A crucial step in the penetration testing process is communicating the results of the test, together with recommendations to improve the security level of the target IT environment and the business at large. Stakeholders use the penetration test report to make informed decisions about the business. It is therefore important that the document summarizes all the activities carried out, the findings and the recommendations in a way stakeholders can understand. In this article, we will discuss five tools on Kali Linux that can help you document the activities carried out, the results and the report of a penetration testing project.

Why carry out penetration testing?

Pentesting is a systematic process that utilizes specialized tools and applies ethical hacking techniques to accurately assess the risks in an IT environment. Professional pentesters or security professionals evaluate the IT environment to identify potential vulnerabilities and other security weaknesses using techniques similar to those of malicious individuals. Some of the benefits of carrying out a penetration test include:

- It is an effective approach for governments or organizations to assess the security of their IT environment.
- It enables a proactive security approach.
- It provides an accurate representation of the organization's IT environment at any given time.
- It highlights existing security weaknesses and vulnerabilities in configurations and IT environments which can lead to data breaches, malicious infiltration and more.
- It assesses and validates the security measures and mechanisms already implemented.
- It helps organizations to meet legal, regulatory and compliance requirements (e.g., ISO 27001).
- It evaluates the effectiveness of security policies and procedures.

Top 5 tools for reporting

1. Dradis

Dradis is a Ruby-based open-source framework used for collaboration and reporting during a penetration test or security assessment. It provides a centralized repository of information that lets you keep track of activities already carried out and activities yet to be completed. It can be used to facilitate information sharing among team members, organize output files, screenshots, commands used and scan reports from various tools, and help create professional security assessment reports. Some of its features include:

- Can be used to track the activities of the team throughout an assessment.
- Supports multi-user access.
- Can be integrated with security assessment tools such as Qualys, Nessus, Burp Suite, Nmap, Acunetix, Nikto, OpenVAS and more.
- User-friendly and easy to use.
- Ability to customize checklists.
- Works with various security compliance standards, assessment frameworks and methodologies, such as the HIPAA compliance audit tool, the OWASP testing guide, the PTES technical guidelines and the OSCP report.
- Can be integrated with ticketing and project management tools such as Jira and ServiceNow.
- Three editions: community (free), assess ($79 per user per month) and remediate ($149 per user per month).
- Supports multiple testers accessing the same project file.

2. Magic Tree

Magic Tree is a data management and reporting tool. It is called Magic Tree because it was designed to assist with the boring part of penetration testing, report generation, and because all the data is stored in a tree and node structure. It was designed to aid data consolidation, querying, external command execution and report generation. Some of its features include:

- Can run an Nmap scan directly from the application.
- Can handle data sets from thousands of active hosts (loading files and generating reports will take some time).
- Organizes data in a tree structure (used for representing the data gathered during a penetration test).
- Data can be added to the tree structure in two ways (importing XML files generated by tools or entering the data manually).
- Can be used to generate a report using customizable templates.
- Allows data from security tools such as Nessus, OpenVAS, Burp and Nikto to be imported into the application.
- Allows the querying of collected data and feeding the data to shell commands.
- Allows users to run shell commands from the application while capturing the command output.
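The Magic Tree workflow described above (import tool XML into a host/port tree, query it, render a report section from a template) can be illustrated in a few lines of Python. This is an added example, not Magic Tree's own code; the Nmap XML it parses is a constructed sample, and the report template is a minimal placeholder for the customizable templates the tool offers.

```python
import xml.etree.ElementTree as ET
from string import Template

# Constructed sample of Nmap XML output (not from a real scan).
NMAP_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.2"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/>
        <service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="Apache httpd" version="2.4"/></port>
    </ports>
  </host>
</nmaprun>"""

def import_nmap_xml(xml_text):
    """Build a host -> port -> service tree from Nmap XML, keeping only open ports."""
    tree = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ports = tree.setdefault(host.find("address").get("addr"), {})
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are noise in a findings tree
            svc = port.find("service")
            fields = (svc.get("name"), svc.get("product"), svc.get("version"))
            ports[f"{port.get('protocol')}/{port.get('portid')}"] = " ".join(f for f in fields if f)
    return tree

def query(tree, port_key):
    """Query the tree: hosts exposing the given protocol/port, e.g. 'tcp/80'."""
    return sorted(host for host, ports in tree.items() if port_key in ports)

# Placeholder template; a real report would use the tool's customizable templates.
SECTION = Template("Host $host exposes $count open service(s):\n$lines\n")

def render_report(tree):
    """Render one report section per host, ports in numeric order."""
    out = []
    for host in sorted(tree):
        items = sorted(tree[host].items(), key=lambda kv: int(kv[0].split("/")[1]))
        lines = "\n".join(f"  - {port}: {service}" for port, service in items)
        out.append(SECTION.substitute(host=host, count=len(items), lines=lines))
    return "".join(out)
```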

3. Metagoofil

Metagoofil is an information-gathering tool that uses the Google search engine to extract metadata from public documents (pdf, doc, docx, xls, xlsx, ppt and pptx) belonging to the target company. It can be used to efficiently harvest open-source intelligence about a target company from the documents posted or stored on the target's website. Some of its features include:

- Can be used to get valid usernames and people's names for later use in brute-force password attacks on services such as virtual private networks (VPN), file transfer protocol (FTP) and web applications.
- Can be used to extract file paths of documents, including shared resource names, server names and more.
- Can be used to extract email addresses from Adobe PDF and Microsoft Word document content.

4. Faraday IDE

Faraday IDE is a multi-user penetration test IDE designed for distributing, indexing and analyzing the data generated during a security audit. The main purpose of Faraday is to re-use the tools available in the community and take advantage of them in a multi-user way. Some of its features include:

- Can be integrated with various security tools such as OpenVAS, Nessus, Acunetix, Qualys, Shodan, Burp Suite and more.
- Supports multi-user access.
- Can run an Nmap scan directly from the application.
- Consolidates all the findings and data generated during the security audit into an accessible dashboard.
- Organizes data into workspaces (each workspace contains the activities of the team and the data generated or collected during the penetration test).
- Allows users to run shell commands from the application while capturing the command output.
- Manages the list of findings and vulnerabilities identified during the penetration test.
- Three editions: community (free), professional ($250 per month) and corporate.
- Manages credentials gathered during the penetration test.

5. Serpico

Serpico ("SimplE RePort wrIting and CollaboratiOn") is a penetration testing report generation and collaboration tool aimed at creating information security reports. Some of its features include:

- Allows users to easily generate a report using templates.
- Allows users to leverage already identified findings (reduces the need to write findings from scratch).
- Supports multi-user access.
- Allows users to import scan results from Nessus or Burp Suite.
- Can be integrated with Metasploit to display hosts, services and vulnerabilities from the Metasploit database within Serpico.
- Allows users to upload screenshots into the database, which can then be tagged to particular findings.
- Is easily customizable.

Conducting pentesting with Kali Linux tools

In this article, we looked at the importance of carrying out a penetration test and at the top five Kali Linux tools for penetration test reporting, their key features, use cases and similarities. All the tools mentioned above can be used for managing project activities, team collaboration and penetration testing reports.
