Yearly Archives: 2011

New in Dradis Pro v1.1

These are some of the new features in Dradis Professional edition:

New layout

  • Three columns to maximize the amount of useful information on screen
  • Better context menus: add special node types and reassign notes easily

Advanced XSLT reporting

Dradis Pro now generates an intermediate XML file containing all your notes. It holds both the raw text of each note and the custom fields you created for it:

  [XML example from the post: the element names did not survive extraction; only the custom-field values remain]
    Value1
    Value2
    [...]

An XSLT transformation is then applied to this document to generate the report.

You can see a couple of XSLT files in ./vendor/plugins/advanced_word_export/templates/:

  • basic.xslt: a very basic transform that just creates a new XML document from the data in the Dradis XML.
  • simple_report.xslt: a transform that generates a WordXML document.

Create custom fields in your notes:

And use them in your reports, in any way you need:

So with 1.1, if you’re so inclined, you can create your own XSLT transforms to produce your reports in no time. Word is just one example: any XML-based format can be generated just as easily.
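As an added illustration of the pipeline just described (this is not one of the templates shipped with Dradis Pro, and the export element names dradis-export, node, note, text and field are assumptions standing in for the real intermediate format), the following script writes a constructed two-note export and a stylesheet and renders them with xsltproc, the command-line processor from the libxslt package. The stylesheet looks custom fields up by name and emits one HTML table row per note; the first note’s text carries a constructed <script> string to show that xsl:value-of escapes it on the way into the report.

```shell
#!/bin/sh
# Added example, not one of the templates shipped with Dradis Pro.
# The export element names (dradis-export, node, note, text, field) are
# assumptions: the real intermediate format is not reproduced here.

WORK="${TMPDIR:-/tmp}/dradis-xslt-demo.$$"

# Write a constructed two-note export and a stylesheet into $WORK.
write_inputs() {
  mkdir -p "$WORK"
  cat > "$WORK/notes.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<dradis-export>
  <node label="10.0.0.5">
    <note author="daniel">
      <text>sshd 4.3 still accepts protocol 1; sample payload &lt;script&gt;alert(1)&lt;/script&gt;</text>
      <field name="Title">Outdated OpenSSH</field>
      <field name="Severity">High</field>
    </note>
    <note author="daniel">
      <text>TCP/80 serves the default Apache page</text>
      <field name="Title">Default web server page</field>
      <field name="Severity">Low</field>
    </note>
  </node>
</dradis-export>
EOF
  # One table row per note; custom fields are looked up by name, so a
  # missing field yields an empty cell instead of breaking the run.
  cat > "$WORK/report.xslt" <<'EOF'
<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="html" indent="yes"/>
  <xsl:template match="/dradis-export">
    <html><body>
      <h1>Findings</h1>
      <table border="1">
        <tr><th>Host</th><th>Title</th><th>Severity</th><th>Details</th></tr>
        <xsl:for-each select="node/note">
          <tr>
            <td><xsl:value-of select="../@label"/></td>
            <td><xsl:value-of select="field[@name='Title']"/></td>
            <td><xsl:value-of select="field[@name='Severity']"/></td>
            <!-- value-of escapes markup characters found in the note text -->
            <td><xsl:value-of select="text"/></td>
          </tr>
        </xsl:for-each>
      </table>
    </body></html>
  </xsl:template>
</xsl:stylesheet>
EOF
}

# Render the report to stdout. --nonet and --novalid stop xsltproc from
# loading DTDs or fetching anything over the network while it runs.
render_report() {
  command -v xsltproc >/dev/null 2>&1 || {
    echo "xsltproc not found: install the xsltproc package (libxslt)" >&2
    return 2
  }
  write_inputs
  xsltproc --nonet --novalid "$WORK/report.xslt" "$WORK/notes.xml"
}

cleanup() { rm -rf "$WORK"; }

render_report || echo "report not generated" >&2
cleanup
```

Keep disable-output-escaping off for anything a consultant typed into a note: it is the one switch that would let note content become live markup in the finished report. The same stylesheet skeleton works for a WordXML output tree; only the literal result elements change.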

Of course, if you don’t have an in-house XSLT wizard, we at Security Roots will be more than happy to help and create custom XSLT for your organization in no time. Report customization has always been part of our professional services offering.

Other changes

  • An independent version module! Finally an easy way to know which version of Pro you are running.
  • Improved table styling inside notes
  • Rails 3.0.10
  • Bug fixing (read-only records, sign up process, project edit form…)

Announcing Dradis Professional Edition

Note: this is a cross-post and can be found in the Dradis blog too.

Today I am pleased to announce Dradis Framework Professional Edition. Back in 2007, when I started the Dradis Framework project, I could not have anticipated the success it would have. Four years, 3,000 commits, 19,000 downloads and 19 releases later we are still making a difference for hundreds of security professionals (and aficionados) out there.

Dradis was announced in the 1st edition of MWRICON after many hours of late-night coding. Today we have three full committers, a small number of trusted partial committers and dozens of contributors. Dradis 2.0 was a big thing, and being featured in Offensive Security’s Metasploit Unleashed was even bigger; then came Russ McRee’s coverage in the toolsmith column of ISSA’s magazine, our own chapter in Grey Hat Hacking, inclusion in BackTrack since BT4, the talks at DC4420 and DEFCON 17, and so many other articles and references.

It was encouraging that some people believed in the project from the beginning. I am grateful that my current employer (NGS Secure, which was still called NGSSoftware when I joined) and my previous one (MWR InfoSecurity) let me carry on working on Dradis as my side project and even gave me time to continue improving the tool.

We have come a long way… it was only a matter of time before organizations whose consultants were already using Dradis approached me for help further tailoring Dradis to their needs. Sometimes this consisted of helping them with small tweaks they were making to the code; other times it meant developing full-blown custom plugins for them to interconnect Dradis with their other systems or to produce reports in their particular format. That is why I started Security Roots Ltd in 2010.

Dradis was started by a security consultant, with the security consultant’s needs and goals in mind (share information with the other teammates, portable, platform-independent, etc.). These are a subset of the needs and goals of the organization to which these consultants belong. The Technical Director of a security company understands the benefits of consultants using Dradis, but he needs more. He wants all his teams to work with Dradis in a standardized way. He wants everyone in the team to be able to use the latest version of Dradis without having to bother about upgrading and dependencies. He wants to be able to see how the different teams are doing, quickly check each team’s findings, maybe even extract some metrics or generate interim reports for clients with the critical issues already captured by the teams.

Enter Dradis Framework Professional Edition, a virtual appliance that leverages the advanced features of Dradis and extends it to enable multiple teams to work concurrently:

  • It provides a centralized information repository:
    • Information is always available: during the project and afterwards.
    • Quickly inspect the project history or review the projects for a given user.
    • Ideal for teams that work across multiple time zones.
  • Hassle-free deployment: power up the virtual appliance and you and your team can start working and sharing information.
  • The virtual appliance is easy to update and backup.
  • Bundled with Vuln::DB, import issues to your Dradis projects from the central issue database.

I am thrilled about the prospect of making consultants’ lives ever easier, helping organizations to work more effectively and to make sure their clients receive the best value for money. Let the consultants focus on what they are good at and what they enjoy most: breaking things while we minimize the hassle associated with the back-end tasks required to coordinate their efforts.

This is a great opportunity to make a difference. Let’s make the most of it.

Daniel
Lead developer

Windows cannot find ‘blunder’ error on Dradis 2.7.1

Update May/26: An updated installer has been published that fixes the issue described below and is available through the download page.

The Dradis 2.7.1 Windows package (dradis-v2.7.1-setup.exe) that we released yesterday contains a typo in one of the batch files: server.bat.

If you try to run the file directly, or through the start server icon in the Start menu, you will get an error message:

Windows cannot find ‘blundler’. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

In order to fix this open the file in an editor (go to the Start menu icon, right click > Edit) and adjust it to:


@echo off

::If the script doesn't work, uncomment and adjust the following:
set PATH=c:\Ruby187\bin;%PATH%
set RAILS_ENV=production
set BASE=%~dp0
cd %BASE%\server\

start "Dradis Framework Server (Ctrl+C to terminate)" bundle exec rails server webrick

Thanks to Doug Ipperciel for bringing this to our attention.

5 comments:

  1. Unknown said: It’s not working on my Windows 8 version.
     ON 16 DECEMBER 2012 AT 15:38
  2. Unknown said: My message says

     bundle
     windows cannot find ‘bundle’. Make sure you typed the name correctly and then try again
     ON 16 DECEMBER 2012 AT 15:41
  3. Unknown said: Hey, got it to work, thanks. My bad. I installed it on XP, very simple, then 7, then 8, pretty good.
     ON 16 DECEMBER 2012 AT 17:20
  4. Anonymous said: Not working on v 2.9 yet.
     ON 26 SEPTEMBER 2015 AT 04:36
  5. Unknown said: It works. Thank you for sharing. If you have problems with dll files, look there http://fix4dll.com/mfc110u_dll. I had a problem with it, the programs did not run. After fixing the dll files, everything worked. Good luck.
     ON 2 JUNE 2016 AT 15:40

Upgrading from Dradis 2.7.0 to 2.7.1

This week we are releasing Dradis Framework 2.7.1 which closes several bugs and brings a new note editor.

If you’re new to Dradis or upgrading from an older (2.6.x, 2.5.x…) release, go ahead and download the full package from the downloads page.

However, if you already have a working install of Dradis 2.7.0 maybe you don’t want to run the Windows installer again, or wait until your distro prepares an updated version of the package (did you know that BackTrack 5 shipped with Dradis 2.7.0?). Here is how to get the latest 2.7.1 code up and running.

Go to your install location:

In Windows:

c:\> cd %APPDATA%\dradis-2.7


In BackTrack:

# cd /pentest/misc/dradis


Back up the old server folder (this keeps the 2.7.0 code, and whatever is stored under it, out of the way of the new checkout):

# mv server 2.7.0-server


Now you have a decision to make: upgrade to 2.7.1 or clone the Dradis repository so you can upgrade to 2.7.1 but also to any forthcoming releases (recommended)

Upgrading to 2.7.1

Download and uncompress the tarball for Dradis server 2.7.1 from GitHub:

https://github.com/dradis/dradisframework/tarball/REL-2.7.1

Uncompress it in the dradis-2.7 folder, renaming the extracted directory to just server.

Using git repository for easy upgrading

From the current folder, clone Dradis git repository and point it to the latest release:


# git clone https://github.com/dradis/dradisframework.git server
# cd server
# git checkout -b REL-2.7.1 REL-2.7.1
# cd ..

Reset the environment (reset.sh sets up the database for the new server folder, as in a fresh install) and run the server:


# ./reset.sh
# ./start.sh

If everything goes according to plan, you can now access Dradis on https://localhost:3004/ and in the top-right corner the version number will be 2.7.1.
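The git-based upgrade above as an added shell script (not part of the Dradis project; the install directory, old version and release tag are parameters, with the repository URL and tag names taken from the post). It adds two checks the manual steps leave to you: it refuses to overwrite an existing backup directory, and it confirms with git describe that HEAD sits exactly on the release tag before anything resets the environment, so a failed or wrong checkout never gets as far as reset.sh.

```shell
#!/bin/sh
# Added example, not part of Dradis: the 2.7.0 -> 2.7.1 git upgrade with
# checks. Paths and tag names are parameters; defaults follow the post.

# Move the current server/ aside as <version>-server. Running the upgrade a
# second time must not destroy the first backup, so refuse if it exists.
backup_server() {
  install_dir=$1; old_version=$2
  backup="$install_dir/$old_version-server"
  if [ -e "$backup" ]; then
    echo "refusing to overwrite existing backup $backup" >&2
    return 1
  fi
  if [ ! -d "$install_dir/server" ]; then
    echo "no server/ directory in $install_dir" >&2
    return 1
  fi
  mv "$install_dir/server" "$backup"
}

# Clone the repository into server/, pin it to the release tag (same form as
# the post: git checkout -b TAG TAG) and verify that HEAD is exactly that tag.
checkout_release() {
  install_dir=$1; repo=$2; tag=$3
  git clone -q "$repo" "$install_dir/server" || return 1
  git -C "$install_dir/server" checkout -q -b "$tag" "$tag" || return 1
  actual=$(git -C "$install_dir/server" describe --tags --exact-match 2>/dev/null)
  if [ "$actual" != "$tag" ]; then
    echo "HEAD is '$actual', expected '$tag'" >&2
    return 1
  fi
}

# The whole procedure from the post; reset.sh/start.sh only run once the
# checkout has been verified.
upgrade_dradis() {
  install_dir=$1; old_version=$2; tag=$3
  repo=${4:-https://github.com/dradis/dradisframework.git}
  backup_server "$install_dir" "$old_version" || return 1
  checkout_release "$install_dir" "$repo" "$tag" || return 1
  (cd "$install_dir" && ./reset.sh && ./start.sh)
}

# Usage (BackTrack path from the post):
#   upgrade_dradis /pentest/misc/dradis 2.7.0 REL-2.7.1
```

Because the old tree is only renamed, rolling back is a matter of removing the new server/ and renaming 2.7.0-server back; the same checkout_release function pins any later REL-* tag in the same way.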

Open-source project released: passdb

On Wednesday we released passdb, a Ruby gem to search CIRT.net’s default password database.

We have decided to host our gem’s source code in GitHub (which we will be using in the future to host all our open-source contributions). Find the repository, documentation and install instructions in:

https://github.com/securityroots/passdb

Future plans for the library include adding an option to submit new entries, so the guys at CIRT.net can keep their database updated with the latest additions.

Feel free to fork and submit pull requests. If you find the library useful or have suggestions for improvements, we would love to hear about them.

Running Dradis Framework (2.7) in BackTrack4 R2

Following the series of articles on how to get the Dradis Framework running on different operating systems, this time it is the turn of BackTrack 4 R2.

Note: this is almost a re-post of my earlier Running Dradis Framework in BackTrack 4 R2 article, updated to 2.7 (instead of 2.6.1).

First, get a download link for the latest Dradis from http://dradisframework.org/downloads.html and get it:

# wget http://downloads.sourceforge.net/dradis/dradis-v2.7.0.tar.bz2

Extract it:

# tar -xvvjf dradis-v2.7.0.tar.bz2


Next we need to update the version of RubyGems installed in BT4:

# gem -v
1.3.1
# gem update --system
[...]
# gem -v
1.7.2


And install the Bundler gem:

# gem install bundler


There is only one missing prerequisite to ensure everything runs smoothly: the development headers of the libxslt package, which the Nokogiri gem needs to build its native extension. You can get them with:


# apt-get install libxslt-dev


Now we are ready to get things going:

# cd dradis-2.7

# ./reset.sh
Your Gemfile's dependencies could not be satisfied
Install missing gems with `bundle install`
Some Ruby gems are missing, do you want to install them now? [y] y

Ok then, I am going to run bundle install for you, then you should run this script again.

Fetching source index for http://rubygems.org/
Installing rake (0.8.7)
Installing RedCloth (4.2.5) with native extensions
Installing abstract (1.0.0)
[...]
Your bundle is complete! Use `bundle show [gemname]` to see where a bundled gem is installed.


After all the dependencies are installed, we are ready to initialize the database and start the server. However, there is just one thing that has to be changed in the startup scripts.

Edit the last line of reset.sh to look like this:

bundle exec thor dradis:reset

Now we are ready, run the reset script again to generate the database:

# ./reset.sh

And start the server with:

# ./start.sh

Everything should be up and running in: https://127.0.0.1:3004/