Welcome to the inaugural blog post for our Tool Tuesday! On the first Tuesday of each month one of our penetration testers will share a tool or software that they use or have used that they can’t live without.

Engineer: James Carroll

Tool: AttackForge

Website: www.attackforge.com

To kick off the first Tool Tuesday post, we wanted to share a tool that helps relieve some of the pain associated with one of the most dreaded parts of a penetration test for many penetration testers and team leads: reporting, test cases, and workflow management.

To set the background on this, in Q1 2022 I was searching for a piece of software that would help accelerate Pentesting as a Service and enhance the customer experience of a penetration test. When you think about a normal penetration test, it usually starts with a kick-off call, maybe some cadence meetings, but the end result is usually an insanely long Word document that is hard to navigate, along with technical documentation that requires manual analysis to marry up with the report. To say that it’s a PITA is putting it lightly. We also wanted to reduce the Time to Remediate (TTR) of each engagement, so that customers can patch machines and make configuration changes at a more rapid pace and in a more streamlined fashion. I was searching for something that would create an interactive workspace so that customers could log in and see what the penetration testers are doing, the findings, the tests they were performing, and get instant visibility into this without waiting weeks for a report. After demoing a handful of solutions that didn’t quite check all our boxes and/or cost as much as a new Mercedes, a good friend of mine mentioned that he was checking out a tool called AttackForge. His description of it seemed to tick all our boxes, and he mentioned that the “two guys that founded it are really passionate about penetration testing and are great to work with”. After using the product for a couple of years, we concur 🙂

I’m a bit of an anomaly because I really love reporting. There’s something about taking the massive amounts of data, screenshots, and sometimes chaos that happen during an engagement, putting it all into a polished document, putting a bow on it and delivering it to a customer. I imagine the feeling is similar to when Michelangelo finished painting the Sistine Chapel. I’m not sure what paintbrushes he used for it, but for our penetration testing reporting and engagement management, that paintbrush is called AttackForge. AttackForge does reporting and beyond, and we’ll jump into our three favorite features of AttackForge: Reporting, Test Cases, and Collaboration. And yes, AttackForge can do all of this and more.

Reporting

A common problem with penetration testing teams is a lack of uniformity in reports and in the presentation of data and findings. AttackForge helps standardize reporting for penetration testing teams through vulnerability libraries. These libraries are internal databases of vulnerability descriptions, severities, remediation guidance and more. What’s even cooler is that AttackForge comes out of the box with a plethora of vulnerabilities already pre-built into the library. All you have to do is search for the vulnerability and add it to your findings and presto, it’s there! You can also edit the vulnerability to your liking, add evidence such as screenshots, add steps to reproduce, create a new vulnerability if the one you found does not exist, or import vulnerabilities and details from third-party tools such as Nessus and Burp Suite. These vulnerabilities can then be saved into the library for you (or your team!) to use on another engagement. No more master vulnerability documents filled with other customers’ names, and no more insane Word macros or internal reporting tools held together by shoestrings and bubblegum. AttackForge can do all of this with a couple of clicks of the mouse.

Now let’s say (warning: pentester lingo incoming) you added the following vulnerabilities and were able to perform the following:

  1. Exploit SMB Signing Not Required, dump local SAM hashes
  2. Pass the hash due to shared local administrative accounts
  3. Execute mimikatz on the server and gain plaintext domain administrative credentials.

Sure, you can upload each of those as separate vulnerabilities; however, one of the best and most flavorful parts of a penetration testing report is the Attack Path. This is the part where you get to flex your muscles and show how you went from zero to hero by completing the assessment objective. This is where AttackForge’s Attack Chains really come in handy.

With Attack Chains, you can pick vulnerabilities from the assessment and chain them together, showing what you used, when you used it, and what it resulted in. One of my favorite features here is that you can save Attack Chains, so if you have a common one (I think as penetration testers we all have/know what some of the most common kill chains are) you can re-use it in other projects.

And now for the actual reporting section. Yes, you can take everything shown, vulnerabilities and attack paths, and create a report out of it. AttackForge includes a default template that can be used and altered to your liking, and has very detailed documentation on their website on how to format reports so that the variables are automagically filled in. It also has a tool called ReportGen to help streamline this process (https://attackforge.com/reportgen.html). You can create multiple report templates as well, for different services or for different audiences (cadence reports for PMs, executive summaries for stakeholders, technical reports for IT staff, etc.). One of my favorite parts is that this can be done on demand, by the customer if you like (you can also disable this permission).

Test Cases

A common problem amongst penetration testing teams is the lack of uniformity in methodology. Penetration testing teams come from all different backgrounds and often use different tools and techniques to accomplish the same task. And because there is a general lack of standardization amongst penetration testing methodologies, it can oftentimes be hard to make sure that each pentest covers everything that is scoped into an engagement and everything that is expected to be tested.

Test cases allow you to use a predetermined “test” for each engagement. For example, if you are performing a web application penetration test, one of the most common test cases is the OWASP WSTG. AttackForge comes preloaded with different test cases that you can use out of the box, or you can edit them or create a totally new custom test case to your liking. I love this feature because it allows team leads to assign different test cases to different engineers and lets the leads view evidence and progress for each test case in real time. From a pentester’s viewpoint, it gives the tester a clear list of items to test for and provides a methodical, repeatable approach for engagements.

Now enter project managers. I’ve met very few penetration testers and engineers who will tell you that they love project managers. The great part about AttackForge is that you can create a Project Manager role, and they can log in and see the progress of each job they are tracking, which eliminates the daily cadence emails and helps streamline status updates. The pentester can update the status of each test case (example below), and the progress meter for the job changes based on the number of test cases that are still outstanding.

Collaboration

I’ve alluded to collaboration features throughout this post because collaboration is my favorite feature and an element that I believe is crucial to a pentesting engagement. The collaboration features in AttackForge improve the customer experience of a penetration test and give the customer a dashboard to see what’s occurring, the status of the penetration test, and what the findings are. One of our favorite collaboration features in AttackForge is being able to have customers mark vulnerabilities as ready for re-testing. An example workflow looks something like the following.

  1. Pentester finds MS17-010 and exploits it, adds it to AttackForge
  2. Customer gets an automated email about the critical risk finding, logs in and sees the vulnerability
  3. Customer remediates the vulnerability and marks it as ready for retesting
  4. Pentesting team gets a notification and re-tests the vulnerability and verifies that it has been patched
  5. Pentester updates the vulnerability as closed.

This workflow is so much better than sending out a Word document, sifting through data, and the endless back-and-forth emails about what’s been remediated, what’s not, what’s ready for re-testing, when you can re-test, updates regarding the re-test, etc. etc. etc. All of this can be done and tracked using native features in AttackForge in a clean, methodical, and organized fashion. The customer can even add remediation notes and screenshots proving that a patch has been applied or a configuration has been changed, which is also data that can be reflected in the report if you wish to map those fields to the AttackForge template. Customers can request a round of re-testing from their AttackForge dashboard, which will ping the team that testing is ready.

Something that I really like about AttackForge is that you can specify the number of re-testing rounds that are included in a project. The project management team and stakeholders can also view the status and progress of these re-testing rounds from their dashboard.
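To make the five-step retest workflow above concrete, here is an added example, not AttackForge’s code and not its permission model, that models the finding lifecycle the post describes: the customer may only mark a finding ready for re-testing, only the tester may verify and close (or reopen) it, remediation notes are kept with the finding, the number of included re-testing rounds is enforced, and every transition is recorded as an audit trail. The status names, the role policy, the `STILL_VULNERABLE` status and the second sample finding are all constructed for the illustration; MS17-010 is the finding named in the post.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(str, Enum):
    OPEN = "open"
    READY_FOR_RETEST = "ready_for_retest"
    STILL_VULNERABLE = "still_vulnerable"   # constructed: retest showed the fix did not hold
    CLOSED = "closed"


class Role(str, Enum):
    TESTER = "tester"
    CUSTOMER = "customer"
    PROJECT_MANAGER = "project_manager"


# Constructed transition policy (not AttackForge's own permission model):
# the customer may only declare a finding ready for re-test, only the tester
# may verify the fix and close (or reopen) it, and the PM role is read-only.
TRANSITIONS = {
    (Role.CUSTOMER, Status.OPEN): {Status.READY_FOR_RETEST},
    (Role.CUSTOMER, Status.STILL_VULNERABLE): {Status.READY_FOR_RETEST},
    (Role.TESTER, Status.READY_FOR_RETEST): {Status.CLOSED, Status.STILL_VULNERABLE},
}


@dataclass
class Finding:
    title: str
    severity: str
    status: Status = Status.OPEN
    remediation_notes: list = field(default_factory=list)
    history: list = field(default_factory=list)   # audit trail of (role, from, to)


@dataclass
class Project:
    retest_rounds_included: int
    findings: list = field(default_factory=list)
    notifications: list = field(default_factory=list)   # stand-in for email/dashboard pings
    rounds_used: int = 0

    def add_finding(self, title, severity):
        """Step 1: tester records the finding; the customer is notified."""
        finding = Finding(title, severity)
        self.findings.append(finding)
        self.notifications.append(f"customer: new {severity} finding '{title}'")
        return finding

    def transition(self, finding, role, new_status, note=""):
        """Steps 3-5: move a finding between states, enforcing who may do what."""
        allowed = TRANSITIONS.get((role, finding.status), set())
        if new_status not in allowed:
            raise PermissionError(
                f"{role.value} may not move '{finding.title}' "
                f"from {finding.status.value} to {new_status.value}")
        if note:
            finding.remediation_notes.append(note)
        finding.history.append((role.value, finding.status.value, new_status.value))
        finding.status = new_status
        target = "testers" if role is Role.CUSTOMER else "customer"
        self.notifications.append(f"{target}: '{finding.title}' is now {new_status.value}")
        return new_status

    def request_retest_round(self):
        """Customer asks for a round; refuse once the included rounds are spent."""
        if self.rounds_used >= self.retest_rounds_included:
            raise ValueError("no re-testing rounds left in this project")
        queue = [f for f in self.findings if f.status is Status.READY_FOR_RETEST]
        if not queue:
            raise ValueError("nothing is marked ready for re-testing")
        self.rounds_used += 1
        self.notifications.append(
            f"testers: round {self.rounds_used} requested, {len(queue)} finding(s) to re-test")
        return queue

    def progress(self):
        """Share of findings closed, as a dashboard progress meter would show it."""
        if not self.findings:
            return 0.0
        closed = sum(1 for f in self.findings if f.status is Status.CLOSED)
        return closed / len(self.findings)


def demo_workflow():
    """Walk the workflow from the post with constructed sample findings."""
    project = Project(retest_rounds_included=1)
    eternal = project.add_finding("MS17-010 SMBv1 remote code execution", "critical")
    signing = project.add_finding("SMB signing not required", "high")   # constructed second finding

    project.transition(eternal, Role.CUSTOMER, Status.READY_FOR_RETEST, note="KB applied, host rebooted")
    project.transition(signing, Role.CUSTOMER, Status.READY_FOR_RETEST, note="GPO enforces signing")
    queue = project.request_retest_round()

    project.transition(eternal, Role.TESTER, Status.CLOSED)
    project.transition(signing, Role.TESTER, Status.STILL_VULNERABLE)   # fix did not hold
    return project, len(queue)


if __name__ == "__main__":
    project, queued = demo_workflow()
    for line in project.notifications:
        print(line)
    print(f"progress: {project.progress():.0%}")
```

The point of the role table is least privilege in the workflow: a customer can assert that a fix is in place, but only the tester’s verification moves a finding to closed, and the history list is what you would export into the report to show who changed what and when.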

AttackForge Support

With any subscription-based service, the question “how is the support?” is always an important one. With AttackForge, the support is second to none. Whenever we have a question, feature request, issue, etc., we are welcomed with responses from the founders of AttackForge within hours. Stas and Fil over at AttackForge have been nothing short of great to work with, and will spend countless hours jumping on a Zoom call to explain something, help create something, or demo a new feature that they are releasing. It’s very apparent that they are extremely passionate about the industry and committed to creating a product that is undoubtedly improving the penetration testing industry.

Conclusion

In conclusion, AttackForge is a great tool for any penetration testing team looking to streamline their workflow, increase customer visibility, and make reporting and collaboration a breeze. With the ability to standardize reporting and use test cases, it is easier for teams to be consistent in their methodology, and easier for customers to track progress and vulnerabilities and to collaborate with the team. AttackForge has been a great addition to our toolkit, and we can’t recommend it enough.