Writing Reports of Vulnerabilities or Bugs using Dradis and MagicTree in Kali Linux 2020

After finding a vulnerability a penetration tester or bug bounty hunter always need to submit the report to the employer. This is one of the most important part of every penetration testing jobs. A good report must contain each and every detail of the vulnerability. Writing a good report is a must have ability, it is an art for bug bounty hunters. So in this detailed tutorial we will learn how we can generate or write reports on a vulnerability on our Kali Linux system.
Writing Reports of Vulnerabilities or Bugs using Dradis and MagicTree in Kali Linux 2020

Our target will be clear, we must keep it detailed as possible, this will help the developers understand all the details about vulnerability and fix it with right patch as soon as possible.

There are so many ways to create a penetration testing report. In our this detailed post we will learn a few tools that we can use to create a perfect report that covers everything in detail.

Here we see some of the main points that should always be included in the report:
  • Details of the vulnerability we found.
  • Score on the Common Vulnerability Scoring System (CVSS).
  • Impact of the bug on the Organization.
  • Recommendations to patch the vulnerability.

Common Vulnerability Scoring System (CVSS) is a standard method for rating IT vulnerabilities and decide the urgency of a response. We can read more about CVSS here.

In this detailed post we will talk about how we can write a good report on our Kali Linux machine. Here we use some good free tool to write report.

Generating reports using Dradis


Dradis is an open-source browser-based reporting and collaboration application, which used to combine the outputs of different applications and make a report ready. Dradis is so easy to use but unfortunately didn’t comes with Kali Linux(New versions).

Installing Dradis

 

Installing Dradis is super easy we can follow the Dradis’s Github page. But there is an easy process. We can run following command:
sudo apt-get install dradis
This command will install Dradis, but it will take some time depending on internet speed.
The screenshot shows the output of the preceding command:
installing dradis in Kali Linux

After installing Dradis we can use simply dradis command to run it:

sudo dradis
Dradis is web-based tool so it will work on browser. After running it Dradis will open browser in some seconds or may be we manually need to open http://127.0.0.1:3000
The screenshot is following:

set up dradis
Here, we can set up our shared password to access the Dradis framework and log in with the password.

After set up the password we need to choose a username and enter our password then we will be redirected to the dashboard of Dradis as like following screenshot.
Dradis in Kali Linux

In the free version of Dradis framework supports plugins of some tools like nmap, Acunetix and Nikto.

In Dradis framework we can create methodologies. The methodologies can be considered as a checklist, which can be used while doing penetration testing jobs for an organization.
To create methodologies, we go to methodologies tab and click on Add new.

Then we assign a name and click on Add to Project.

Adding a project in Dradis

Now we can see a sample list created for us. We can edit it by clicking on the Edit button on the right hand side.

Now let’s look at how we can organize our scan reports more better. We go to the nodes option on the left hand side menu and click on the + sign. Then a pop-up window will open and we can add a network range and then click on Add.
Add top-level node

We also can add new sub-node, we select the node from the left hand side panel and then choose the Add sub-node option. This sub-nodes can be very useful when we are doing pentest activity on a organize a network-based on the host’s IP address.

Then we can add notes and screenshots as proof of concept of the bugs we found.
proof of concept

We even can import results of various tools to Dradis. This can be done by choosing Upload Output from tool from the top menu of Dradis.
Using various tool in Dradis

Here we can upload our output file. Dradis framework has some inbuilt plugins, which can parse reports of different tools.

When the import is done, we can see the results on the left hand side panel under the plugin output. Dradis results can be exported in many formats like CSV, HTML, JSON.

We can see the output of the scan results we just imported.
generating result from Dradis

Similarly, different scans can be imported and combined together and can be exported as one single report using the Dradis tool.

This is how we can generate good quality reports of pentesting activity for an organization using Dradis framework on our Kali Linux system.

MagicTree -- Magical Reporting Tool

There is another tool for writing reports called MagicTree. MagicTree is a data management and productivity reporting tool is quite like Dradis. It is designed to allow easy and straightforward data consolidation, querying, external command execution and obviously report creation. 

It named “Tree” because all the data is stored in a tree structure, and “Magic” is because it is designed magically do the most bulky and boring part of penetration testing – data management and reporting.

Installing MagicTree

In the previous versions of Kali Linux MagicTree comes pre-installed not in recent Kali Linux. So we need to download it. To download it we use following command:
wget http://www.gremwell.com/sites/default/files/MagicTree-build1814.jar
downloading MagicTree

Then the jar file will be downloaded. This is an executable file no we don’t need to install it. We simply can run it by using following command:
java -jar MagicTree-build1814.jar
After we accept the terms and conditions we can see the MagicTree application.
MagicTree Dashboard

Next, we create a node by clicking on node menu bar then navigate to “Auto create”.
creating nodes

In the box which opens, we type the IP address of the host we want to be added. After adding the node, it will appear in the left-hand side panel.
node hosts

To perform a scan on a host, we go to the Table view; at the bottom, we can see a box titled Command.
We can run Nmap scan on the host we have added.
MagicTree allow us to query the data and send it to the shell. We click on the Q* button, and it will automatically select the hosts for us.

Now, we just need to type the following command:
nmap -v -Pn -A -oX $results.xml $host

The output of the preceding command shows in the following screenshot.
nmap command in MagicTree

Here hosts are already identified, we do not need to mention the host here. Then we click on Run.
nmap scanning on MagicTree

In the above screenshot we see a window that shows the scan being executed along with the output. Once the scan is complete, we click on Import, and it will be imported into MagicTree.

Similarly, we can run any other tool and import their reports to MagicTree.

At last we can generate a report by clicking on Report > Generate Report.
generating reports

In the next window, we can see the list of templates we would like to use to save our generated report, as shown in the following screenshot.

Then we click on the Generate Report button, and we will see report being generated.
Generating Report

We can learn more about MagicTree by clicking here.

This is how we can write reports on our penetration testing activity. This is the most important step in ethical hacking and bug bounty hunting. Not only Dradis and MagicTree There are more options are available like Serpico.

This is how we can write or generate reports of our penetration testing jobs using Dradis, MagicTree and Serpico in or Kali Linux machine. To know more about Kali Linux Tutorial follow our website.

For quick updates and small news follow us on Twitter and Medium.

No comments:

Please do not spam here. It is comment box not a spambox. Promotional links are not allowed.

Powered by Blogger.