Dradis Framework

Drag'n'drop attachment uploads

2012-05-20T18:51:00.002+01:00

Up until now, adding screenshots to your notes has been a bit problematic. You had to go to the Attachments upload the image, click, get the URL, go back to the Notes tab, open the editor and paste the link. This lead to a very upvoted feature request: Add image upload functionality to Note Editor.

Recently we've managed to sort this out and create a much cleaner solution to solve this problem: you can now drag and drop files to the Editor window, upload and copy the resulting attachment URLs to use them in the note's text. Let me show you how:

When invoking the note Editor (either from the add note button or double-clicking on an existing note), apart from the familiar Write and Preview tabs, there will be a third tab: Attachments.

This tab features a drop zone and some controls to manage the upload process. You can drag files from your desktop into the drop zone to stage them for upload:

Have you noticed the preview images you get even before uploading anything?

Anyway, you can upload them one at a time using the controls in each row or all at once using the general controls below the drop zone.

Once they are uploaded a link is provided to each attachment. You can right-click on the link to copy the attachment's URL for use in your notes.

The drag'n'drop feature is dependent on your browser, you will need Firefox 4.0+, Google Chrome or Safari 5.0+.

This feature is already available in the master branch of the Dradis Community and Dradis Professional editions.

Dradis Framework is the star in PaulDotCom en Espanol Episode 11

2012-03-14T18:01:00.000Z

I (@etdsoft) was given the opportunity to talk about Dradis Framework's past, present and future on Episode 11 of PaulDotCom Security Weekly en Espanol.

The podcast is in Spanish, but there is a full transcript in English in Security Root's blog:

http://blog.securityroots.com/2012/03/pauldotcom-en-espanol-interviews.html

Thanks to Carlos Perez aka "Darkoperator" (@Carlos_Perez) and the PaulDotCom team for having us in the show!

Dradis Framework chosen winner in the Best Tools Report 2011

2012-02-09T18:27:00.000Z

Today we got some amazing news, Dradis Framework was chosen the winner in the Security Assessment/Datamining category of the Best Tools Report 2011 by ToolsWatch Service

From the document:

The present document describes the Best Tools and Utilities from 2011. Divided into categories, carefully separated, based on the VulnerabilityDatabase.com Scoring Criteria.

We are thankful to the @ToolsWatch team and want to send congrats to all the participants!

Good day!

Dradis 2.9 released!

2012-02-01T15:44:00.000Z

New plugins

Retina Network Security Scanner upload plugin.
Zed Attack Proxy upload plugin.

Updated plugins

Nessus upload plugin is orders of magnitude faster.
Nikto upload plugin is orders of magnitude faster.
Nmap upload plugin is orders of magnitude faster.
VulnDB import plugin (to support VulnDB HQ integration)

Internals

Updated First Time User's Wizard.
Updated to Rails 3.2

download now

Dradis 2.8 released!

2011-10-10T14:33:00.000+01:00

Cleaner three-column layout
Smarter Ajax polling and auto-updating
New version of the Nmap upload plugin
New version of the Nessus upload plugin
./verify.sh now checks that libxml2 is installed
Bugs fixed: #17, #31, #37, #43, #48

download now

New in Dradis 2.8: three-column layout

2011-09-23T18:56:00.000+01:00

In Dradis 2.8 we will have a brand new three-column layout.

We have already discussed that the current Dradis interface can get cluttered at times (Tidy up your note list). In Dradis 2.8 we are introducing a cleaner layout with less text in the note list and more space for the note's content. Here are some screenshots:

New in Dradis 2.8: smart refresh

2011-09-22T16:20:00.000+01:00

One of the best features that we have been working on for the next release of Dradis will be an improved Ajax refresh feature.

We have prepared a small screencast to show it. Two different browsers are shown side by side. Notes and nodes added in one browser are replicated in the other.

Dradis 2.8 smart Ajax refresh por etdsoft

It is already in our GitHub repository so you are free to git pull and give it a shot. We will be very interested in hearing what you have to say.

Dradis Framework Guides

2011-08-03T06:42:00.000+01:00

We have a new documentation site:

http://guides.dradisframework.org

Checkout the guides we have so far or contribute a new guide. Get involved!

Dradis 2.7.2 released!

2011-08-02T04:42:00.000+01:00

This bug-fixing release which includes:

Several closed issues: #5, #9, #13, #14, #15, #16, #19, #20.
Improved startup scripts
Update Rails to 3.0.9

And all the goodness introduced in 2.7.1:

A cleaner, leaner note editor
Improved command line API with Thor (thor -T to view all commands)
New Configuration Manager to handle all plugin config settings
New Upload Manager that runs uploads in the background and updates the interface through Ajax
New plugins:
- Metasploit import
- NeXpose (.xml) upload
- OpenVAS (.xml) upload
- SureCheck (.sc) upload
- w3af (.xml) upload
- Web Exploitation Framework (wXf) upload
Updated plugins:
- Nessus plugin supports .nessus v2
- Vuln::DB import updated to support the latest release
Bugs fixed: #3, #4, #6, #7, #8, #10, #2888332, #2973256

download now

Announcing Dradis Professional Edition

2011-07-19T06:58:00.000+01:00

Note: this is a cross-post and can be found in the Security Roots blog too.

Today I am pleased to announce Dradis Framework Professional Edition. Back in 2007 when I started the Dradis Framework project I could have not anticipated the success that it would had. Four years, 3,000 commits, 19,000 downloads and 19 releases later we are still making a difference for hundreds of security professionals (and aficionados) out there.

Dradis was announced in the 1^st edition of MWRICON after many hours of late-night coding. Today we have three full committers, a small number of trusted partial committers and dozens of contributors. Dradis 2.0 was a big thing, and when Dradis was featured in the Offensive Security's Metasploit Unleashed it was even bigger and Russ McRee's coverage for the toolsmith column of ISSA's magazine and our own chapter in Grey Hat Hacking and being included in BackTrack since BT4 and the talks at DC4420 and DEFCON 17 and so many other articles and references.

It was encouraging that some people believed in the project from the beginning. I am grateful that my current employer (NGS Secure which was still called NGSSoftware when I joined) and my previous one (MWR InfoSecurity) let me carry on working on Dradis as my side project and even gave me time to continue improving the tool.

We have gone a long way... it was only matter of time that organizations whose consultants were already using Dradis approached me to get some help to further tailor Dradis to their needs. Some times this consisted on helping them with small tweaks they were making to the code, others it consisted in developing for them full-blown custom plugins to interconnect Dradis to their other systems or to produce reports in their particular format. That is why I started Security Roots Ltd in 2010.

Dradis was started by a security consultant, with the security consultant's needs and goals in mind (share information with the other teammates, portable, platform-independent, etc.). These are a subset of the needs and goals of the organization to which these consultants belong. The Technical Director of a security company understands the benefits of consultants using Dradis, but he needs more. He wants all his teams to work with Dradis in a standardized way. He wants everyone in the team to be able to use the latest version of Dradis without having to bother about upgrading and dependencies. He wants to be able to see how the different teams are doing, quickly check each team's findings, maybe even extract some metrics or generate interim reports for clients with the critical issues already captured by the teams.

Enter Dradis Framework Professional Edition, a virtual appliance that leverages the advanced features of Dradis and extends it to enable multiple teams to work concurrently:

It provides a centralized information repository:
- Information is always available: during the project and afterwards.
- Quickly inspect the project history or review the projects for a given user.
- Ideal for teams that work across multiple time zones.
Hassle-free deployment: power up the virtual appliance and you and your team can start working and sharing information.
The virtual appliance is easy to update and backup.
Bundled with Vuln::DB, import issues to your Dradis projects from the central issue database.

I am thrilled about the prospect of making consultants' lives ever easier, helping organizations to work more effectively and to make sure their clients receive the best value for money. Let the consultants focus on what they are good at and what they enjoy most: breaking things while we minimize the hassle associated with the back-end tasks required to coordinate their efforts.

This is a great opportunity to make a difference. Let's make the most of it.

Daniel
Lead developer

Include screenshots stored in Dradis in your Word report

2011-05-30T14:21:00.000+01:00

Every week, a Dradis user somewhere is thinking: "Damn, it would be nice if I could get my screenshots in the Word report". The problem has been discussed in the forum and the mailing list before, it is quite simple actually, we need a way to get our screenshots (stored in Dradis as attachments) into the final report.

Up until now I though that any solution to the problem would go through several layers of Word and WordML magic, packing and base64-encoding of the images, however, last week I realised that a simpler solution may exist. We are going to use a Word macro to do the heavy lifting.

The first thing we need is to upload our screenshot as an attachment in Dradis:

Then we need to include a reference to it in the text of our note. To do this, just double-click on the uploaded attachment and copy the URL assigned to it:

Note that in Textile (the markup language understood by Dradis) images are referenced by their URL between exclamation marks (!!). Make sure that the preview panel renders the image correctly. Otherwise review the URL:

(By the way, the screenshot is of the first entry from Google when searching for "Index of")

So, the last thing we need to do is to assign this note to the WordExport ready category and generate our Word report (export > Word export > Generate report):

And here comes the magic. I have created a Word macro (DradisScreenshot) that parses your document, searches for !! and pulls the corresponding images from your Dradis server.

I'm working on a separate post describing the inner workings of the macro, including for instance why I could use a simpler approach (e.g. ) [hint, bad SSL cert + HTTP authentication]. In the mean time, you can just grab the code from GitHub: etdsoft/dradis-macros and start using it.

The result:

I've also added this as an icon in my "Quick Access Toolbar":

Hope you find this quick tip useful. The code of the macro is sparsely documented but it should do the trick. Remember to assign the temporary directory and if you find any issues, please report them in the issue tracker.

TL; DR;

Grab the Word macro from GitHub: etdsoft/dradis-macros
Enjoy

Windows cannot find 'blunder' error on Dradis 2.7.1

2011-05-25T14:22:00.002+01:00

Update May/26: An updated installer has been published that fixes the issue described below and is available through the download page.

The Dradis 2.7.1 Windows package (dradis-v2.7.1-setup.exe) that we released yesterday contains a typo in in one of the batch files: server.bat.

If you try to run the file directly or through the Start menu start server icon, you will get an error message:

Windows cannot find 'blundler'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

In order to fix this open the file in an editor (go to the Start menu icon, right click > Edit) and adjust it to:


@echo off

::If the script doesn't work, uncomment and adjust the following:
set PATH=c:\Ruby187\bin;%PATH%
set RAILS_ENV=production
set BASE=%~dp0
cd %BASE%\server\

start "Dradis Framework Server (Ctrl+C to terminate)" bundle exec rails server webrick

Thanks to Doug Ipperciel for bringing this to our attention.

Upgrading from Dradis 2.7.0 to 2.7.1

2011-05-24T22:05:00.001+01:00

This week we are releasing Dradis Framework 2.7.1 which closes several bugs and brings a new note editor.

If you're new to Dradis or upgrading from an older (2.6.x, 2.5.x...) release, go ahead and download the full package from the downloads page.

However, if you already have a working install of Dradis 2.7.0 maybe you don't want to run the Windows installer again, or wait until your distro prepares an updated version of the package (did you know that BackTrack 5 shipped with Dradis 2.7.0?). Here is how to get the latest 2.7.1 code up and running.

Go to your install location:

In Windows:


c:\> cd %APPDATA%\dradis-2.7

In BackTrack:


# cd /pentest/misc/dradis

Backup the old server folder:


# mv server 2.7.0-server

Now you have a decision to make: upgrade to 2.7.1 or clone the Dradis repository so you can upgrade to 2.7.1 but also to any forthcoming releases (recommended)

Upgrading to 2.7.1

Download and uncompress the tarball for Dradis server 2.7.1 from GitHub:

https://github.com/dradis/dradisframework/tarball/REL-2.7.1

Uncompress in the drads-2.7 folder renaming the extracted directory to just server.

Using git repository for easy upgrading

From the current folder, clone Dradis git repository and point it to the latest release:


# git clone https://github.com/dradis/dradisframework.git server
# cd server
# git checkout -b REL-2.7.1 REL-2.7.1
# cd ..

Reset the environment and run the server


# ./reset.sh
# ./start.sh

If everything goes according to plan, you can now access Dradis on https://localhost:3004/ and in the top-right corner the version number will be 2.7.1.

Dradis 2.7.1 released!

2011-05-24T22:03:00.000+01:00

This bug-fixing release features:

Several closed issues: #3, #4, #6, #7, #8 and #10.
A cleaner, leaner note editor:

And all the goodness introduced in 2.7.0:

Improved command line API with Thor (thor -T to view all commands)
New Configuration Manager to handle all plugin config settings
New Upload Manager that runs uploads in the background and updates the interface through Ajax
New plugins:
- Metasploit import
- NeXpose (.xml) upload
- OpenVAS (.xml) upload
- SureCheck (.sc) upload
- w3af (.xml) upload
- Web Exploitation Framework (wXf) upload
Updated plugins:
- Nessus plugin supports .nessus v2
- Vuln::DB import updated to support the latest release
Bugs fixed: #2888332, #2973256
Update Rails to 3.0.6

download now

Dradis 2.7.0 in BackTrack 5

2011-05-23T20:05:00.001+01:00

A couple of weeks ago, BackTrack 5 was released and it shipped with Dradis 2.7 out of the box. You can find your Dradis install in:


/pentest/misc/dradis

Run ./reset.sh to prepare the environment and ./start.sh to start the Dradis server.

Kudos to the BT team.

Tidy up your note list

2011-05-11T19:37:00.000+01:00

After a few days of testing, your Notes view can become a bit cluttered. Although we are already discussing how to fix this for future releases in this blog post we will see what can be done about it.

So image that you currently have something like this:

It is difficult to make some sense out of that mess. It would be nice if we could filter the Text shown for each issue and display just the Title field:

We are going to do this using a renderer function for our Text column. Fire up your editor and open


./server/public/javascripts/dx/dradis.notes.NotesBrowserPanel.js

At around line#170, replace the existing renderer line with the following function:

What the new renderer does is look for notes that have a #[Title]# field defined and then extract the value of that title. Feel free to adjust the regular expression / extraction code to suit your needs.

After making the change, you need to delete the JavaScript bundle (autogenerated) and reload your browser:


$ rm ./server/public/javascripts/all.js

That's it, nice an easy. Now we have a much cleaner notes grid.

Running Dradis Framework (2.7) in BackTrack4 R2

2011-04-26T18:00:00.000+01:00

Following the series of articles on how to get the Dradis Framework running in different operating system, this time is the turn of BackTrack 4 R2.

Note this is almost a re-post of my Running Dradis Framework in BackTrack 4 R2 but updated to 2.7 (instead of 2.6.1).

First, get a download link for the latest Dradis from http://dradisframework.org/downloads.html and get it:


# wget http://downloads.sourceforge.net/dradis/dradis-v2.7.0.tar.bz2

Extract it:


# tar -xvvjf dradis-v2.7.0.tar.bz2

Next we need to update the version of RubyGems installed in BT4:


# gem -v
1.3.1
# gem update --system
[...]
# gem -v
1.7.2

And install the Bundler gem:


# gem install bundler

There is only one missing prerequisite to ensure everything runs smoothly, the development bindings of the libxslt package. You can get them with:


# apt-get install libxslt-dev

Now we are ready to get things going:


# cd dradis-2.7

# ./reset.sh
Your Gemfile's dependencies could not be satisfied
Install missing gems with `bundle install`
Some Ruby gems are missing, do you want to install them now? [y] y

Ok then, I am going to run bundle install for you, then you should run this script again.

Fetching source index for http://rubygems.org/
Installing rake (0.8.7)
Installing RedCloth (4.2.5) with native extensions
Installing abstract (1.0.0)
[...]
Your bundle is complete! Use `bundle show [gemname]` to see where a bundled gem is installed.

After all the dependencies are installed, we are ready to initialize the database and start the server. However, there is just one thing that have to be changed in the startup scripts.

Edit the last line of reset.sh to look like this:

bundle exec thor dradis:reset

Now we are ready, run the reset script again to generate the database:


# ./reset.sh

And start the server with:


# ./start.sh

Everything should be up and running in: https://127.0.0.1:3004/

Dradis 2.7 released!

2011-04-19T13:33:00.000+01:00

Improved command line API with Thor (thor -T to view all commands)
New Configuration Manager to handle all plugin config settings
New Upload Manager that runs uploads in the background and updates the interface through Ajax
New plugins:
- Metasploit import
- NeXpose (.xml) upload
- OpenVAS (.xml) upload
- SureCheck (.sc) upload
- w3af (.xml) upload
- Web Exploitation Framework (wXf) upload
Updated plugins:
- Nessus plugin supports .nessus v2
- Vuln::DB import updated to support the latest release
Bugs fixed: #2888332, #2973256
Update Rails to 3.0.6

download now

Dradis Framework live demo

2011-03-11T16:59:00.001Z

You can try Dradis before downloading / installing. Check out our live demo at:

http://dradis.heroku.com

Dradis Framework in Grey Hat Hacking 3rd Edition

2011-02-20T12:36:00.003Z

Grey Hat Hacking 3rd edition has a full chapter on Information Sharing During a Penetration Test featuring the Dradis Framework extensively.

Installation, configuration, upload, export and import plugins, OSVDB configuration are all covered. Some quotes:

The Dradis Server is the best way to collect and provide information sharing during a penetration test.

The real magic of Dradis occurs when multiple users enter data at the same time.

Access may be granted to the client, enabling them to keep abreast of the current status at all times. Later, when the assessment is done, a copy of the framework database may be left with the client as part of the report.

Dradis 2.6.1 released!

2011-02-11T12:35:00.002Z

Update Rails to 3.0.4 and RedCloth to 4.2.5
Update the SSL certificate for 2011 (see ./server/conf/ssl/README)
Deal with Burp Scanner's opinionated handling of null bytes
Improve verify.sh to find Bundler even when not in the PATH
Fix the start.sh script to use UNIX forward slash instead of Windows back slash

download now

Dradis Winter Week of Code 2010

2010-12-17T12:35:00.002Z

The guys from the development team of MWR Infosecurity are going to be working full-time on Dradis for a week next week!

See the official announcement of the first ever Dradis Winter Week of Coding. If you want to start tinkering around with your own Dradis plugins or want to help out the project by advancing some of the stuff in the roadmap you are welcome to join.

Follow the progress on #dradis at irc.freenode.org and @dradisfw on Twitter.

Dradis 2.6 released!

2010-12-03T12:34:00.001Z

Improved performance across the board
Upgraded libraries: Rails 3 and ExtJS 3.3
New First Time User Content showing how to use the interface
You still get all the old features
- HTML and Word reporting plugin.
- Burp Upload plugin so you can use Burp Scanner output.
- Nikto Upload plugin to use your Nikto scan results.
- OSVDB Import plugin straight from the OSVDB.
Bugs fixed: #3021312, #3030629, #3076709.

download now

Do you want to contribute to Dradis?

2010-11-30T12:33:00.001Z

We have updated the How to become a comitter page with the guidelines for commit access approval.

If you want to contribute with a plugin or a new feature, now it is easier than ever.

Running Dradis inside Metasploit's Cygwin

2010-06-27T12:32:00.000+01:00

Getting Dradis up and running in your Windows environment has never been easier. If you already have Metasploit installed, you can start using Dradis in a few minutes with the Running Dradis inside Metasploit's Cygwin tutorial.