I've been given the directive at work to try to automate the things that I can. One thing I'd like to investigate automating is the discovery and recon portions of a pen test. I came across a tool that claims to do just that. Legion is "an open source, easy-to-use, super-extensible and semi-automated network penetration testing framework that aids in discovery, reconnaissance and exploitation of information systems." So let's dive in and see if Legion can help achieve my goals.

First off, Legion is a fork of Sparta. Some of the key changes are:
- Moving to Python 3.6.
- More intuitive GUI with things like task completion estimates, 1-click scans, and granular nmap scanning options.
- Simplification of installation (including a Docker container!).
- An active development team.
Installation really is pretty simple. Here are the steps (the `cd` and the final start-script invocation are the steps the Legion README uses to actually run the installer):

```bash
git clone https://github.com/GoVanguard/legion.git
cd legion
sudo chmod +x startLegion.sh
# The start script installs dependencies on first run and then launches the GUI.
sudo ./startLegion.sh
```
Once the installation is completed, the application will launch itself. Here is what you will be greeted with:
Starting up is pretty intuitive: simply click the box under the "Hosts" tab and add some targets (IP addresses, hostnames, CIDR ranges).
Selecting "Hard" mode allows you to fine-tune the port scan, host discovery, and custom options. Once you're satisfied with the scope, select Submit.
At the bottom of the application, in the processes tab, you will see that the scan has already begun:
As the scan ran, it opened an "Image Viewer" window. However, I received an error message stating that the image could not be loaded. This eventually caused the application to crash.
As the process runs, we can navigate through the Hosts, Services, and Tools tabs. There is even a search tool so that you can narrow down to specific hosts.
The hosts and services tabs display exactly what you would expect them to. The tools tab displays the different tools used against the hosts. For example, here Nikto was used and you can see the full output. Over time, the tool will continue to discover new information about your scoped hosts, such as the hostname and OS. It will also run relevant tools such as `smbenum` for hosts that have port 445 open.
There is also the "Brute" tab at the top. This allows you to run brute force attacks. For example, by default it fills in SSH with password. You can import a list of usernames or passwords to streamline your brute force attack. There are also several other options such as the number of threads, exiting on first valid, and verbose.
Another feature worth pointing out is the ability to import an existing nmap scan. This could be useful if you've started a test already and want to let Legion do some more digging.
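The two automation behaviours described above, reacting to an nmap result by queuing the right follow-up tool per open service and importing an existing nmap scan, both come down to parsing nmap's XML output. Here is an added example, not Legion's own code, that parses a constructed `nmap -oX`-style report embedded inline and builds the follow-up queue. The `FOLLOW_UP_TOOLS` table is a hypothetical trigger map using only the tools named in this post (`smbenum` for SMB, `nikto` for HTTP); the sample hosts and addresses are made up.

```python
"""Added example: parse an nmap XML report and plan follow-up recon per open
service, in the spirit of Legion's nmap import and service-triggered tooling.
This is illustrative code, not Legion's own implementation."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `nmap -sV -oX` output (not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/30">
  <host>
    <status state="up"/>
    <address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Hypothetical trigger table (an assumption, not Legion's configuration):
# nmap service name -> follow-up tool to queue. Keying on the service name
# rather than the port number means an HTTP service on 8443 still gets nikto.
FOLLOW_UP_TOOLS = {
    "microsoft-ds": "smbenum",
    "netbios-ssn": "smbenum",
    "http": "nikto",
    "https": "nikto",
}


def parse_nmap_xml(xml_text):
    """Return [{'addr', 'hostname', 'open_ports'}] for every host that is up.

    open_ports is a sorted list of (port, protocol, service_name) tuples;
    closed/filtered ports and hosts that were down are dropped.
    """
    hosts = []
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nmap could not reach it; nothing to follow up on
        addr_el = host.find("address[@addrtype='ipv4']")
        hn_el = host.find("hostnames/hostname")  # None when <hostnames/> is empty
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            svc_name = svc.get("name", "") if svc is not None else ""
            open_ports.append((int(port.get("portid")), port.get("protocol"), svc_name))
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "hostname": hn_el.get("name") if hn_el is not None else None,
            "open_ports": sorted(open_ports),
        })
    return hosts


def plan_follow_ups(hosts, tool_map=FOLLOW_UP_TOOLS):
    """Build the queue of (addr, port, tool) jobs from parsed hosts."""
    jobs = []
    for h in hosts:
        for portid, proto, svc in h["open_ports"]:
            tool = tool_map.get(svc)
            if tool and proto == "tcp":
                jobs.append((h["addr"], portid, tool))
    return jobs


if __name__ == "__main__":
    for addr, port, tool in plan_follow_ups(parse_nmap_xml(SAMPLE_NMAP_XML)):
        print("%s:%d -> queue %s" % (addr, port, tool))
```

Swapping `SAMPLE_NMAP_XML` for the contents of a real `-oX` file is the "import an existing nmap scan" case; the closed port 80 on the first host and the host that is down show why the parser filters on `state="open"` and `status="up"` before queuing anything.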
Overall, Legion does exactly what it claims to do. It even goes beyond my original expectations with the sensible exploitation of the hosts. It manages to automate a good portion of the early testing phases. At the time of writing, the limitation that stands out to me is the inability to export the data. Thankfully, that feature is on their roadmap.
I'm really looking forward to deploying this tool on my next assessment!