Note: this is a guest post by J Wolfgang Goerlich (@jwgoerlich), Captain of the MiSec RuCTFe 2012 team.
Ten. Nine. Eight. We stand in the war room of a data center. Seven. Six. We watch the scoreboard and count down the final few seconds. Five. Four. It was a tough day, but the team really came together at the end. Three. The organizers extended it by ninety minutes. We're tired, hungry, and ready to celebrate. Two. Tomorrow, we can reflect with Dradis. One. Game over.
Let's jump back for a moment. MiSec is a loose-knit group of IT security professionals and students. We regularly toss out a capture-the-flag challenge. Whoever is interested attends, and whoever attends becomes the team. The only price for admittance is the passion for learning something new and the dedication to teaching others what you learn.
This was our second time playing the RuCTFe. It is an English CTF organized by the Russian CTF team HackerDom of Ural Federal University. Limited to 150 teams world-wide and played out live for several hours once a year, it is quite the event on the MiSec calendar.
But that is not the only CTF we compete in. We put together ad hoc teams every couple of months for various events. CTFtime has us as the 119th place team in 2011 and the 173rd team in 2012. That is out of 1815 CTF teams world-wide. We get a lot of play.
The challenge is coordination and information sharing. With people all over the state participating, and with an ever-changing roster of teammates, you never quite know what to expect. The trick is getting people onto the same page during the incredibly fast-paced CTF events.
Dradis is the answer. Each time there is a CTF, one of the team members takes point in setting up a new Dradis instance. We organize the folders by challenges. As progress is made and new things are learned, people make notes. Each Dradis instance becomes a snapshot of our team's efforts.
Back in the game, the countdown hits one. We pack up our gear. We clear the war room. The Dradis virtual machine is shut down, copied, and distributed to the team. Over the coming days, we will review our findings and read other teams' write-ups. This will culminate in a debriefing like the one below in about a week. Game over.
We would like to thank the Dradis project maintainers for their efforts and support. CTFs are crazy enough. Adding an ever-changing team roster is even crazier. Toss in a mix of people all over the place dialing in at all different times. Insanity. Dradis keeps us sane and has become a fundamental part of MiSec's CTF strategy. Thanks gents.
-J Wolfgang Goerlich
Quick post to let you know that there is extensive coverage of our project in the new Advanced Penetration Testing for Highly-Secure Environments by Lee Allen.
Coverage goes from our very own Introduction to the Dradis Framework section in Chapter 1 to several other bits and pieces throughout the rest of the book. Check it out!
Thanks to Lee and kudos to @luisfer_nandez for letting us know.
Up until now, adding screenshots to your notes has been a bit problematic. You had to go to the Attachments, upload the image, click, get the URL, go back to the Notes tab, open the editor and paste the link. This led to a very upvoted feature request: Add image upload functionality to Note Editor.
Recently we've managed to sort this out and create a much cleaner solution to solve this problem: you can now drag and drop files to the Editor window, upload and copy the resulting attachment URLs to use them in the note's text. Let me show you how:
When invoking the note Editor (either from the add note button or double-clicking on an existing note), apart from the familiar Write and Preview tabs, there will be a third tab: Attachments.
This tab features a drop zone and some controls to manage the upload process. You can drag files from your desktop into the drop zone to stage them for upload:
Have you noticed the preview images you get even before uploading anything?
Anyway, you can upload them one at a time using the controls in each row or all at once using the general controls below the drop zone.
Once they are uploaded a link is provided to each attachment. You can right-click on the link to copy the attachment's URL for use in your notes.
The drag'n'drop feature depends on your browser: you will need Firefox 4.0+, Google Chrome or Safari 5.0+.
This feature is already available in the master branch of the Dradis Community and Dradis Professional editions.
I (@etdsoft) was given the opportunity to talk about Dradis Framework's past, present and future on Episode 11 of PaulDotCom Security Weekly en Espanol.
The podcast is in Spanish, but there is a full transcript in English in Security Root's blog:
Thanks to Carlos Perez aka "Darkoperator" (@Carlos_Perez) and the PaulDotCom team for having us on the show!
The present document describes the Best Tools and Utilities from 2011. Divided into categories, carefully separated, based on the VulnerabilityDatabase.com Scoring Criteria.
We are thankful to the @ToolsWatch team and want to send congrats to all the participants!
- Nessus upload plugin is orders of magnitude faster.
- Nikto upload plugin is orders of magnitude faster.
- Nmap upload plugin is orders of magnitude faster.
- VulnDB import plugin (to support VulnDB HQ integration)
- Updated First Time User's Wizard.
- Updated to Rails 3.2
- Cleaner three-column layout
- Smarter Ajax polling and auto-updating
- New version of the Nmap upload plugin
- New version of the Nessus upload plugin
- ./verify.sh now checks that libxml2 is installed
- Bugs fixed: #17, #31, #37, #43, #48