Dradis is a system designed for effectively sharing information among penetration testers. It uses a client-server architecture and multiple interfaces so that information gathered during a test can be organized, shared in real time, and pulled into reports, which saves time and improves report quality. The goal was an easy-to-use, flexible system that promotes effective knowledge sharing, whether used by an individual or by a team doing on-site testing.
dradis Framework: Overview
1. dradis
Daniel Martín Gómez
etd[-at-]nomejortu.com
September '07
2. Agenda
➔ Scenario: where are we?
➔ System design
➔ Architecture
➔ Implementation
➔ Demo
➔ What's next?
3. scenario: where are we?
➔ Penetration testing is about information
Information Discovery
✔ port scan
✔ vuln. scan
✔ web app scan
✔ ...
Exploiting
✔ metasploit
✔ milw0rm
✔ ...
Reporting
✔ reporterator
✔ word
✔ pdf tools
✔ ...
5. scenario: where are we?
➔ Penetration testing is about information
➔ And what about information sharing?
✔ Each tester writes a “notes” file
✔ Some testers add their findings straight to reporterator
Problems with this approach:
✔ Exploitation opportunities may be lost
✔ Overlapping while testing
✔ Lack of standardization in the “notes”
✔ Synchronization problems when using reporterator
Does this sound anywhere near Quality or Efficiency?
15. system design
➔ Goals and challenges
✔ create a system to effectively share information
✔ easy to use, easy to adopt
✔ not too restrictive
✔ flexibility => room to grow; good design
✔ small and portable, so it can be used on site
➔ Benefits
➔ information is organized
➔ saves time: while testing and while reporting
➔ effective knowledge sharing
➔ it is also useful for a single tester working alone
17. architecture
DRADIS
➔ Client / Server architecture
➔ Coded in Ruby
➔ Multiple interfaces
➔ Different user profiles
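Added illustration of the design goals and the client/server idea from the slides above. This is not Dradis's own code: the class names, the fixed note categories, the "host/port" node naming and the scan line format are all assumptions made for the example. It shows one server-side tree of notes shared by several testers, a scan importer and a report writer as two separate interfaces, a check for testers already working on a node (the "overlapping" problem), and a report rendered from the shared tree rather than from private notes files.

```ruby
# Added illustration, not Dradis's own code: a minimal server-side note tree
# shared by several testers, plus two "interfaces" (a scan importer and a
# report writer). All class names, the note categories and the scan line
# format below are assumptions made for this example.
require 'thread'

class NoteServer
  Note = Struct.new(:author, :category, :text, :time)

  # Fixed categories give the "notes" a standard shape so the report writer
  # can group findings instead of parsing free-form text files.
  CATEGORIES = %w[discovery vulnerability exploit remark].freeze

  def initialize
    @lock = Mutex.new                         # one server, many clients: serialize updates
    @nodes = Hash.new { |h, k| h[k] = [] }    # "host/port" => [Note, ...]
  end

  def add_note(node, author:, category:, text:)
    raise ArgumentError, "unknown category: #{category}" unless CATEGORIES.include?(category)
    @lock.synchronize { @nodes[node] << Note.new(author, category, text, Time.now) }
    self
  end

  # Who has already worked on this node? Checking before starting avoids
  # two testers overlapping on the same host/service.
  def testers_on(node)
    @lock.synchronize { @nodes.fetch(node, []).map(&:author).uniq }
  end

  def nodes
    @lock.synchronize { @nodes.keys.sort }
  end

  # Plain-Hash snapshot of the whole tree, safe to hand to any interface.
  def export
    @lock.synchronize do
      @nodes.each_with_object({}) do |(node, notes), out|
        out[node] = notes.map { |n| { 'author' => n.author, 'category' => n.category, 'text' => n.text } }
      end
    end
  end
end

# Interface 1: turn scanner output into discovery notes. The input is a
# constructed "host:port service" line format, not any real tool's output.
class ScanImporter
  LINE = /\A(\S+):(\d+)\s+(\S+)/

  def initialize(server, author)
    @server = server
    @author = author
  end

  # Returns the number of lines that became notes; unparseable lines are skipped.
  def import(text)
    text.each_line.count do |line|
      next false unless (m = LINE.match(line))
      host, port, service = m.captures
      @server.add_note("#{host}/#{port}", author: @author, category: 'discovery', text: "#{service} open")
      true
    end
  end
end

# Interface 2: render the shared tree as a plain-text report grouped by
# node and category, so reporting reads from one source instead of
# every tester's private notes file.
class ReportWriter
  def initialize(server)
    @server = server
  end

  def render
    @server.export.sort.map do |node, notes|
      lines = ["== #{node} =="]
      notes.group_by { |n| n['category'] }.sort.each do |category, group|
        lines << "  [#{category}]"
        group.each { |n| lines << "    - #{n['text']} (#{n['author']})" }
      end
      lines.join("\n")
    end.join("\n")
  end
end

if $PROGRAM_NAME == __FILE__
  server = NoteServer.new
  scan = "10.0.0.5:22 ssh\n10.0.0.5:80 http\n10.0.0.9:443 https\n"   # constructed sample input
  ScanImporter.new(server, 'alice').import(scan)
  server.add_note('10.0.0.5/80', author: 'bob', category: 'vulnerability', text: 'outdated server banner')
  puts ReportWriter.new(server).render
end
```

The Mutex stands in for whatever the real server would use to serialize concurrent clients; the point is that every interface reads and writes the same tree, so a note added from the importer is immediately visible to a tester calling testers_on and to the report writer.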