MagicTree vs. Dradis

Note: this post is unfinished - two videos are missing
Correction: Dradis can do reports in Word format

Several people have noted that MagicTree is similar to Dradis. In this post I will try to make a point-by-point comparison, outlining both similarities and differences. Obviously, I have a bias - being a MagicTree developer, I know MagicTree a lot better than Dradis. Feel free to correct me or point out the features that I have missed.

Both MagicTree and Dradis try to solve a similar set of problems - managing penetration testing data and generating reports. Both allow importing the data produced by various penetration testing tools, allow the user to add data manually, and support report generation. Both store the data in a tree-like structure.

That being said, there are significant differences between the two tools.

Design, Architecture and Technology

Architecture

Dradis (version 2.6) is a web application. Older versions used to have a console client, but it has been discontinued. Dradis has a central server to which multiple clients connect. Thus it is possible for multiple testers to work on the same project, instantly sharing the data they collect. If only one tester is working on a project using Dradis, he/she can run the Dradis server on his/her own computer.

MagicTree is a classic desktop application. There is no server, no database and no listening sockets. MagicTree does not support instant data sharing the way Dradis does, but follows a different approach. At any point in time during the test, one tester can take the MagicTree project file created by someone else and merge it with his/her own, getting all the data obtained by the other tester.

Data Structure

Though both MagicTree and Dradis store the data in a tree, there is a fundamental structural difference. Dradis puts the data in the tree according to its source. MagicTree structures the data according to the real-world object it describes. Let me explain that.

Say, for example, you have run an nmap TCP port scan, then decided that you need a UDP scan as well, and ran that too for the same targets. Importing these two files into Dradis will create two tree branches - one for each imported file:

When the same two files are imported into MagicTree, it will merge the results of the two scans, so that both open TCP and UDP ports will appear under the hosts that they belong to:

The same goes for all data that gets merged in MagicTree, regardless of where it came from or what tool produced it. Any piece of data always appears under the object (host, port, service, etc.) it describes. This approach to storing data is fundamental to MagicTree and in particular allows querying of the data. I will describe the queries and other features built on top of that later in this article.
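
The two layouts described in this section, as an added example that is not MagicTree or Dradis code: the same two scan files are stored once per source file and once merged under the host and port they describe, and the merged tree is then queried by service. The nmap XML is constructed and trimmed, and the function names and dictionary layout are assumptions for illustration, not either tool's internal format.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed nmap XML output for a TCP scan and a UDP scan.
TCP_SCAN = """<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  </ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="8080"><state state="open"/><service name="http"/></port>
  </ports></host>
</nmaprun>"""
UDP_SCAN = """<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/><ports>
    <port protocol="udp" portid="53"><state state="open"/><service name="domain"/></port>
    <port protocol="udp" portid="161"><state state="closed"/><service name="snmp"/></port>
  </ports></host>
</nmaprun>"""
FILES = {"tcp.xml": TCP_SCAN, "udp.xml": UDP_SCAN}

def open_ports(xml):
    """Yield (host, protocol, port, service) for each open port in one nmap XML file."""
    for host in ET.fromstring(xml).iter("host"):
        addr = host.find("address").get("addr")  # first address element of the host
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            yield (addr, port.get("protocol"), int(port.get("portid")),
                   svc.get("name") if svc is not None else None)

def by_source(files):
    """Source-oriented layout: one branch per imported file."""
    return {name: sorted(open_ports(xml)) for name, xml in files.items()}

def by_object(files):
    """Object-oriented layout: host -> protocol -> port -> service, merged across files."""
    tree = {}
    for xml in files.values():
        for addr, proto, portid, service in open_ports(xml):
            tree.setdefault(addr, {}).setdefault(proto, {})[portid] = service
    return tree

def query_service(tree, name):
    """Answer 'show me all <name> hosts and ports' over the merged tree."""
    return sorted((host, proto, port) for host, protos in tree.items()
                  for proto, ports in protos.items()
                  for port, service in ports.items() if service == name)
```

In the per-source layout the host 192.0.2.10 appears in two branches, so a question about a service has to visit every imported file; in the merged layout it is a single walk over hosts.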

Extensibility by user

Dradis is an open-source application written in Ruby. A user can modify and extend it any way he likes. Doing so obviously requires some knowledge of Ruby and the ability (and desire ;) ) to read and understand the existing Ruby code. In particular, if you want to extend Dradis to support importing data from some tool, you'll need to write an upload plugin.

MagicTree is a closed-source application. However, a user can extend it to import data from tools it does not support out of the box. Two possibilities exist. If the tool you want to import data from produces XML output, you can write an XSLT transform and add it to MagicTree. The procedure for this is described here. You can use the XSLT files that come with MagicTree (in the $HOME/.magictree/xslt directory) as an example. Alternatively, if the tool does not output XML or you don't feel like writing XSLTs, you can make a wrapper in any programming language you like that runs the tool, reads its output, parses it and outputs MagicTree XML that can be directly consumed by MagicTree. The MagicTree XML format structure and semantics are described here. Several sample scripts come with MagicTree and can be found in the $HOME/.magictree/snippets directory.

Features

Dradis allows importing vulnerability descriptions from sources such as OSVDB and MediaWiki. This video demonstrates this feature. MagicTree currently does not do this; the feature is on our "to do" list.

Now let me demonstrate several MagicTree features that are absent in Dradis. The first of those is data querying. The MagicTree query engine allows getting answers to questions such as "show me all http hosts and ports", "are there any Apache servers running on Linux" and so on. Let's see how it's done:

The second feature unique to MagicTree that I want to show here is command execution. It is tightly linked with queries, allowing the user to extract the necessary data from the tree and feed it to command-line tools (show query, launching multiple commands, remote execution, data import).
[video comes here]

The last thing I would like to show is MagicTree's approach to report generation.
[video comes here]

Summary

The following table gives a side-by-side comparison of MagicTree and Dradis:

|  | MagicTree | Dradis |
|---|---|---|
| General |  |  |
| Platform support | Multi-platform: Java | Multi-platform: Ruby |
| Architecture | Desktop application | Client-server. A fat client and a web interface are available |
| License | Proprietary. Distributed free of charge | Open source. GNU GPL. |
| Supported import formats |  |  |
| Nmap | Yes | Yes |
| Nikto | Yes | Yes |
| Nessus XML version 1 | Yes | Yes |
| Nessus XML version 2 | Yes | No |
| Burp | Yes | Yes |
| OpenVAS | Yes | No. User-contributed plug-in exists |
| Qualys | Yes | No |
| Imperva Scuba | Yes | No |
| Typhon | No | Yes |
| NeXpose | No | No. User-contributed plug-in exists |
| Netsparker | No | No. User-contributed plug-in exists |
| Supported report formats |  |  |
| Microsoft Word | Yes | Yes |
| OpenOffice | Yes | No |
| HTML | No | Yes |
| Other features |  |  |
| Adding file attachments to nodes | Yes | Yes |
| Searching data in the tree | Yes | Yes |

Dradis-only features
Vulnerability data import: Dradis supports importing vulnerability information from OSVDB and MediaWiki
Online collaboration: Dradis supports multiple testers accessing the same project database on-line

MagicTree-only features
Task execution: MagicTree supports running shell commands straight from the GUI, capturing command output
Data analysis: MagicTree allows querying the collected data and feeding it to shell commands
Knowledge reuse: MagicTree allows saving queries and commands to be reused in this or future projects

Comments

This is really looking good!

Great comparative! Very useful! thanks! :)

Any plans to add import NeXpose result functionality?

Yes, sure, why not.

If you use NeXpose, do you know if the XML for commercial versions is different from the free version? If you have a sample output and can send it to us, that will help.

Alla

Just curious if a plugin to import NeXpose Community Edition is available?

magictree is looking great.

Sorry, not yet. I need to set up a virtual machine to install Nexpose, cause it doesn't run on recent Ubuntu, scan a test target to get an XML sample and then make XSLT. I'll get around to it in January, I promise. :)

Thanks.

Thanks for the update. Appreciated.

Nexpose lets you output in the Qualys XML format. While this is not as good as a native transform will be, it's a good stopgap for the time being.

Thanks, I didn't know that.

Thanks a lot.
It was very helpful.