Introduction to Cervantes
Cervantes is an open-source, collaborative platform designed for pen-testers and red teams who want to save time by managing their projects, clients, vulnerabilities, and reports in one place. The tool lets users monitor, track, and report their findings to stakeholders in a secure environment. With Cervantes, pen-testers and red teams can quickly gain insight into their clients' risk posture and take proactive steps to improve their security. Some of the features of Cervantes include:
- It is open source.
- It is multiplatform.
- It is multilanguage.
- Allows for team collaboration.
- It has built-in dashboards and analytics.
- It helps you manage your clients and Offensive Security projects.
- Penetration testing reports can be generated in one click.
In this guide, I will show you how to install Cervantes and use it for vulnerability management.
There are several ways to install and run Cervantes. In this guide, we will run Cervantes on Docker. The first step is to clone the application files from the official GitHub repository to our computer using the command below:
git clone https://github.com/CervantesSec/docker.git
Once the download is complete, we navigate to the folder containing the files and run the command below to build Cervantes and start it:
docker-compose -p cervantes up -d
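As an added example (not part of the original guide or the Cervantes project), the following POSIX shell script wraps the two commands above and then polls the web UI until it answers, so you know when the stack is actually up rather than guessing after `docker-compose up -d` returns. It assumes the http://localhost address used by the guide and that git, docker-compose and curl are installed; the project name `cervantes` is the one from the command above.

```shell
#!/bin/sh
# Added example (not from the Cervantes project): clone the docker repo,
# start the stack and wait until the web UI answers.
set -eu

CERVANTES_REPO="https://github.com/CervantesSec/docker.git"   # repo from the guide
CERVANTES_URL="${CERVANTES_URL:-http://localhost}"            # address from the guide

# Poll URL once a second for up to ATTEMPTS tries until it returns a 2xx/3xx.
# Returns 0 when reachable, 1 when the attempts run out, 2 if curl is missing.
wait_for_http() {
    url="$1"; attempts="$2"; tried=0
    command -v curl >/dev/null 2>&1 || return 2
    while [ "$tried" -lt "$attempts" ]; do
        # -s quiet, -o discard body, -w print only the HTTP status code;
        # a connection failure yields "000", which does not match below.
        status="$(curl -s -o /dev/null -w '%{http_code}' --max-time 2 "$url" || true)"
        case "$status" in
            2*|3*) return 0 ;;
        esac
        sleep 1
        tried=$((tried + 1))
    done
    return 1
}

# Clone once, then start the stack under the project name used in the guide.
cervantes_up() {
    [ -d docker ] || git clone "$CERVANTES_REPO"
    ( cd docker && docker-compose -p cervantes up -d )
}

# Only run the bring-up when executed directly as cervantes_up.sh.
if [ "${0##*/}" = "cervantes_up.sh" ]; then
    cervantes_up
    if wait_for_http "$CERVANTES_URL" 120; then
        echo "Cervantes is reachable at $CERVANTES_URL; log in and change the default admin password."
    else
        echo "Cervantes did not answer in time; check 'docker-compose -p cervantes logs'." >&2
        exit 1
    fi
fi
```

Save it as cervantes_up.sh and run it from the directory where you want the docker folder to live.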
Login to Cervantes
After installation is complete, you can visit http://localhost in your favourite browser to access the dashboard. The default admin login details are username “firstname.lastname@example.org” and password “Admin123.”
Once logged into Cervantes, we are redirected to the tool’s dashboard, where the user can view information about clients, vulnerabilities, tasks, and projects, as shown in the image below.
The next tab is the calendar page, where we can view the available projects and their current status. Within the calendar, we can view Backlog, ToDo, InProgress, Blocked, and Completed tasks, and Cervantes uses a different colour code for each of these states.
With these colour codes, a user can determine the status of the projects at a glance and prioritize tasks accordingly, as shown in the image below.
On Workspaces, the user can view his/her assigned projects and the status of each one, i.e. whether the project is active or has been completed.
On the Projects page, the user can view the list of projects, their status, start and completion dates, and the type of testing to be done, i.e. black box, white box, or gray box. Under the Projects option, we can also create new project entries and templates to reuse when creating new projects, as shown in the image below.
Under the Clients tab, we can view a list of all registered clients, and edit or add clients prior to creating a project in Cervantes.
The Documents tab holds information about all uploaded documents, i.e. the document name, its description, and the user who uploaded it. Penetration testers can upload reference documents for use while performing a penetration test.
The Vulnerabilities tab is one of the most important tabs in Cervantes, since the tool's effectiveness largely depends on the vulnerabilities recorded. On this tab, we can view the recorded vulnerabilities, the project each one belongs to, its risk level and category, and the user who created the entry.
Under Vulnerabilities, we also have categories used to classify the vulnerabilities found, and we can create custom templates to use when creating an entry.
Like many other tools, Cervantes records the changes and actions performed by users in the application. Keeping logs of all actions is important, since it lets us determine who did what if the need arises.
Since creating regular backups of your application is recommended practice, Cervantes has a tab where users can create backups of both the database and the attachments. On this tab, we can also restore database and attachment backups onto a new instance.
Under the Organization tab, we can change the organization's name, contact name, email, phone, URL, and GitHub, add a company description, and update the organization logo.
On the report templates tab, the user can create report templates. By default, Cervantes ships with two templates, from which we will create the reports for our penetration testing projects. We can also add custom templates for use in our reports.
Under the Users tab, we can view all users registered in Cervantes, with details such as each user's email, full name, and position in the organization. Editing and adding users is also possible. For maximum security, Cervantes supports two-factor authentication; although it is optional, it is recommended to enable it for every user of the system.
Cervantes offers users a wide range of features, such as automated vulnerability scanning, asset identification, issue tracking, and reporting, so users can quickly identify and track threats, vulnerabilities, and other security risks in their environments. The platform also provides powerful reporting capabilities to help users quickly and accurately generate reports for their stakeholders.
The platform is designed to be highly secure, with features such as two-factor authentication, data encryption, and role-based access control, so that only authorized personnel can access the platform and view its data. Additionally, Cervantes lets users collaborate with other pentesters or red teams in real time, so they can quickly identify and address any potential issues.
In the next guide on Cervantes, we will learn how to add users and projects, record findings, and finally generate a report for our penetration testing project.