Note: this post is unfinished - two videos are missing
Correction: Dradis can do reports in Word format
Several people have noted that MagicTree is similar to Dradis. In this post I will try to make a point by point comparison, outlining out both similarities and differences. Obviously, I have a bias - being MagicTree developer, I know MagicTree a lot better than Dradis. Feel free to correct me or point out the features that I have missed.
Both MagicTree and Dradis are trying to solve the similar set of problems - managing penetration testing data and report generation. Both MagicTree and Dradis are allow importing the data produced by various penetration testing tools, allow the user add data manually and support report generation. Both MagicTree and Dradis store the data in a tree-like structure.
That being said, there are significant differences between the two tools.
Design, Architecture and Technology
Architecture
Dradis (version 2.6) is a web application. Older versions used to have a console client, but it has been discontinued. Dradis has a central server, where multiple clients connect. Thus it is possible for multiple testers to work on the same project instantly sharing the data they collect. If only one tester is working on a project using Dradis, he/she can run the Dradis server on his/her own computer.
MagicTree is a classic desktop application. There is no server, no database and no listening sockets. MagicTree does not support instant data sharing the way Dradis does, but follows a different approach. At any point in time during the test, one tester can take the MagicTree project file created by someone else and merge it with his/her own, getting all the data obtained by the other tester.
Data Structure
Though both MagicTree and Dradis store the data in a tree, there is a fundamental structural difference. Dradis puts the data in the tree according to its source. MagicTree structures the data according to the real-world object it describes. Let me explain that.
Say, for example, you have ran a nmap TCP port scan, and then thought that you need a UDP scan as well, and ran that too for the same targets. Importing these two files into Dradis will create two tree branches - one for each imported file:
When the same two files are imported in MagicTree it will merge together the results of two scans, so that both open TCP and UDP ports will appear under the hosts that they belong to:
The same goes for all data that gets merged in MagicTree, regardless of where it came from or what tool produced it. Any piece of data always appears under the object (host, port, service, etc.) it describes. This approach to storing data is fundamental to MagicTree and in particular allows querying of the data. I will describe the queries and other features build on top of that later in this article.
Extensibility by user
Dradis is an open-source application written in Ruby. A user can modify and extend it any way he likes. Doing so obviously requires some knowledge of Ruby and the ability (and desire ;) ) to read and understand the existing Ruby code. In particular, if you want to extend Dradis to support importing data from some tool, you'll need to write an upload plugin.
MagicTree is a closed-source application. However, it is possible for a user to extend it to be able to import data from tools it does not support out of the box. Two possibilities exist. If the tool you want to import data from produces XML output, you can write an XSLT transform and add it to MagicTree. The procedure for this is described here. You can use the XSLT files that come with MagicTree (in $HOME/.magictree/xslt directory) as an example. Alternatively, if the tool does not output XML or you don't feel like writing XSLTs, you can make a wrapper in any programming language you like that runs the tool, reads its output, parses it and outputs MagicTree XML that can be directly consumed by MagicTree. The MagicTree XML format structure and semantics are described here. Several sample scripts come with MagicTree and can be found in $HOME/.magictree/snippets directory.
Features
Dradis allows importing vulnerability descriptions from sources such as OSVDB and MediaWiki. This video demonstrates this feature. MagicTree currently does not do this, this feature is on our "to do" list.
Now let me demonstrate several MagicTree features that are absent in Dradis. The first of those is data querying. MagicTree query engine allows getting answers to questions such as "show me all http hosts and ports","are there any Apache servers running on Linux" and so on. Let's see how it's done:
The second feature unique to MagicTree that I want to show here is command execution. It is tightly linked with queries, allowing the user to extract the necessary data from the tree and feed it to command-line tools (show query, launching multiple commands, remote execution, data import).
[video comes here]
The last thing I would like to show is MagicTree's approach to report generation.
[video comes here]
Summary
The following table gives a side by side comparison of MagicTree and Dradis
| MagicTree | Dradis | |
|---|---|---|
| General | ||
| Platform support | Multi-platform: Java | Multi-platform: Ruby |
| Architecture | Desktop application | Client-server. A fat client and a web interface are available |
| License | Proprietary. Distributed free of charge | Open source. GNU GPL. |
| Supported import formats | ||
| Nmap | Yes | Yes |
| Nikto | Yes | Yes |
| Nessus XML version 1 | Yes | Yes |
| Nessus XML version 2 | Yes | No |
| Burp | Yes | Yes |
| OpenVAS | Yes | No. User-contributed plug-in exists |
| Qualys | Yes | No |
| Imperva Scuba | Yes | No |
| Typhon | No | Yes |
| NeXpose | No | No. User-contributed plug-in exists |
| Netsparker | No | No. User-contributed plug-in exists |
| Supported report formats | ||
| Microsoft Word | Yes | Yes |
| OpenOffice | Yes | No |
| HTML | No | Yes |
| Other features | ||
| Adding file attachments to nodes | Yes | Yes |
| Searching data in the tree | Yes | Yes |
| Dradis-only features | ||
| Vulnerability data import: Dradis supports importing vulnerability information from OSVDB and MediaWiki | ||
| Online collaboration: Dradis supports multiple testers accessing the same project database on-line | ||
| MagicTree-only features | ||
| Task execution: MagicTree supports running shell commands straight from the GUI, capturing command output | ||
| Data analysis: MagicTree allows querying the collected data and feeding it to shell commands | ||
| Knowledge reuse: MagicTree allows saving queries and commands to be reused in this or future projects | ||
