User Manual
overview
dradis is a tool to help in the process of penetration testing. Penetration testing is about information:
- Information discovery
- Exploit useful information
- Report the findings
But penetration testing is also about sharing the information you and your teammates gather. Failing to share the available information effectively results in lost exploitation opportunities and overlapping efforts.
Before reading on, it may be worth having a look at the demo section, where you can find some introductory Flash videos about dradis. There is also a set of slides with a brief dradis overview.
scenario: where are we?
Traditional pentesting teams face different types of challenges regarding information sharing. If you do not use a tool to share the information, every tester will use their own notes file to keep track of their findings.
Each will store this file locally, or on a shared resource, but the information will not reach the rest of the team immediately.
If you want to know your teammate's latest findings, you will need to look for their notes file. You can also try talking, but talking is not that effective when you need to know a specific cookie value or a SQL query for an injection attack.
It seems reasonable to put some effort into increasing the quality and efficiency of this process.
system design: goals and benefits
Four main goals have driven and will drive the development of dradis. The system should:
- effectively share the information. Information should be available to all the clients without extra effort.
- be easy to use and easy to adopt. Otherwise it would present little benefit over other systems.
- be flexible. It needs a powerful and simple module interface. In order for it to grow, users should be able to extend it with their own modules.
- be small and portable. You should be able to use it while on site. It should be OS independent.
The main benefits derived from the use of dradis are:
- information is organized
- it saves time, both while testing and while reporting
- the knowledge is effectively shared
- it is also good for one-man testing
architecture

Both the client and the server are developed in Ruby. The server uses the Ruby on Rails (RoR) framework, a database-independent MVC framework that provides both a web interface and a web service interface.
The client communicates with the server using SOAP web services. As a result, nothing prevents the development of new clients in different languages.
Two flavours of client interface have been developed: a command line interface for the hardcore testers and a graphical interface that uses the Qt library.
All components are supposed to be platform independent; however, there are known issues with the Ruby bindings for the Qt library on Windows. The system has been developed using Debian GNU/Linux but has been tested and is known to work at least on Ubuntu/Kubuntu and Gentoo.
