Some suggestions #22

Open
AlessandroZ opened this issue Jan 23, 2015 · 11 comments

Comments

@AlessandroZ

Hi guys,

Thank you for your work, this tool could be very great.

I have some suggestions to improve it.

  • To not run all tools automatically (e.g. nikto, etc.). Propose an option to the user to do it or to do it manually. It happens on pentests that we have too many IPs to test (it would not be supported by our computer to run nikto everywhere). Nikto is only an example, but if the user checks that he wants to do it manually, nothing is launched (or only the screenshot options).
  • A log tab to see the nmap scan could be useful. When a scan is launched, a nmap tab will appear (as it's done with the other tools) with the output of the -v options.
  • When I tried to run an nmap full TCP scan, it did not work (it does not show that nmap crashed, just the status changed to completed). The fast TCP scan works well by the way.

Your tool could be very useful during pentest. Have a great day.

Alessandro ZANNI

@st3r30byt3
Contributor

Hi Alessandro! Thanks for your feedback. We want to improve SPARTA in every way so we welcome every idea, suggestion and bug reports. :)

For your first point, you can completely configure what runs automatically by changing the sparta.conf file. You can completely disable automated attacks by setting "enable-scheduler" to False. As for what tools run automatically, it's as easy as modifying the [SchedulerSettings] section by adding/removing lines. In the future you will be able to do this in a more intuitive way by means of a settings menu. Also, we will update our documentation (http://sparta.secforce.com/documentation/) to make things clearer. :)

For the second point, this was a design decision at the time but we may consider changing this based on the community's feedback. The main reason for not doing it is that when you run the staged nmap, the GUI could become quite messy with several tabs appearing. Also, you typically run nmap on a range and there wasn't an intuitive way to display it as we always display tools per host. Maybe we could add a tab in the bottom pane where we append the output of all the nmap scans, as they happen.

For the third point, this seems very strange as it seems to be working for most people. Can you provide any other information that could help us troubleshoot? OS used? Privileges?

Thanks again.

@AlessandroZ
Author

Thanks for your answer.

I changed the "enable-scheduler" to False in the file and it works well. That is great.
For the last point, you were right, it was a privilege problem. For the full scan, nmap needs root privileges, so running sparta with sudo worked well.

Thanks to all, I will use it and if I have some idea, I will go back to you.

Alessandro

@control-panel

Hello!
Good work, thank you for this!
But I have some suggestions:

  • I'd like to have some "options" button/menu (or maybe a config file) where there would be some options such as setting the default terminal (I had to install gnome-terminal in order to check some functions), or it was not set to some predefined name,
  • and the same with other used programs (e.g.: ability to add options to nikto or nmap or other tools, writing own scanning profiles)
  • I think it would be a good idea to add proxy support to this nice instrument

@st3r30byt3
Contributor

Thanks for your feedback. For the first two points please have a look at my previous answer above. To summarise, there is a sparta.conf file which you can edit and we are already working on a settings menu to make the process easier! :)
For the third point, if you mean a web proxy we can definitely consider it. If you mean SOCKS, at the moment you can probably simply launch SPARTA through proxychains.

@control-panel

Thank you for such a rapid answer!)

I did not find the file sparta.conf (e.g. with examples) in the "latest zip", but I see information about this in the documentation =)

Thank you for your work!

@st3r30byt3
Contributor

No problem! :)
The sparta.conf file gets created in SPARTA's installation folder when you run it for the first time. If you delete that file, it will create a new one.

@phillips321

I agree with point 2 here, I would like the ability to see nmap tabs, regardless of how many there are. It'll help to identify if a scan is taking a considerable time which allows me to cancel it...

@st3r30byt3
Contributor

Thanks for the feedback. Point taken. We are currently considering how to best approach this. We agree that it is useful to see the output of the nmap command. However, there are a few challenges such as the ones described in my first post that we need to address first.

@phillips321

Ok so what I've looked into is starting the nmap scans as an external process under xterm. This works great as I can manually kill any scans that are taking ages, but it's clunky. Also stdout isn't captured by the python function calling the process so it breaks some other things. Currently you're marking nmap scans as hidden tabs, I've played with the code to try and fix this but haven't had much time whilst on client site.
What Dev environment are you using? Currently I'm just manually editing the code using nano but was hoping you had a project file and a recommended Python code editor? Once I've got the ability to view nmap scans as they're running I'll drop my pentest.sh (phillips321.co.uk) script in favour of Sparta. I'll also then contribute to it and import some of the functionality that my tool provides.

@st3r30byt3
Contributor

Hey again. Running nmap as an external process would lead to other problems given how central it is to SPARTA and how it must be treated differently from other tools (for nmap import, staged nmap, etc).

However, you can already kill an nmap scan if you feel it is taking too long (in the log tab, right-click on the process and kill). We will definitely find a way to display nmap as we also feel it is important. The best options we have so far are to display it in the Tools tab or next to the Log tab in the bottom panel.

@xpelican

xpelican commented Feb 21, 2019

I agree that it's better if users can see nmap scans' contents under the Tools tab. I'm currently going through the code line by line to try and figure out the program flow for Sparta, and right now I can make nmap scans visible without any unintended hiccups:

  • Open sparta/app/logic.py with a text editor.
  • Under "getProcessesFromDB", tmp_query, the phrase to query the database with, is defined as below:
    tmp_query = ('SELECT "0", "0", "0", process.name, "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0" FROM db_tables_process AS process WHERE process.closed="False" AND process.name!="nmap" group by process.name')
  • Delete the part that specifies the queried process name to NOT be nmap: AND process.name!="nmap"
  • In short, change that line to the one below:
    tmp_query = ('SELECT "0", "0", "0", process.name, "0", "0", "0", "0", "0", "0", "0", "0", "0", "0", "0" FROM db_tables_process AS process WHERE process.closed="False" group by process.name')

Now all nmap scans will show up as new items under the Tools tab!

I'm going to do more with this program as I love it very much and think it has the best groundwork and the potential to be the finest pentesting automation tool there is. If anyone else is interested in developing it further, please let me know!
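
The effect of the query change described in the comment above can be reproduced in isolation. This is an added example, not part of the thread or of SPARTA's code: the two-column schema, the shortened SELECT list and the sample rows are assumptions made for illustration; only the table name, the `closed` and `name` columns and the filter come from the quoted query.

```python
import sqlite3

# Shortened form of the query quoted above: only process.name is selected,
# since every other column in the original SELECT is the constant "0".
# String literals use single quotes (standard SQL); the double-quoted
# "False" and "nmap" in the original rely on SQLite's legacy fallback
# that treats an unresolvable double-quoted identifier as a string.
BASE = ("SELECT process.name FROM db_tables_process AS process "
        "WHERE process.closed='False'{extra} GROUP BY process.name")
QUERY_ORIGINAL = BASE.format(extra=" AND process.name!='nmap'")
QUERY_PATCHED = BASE.format(extra="")

# Constructed sample rows (name, closed); not taken from a real SPARTA project.
SAMPLE_ROWS = [
    ("nmap", "False"),
    ("nmap", "False"),          # second scan, same tool name
    ("nikto", "False"),
    ("screenshot", "False"),
    ("example-tool", "True"),   # closed tab, filtered out by both queries
]


def build_db(rows=SAMPLE_ROWS):
    """Create an in-memory table with the assumed minimal schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_tables_process (name TEXT, closed TEXT)")
    conn.executemany("INSERT INTO db_tables_process VALUES (?, ?)", rows)
    return conn


def tool_tab_names(conn, query):
    """Return the process names the query would hand to the Tools tab."""
    return sorted(row[0] for row in conn.execute(query))


if __name__ == "__main__":
    conn = build_db()
    print("original:", tool_tab_names(conn, QUERY_ORIGINAL))
    print("patched: ", tool_tab_names(conn, QUERY_PATCHED))
```

Because of `GROUP BY process.name`, the two constructed nmap rows come back from the patched query as a single `nmap` entry.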
