional statistical data:




                          Kvasir’s Host Listing page displays details such as services, vulnerability counts, operating systems, assigned groups, and engineers:.

                          
                              Kvasir supports importing exploit data from Nexpose (Exploit Database and Metasploit) and CANVAS. Link to exploits from vulnerabilities and CVE assignments are made so you can get an immediate glance at what hosts/services have exploitable vulnerabilities:


                           Host detail page provides an immediate overview of valuable information such as services, vulnerability mapping, user accounts, and notes, all shared between testing engineers:





                      
                              Of course as you collect user accounts and passwords it’s nice to be able to correlate them to hosts, services, hashes and hash types, and sources:




Source code / Download is available now at https://github.com/KvasirSecurity/Kvasir


Thanks ,

RRN Technologies Team.