
4.3 Design

4.3.1 Data Model

One of the most important parts of this system is the data model, because all the information the system gathers will reside there. This data model has to be able to represent the machines inside a network and the vulnerabilities each machine has.

The core of this system's data model is the audit. An audit is the representation of one penetration testing process. As such, an audit always has a target, the date when it was created, and a pair of optional attributes that keep track of its progress.


As a result of running an audit, the system will find machines related to the target of the audit. These machines are represented as a data class as well. Each machine has an address and a name as primary identifiers. Different information about the machines in the target is collected, and this information has to be stored in the database as well.

This information includes the operating system of the machine with its associated CPE, and whether the machine sits behind a Web Application Firewall. Each machine is scanned in order to find the ports it has in use and the services listening on those ports.

For each port some information is stored: the port number inside the machine, the service it provides and its state, and the product that gives the service, together with its CPE.


Once the ports have been identified, the system will search for vulnerabilities in those ports. For that, each port has a number of associated vulnerabilities. Each vulnerability has a name, a description, a link to the vulnerability and the tool that found it.

Additionally, they carry the OSVDB and CVE identifiers, if the tool provides them.

The tools that the system uses can discover usernames and email addresses related to a target. This information has to be stored in the database as well. In order to store it, there exists a class named Employee. This class does not necessarily represent an employee of the target's company; it is merely a container for either a username or an email address. In case a tool is able to extract both the username and the email address of the same person, they can be stored together as well.


In order to control the audits, there exist two different classes. The first class is the User.

This class represents a user of the system, and as such it is identified by a username and a password. It also asks for an email address, which has no use yet. This class controls who creates Audits.

There could be the case where a tester wants to perform the same audit more than once. In this case, it is helpful to keep together all the audits that are directed at the same target. To cover this scenario, there exists a class in the system called Network. A network is identified by a company name, which represents the target that is to be tested. The network then comprises all the Audits that are performed against the same target.

Lastly, the system's database also incorporates the tools that the system will use. To store a tool, the command line that calls it has to be saved, along with some options for each tool. For each tool some attributes are saved as well, to hold extra information. This extra information allows some customization of the system, for example calling only passive tools. The phases of the penetration testing process are also stored, so that each action is linked to a phase. This makes it possible to quickly select all the tools that a phase needs in order to complete.

[Figure 4.6: Phase and Action. Phase: name String, order int. Action: tool String, options String, active? Bool, fileOutput Bool. One Phase has n Actions.]

In order to manage the data model, Object-Relational Mapping is used. This is achieved with a Python module called peewee. This module is a small and expressive ORM that includes support for SQLite, MySQL and PostgreSQL databases. It makes managing the database much easier and allows complex queries to be written in a few simple lines of code. As this is a small and simple data model, it would be tempting to use a lightweight database engine like SQLite; however, since the aim of this project is to build an expandable system, the database engine chosen for the system is MySQL. MySQL is a powerful and well-known database engine, and using it through peewee keeps it simple to work with.
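As an added example (not the thesis's code), the relationships described above expressed as plain SQL on an in-memory SQLite database rather than peewee on MySQL, so that it runs offline. The table and column names, the sample company, addresses and dates are assumptions; the two queries show what the model is for: the tools a phase needs (optionally only passive ones) and every open port seen across all audits grouped under one Network.

```python
import sqlite3

# Added example, not the thesis's code: the page manages this model with peewee on MySQL;
# here the same relationships are plain SQL on in-memory SQLite so it runs offline.
SCHEMA = """
CREATE TABLE network (id INTEGER PRIMARY KEY, company TEXT UNIQUE NOT NULL);
CREATE TABLE audit (id INTEGER PRIMARY KEY, target TEXT NOT NULL, created TEXT NOT NULL,
                    network_id INTEGER NOT NULL REFERENCES network(id));
CREATE TABLE machine (id INTEGER PRIMARY KEY, audit_id INTEGER NOT NULL REFERENCES audit(id),
                      address TEXT NOT NULL, name TEXT, os TEXT, os_cpe TEXT, waf INTEGER);
CREATE TABLE port (id INTEGER PRIMARY KEY, machine_id INTEGER NOT NULL REFERENCES machine(id),
                   number INTEGER NOT NULL, service TEXT, state TEXT, product TEXT, cpe TEXT);
CREATE TABLE phase (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, "order" INTEGER NOT NULL);
CREATE TABLE action (id INTEGER PRIMARY KEY, phase_id INTEGER NOT NULL REFERENCES phase(id),
                     tool TEXT NOT NULL, options TEXT, active INTEGER NOT NULL, file_output INTEGER NOT NULL);
"""

def open_db():
    """Create the schema and load a small constructed data set: two audits of one company."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO network VALUES (1, 'Example Corp')")
    db.executemany("INSERT INTO audit VALUES (?, ?, ?, ?)",
                   [(1, 'example.test', '2014-03-01', 1), (2, 'example.test', '2014-04-01', 1)])
    db.executemany("INSERT INTO machine VALUES (?, ?, ?, ?, ?, ?, ?)",
                   [(1, 1, '192.0.2.10', 'www', 'Linux', None, 0), (2, 2, '192.0.2.10', 'www', 'Linux', None, 1)])
    db.executemany("INSERT INTO port VALUES (?, ?, ?, ?, ?, ?, ?)",
                   [(1, 1, 22, 'ssh', 'open', 'OpenSSH', None), (2, 2, 22, 'ssh', 'open', 'OpenSSH', None),
                    (3, 2, 443, 'https', 'open', 'nginx', None)])
    db.executemany("INSERT INTO phase VALUES (?, ?, ?)", [(1, 'reconnaissance', 1), (2, 'scanning', 2)])
    db.executemany("INSERT INTO action VALUES (?, ?, ?, ?, ?, ?)",
                   [(1, 1, 'whois', '', 0, 0), (2, 1, 'dig', '-t any', 0, 1), (3, 2, 'nmap', '-sV', 1, 1)])
    return db

def tools_for_phase(db, phase_name, passive_only=False):
    """Tools an audit phase needs; with passive_only, only those whose active flag is unset."""
    sql = ("SELECT a.tool, a.options FROM action a JOIN phase p ON a.phase_id = p.id WHERE p.name = ?"
           + (" AND a.active = 0" if passive_only else "") + " ORDER BY a.id")
    return db.execute(sql, (phase_name,)).fetchall()

def open_ports_for_company(db, company):
    """Open ports across every audit grouped under one Network, newest audit first."""
    sql = ("SELECT au.created, m.address, po.number, po.service FROM port po "
           "JOIN machine m ON po.machine_id = m.id JOIN audit au ON m.audit_id = au.id "
           "JOIN network n ON au.network_id = n.id "
           "WHERE n.company = ? AND po.state = 'open' ORDER BY au.created DESC, po.number")
    return db.execute(sql, (company,)).fetchall()
```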

This is the complete data model for the system. However, esCERT UPC has provided the database of one of its tools, called Altair. This database contains information about known vulnerabilities, amongst others, and will be used to find vulnerabilities related to certain CPEs. This will provide some extra value to the system, getting information related to systems that is not gathered by any analysis tool.


The only thing that all the tools used by the system have in common is that they are all command line tools. This could pose a problem, in the sense that a custom class would have to be created for each tool that is to be used. Each tool has its own way of being launched, with different options and different output styles. This could mean a lot of work for anyone who wanted to expand the number of tools in the system.

Instead of doing that, a simpler solution is adopted. In this solution there exists a generic class able to call any command line tool with root privileges, and a collection of parsers, one per tool, that parse the output of the tools. With this design, calling any tool is really simple, and the only thing the user has to worry about is adding the parsing function to the collection. Since the parsing function would have to be created anyway under the other approach, this design adds no extra complexity.

This model of tool integration has two distinct parts: the class that launches the tools, which will be called Tool, for obvious reasons, and the collection of parser functions, which will be stored in a file together with a simple function that retrieves each parsing function given only the name of the tool it parses.
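An added example, not the thesis's own code, of the tool-integration model just described: a generic Tool launcher, a collection of parser functions keyed by tool name with a lookup function, and one parser that turns nmap's normal-output port table into the Port records of the data model. The class and function names are assumptions, and unlike the page's design the command runs with the caller's privileges rather than as root.

```python
import re
import shlex
import subprocess
from dataclasses import dataclass

# Added example, not the thesis's code. The page's generic class launches tools as root;
# here the command runs with the caller's privileges. All names here are assumptions.
@dataclass
class Port:
    number: int
    state: str
    service: str
    product: str = ""

PARSERS = {}  # the collection of parser functions, keyed by tool name

def parser(tool_name):
    """Decorator that adds a parsing function to the collection under its tool's name."""
    def register(fn):
        PARSERS[tool_name] = fn
        return fn
    return register

def get_parser(tool_name):
    """Retrieve a parsing function given only the name of the tool it parses."""
    if tool_name not in PARSERS:
        raise KeyError(f"no parser registered for tool {tool_name!r}")
    return PARSERS[tool_name]

# Matches nmap's normal-output port lines, e.g. "22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)".
_PORT_LINE = re.compile(r"^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@parser("nmap")
def parse_nmap(output):
    """Turn nmap's port table into Port records; header and other lines are ignored."""
    ports = []
    for line in output.splitlines():
        m = _PORT_LINE.match(line.strip())
        if m:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3), (m.group(4) or "").strip()))
    return ports

class Tool:
    """Generic launcher: a command line, its options and the target, handed to the tool's parser."""
    def __init__(self, name, command, options=""):
        self.name, self.command, self.options = name, command, options
    def run(self, target, timeout=600):
        cmd = shlex.split(self.command) + shlex.split(self.options) + [target]
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, check=False)
        return get_parser(self.name)(proc.stdout)
```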
