Faraday v3.11 released: Collaborative Penetration Test & Vulnerability Management Platform

Faraday introduces a new concept – IPE (Integrated Penetration-Test Environment) a multiuser Penetration test IDE. Designed for distribution, indexation, and analysis of the data generated during a security audit.

The main purpose of Faraday is to re-use the available tools in the community to take advantage of them in a multiuser way.

Designed for simplicity, users should notice no difference between their own terminal application and the one included in Faraday. Developed with a specialized set of functionalities that help users improve their own work. Do you remember yourself programming without an IDE? Well, Faraday does the same as an IDE does for you when programming, but from the perspective of a penetration test.

Changelog

v3.11

• Move GTK client to another repository to improve release times.
• Fix formula injection vulnerability when exporting vulnerability data to CSV. This was considered a low impact vulnerability.
• Remove “–ssl” parameter. Read SSL information from the config file.
• Add OpenAPI autogenerated documentation support
• Show agent information in command history
• Add bulk delete endpoint for hosts API
• Add column with information to track agent execution data
• Add tool attribute to vulnerability to avoid incorrectly showing “Web UI” as creator tool
• Add sorting by target in credentials view
• Add creator information when uploading reports or using de bulk create api
• Add feature to disable rules in the searcher
• Add API endpoint to export Faraday data to Metasploit XML format
• Use run date instead of creation date when plugins report specifies it
• Improve knowledge base UX
• Improve workspace table and status report table UX.
• Improve format of exported CSV to include more fields
• Sort results in count API endpoint
• Limit description width in knowledge base
• Change log date format to ISO 8601
• Fix parsing server port config in server.ini
• Fix bug when _rev was send to the hosts API
• Send JSON response when you get a 500 or 404 error
• Fix bug parsing invalid data in NullToBlankString

Changes in plugins (only available through Web UI, not in GTK client yet):

New plugins:

• Checkmarx
• Faraday_csv (output of exported Faraday csv)
• Qualyswebapp
• Whitesource

Updated plugins:

• Acunetix
• AppScan
• Arachni
• Nessus
• Netspaker
• Netspaker cloud
• Nexpose
• Openvas
• QualysGuard
• Retina
• W3af
• WPScan
• Webinspect
• Zap

Plugins

Don’t change the way you work today! Faraday plays well with others, right now it has more than 50 supported tools, among them you will find:

There is 3 kind of plugins:

• Plugins that intercept commands, fired directly when a command is detected in the console. These are transparent to you and no additional action on your part is needed.
• Plugins that import file reports. You have to copy the report to $HOME/.faraday/report/[workspacename] (replacing [workspacename] with the actual name of your Workspace) and Faraday will automatically detect, process and add it to the HostTree.
• Plugin connectors or online (BeEF, Metasploit, Burp), these connect to external APIs or databases or talk directly to Faraday’s RPC API.

Installation & Tutorial

Source: https://github.com/infobyte/