Never Ending Security

It starts all here

Kvasir: Penetration Test Data Management

Kvasir: Penetration Test Data Management

Penetration tests can be data management nightmares because of the large amounts of information that is generally obtained. Vulnerability scanners return lots of actual and potential vulnerabilities to review. Port scanners can return thousands of ports for just a few hosts. How easy is it to share all this data with your co-workers?

That’s what Kvasir is here to help you with. Here’s what you’ll need to get started:

  • The latest version of web2py (
  • A database (PostgreSQL known to work)
  • A network vulnerability scanner (Nexpose, Nessus and Nmap supported)
  • Additional python libraries

Kvasir is a web2py application and can be installed for each customer or task. This design keeps data separated and from you accidentally attacking or reviewing other customers.


This tool was developed primarily for the Cisco Systems Advanced Services Security Posture Assessment (SPA) team. While not every methodology may not directly align, Kvasir is something that can be molded and adapted to fit almost any working scenario.

Currently the following sources are supported:

  • Rapid 7 NeXpose
  • Metasploit / Metasploit Pro
  • Tennable Nessus
  • ShodanHQ
  • Nmap
  • THC-Hydra
  • Medusa
  • John The Ripper

 Support for scanners such as Nessus, QualysGuard, SAINT, and others are in various stages of development already


Kvasir is a web-based application with its goal to assist “at-a-glance” penetration testing. Disparate information sources such as vulnerability scanners, exploitation frameworks, and other tools are homogenized into a unified database structure. This allows security testers to accurately view the data and make good decisions on the next attack steps.

Multiple testers can work together on the same data allowing them to share important collected information. There’s nothing worse than seeing an account name pass by and finding out your co-worker cracked it two days ago but didn’t find anything “important” so it was never fully documented.

more information can be found at:


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s