dradis

dradis is a tool for sharing information during a pentest. If you are part of a team of testers working against the same set of targets, you will need to communicate with each other. The more efficient this communication, the better your chances of a successful breach.

While plenty of tools exist to help in the different stages of the test (information gathering, discovery, exploitation, etc.), few exist for sharing the interesting information that is captured. dradis is a tool that helps the team look at the big picture. Each member of the team adds her findings to the common information repository, and the tool shares the newly added information with the rest of the team.

dradis main window

dradis is written in Ruby and combines various technologies/libraries. On the server side it uses the Ruby on Rails (RoR) MVC framework; the client uses plain Ruby and the Qt library. The documentation page contains useful information on the architecture, installation process, etc.

It was the development of dradis that led me to write most of my Ruby-related posts since last summer. It has been really nice to spend time developing it and I have learned lots of interesting stuff.

dradis is also my first serious contribution to the security community and I am really excited to see what kind of feedback I get.

Before you download it, I recommend you have a look at the “dradis, an overview” set of slides. You may also find useful the two Flash videos I created to show what dradis is capable of:

  • intro: This video shows how the information is shared between the clients: you add new information from the command line interface and the graphical interface is notified. You can have different clients running different interfaces, they will all share the same information. Play video.
  • graphical user interface: Learn what the different elements of the graphical interface are, how to perform basic tasks and how to get help on dradis commands. Play video.

Enjoy, and let me know your thoughts on dradis. Does it look interesting? Have you found it useful? Will it fit in your company's way of pentesting?


One Response to “dradis”

  1. etd’s linux Dos and Dont’s » Blog Archive » dradis v1.1 is out Says:

    [...] security teams, was released on the 29th of February. Some major changes were introduced from the first release back on [...]
