Monthly Archives: June 2016

ReportCompiler – Working with Vulnerability Data

Hello all,

I am an odd penetration tester. I actually *enjoy* making reports. I like explaining things to customers and making anything with my name on it as useful as possible. I shoot for the most detailed and tailored recommendations that I can muster. I am also big on making the smallest list of vulnerabilities possible. If two things are solved by one recommendation? Then it 100% must be one thing. I aim to get to the root cause to reduce the burden on customers when they react to my reports.

To get toward that goal I have made a raft of tools to help me gather evidence, collate and interact with it, and ultimately kick it into a report. The sooner it gets into Word the sooner I can go nuts formatting everything appropriately.

Along the way I have solved a lot of the hassle for people who want to interact with the output from vulnerability scanners.

ReportCompiler is useful for people who simply get handed the output from various scanners (say those engaged in VA cycles) and who want to make a spreadsheet, through those who want a better Nessus viewer (and be honest, the web interface pisses you off!), to those who want to actually automate their reporting and who are willing to do some work for it.

The GUI is, I am told, reasonably intuitive. If in doubt right-click on shit and eventually you might find what you were looking for. You get a different context menu on the vulnerability tree and on the affected hosts list in particular, and it's worth seeing those options.

Caveat: this is bleeding edge. It has no undo/redo for actions on the vulnerability tree or the affected hosts list, and it does not autosave. Trusting it to do these things will ruin your day.

Caveat 2: while you can edit text there is no spell check and no support for advanced formatting. I would only use this to make a list of vulnerabilities with a risk rating, a generic description, and references. Word is a far superior editor, so be aware of the limitations.

Caveat 3: I know which features it is missing. I have a road map, but that map has no timescales!

What does it Import

Currently it includes the following importers:

  • Nessus (.nessus files only, using v2 of their XML format, i.e. a NessusClientData_v2 document)
  • SureCheck (.xml file only)
  • Burp Scanner (you have probably never found the export option for this; it is not File -> Save. Right-click the issues, choose the option to save/report the selected issues, pick XML as the format, and tick the option to Base64-encode requests and responses so the raw HTTP bytes survive the trip through XML intact).

It has a reasonably flexible importer architecture, which means that if I need to import something I can implement it pretty quickly. In the past I have written parsers for many more security tools, but this is what I have in the open source realm. A decent start.

What does it Output?

It outputs to either of the formats listed below:

  • ReportCompiler XML – the “file -> save as” option will drop a save file so you can keep your current details for later.
    • Note: you should use CTRL + S to save files as you go, because this is not going to autosave a damn thing for you.
    • I periodically “save as” to create a new file so as not to put all my eggs in one basket.
    • It is not made as a text editor for vulnerabilities, so I just tend to sort out risk scores and line things up for proper editing in Word.
  • Excel XLS – the “export -> xls” option will drop a spreadsheet that can be used to debrief clients pretty well. It is devoid of any additional content, so you will look like a total amateur if you attempt to sell that as a report.

It purposefully doesn’t make Word documents. That would be a commercial advantage, and I will literally never make this open source version write your reports for you. Sorry bro, you will have to manipulate the XML file into whatever template you have.

I will make a tutorial on how to do that, but it will take a bit of time to assemble.

You are free to fork the source code repository and make it do whatever you want. All that I ask is that importing routines for standard tools are fed back to the main open source repo by a pull request.

Brief Overview of what it does

The killer (but not exhaustive) features are basically the following:

  • Merge – Select more than one vulnerability and right-click to merge. You will understand what this does, and eventually it will solve most of your problems: from reducing multiple overlapping issues into one while keeping the affected hosts accurate, to simply conflating two issues so that you keep the affected hosts from both but the text write-up from only one. This is the go-to feature for lots of stuff.
  • Personal Vulnerabilities – Write your own versions of vulnerabilities and save them for later. You can marry up one personal vuln to many issues from vulnerability scanners and have them “auto merge”, or you can add yours to your tree and merge manually. Either way you convert multiple cruft vulns into one well-worded, ready-to-fire issue.
    • The classic example is writing one “Insecure SSL Certificate” finding which is mapped to the 5 or so Nessus plugins that complain about certificates. Great, I get it that the certificate is invalid, but since the solution is “buy a valid cert”, I really don’t need to tell my customer 5 times, do I?
  • Output to XML – A pretty simple XML format is used as the save file. Once you are done manipulating your list of vulns you can save it for later. If you do a bit of legwork you can integrate this XML file into your reporting format for production.
  • Grep for vulns – There is a tree filter to which you can supply Java regular expressions to group vulns together. This is very good for finding issues you might want to delete entirely or merge together.
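As an added example (my own Python, not ReportCompiler's Java code, because the workflow is easier to show in a page of Python than by describing GUI clicks), here is the pipeline that the importer list and the feature list above describe: parse a .nessus v2 export into one finding per plugin, grep the tree with a regex, auto-merge the certificate plugins into a single personal vuln that keeps the union of affected hosts, and write the result out as a simple XML save file. The .nessus document is constructed for this example, the plugin IDs are illustrative, the PV-SSL-CERT identifier is hypothetical, and the output schema is an illustrative one rather than ReportCompiler's own format:

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal NessusClientData_v2 document written for this
# example, not the output of a real scan. The plugin IDs are illustrative.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="example">
  <ReportHost name="10.0.0.5">
   <ReportItem port="443" protocol="tcp" severity="2" pluginID="51192" pluginName="SSL Certificate Cannot Be Trusted"><solution>Buy a proper certificate.</solution></ReportItem>
   <ReportItem port="443" protocol="tcp" severity="2" pluginID="57582" pluginName="SSL Self-Signed Certificate"><solution>Buy a proper certificate.</solution></ReportItem>
   <ReportItem port="22" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version Information"><solution>n/a</solution></ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.6">
   <ReportItem port="443" protocol="tcp" severity="2" pluginID="51192" pluginName="SSL Certificate Cannot Be Trusted"><solution>Buy a proper certificate.</solution></ReportItem>
   <ReportItem port="443" protocol="tcp" severity="1" pluginID="15901" pluginName="SSL Certificate Expiry"><solution>Buy a new certificate.</solution></ReportItem>
   <ReportItem port="8443" protocol="tcp" severity="2" pluginID="45411" pluginName="SSL Certificate with Wrong Hostname"><solution>Buy a proper certificate.</solution></ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# A "personal vuln": one write-up mapped to every scanner plugin it replaces.
# The PV-SSL-CERT identifier is hypothetical, made up for this example.
PERSONAL_VULNS = [{
    "id": "PV-SSL-CERT",
    "name": "Insecure SSL Certificate",
    "solution": "Deploy a certificate from a trusted CA that matches the "
                "hostname and is within its validity period.",
    "nessus_plugins": {"51192", "57582", "15901", "45411"},
}]

def parse_nessus_v2(xml_text):
    """One finding per pluginID, each carrying the set of affected
    host:port/proto endpoints, which is the shape a report wants."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("expected a Nessus v2 export, got <%s>" % root.tag)
    findings = {}
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            pid = item.get("pluginID")
            f = findings.setdefault(pid, {
                "id": pid, "name": item.get("pluginName"), "severity": 0,
                "solution": item.findtext("solution", ""),
                "hosts": set(), "merged_from": [pid]})
            f["severity"] = max(f["severity"], int(item.get("severity", "0")))
            f["hosts"].add("%s:%s/%s" % (host.get("name"), item.get("port"),
                                         item.get("protocol")))
    return findings

def filter_findings(findings, pattern):
    """The "grep for vulns" step: keep findings whose name matches pattern."""
    rx = re.compile(pattern, re.IGNORECASE)
    return {pid: f for pid, f in findings.items() if rx.search(f["name"])}

def merge_findings(findings, plugin_ids, replacement):
    """Collapse several findings into one that takes its write-up from
    `replacement` but keeps the union of hosts and the highest severity."""
    merged = {"id": replacement["id"], "name": replacement["name"],
              "solution": replacement["solution"], "severity": 0,
              "hosts": set(), "merged_from": []}
    for pid in sorted(plugin_ids):
        src = findings.pop(pid)
        merged["hosts"] |= src["hosts"]
        merged["severity"] = max(merged["severity"], src["severity"])
        merged["merged_from"] += src["merged_from"]
    findings[merged["id"]] = merged
    return merged

def auto_merge(findings, personal_vulns):
    """Apply each personal vuln to whichever of its mapped plugins showed up."""
    for pv in personal_vulns:
        present = pv["nessus_plugins"] & set(findings)
        if present:
            merge_findings(findings, present, pv)
    return findings

def to_xml(findings):
    """Write the finished list as a simple XML save file (an illustrative
    schema for this example, not ReportCompiler's own format)."""
    root = ET.Element("vulnerabilities")
    for f in sorted(findings.values(), key=lambda x: (-x["severity"], x["name"])):
        v = ET.SubElement(root, "vulnerability", id=f["id"],
                          severity=str(f["severity"]),
                          merged_from=",".join(f["merged_from"]))
        ET.SubElement(v, "name").text = f["name"]
        ET.SubElement(v, "solution").text = f["solution"]
        hosts = ET.SubElement(v, "hosts")
        for h in sorted(f["hosts"]):
            ET.SubElement(hosts, "host").text = h
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    findings = parse_nessus_v2(SAMPLE_NESSUS)
    print("certificate plugins:", sorted(filter_findings(findings, r"ssl.*cert")))
    auto_merge(findings, PERSONAL_VULNS)
    print(to_xml(findings))
```

The merge rule is the part worth copying: the replacement text wins, the affected-hosts list is the union of every source finding, the severity is the highest of the sources, and the original plugin IDs are kept in `merged_from` so that a reviewer can still trace the one-line "Insecure SSL Certificate" back to the four scanner findings it replaced. A merge that drops hosts or silently lowers the severity is exactly the kind of mistake that gets caught in QA, so assert on those two properties whenever you automate this.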

There are many more features in there. Some are bleeding edge, and the joy is in not telling you where those mines are. If I haven’t listed it above? Chances are it’s fun but probably a use-at-your-own-risk kind of thing.

Happy reporting.

 

Word-Tips for Pentesters

Over this summer I have delivered a talk, entitled in my head “how to Word”, a number of times. It covers stuff which helps get you from someone who wrote a CV in Word once to someone who is able to spit out 100-page documents in 5 days.

It is likely to be a thing I add to over time. This blog post is really to shamelessly link people to the pinned page:

https://cornerpirate.com/word-tips/

When I am interviewing people for a job I use the line that “Pentesting is 50% technical and 50% consulting”. There is not much point in being able to do technical gymnastics if you cannot document it, explain things properly, or deliver those notes on time to customers.

Hence part of onboarding with me is how to Word.

Happy hunting and writing.