Been messing with both lately. LAIR is really great at aggregating network penetration test data, but I do not like it for web apps because it only lists the first vulnerability found, even when importing from several means. For nmap data, LAIR does show the NSE findings, which is insightful.
Dradis is excellent, but also does have its limitations. I intend to try out KvasirSecurity, but was hoping to see it support NSE before giving it a full review. The developers have NSE support as “planned”.
Here is a short summary comparing the three primary FOSS tool aggregators:
- KvasirSecurity supports MSF Pro, metasploit-framework, Nessus, SHODAN, Nmap (NSE pending), Hydra, JTR, CANVAS, NeXpose, webshot, and vncshot. Other formats such as pcap, amap, Acunetix, Appscan, Netsparker, Burp, IP360, and OpenVAS data can be imported through MSF Pro or metasploit-framework.
- LAIR supports imports from blacksheepwall, cookiescan, burp (via drone XML or Burp Extension), metasploit-framework (MSF XML), Nmap and NSE (via gnmap or XML files), Nessus, NeXpose, Nikto, dirb, and tshark. It also supports export to metasploit-framework (MSF XML), which I found to be an incredible feature.
- Dradis supports burp, msf, nessus, nexpose, nikto, nmap, openvas, w3af, wXf, zap, acunetix, appspider, netsparker, and perhaps others. What is very unique about Dradis is that it supports IPv6, while the others lack this sort of support. Note that nikto, w3af, and many other tools do not support IPv6 but can be proxied through socat. Other favorite tools that support IPv6 include: dnsrecon, amap (especially good with IPv6 UDP), hydra, arachni, and sqlmap.
There is a great webapp-centric solution for aggregating test data here – https://github.com/dorneanu/appvulnms – which supports AppScan Standard Edition, Acunetix WVS, and Burp Suite Professional.
For commercial, I’ve always found ProVM Auditor to pleasantly support many of the above, many federal or DoD tools, as well as AppDetective Pro, Imperva Scuba, NGSSoftware Squirrel and Orascan, etc – making it ideal for database-intensive pen tests.
Another tool, LunarLine Vulnerability Scan Converter, I was a bit nonplussed about. The leebaird discover.sh script can handle very similar output, but for free. discover.sh supports Burp, Nmap, Nessus, NeXpose, and Qualys QG XML to CSV conversions.
You know I’ve always been a fan of Maltego for aggregating pen test data, such as Sploitego (and many others), but I believe I do prefer the speed of something like LAIR, Dradis, or KvasirSecurity a tad more, as they are not as GUI-reliant. One of my favorite tools for tracking all sorts of data (including threat actor data) is Lumify (above and beyond Maltego and plugins). If you are just messing around on Kali Linux and need something to track test data, KeepNote is also great in a pinch.
Many people I know swear by Dradis Pro – which may still be the sweet spot if you can handle cloud-based data protection. What would be great would be to use LAIR for internal, network pen tests and Dradis Pro for external, especially public-web-facing pen tests.
Mobile devices, mobile apps, and IoT can throw a wrench into your gearworks. There are very few standards for either commercial (e.g., Metaintelli, NowSecure Enterprise, FOD, AppScan Mobile Analyzer, et al) or FOSS (e.g., Drozer, idb, repackaging with optool, PonyDebugger [Injected], etc) test data outputs. Perhaps a format similar to the appvulnms system described above would be a good investment?
Other considerations for tracking nmap and webapp pen test data (but these also perform actions such as launching the tools directly or iteratively, such as on a schedule) – https://bitbucket.org/al14s/rawr/wiki/Home – GitHub: sixdub/Minions, aschmitz/nepenthes, milo2012/metasploitHelper, and owtf/owtf.
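The NSE-aware Nmap import that the post credits LAIR with (and that Kvasir still lists as pending), and the Nmap XML to CSV conversion mentioned for discover.sh, both boil down to flattening Nmap's XML into one row per host, open port and script result. The following is an added illustration of that flattening and is not code from any of the tools above; the `SAMPLE_NMAP_XML` document is constructed, not real scan output, and the closed port and the script-less open port are there to show the two edge cases an aggregator has to handle without losing data.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed Nmap XML (not real scan data): 22 and 80 carry NSE output, 443 is closed, 8080 has none.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 192.0.2.10"><host><status state="up"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/>
  <script id="ssh-hostkey" output="2048 ab:cd:ef (RSA)"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/>
  <script id="http-title" output="Welcome"/><script id="http-server-header" output="nginx/1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http-proxy"/></port>
</ports></host></nmaprun>"""

FIELDS = ["host", "proto", "port", "service", "script", "output"]

def parse_nmap_nse(xml_text):
    """One record per (up host, open port, NSE script). An open port with no
    script output still yields one record with empty script/output."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status") is None or host.find("status").get("state") != "up":
            continue
        # Take the IP (v4 or v6) rather than the MAC address Nmap may also emit
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            if port.find("state") is None or port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            base = {"host": addr, "proto": port.get("protocol"), "port": int(port.get("portid")),
                    "service": svc.get("name", "") if svc is not None else ""}
            scripts = port.findall("script")
            if not scripts:
                records.append(dict(base, script="", output=""))
            for s in scripts:
                records.append(dict(base, script=s.get("id", ""), output=s.get("output", "")))
    return records

def to_csv(records):  # one finding per CSV row, header first
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()
```

Running `to_csv(parse_nmap_nse(SAMPLE_NMAP_XML))` gives four rows: the ssh-hostkey finding, the two http-* findings on port 80, and a placeholder row for port 8080, while the closed port 443 is dropped.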