Nmap Reporting Compared (beta version of the article, Network Mapping issue)

Ahead of the upcoming issue on Network Mapping, we are posting this article as a beta version. We are keen to know what adjustments you would advise us and the author to make before publication.

Visit the comments section and share with us your thoughts on the subject.

Nmap Reporting Compared

Nmap is a great network scanner and a precious tool for hackers and penetration testers. It saves time and lets us discover valuable information in layers: host discovery first, then port scanning, then service and OS detection. It's fast, and its results allow us to fine-tune our attacks. It's also powerful and flexible, letting us use custom and community-written NSE scripts to test for vulnerabilities.

Much could be said about everything we can do with Nmap, and it has been the subject of many books. You, like me, have probably been using Nmap for a long time. Due to time constraints we even use intrusive scans, as long as the client is aware, sometimes just to test the IT security team's response. So I won't go into the details of how to use or customize it, or how to make it work in your favor.

I once read, in an online forum, someone asking how one could become a penetration tester. A fellow pen tester asked him what his motivation was. The answer was something like: it's awesome going around hacking systems and getting paid for it. The pen tester decided to clarify: “if you like to hack systems for one week, under pressure, and then spend another 3 weeks dealing with reports and meetings with the client, then this is the right job for you”. Needless to say, there was no response.

The truth is that penetration testing involves more than crazy hacks and exploiting client systems. It's about documenting everything we do in a way that is really helpful to the client. At the end of the day, the client paid for an exhaustive report on what was done, what was found, and how to fix it.

I always wonder what would make my life easier on the reporting side. So I decided to write this article on what is, in my opinion, the best reporting tool for Nmap. Nmap produces a lot of information, and some programs out there claim they can take care of it. That's what you and I are going to find out together.

We need to set criteria for evaluating each solution, and we need to choose some candidates to test. The first point can be debated and everyone will have an opinion; I'll try to keep it objective, so that you, the reader, get a fairly impartial evaluation. The second point is easier: I'll pick one of the well-known tools and one that we might still consider beta but that promises a lot. And it's still free (not sure for how long, since Cisco isn't exactly famous for its free things).

First things first: what are we generating? As mentioned before, this is about Nmap and the best way to manage and report its results. I've chosen three simple tests, run from a Kali Linux VM against a Metasploitable 2 VM, which guarantees plenty of data to work with. The three tests go from a bare scan to a full scan with version and OS detection. At this point, and because we are penetration testers on an authorized engagement and not hackers, we won't worry about the scans being “noisy”. The tests we are going to perform:

  • nmap <target>
  • nmap -sS -sV <target>
  • nmap -A -T4 <target>

 

If you look closely at the tests, we go from simple, to some information, to full information. The first is Nmap's default: a SYN scan of the 1000 most common TCP ports when run as root (a TCP connect scan otherwise). The second adds -sV, which probes each open port to identify the service and its version. The third, -A, adds OS detection, the default NSE scripts and a traceroute, with -T4 speeding things up (fine on a lab network, but on slow or lossy links -T4 can make Nmap miss ports). Note that -sS and OS detection both need root, so run these with sudo, and add -oX <file> (or -oA <basename> for all output formats) to each command, because the XML is what we'll be importing. Isn't this what we decided to test: what is the best way to manage the information generated by Nmap? You and I want to know which tool to use to collect, process and report it to the client.

And what are we testing? We want to see how easy it is to manage Nmap results and produce better, faster reports. We'll be testing the Dradis framework and the new Cisco Kvasir, comparing them in four scored categories (0 to 2 points each) and closing with a global analysis:

  1. Menus and usability
  2. Tool integration (compatibility with other tools)
  3. Usability (Nmap usability and information management)
  4. Reports
  5. Global analysis

I'll be using my trusted Kali Linux distro, since most of the tools I need are already there. Also, if you check any Kali Linux (or BackTrack, for that matter) book, you'll see Dradis mentioned as the tool for the job. Kvasir is still the outsider, since it's pretty new.

We start by running our three Nmap tests and, as you can see, a lot of information is generated. Before you get excited (I normally do with results like these), let me explain why there is so much of it. As mentioned before, I'm using a VM developed by Rapid7 called Metasploitable 2. Many of you will have seen it; some may be seeing it for the first time. This VM was built for penetration-testing practice and can be broken into in more than one way, so it's the perfect host for producing this kind of output (and, for the same reason, it should only ever live on an isolated lab network). In real life you'll be dealing with entire networks, getting results from many hosts, which makes the information harder to manage and share across the whole team.

[Figures nmap1, nmap2, nmap3: output of the three scans]

With the results of each run written out as .xml, we'll now load them into our two test applications. So stick around and let's go through all the important facts. We'll start with Dradis and then move on to Kvasir.
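Both tools consume the same file, so it is worth seeing what an Nmap XML run actually contains and how little code it takes to turn several runs into one table. The following Python script is an added example for this article, not code from Nmap, Dradis or Kvasir. It parses nmaprun documents with the standard library, keeps only hosts that are up and ports that are open, merges the plain run and the -A run so that the record with the most detail (product, version, NSE output) wins for each host/protocol/port, and writes a CSV you can attach to a report even when a tool's export fails. The two XML documents embedded in it are constructed to resemble what the scans above produce against a single host (the file names plain.xml and full.xml, the address 192.0.2.10 and the service banners are placeholders); they are not real scan output.

```python
import csv
import io
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample standing in for `nmap -oX plain.xml 192.0.2.10`: service names
# guessed from the nmap-services table, no versions, one closed port mixed in.
SCAN_PLAIN = """<nmaprun scanner="nmap" args="nmap -oX plain.xml 192.0.2.10" version="6.40">
<host><status state="up" reason="arp-response"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" method="table" conf="3"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" method="table" conf="3"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" method="table" conf="3"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https" method="table" conf="3"/></port>
</ports></host><runstats><hosts up="1" down="0" total="1"/></runstats></nmaprun>"""

# Constructed sample standing in for the `-A -T4` run of the same host: -sV fills product
# and version, an NSE script fires on 21, an OS match appears, and 80 did not answer this time.
SCAN_A = """<nmaprun scanner="nmap" args="nmap -A -T4 -oX full.xml 192.0.2.10" version="6.40">
<host><status state="up" reason="arp-response"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
<service name="ftp" product="vsftpd" version="2.3.4" method="probed" conf="10"/>
<script id="ftp-anon" output="Anonymous FTP login allowed (FTP code 230)"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="4.7p1 Debian 8ubuntu1" method="probed" conf="10"/></port>
</ports><os><osmatch name="Linux 2.6.9 - 2.6.33" accuracy="100"/></os></host>
<runstats><hosts up="1" down="0" total="1"/></runstats></nmaprun>"""

@dataclass
class PortFinding:
    host: str
    protocol: str
    port: int
    service: str = ""
    product: str = ""
    version: str = ""
    scripts: dict = field(default_factory=dict)  # NSE script id -> output

    def detail_score(self) -> int:
        """How much a run learned about this port; the richest record wins a merge."""
        return sum(1 for v in (self.service, self.product, self.version) if v) + len(self.scripts)

def parse_nmap_xml(xml_text: str):
    """One nmaprun document -> (list of open-port findings, {address: OS guess})."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document")
    findings, os_guess = [], {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry nothing reportable
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") in ("ipv4", "ipv6")]
        if not addrs:
            continue
        osmatch = host.find("os/osmatch")  # first osmatch is Nmap's best guess
        if osmatch is not None:
            os_guess[addrs[0]] = f"{osmatch.get('name')} ({osmatch.get('accuracy')}%)"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise in a client report
            svc = port.find("service")  # absent when nothing was identified
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            findings.append(PortFinding(
                host=addrs[0], protocol=port.get("protocol"), port=int(port.get("portid")),
                service=attr("name"), product=attr("product"), version=attr("version"),
                scripts={s.get("id"): s.get("output", "") for s in port.findall("script")}))
    return findings, os_guess

def merge_runs(xml_docs):
    """Fold several runs (plain, -sV, -A ...) into one record per host/protocol/port."""
    merged, os_map = {}, {}
    for doc in xml_docs:
        findings, os_guess = parse_nmap_xml(doc)
        os_map.update(os_guess)
        for f in findings:
            key, best = (f.host, f.protocol, f.port), f
            cur = merged.get(key)
            if cur is not None:
                best, other = (f, cur) if f.detail_score() > cur.detail_score() else (cur, f)
                best.scripts = {**other.scripts, **best.scripts}  # keep NSE output from both runs
            merged[key] = best
    return sorted(merged.values(), key=lambda f: (f.host, f.protocol, f.port)), os_map

def to_csv(findings, os_map) -> str:
    """Flat table that drops straight into a spreadsheet or a report appendix."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["host", "os_guess", "proto", "port", "service", "product", "version", "scripts"])
    for f in findings:
        w.writerow([f.host, os_map.get(f.host, ""), f.protocol, f.port,
                    f.service, f.product, f.version, ";".join(sorted(f.scripts))])
    return buf.getvalue()

if __name__ == "__main__":
    table, os_map = merge_runs([SCAN_PLAIN, SCAN_A])
    print(to_csv(table, os_map), end="")
```

On an engagement, feed merge_runs the contents of the -oX files the scans wrote (for example, the text of each file read from disk in turn). Because the merge key is (host, protocol, port), a port seen only by the quick scan survives, a port that -sV identified keeps its product and version, and NSE output from every run is retained, which is exactly the consolidation you would otherwise be doing by hand before the report.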

[Figure nmap4]

[Figure nmap5]

Menus and Usability

Dradis

[Figure nmap6]

With one of the cleanest looks you'll find, Dradis presents a very simple layout. My first impression was: “How hard can it be?”. The web GUI shows a clean screen with few menus, but well organized. The import dialog prompts for the kind of file we are dealing with; we basically import output from other applications, such as Nmap, into it.

It's very easy to get started even with no prior experience. I immediately generated the Nmap output and imported it into Dradis. A nice touch is that Dradis automatically set up a branch for our host. We can easily drag and drop the host to another branch or just rename the existing one. On the negative side, it also auto-created a branch called Uploaded files that is simply empty, and I have no idea why it is there.

Kvasir

[Figure nmap7]

I won't say that Kvasir is complicated, but the sheer number of available menus hints at a lot of capabilities. The clean look, with the main menus at the top and a Home dashboard, really makes you wonder: “How far can I take this baby?”.

[Figure nmap8]

My eyes got stuck on the dashboard, and when I started trying to get some data populated it was very simple: Import in the top menu leaves no doubt about what you need to do. One very cool feature I noticed was the ability to run Nmap from inside the application itself.

You know what, let's power up our Metasploitable 2 VM and give it a try. We go to Import / Nmap Scan and Import. I love the way the Cisco team left us some notes on the right-hand side. They have even incorporated scan profiles; how much easier can it get?

[Figure nmap9]

The page view is very organized, and you can add notes and a status for the host. It's just perfect for Nmap. Overall, Kvasir wins this round, taking 2 points to Dradis's 1.

Tool integration

In this category we explore the tools built into each application, the things that can make our work easier and faster. As we all know, penetration testing is all about the time available to get the job (reports included) done.

Dradis

Well, I really don't know what to tell you... Dradis simply doesn't have tools, or rather, almost doesn't. You can add notes and attachments, but that's it. The way I see it, the people behind Dradis wanted to keep it simple and clean, so Dradis does what it's supposed to do: collect and share data.

The good news is that you can import other tools' findings into it: OpenVAS and Metasploit results, among other well-known tools. So Dradis has no tools of its own but integrates with many of the most used ones, and for me that makes it an excellent choice. You keep it clean but still useful through external tools, and you get all the information in one place.

[Figure nmap10]

Kvasir

Kvasir, on the other hand, has a lot of built-in tools. It took me a while, as I expect it will take you, to go through them all, and I don't have the space to describe them here. Let's just say I found some pretty neat tools in it.

The first tool that got my attention was the integrated IPv4 and IPv6 calculator; that was a charm (I know, I'm lazy). But that's not all. There's a section where you can manage more than one exploit database source, and there's a wiki. The list goes on. Believe me, you'll need time to check everything out and get it all going.

The one thing I find less positive is the number of external tools you can import from, which is still a bit limited compared with Dradis.

For that reason, this one is a draw. True, Kvasir has more built-in tools, but Dradis allows us to import results from many more external tools than Kvasir does. Until Kvasir gets there, I'm giving both 2 points.

[Figure nmap11]

Usability

I agree that this topic can be very subjective: what works for me might not work for you. I'm a CLI type of guy and you may well be a GUI type of person. Nevertheless, I'll try to give my impressions from going around both applications.

Dradis

Dradis usability is just perfect. What you see is what you get, and in no time at all you'll have it up and running. No sub-menus, very intuitive and easy to use; Dradis and its clear look make it usable by any kind of user from day one. Just imagine the time you save with a tool that takes no more than 5 minutes to start using.

Kvasir

Kvasir's power lies in all the tools and possibilities you get in one amazing package. We can gather huge amounts of information under one roof (did I mention the amazing initial dashboard?!), but because of that there is a learning curve to consider when rolling it out to a team of people. You may need to read their wiki and, over time, build your own wiki inside Kvasir. Only then, I believe, can you make it work for you and your team.

Therefore, Dradis wins this one, simply because its clean layout makes it more usable at the beginning: 2 points for Dradis. Nevertheless, with time, customization, and a learning and training period, you might find Kvasir easier to use. For now, Kvasir gets 1 point.

Reports

We've got to where we wanted to be: reports done for us. You know that's not really going to happen? But still, we can dream, and maybe get a hand from our friends Dradis and Kvasir.

Dradis

Dradis promised a lot. As you can see from the illustration, there are many export options to choose from. Nevertheless, with the copy pre-installed on my Kali Linux I was unable to export anything except the whole project as .xml. If only I had the time to debug...

[Figure nmap12]

Kvasir

I am amazed. The out-of-the-box capabilities are just amazing: by clicking a few links you get a full .xlsx report, ready to be attached to your own report. That is time saving.

[Figure nmap13]

Because I couldn't produce any report with Dradis, I have to give it a 0, although this may have been down to the default Kali installation. Kvasir, on the other hand, gets a 2 for the reports (and that dashboard, believe me) it generates automatically.

Global analysis

With a global score of 7, Kvasir is the clear winner. Dradis gets a fair 5 but is still very simple in nature. I would advise Dradis for those just starting out in penetration testing and Kvasir when you want a complete solution for your team. Also keep in mind that Kvasir is still in beta and, being part of the Cisco universe, might become a stalled or paid project in the future.

You can find the full issue on our website and pre-order it.

The PenTest Team appreciates any opinion!
Thank you!

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013