The pentest companion
Jarvis is a very simple pentest companion that provides the following features:
- penetration tests results directory management
- unified structure for all assessments
- hooks for useful commands and automated output saving
- unified command history file
- easy way to take screenshots
- creation of an easily reachable symlink that always point to your current pentest
It is fully written in Python and is designed to be easily extended.
This project is currently under development and many bugs may appear, do not hesitate to open issues or submit pull requests
As a pentester, I often faced with difficulties related to output recording. Sometimes, a very looonnnng nmap scan launched without output options and cancelled may be very painful due to the lack of exploitable files. I’m not even talking about closed terminals containing juicy outputs that may lack in a security assessment report.
For these reasons, I decided to implement a command hooking feature that would automatically add output options to command lines and record outputs if such options would not exist.
Basically, each command exposed by Jarvis is a specific method called on a Python class. This method retrieves the supplied command line, adds arguments and patches the command lines, and finally runs the built command in a patched environnement.
For using Jarvis, you will have to fill a /etc/jarvis.conf file:
[jarvis] pentests_history = /home/user/.pentests_history user_directory = user output_directory = records img_directory = img pentest_tree = [ "%(user_directory)s", "%(user_directory)s/img", "%(user_directory)s/scripts", "%(user_directory)s/records" ] notesfiles = notes.txt interface = eth0 editor = vim
Here is a quick description of available options (all of them are mandatory):
- pentests_history : path to the file that will contain all the paths to performed pentests
- user_directory : since a pentest is supposed to be performed by several persons, this is the name of your directory within the pentest’s one
- output_directory : the directory within your user’s directory that will contain all records produced by available hooks
- img_directory : the directory within your user’s directory that will contain screenshots
- pentest_tree : this is a very important configuration, it describes the structure of your pentest directory that will be created after a pentest init. For the moment, I’m too lazy for creating directories according to previously described options so the directory tree must be fully described in this setting. This advanced feature should come soon. Note that some commands will obviously fail if you do not create user_directory or output_directory
- notesfiles : the file that will be used for taking notes
- interface : the network interface through which test are going to be performed
- editor : your preferred editor (vim, emacs, whatever)
Pentest directory management
If you want to start a new pentest, run the following commands:
$ pentest start /path/to/pentest $ pentest init
The first command will append an entry inside the pentests history file. The second will create your pentest directory structure.
After init, the pentest directory is created:
$ tree /path/to/pentest /path/to/pentest └── user ├── img ├── records └── scripts
Note that pentests are stacked in the pentests_history file:
$ cat .pentests_history /tmp/pentest-1 /tmp/pentest-2 /tmp/pentest-3
Stopping a pentest with pentest stop will simply pop the last entry from the history file.
You can then define useful aliases. The most explicit example is jumping to the current pentest with a bash alias:
alias gopentest="cd $(tail -n 1 /path/to/.pentests_history)"
Jarvis is shipped with many commands hooks that can be listed:
$ pentest hooks airodump arpscan crackmapexec curl dnsmap dnsrecon hping3 http hydra nikto nmap patator smbclient smbmap sslyze wfuzz
Please note that Jarvis does not ships packages providings hookable scripts or binaries. Jarvis also expects that each hooked command should runnable as-is. Basically, wfuzz should be callable without Jarvis installed.
Currently, Jarvis throws an exception with the underlying command does not exist on the installed system
Let’s try running an nmap scan, which is one of the currently available hooks:
$ nmap 127.0.0.1 Starting Nmap 7.60 ( https://nmap.org ) at 2018-09-15 11:08 CEST Nmap scan report for factory (127.0.0.1) [...]
Now, the commands.log file is populated (noted that commands are also properly escape):
$ cat commands.log [192.168.1.19] 2018-09-15 11:08:13,978 :: nmap -oA /tmp/peni/b0z/records/nmap-127.0.0.1-2018-09-15-11-08-13 127.0.0.1
You can see that output options have been added, and output files created automatically:
$ ls records/ nmap-127.0.0.1-2018-09-15-11-08-13.gnmap nmap-127.0.0.1-2018-09-15-11-08-13.nmap nmap-127.0.0.1-2018-09-15-11-08-13.xml
Output files naming follows a basic format. Note that naming is really efficient when targets are placed at regular positions. For example, nmap will process the target independantly from its position within the command line. This is achieved through a huge parsing effort on the command line that I don’t want to reimplement in Python and for each hook. Thus, it is recommend to put the target at the end of the command line when tools are agnostic about its position.
Finally, it should be highlighted that some command line arguments automatically disable the hooking mechanism. Especially, when help is invoked (-h or --help), or when output options are passed (basically -oJ, -oA or whatever in nmap), hooking is not performed.
Some commands don’t provide output options, so recording is achieved by passing them to the script utility:
$ curl -s https://google.fr $ cat records/curl-record-2018-09-15-11-13-23.txt curl -s https://google.fr Script started on 2018-09-15 11:13:23+02:00 <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"> <TITLE>301 Moved</TITLE></HEAD><BODY> <H1>301 Moved</H1> The document has moved <A HREF="https://www.google.fr/">here</A>. </BODY></HTML> Script done on 2018-09-15 11:13:23+02:00
Disable hooking at runtime
Sometimes, many many commands are typed and recording is not especially needed. Jarvis allows users to circumvent the hooking mechanism by using the --nojarvis option. This option will be consumed by Jarvis witout consequences on subsequent commands.
Taking screenshot is also made easy with pentest screenshot. This command will run the Imagemagick import command with manual selection options. Once the screenshot is taken, you are prompted for a screenshot name (I used zenity for this purpose):
I recommend associating this command to a keybinding :-)
You can then list your screenshots:
$ pentest img screen-1.png screen-2.png
And edit any screenshot with pinta, which is one of the most convenient quickwin editor from my point of view:
$ pentest edit screen-1.png
Adding a new hook
Jarvis is mainly a python module that can be used for various purposes based on pentest needings. The sharify script was developed for saving files efficiently when crawling CIFS share. Usually you do:
$ smbclient -U "domain\user%password" //host/share cd directory get file
file is then stored in the same directory from which you ran smbclient. sharify consumes the Jarvis setup to drop downloaded files in the files directory within your current pentest directory:
$ sharify -u USERNAME -p PASSWORD -d DOMAIN //host/share cd directory get file $ tree /path/to/pentest/<user>/files /path/to/pentest/<user>/files └── host ├── share1 │ ├── file-1 │ └── file-2 └── share2 ├── file-1 └── file-2