Cisco launches open-source tool for penetration testers

Penetration testers seeking flaws in computer systems can now take advantage of Kvasir, a web-based application built to assist in "at-a-glance" tests.
Written by Charlie Osborne, Contributing Writer

Cisco has opened up access to Kvasir, which helps penetration testers worldwide assess the security levels of computer systems at a glance.

In a blog post, Kurt Grutzmacher, solutions architect at Cisco's Security Practice Advanced Services team, said that the tool was initially created for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team to keep track of the tests and data collected by the firm's penetration testers.

A pen test is a way to test a system's security standard by simulating a cyberattack.

During typical assessments of network security, pen testers may analyze between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, and then collect, sift through and document the results.

These tests require the use of various tools, including Nmap Security Scanner, Metasploit Pro, ShodanHQ, ImmunitySec CANVAS and Foofus Medusa. That's where Kvasir comes in -- as a means to homogenize data collected on security threats into a unified database structure, which is especially important at a time when large data sets, new data types and the need for inter-team interaction are all present.

"Kvasir, as open source for you to analyze, integrate, update, or ignore. [The tool] allows security testers to accurately view the data and make good decisions on the next attack steps," Grutzmacher writes.

"Multiple testers can work together on the same data allowing them to share important collected information. There's nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn't find anything 'important' so it was never fully documented."

The Cisco rep notes that the tool isn't perfect, but can act as a handy program that developers can take for themselves and improve. Currently, Kvasir supports the following tools:

Support for scanners such as Nessus, QualysGuard, SAINT, and others is in various stages of development.


"Exploit frameworks such as Metasploit Pro and CANVAS as well as the Exploit Database archive from Offensive Security are mapped to vulnerability," Grutzmacher writes. "[In addition,] CVE entries granting the user an immediate view of potential exploitation methods. CORE Impact's list of exploits is being researched for inclusion."

The SPA team generally uses Rapid7's Nexpose and Metasploit Pro, and Kvasir integrates the use of these tools via their API. The team purposefully did not incorporate some features but may have future plans for others, the security tester says.

The importation of Nexpose site reports is fully automated -- Kvasir will generate the XML report, download and parse it, and then this data can be imported into a Metasploit Pro instance. When it comes to Metasploit Pro results, XML reports must first be generated, then Kvasir will download and parse them automatically. "Kvasir also supports the db_creds output and will automatically import pwdump and screenshots through the Metasploit Pro API," the blogger notes.

The source code can be found here.
