Updates to the Lair Ecosystem

By Dan Kottmann

Back in 2013 FishNet Security sponsored the development of an open-source, collaborative penetration testing framework named Lair. My former colleague and I went on a speaking tour (Defcon, Black Hat Arsenal, BSides Las Vegas, Derbycon) promoting the release of the product, which has greatly increased the efficiency, accuracy and overall quality of the pentesting projects we execute.

In an effort to further expand the Lair ecosystem, we’ve created a number of supporting components that enhance tool interactivity with Lair. This brief article discusses some of the supporting components developed to continually evolve the project. Community contributions are encouraged. Give me a shout (@djkottmann) if you need help getting started.

Lair Burp Extension

Burp Suite, one of the most valuable web application testing tools available, exposes a development framework for end users to create product extensions. I recently developed an extension capable of sending individual scan results directly to Lair from within the Burp UI. Although an official Burp drone exists to import XML data files in bulk, I often find it more desirable to cherry-pick the scan issues and send them to Lair on demand.

The extension is not yet in the Burp Suite App (“BApp”) store but is available for download at https://github.com/djkottmann/Lair-Burp-Extension. Detailed installation instructions are included on the GitHub site.

Figure 1: Context Menu to Export Issue to Lair

Lair Drones

Lair Drones, small tools used to quickly import pentest data into Lair, exist for a number of common tools: Nessus, NeXpose, Burp and nmap. However, there's no reason why other unique data sets cannot be consumed, nor is there a requirement that the drones be written in Python.

For example, Tom Steele created a custom tool, blacksheepwall, to assist with hostname reconnaissance. To import its data sets he created a drone (written in Go) that performs the necessary logic (https://github.com/tomsteele/lair-drone-blacksheepwall).

Official drones can be found at https://github.com/fishnetsecurity/Lair-Drones.

Lair Browser Scripts

So, during the initial release of Lair, it was quite clear that there were a lot of unique, repetitive or tedious tasks that we found ourselves doing to manage and manipulate project data. Depending on the project size, this could prove to be a very time-consuming and, in some instances, complex process.

The great thing about the framework under which Lair was developed is that a lot of the server-side functionality can be exposed directly to the client. Via JavaScript, the client can then interact directly with the server-side functions and leverage some of the pre-built logic of the server to manage and manipulate project data while maintaining some semblance of data integrity. Dubbed "Browser Scripts," these snippets of code can be run directly from a browser's JavaScript console and perform complex logic across large datasets in a fraction of the time.

FishNet Security has built an extensive library of scripts to achieve a variety of diverse tasks. Noteworthy examples include:

  • Generating URLs for every combination of hostname, IP and port for all web services in a project.
  • Merging multiple vulnerabilities matching a regex pattern into a single vulnerability. (Ever wanted to collapse 100 “Apache” vulnerabilities into a single finding?)
  • Searching across all project, host and service level notes for notes matching a regex.
  • Generating a unique list of all ports by protocol.
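To show the kind of logic these scripts carry out, here is an added example that is not part of the original post or of the Lair-Browser-Scripts library. It implements three of the tasks listed above (web URL generation, regex-based vulnerability merging, and unique ports by protocol) as pure functions over a constructed project document. The `sampleProject` shape, the `WEB_PORTS` port-to-scheme map and the function names are assumptions made for this example; Lair's real collections and server-side methods are not reproduced here, so in a real browser script the results would be fed to the server rather than returned.

```javascript
// Constructed sample project (assumed shape, not Lair's schema).
const sampleProject = {
  hosts: [
    {
      ip: "10.0.0.5",
      hostnames: ["www.example.test", "app.example.test"],
      services: [
        { port: 80, protocol: "tcp", product: "Apache httpd" },
        { port: 443, protocol: "tcp", product: "Apache httpd" },
        { port: 53, protocol: "udp", product: "bind" },
      ],
    },
    {
      ip: "10.0.0.6",
      hostnames: [],
      services: [
        { port: 8080, protocol: "tcp", product: "Apache Tomcat" },
        { port: 22, protocol: "tcp", product: "OpenSSH" },
      ],
    },
  ],
  vulnerabilities: [
    { title: "Apache httpd outdated", hosts: ["10.0.0.5"], cvss: 7.5 },
    { title: "Apache mod_status information leak", hosts: ["10.0.0.5"], cvss: 5.0 },
    { title: "Apache Tomcat default files", hosts: ["10.0.0.6"], cvss: 4.3 },
    { title: "OpenSSH weak ciphers", hosts: ["10.0.0.6"], cvss: 2.6 },
  ],
};

// Assumption: which TCP ports count as web services and which scheme to use.
const WEB_PORTS = { 80: "http", 443: "https", 8080: "http", 8443: "https" };

// Every combination of (IP or hostname) x (web port), de-duplicated and sorted.
function generateWebUrls(project) {
  const urls = new Set();
  for (const host of project.hosts) {
    const names = [host.ip, ...host.hostnames];
    for (const svc of host.services) {
      if (svc.protocol !== "tcp") continue;
      const scheme = WEB_PORTS[svc.port];
      if (!scheme) continue;
      for (const name of names) urls.add(`${scheme}://${name}:${svc.port}/`);
    }
  }
  return [...urls].sort();
}

// Unique, numerically sorted port list per protocol, e.g. { tcp: [...], udp: [...] }.
function portsByProtocol(project) {
  const acc = {};
  for (const host of project.hosts) {
    for (const svc of host.services) {
      if (!acc[svc.protocol]) acc[svc.protocol] = new Set();
      acc[svc.protocol].add(svc.port);
    }
  }
  const out = {};
  for (const proto of Object.keys(acc)) {
    out[proto] = [...acc[proto]].sort((a, b) => a - b);
  }
  return out;
}

// Collapse every vulnerability whose title matches `pattern` into one finding.
// The merged finding keeps the union of affected hosts and the highest CVSS score,
// so collapsing never under-reports severity. Returns a new vulnerability array.
function mergeVulnerabilities(project, pattern, mergedTitle) {
  const re = pattern instanceof RegExp ? pattern : new RegExp(pattern, "i");
  const matched = project.vulnerabilities.filter((v) => re.test(v.title));
  const others = project.vulnerabilities.filter((v) => !re.test(v.title));
  if (matched.length < 2) return project.vulnerabilities.slice(); // nothing to collapse
  const merged = {
    title: mergedTitle,
    hosts: [...new Set(matched.flatMap((v) => v.hosts))].sort(),
    cvss: Math.max(...matched.map((v) => v.cvss)),
    mergedFrom: matched.map((v) => v.title), // keep provenance for the report
  };
  return [merged, ...others];
}

console.log(generateWebUrls(sampleProject));
console.log(portsByProtocol(sampleProject));
console.log(mergeVulnerabilities(sampleProject, /^Apache/, "Apache - multiple issues"));
```

Pasted into a browser console against a page that exposes the project document, these functions are the pieces a script would run before handing the merged or generated records back to the server; keeping the merge logic pure makes it easy to review the result before anything is written.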

There are nearly 25 unique scripts in the library. Take a look at https://github.com/fishnetsecurity/Lair-Browser-Scripts.