Reconmap : VAPT (Vulnerability Assessment And Penetration Testing) Automation And Reporting Platform

Reconmap is a vulnerability assessment and penetration testing (VAPT) platform. It helps software engineers and infosec pros collaborate on security projects, from planning, to implementation and documentation. The tool’s aim is to go from recon to report in the least possible time.

Requirements

  • Docker
  • Docker compose

Documentation

Go to https://reconmap.org to find the user, admin and developer manuals.

Open-Source Vulnerability Assessment And Pentesting Management Platform

Reconmap is an open-source collaboration platform for InfoSec professionals that allows them to plan, execute and document all phases of penetration test projects for multiple targets and clients.

#vulnerability-management #penetration-testing #vapt

History

There is an unwritten rule that says that after doing something manually for the third time, you should automate it. We reached out to the same conclusion after completing our 4th or 5th pentest report. There is a lot of boilerplate and repetition that could be saved should a tool for managing security projects and their reports exist. We looked around for such tool on the open source community and to our surprise there weren’t many complete pentest report generation tools, with the level of documentation, support, and feature set that we were looking for.

That’s our history, we were born to get rid of some unnecessary tedious work in an elegant way. We hope to provide some value to all the infosec professionals (individuals or teams) who are finding themselves spending as much time in reporting as in the actual security work.

About the name

We picked the Reconmap name for two reasons:

  • The pentest work starts typically with the reconnaissance phase (recon for short), and ends with a report of all the vulnerabilities, exploits and recommendations (the map).
  • Reconmap contains the word nmap in its name, a tribute to our favourite network mapper tool.

Development

Version control

All the code for Reconmap is in the open. Below are the most important Github links:

  • Github organisation

REPOSITORIES

  • REST API – PHP backend
  • Web client – React frontend
  • CLI – Golang command line
  • Website – This website

Architecture

The Reconmap architecture is quite simple. We have a RESTful API written in PHP8.4 and a bunch of clients written in React and React native. The information is stored in a MySQL 8.0 server and for background processing and messaging we relay on Rabbitmq.

The command automation is done using the Docker API and a Golang client.

Roadmap

  • Version 1
  • Version 2
  • Version 3

Version 1

IN DEVELOPMENT

Release dateApril 2020
TasksView on github

FEATURES

  • Vulnerability management
  • Tasks
  • Projects
  • Clients
  • Templates
  • Reports
  • REST API
  • Docker deployment options

Version 2

PLANNING

Release dateOctober 2020
TasksView on github

FEATURES

  • Agents (to run automation without connecting to a terminal)
  • AI and Machine Learning. Automatically assign vulnerability scores, detect risks and so on.
  • Better analytics.
  • Desktop app (Electron based)
  • gRPC API
  • Kubernetes deployment options

Version 3

PLANNING

Release dateFebruary 2021
TasksView on github

FEATURES

  • Reporting engine
  • Integration with Solr for more powerful search features
  • Use of Keycloak for identity management
  • Addon marketplace
  • (others to be defined)

Troubleshooting

Errors occur for many reasons. From environmental differences, to permissions, to differences in software versions and more. Here you will find some resources that could help you troubleshoot problems with Reconmap. If these notes still leave you facing a problem, reach out to us on Gitter where we will happily assist you.

Server logs

Server logs show all sort of warnings and errors and should be your first stop while troubleshooting problems with Reconmap. Its location is /var/log/nginx/error.log inside the backend API Docker container.

If you want to see the last lines of this file run the following Docker command:

$ docker exec reconmap-backend-api tail /var/log/nginx/error.log

Example output

#0 /var/www/webapp/src/Services/ConfigLoader.php(12): json_decode()
#1 /var/www/webapp/public/index.php(26): Reconmap\Services\ConfigLoader->loadFromFile()
#2 {main}
thrown in /var/www/webapp/src/Services/ConfigLoader.php on line 12″ while reading response header from upstream, client: 172.19.0.1, server: localhost, request: “OPTIONS /users/login HTTP/1.1”, upstream: “fastcgi://unix:/var/run/php/php7.4-fpm.sock:”, host: “localhost:8080”, referrer: “http://localhost:3001/login”
2020/10/29 19:40:11 [error] 25#25: *54 FastCGI sent in stderr: “PHP message: PHP Warning: file_get_contents(/var/www/webapp/config.json): failed to open stream: No such file or directory in /var/www/webapp/src/Services/ConfigLoader.php on line 12PHP message: PHP Stack trace:PHP message: PHP 1. {main}() /var/www/webapp/public/index.php:0PHP message: PHP 2. Reconmap\Services\ConfigLoader->loadFromFile() /var/www/webapp/public/index.php:26PHP message: PHP 3. file_get_contents() /var/www/webapp/src/Services/ConfigLoader.php:12PHP message: PHP Fatal error: Uncaught TypeError: json_decode() expects parameter 1 to be string, bool given in /var/www/webapp/src/Services/ConfigLoader.php:12
Stack trace:
#0 /var/www/webapp/src/Services/ConfigLoader.php(12): json_decode()
#1 /var/www/webapp/public/index.php(26): Reconmap\Services\ConfigLoader->loadFromFile()
#2 {main}
thrown in /var/www/webapp/src/Services/ConfigLoader.php on line 12″ while reading response header from upstream, client:

Application logs

After the sever logs come the application logs. Its location is API_FOLDER/logs/application.log and similarly to the server logs, here you can see warnings and errors generated by the API or the backend jobs.

Example output

[2020-10-29 12:26:01] cron.DEBUG: Running queue processor {“class”:”Reconmap\Tasks\EmailTaskProcessor”} []
[2020-10-29 12:26:01] cron.DEBUG: Running queue processor {“class”:”Reconmap\Tasks\TaskResultProcessor”} []
[2020-10-29 12:26:21] http.WARNING: Expired token [] []
[2020-10-29 12:26:21] http.WARNING: Expired token [] []
[2020-10-29 12:26:21] http.WARNING: Expired token [] []

Features

  • Simple dashboard with analytics
  • Search across all your data (projects, vulnerabilities, tasks, …)
  • Users and roles (including client access to projects)
  • Two-factor authentication (2FA/MFA, TOPT)
  • Security commands database and automation
  • Vulnerability database
  • Tasks manager
  • Project and templates
  • Client management
  • Export/import data
  • Notes with markdown support
  • Attachments (docs, screenshots) to projects, vulnerabilities and tasks
  • Rest API: to easily integrate Reconmap with external tools and scripts.
  • Custom (whitelabel) report generation (HTML, PDF)
  • Audit log
  • Extensible via plugins
  • Web and mobile clients
  • Dark/Light themes
  • Free and open source
  • And more!

Integrations

IntegrationURL
Acunetixhttps://twitter.com/acunetix
Amaphttps://www.thc.org/thc-amap/
Arachnihttps://twitter.com/ArachniScanner
arp-scanhttp://linux.die.net/man/1/arp-scan
BeEFhttps://twitter.com/beefproject
Brutexsshttps://github.com/rajeshmajumdar/BruteXSS
Burp, BurpProhttps://twitter.com/Burp_Suite
Core Impact, Core Impacthttps://twitter.com/CoreSecurity
Dig 
Dirbhttp://tools.kali.org/web-applications/dirb
Dirsearch 
Dnsenumhttps://github.com/fwaeytens/dnsenum
Dnsmaphttps://github.com/makefu/dnsmap
Dnsreconhttps://github.com/darkoperator/dnsrecon
Dnswalkhttps://github.com/leebaird/discover
evilgradehttp://twitter.com/infobytesec
Fiercehttp://tools.kali.org/information-gathering/fierce
Fruitywifihttp://www.fruitywifi.com/index_eng.html
ftp 
Goohosthttp://www.aldeid.com/wiki/Goohost
hping3http://tools.kali.org/information-gathering/hping3
Hydrahttps://www.thc.org/thc-hydra
Immunity Canvashttp://www.immunityinc.com/products/canvas/
Ip360 
Lynishttps://cisofy.com/lynis/
Listurls 
Maltegohttps://www.paterva.com/web6/products/maltego.php
masscanhttps://twitter.com/ErrataRob
Medusahttp://h.foofus.net/?page_id=51
Metagoofilhttps://code.google.com/p/metagoofil/downloads/list
Metasploithttps://twitter.com/metasploit
Ndiffhttps://nmap.org/ndiff/
Nessushttps://twitter.com/tenablesecurity
Netcathttp://netcat.sourceforge.net/
Netdiscover 
Netsparkerhttps://twitter.com/Netsparker
Netsparker Cloud 
Nexpose, Nexpose Enterprisehttps://twitter.com/rapid7
Niktohttps://cirt.net/Nikto2
Nmaphttps://twitter.com/nmap
Openvashttps://twitter.com/openvas
PasteAnalyzerhttps://github.com/Ezequieltbh/pasteAnalyzer
Peeping Tomhttps://bitbucket.org/LaNMaSteR53/peepingtom/
ping 
propeciahttp://packetstormsecurity.com/files/14232/propecia.c.html
Qualysguardhttps://www.qualys.com/
Recon-NGhttps://hackertarget.com/recon-ng-tutorial/
Retinahttp://www.beyondtrust.com/Products/RetinaNetworkSecurityScanner/
Reverseraiderhttp://sourceforge.net/projects/complemento/files/
Sentinel 
Shodanhttps://twitter.com/shodanhq
Skipfishhttps://code.google.com/p/skipfish/
Sqlmaphttps://twitter.com/sqlmap
SSHdefaultscanhttps://github.com/atarantini/sshdefaultscan
SSLcheck 
SSLyzehttps://github.com/nabla-c0d3/sslyze
Sublist3rhttps://github.com/aboul3la/Sublist3r
Telnet 
Theharvesterhttps://github.com/laramies/theHarvester
Traceroute 
W3afhttps://twitter.com/w3af
Wapitihttp://wapiti.sourceforge.net/
Wcscan 
Webfuzzerhttp://gunzip.altervista.org/g.php?f=projects#webfuzzer
WebInspecthttps://resources.infosecinstitute.com/webinspect/#gref
Wfuzzhttps://wfuzz.readthedocs.io/en/latest/index.html
whois 
WPScanhttps://wpscan.org/
Xsssniperhttps://github.com/gbrindisi/xsssniper
X1, Onapsishttps://twitter.com/onapsis
Zaphttps://twitter.com/zaproxy

Demo

The demo server has 4 users to show the different permission levels. The credentials for these users are:

UsernamePasswordRole
adminadmin123Administrator
susu123Superuser
useruser123User
custcust123Client

Watch it working

Web client demonstration

If you prefer to watch a Reconmap demonstration instead hit the play button below.

Screenshots

Vulnerabilities

Tasks

Project templates

Client form

Audit log

Integrations

How to run locally in 2 easy steps

  • First you need to start your docker containers

$ docker-compose up -d

  • After this, open your browser at http://localhost:3001