lair's Introduction

lair

Lair is a reactive attack collaboration framework and web application built with Meteor.

Getting Started

Information on how to install, run, build, and develop the project is available in the wiki.

Maintainers

Tom Steele

Dan Kottmann

Security

If you identify any security issues in the project, please contact the maintainers privately. We will work with you to resolve the issue. Your support is highly appreciated.

lair's People

Contributors

0xdevalias, chrismgeiger, djkottmann, ilyaglow, jamesbcook, sequel7, stevecoward, tomsteele

lair's Issues

Host OS list doesn't sort correctly

Under unknown contexts the OS list under the Host > OS tab does not sort correctly. Occasionally changing the weighting of a specific OS causes the wrong OS fingerprint weight to adjust.

Export page

Create a complete export page that allows for granular selection of what to export.

Create project from existing

Add an option to create a project from existing sources. Essentially, create a new project from existing projects. There should be options to include only certain projects, specific IPs/CIDRs, and certain tags (see #5).

[Feature Request] One-click Copy PID to clipboard

Add a JavaScript button (and perhaps associated hotkey) that copies the current PID to the system clipboard.

The double-click highlight gets more than you want (at least in Chrome) and slow-drag highlighting is, well, a drag.

[Vulnerabilities] Confirmed Boolean

I noticed in the JSON output for a project for a specific vulnerability there is a boolean titled "confirmed"; however, I don't see anything in the UI to toggle this setting.

Was this stubbed out for future use or am I missing the UI element for this?

I think it would be helpful. We tend to use the colors for this, but I think a separate flag/boolean is more appropriate.

[Vulnerabilities] Currently able to create a vulnerability with no name

You're currently able to create a vulnerability with no name, even though it should be required.

  • Check for this in the add new vulnerability form

In addition to this, when a vulnerability has no name, you're unable to go to the details page for it as the link is missing.

  • If a vulnerability has no name, use a default string (e.g. [blank]) to link to the details

Add vulnerability to service typeahead problem

On the service, add vulnerability view (project//services//vulnerabilities/new) the "Title" text box does not perform the typeahead lookup correctly. If a double-quote is present in any vuln title then the lookahead only retrieves a single character.

Grouping/Tagging Hosts (and other entries?)

I think it would be a useful feature to be able to assign hosts to one or more arbitrarily named groups (eg. database servers, SAP installations, etc)

To implement this in a more extensible/reusable way, you could assign 0 or more 'tags' to an entry/host/vulnerability/etc.

You would then be able to view a list of (new page?) all entries matching the specified tag/group of tags (eg. #windows #databases #prod), as well as using them in the search/filter options.

Being able to bulk assign a group of hosts (checkbox + button on hosts page) to a tag or group of tags would be useful.

[Notes] Ability to associate 'global' notes to a particular port/service/etc

This would allow you to associate a global note attached to a particular service/port/ combination, etc. This would show up for that service/port wherever it appears (on all hosts, etc)

Ideally, these global notes would be able to persist between projects.

I see this as being an easy way to provide helpful notes/knowledge base (e.g. tools to use for further investigation of that service, command line options, notes of things to remember/investigate further, etc). This would enhance the information sharing aspects, especially allowing newer/less experienced team members to benefit more from the wisdom of those more experienced testers.

'@' character in Mongo Password causes issues with nodejs

I get the following with an '@' in my mongo password:

```
Enter a new lair database username: sudo
Enter password: ( @sudo in this case)
MongoDB shell version: 2.4.8
connecting to: 127.0.0.1:11015/admin
Sun Apr 20 21:19:37.206 Error: 18 { code: 18, ok: 0.0, errmsg: "auth fails" } at src/mongo/shell/db.js:228
Starting Lair http server on 127.0.0.1:11016
Starting Lair https to http proxy on 10.37.102.2:11013

Access Lair at https://10.37.102.2:11013/
Drones can access the mongodb instance at mongodb://sudo:@[email protected]:11014/lair?ssl=true
```

Without the character, lair starts and connects to mongo.

```
lair-v1.0.4-darwin-x64 $ ./start.sh 10.37.102.2
Starting stunnel on 10.37.102.2:11014
Starting MongoDB on 127.0.0.1:11015
Have you previously added mongodb users? [y/n] y

Enter lair database username: root
Enter password: Starting Lair http server on 127.0.0.1:11016
Starting Lair https to http proxy on 10.37.102.2:11013

Access Lair at https://10.37.102.2:11013/
Drones can access the mongodb instance at mongodb://root:[email protected]:11014/lair?ssl=true
```

Highlight Exploitable Vulnerabilities

When importing Nessus results, can the vulnerabilities that are tagged by Nessus as exploitable by Metasploit, Core, or Canvas be marked as critical so that I don't have to hunt for them? The Nessus output includes the XML tag <exploit_framework_metasploit> and similar tags for Core and Canvas. Also, you could add a note to show which Metasploit module is referenced in the Nessus output.
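
A sketch of the triage this request describes, as an added example that is not part of Lair or its drones: it reads the three `exploit_framework_*` elements from a Nessus v2 export and returns the findings to prioritise for remediation. The sample report, plugin names and module title are constructed, and `metasploit_name` is assumed to be the element that carries the module title.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Nessus v2 (.nessus) layout; all values are made up.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2><Report name="constructed-sample">
<ReportHost name="192.0.2.10">
  <ReportItem port="445" protocol="tcp" severity="2" pluginName="Constructed finding A">
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <metasploit_name>Constructed Module Title</metasploit_name>
    <exploit_framework_core>true</exploit_framework_core>
  </ReportItem>
  <ReportItem port="80" protocol="tcp" severity="3" pluginName="Constructed finding B">
    <exploit_framework_canvas>false</exploit_framework_canvas>
  </ReportItem>
  <ReportItem port="22" protocol="tcp" severity="1" pluginName="Constructed finding C"/>
</ReportHost>
</Report></NessusClientData_v2>
"""

# Element named in the issue (Metasploit) plus the Core and Canvas equivalents.
FRAMEWORK_TAGS = {
    "exploit_framework_metasploit": "Metasploit",
    "exploit_framework_core": "Core",
    "exploit_framework_canvas": "Canvas",
}

def exploitable_findings(nessus_xml):
    """Return the findings that Nessus marks as covered by an exploit framework."""
    # For reports you did not generate yourself, parse with defusedxml instead.
    root = ET.fromstring(nessus_xml)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            frameworks = [
                label for tag, label in FRAMEWORK_TAGS.items()
                if (item.findtext(tag) or "").strip().lower() == "true"
            ]
            if not frameworks:
                continue  # no framework coverage: keep the scanner's own severity
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "title": item.get("pluginName"),
                "scanner_severity": int(item.get("severity", "0")),
                "frameworks": frameworks,
                # Candidate text for the note the issue asks for.
                "metasploit_modules": [m.text.strip() for m in item.findall("metasploit_name") if m.text],
            })
    return findings

if __name__ == "__main__":
    for finding in exploitable_findings(SAMPLE_NESSUS):
        print(finding)
```

In the sample, finding B has the higher scanner severity but is not flagged, because its only framework element is `false`.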

Unauthenticated user email account enumeration

It is currently possible to enumerate all user account email addresses. We were aware of this during development; it is a common issue amongst Meteor.js apps. The occurrence in Lair is because we needed a way to get the number of users, so we publish the user data set prior to authentication. Should be able to fix with a server-side call.

Paginate results for hosts and services

Pages that return complete lists of available services or hosts should be paginated using one of the many packages on atmosphere. If this is not used, large projects will load extremely slowly.

Enable persistent host filtering by color

Currently, the filtering options on the Hosts view page do not persist after leaving the Hosts page. All color filtering options clear when leaving and coming back to the Host page.

[Services] Color and link to hosts on right hand side

I'm not sure that colouring can be changed on an individual line as it's currently implemented (and changing it from a textfield would lose the ability to ctrl-a)

I'm thinking the addition of 2 icons to the left/right of each line of the ip address list.

  • The first would show the current color for that host, and clicking on it would change the color.
  • The second would allow linking through to the associated host entry.

It may also be beneficial to provide an onhover option (3rd icon?) giving a summary of the host. This could use the same code that would be required by #42

[Hosts] Host summary onhover of IP address

This would be a convenience/UI enhancement to display an onhover dialog box with a summary of the details for a host.

I would think this should have expandable headings for each main tab (services, vulnerabilities, operating systems, notes, hostnames, credentials).

These would show a number after them (eg. [+] Services (13)), and would be collapsed by default.

Any information/details that doesn't need to be collapsed would be shown as a string above the expandable headings.

An alternative to showing all this information onhover of the IP address would be to show it onhover for each particular cell/column. (E.g. hovering over the hostname for a particular entry would show the weighted list of all hostnames (and allow you to change the weighting/add new/etc?))

[Scripts] Menu option/page (similar to notes) for storing scripts + sitewide ability to run them

The current notes/developer console option is a good interim solution, but I think going forward it would be useful to have a separate 'scripts' page.

This would allow you to save scripts (as you currently can with notes), but also specify the page/pages/etc where they can be run.

This would be coupled with a sitewide option to execute scripts on the current page (could be a button/dialog, dropdown showing available scripts for the current context, keyboard shortcut #36, etc).

This could also implement either a link, or a direct ability to load scripts from the Lair Browser Scripts repo (or alternatively allow adding your own personal repo/sources as well)

[Services] Search/filtering UI enhancements

When you click on a cell (to filter by that cell I believe?), you should fill the details for the filter into the relevant search boxes above.

Include a reset/clear button next to search (same effect as clearing them all and pressing search, but makes life a little easier)

Add support for RPM based Linux

start.sh script should have support for CentOS, Fedora, etc. Everything works except for compilation of stunnel. Addition to script should include elif for /etc/issue and check yum for openssl-dev.

[Hosts] Add a tab to host notes to display a summary of all service notes

This would be a new tab on the host notes page that allows you to view an amalgamation of all service/port notes for that host.

These would have the service/port associated with them shown (own column, header, ?) so they can be differentiated.

You would be able to add/edit/etc the notes as you can for each port.

[Services] Weighted list of names for services/product name/etc (Like Operating System)

Allowing services/product names to be specified with a weighted list (like operating systems) would allow more flexibility with recording information without losing potentially useful details.

Eg. nmap figures out it's http, another tool decides it's a tomcat server, we manually figure out that it's a specific implementation that makes use of tomcat.

This way we would preserve all of the information along the way (without having to make assumptions/rely on memory/etc)

Show last modified time

For all of the "Last Modified By" fields, it would be cool to be able to see the time that it occurred.

This could be an additional column, but to save screen space having it display onhover would probably be even better.

[Files] Add support for file upload

I think it would be useful to add support for uploading files as well as just linking to files (might already be a feature you're planning?)

This would make it easier to store all the other data that doesn't quite fit into Lair currently.

It would also make it possible for drones to upload the raw/unparsed file to be stored as evidence (this could then be linked from the 'updated by tool' or similar?)

Services view, remove vulnerability fails

When viewing an individual service, clicking on the 'vulnerabilities' tab, selecting one or more vulnerabilities, and clicking 'remove' fails. It appears the vulnerability id is undefined.

start.sh fails if not in same directory

If you're not in the same directory as start.sh, it fails due to being unable to find files.

This could be enhanced to check/cd into the correct directory at the start of execution.

[Vulnerabilities] Button to edit vulnerability title/etc

It would be good to have a button to be able to manually edit the title, CVSS, etc for an already existing vulnerability.

  • You could include an inline edit link (and delete link?) for each vulnerability at /project/[uniqueid]/vulnerabilities
  • Include an edit button near the delete button at /project/[uniqueid]/vulnerabilities/[vulnid]

Built in console to run CLI tools

Was thinking about this today. Wonder if there is a way to possibly have a console built into the GUI. Then you can run nmap, nikto, sqlmap, etc and have the outputs automatically loaded into the DB.

Port table in services view

When a query has been performed on the services view, a sub table should be rendered which allows the client to toggle the color of ports for each host.

Replace deprecated 'addUser' Mongo call

MongoDB's 'addUser' command has been deprecated as of version 2.6. New releases of Mongo will include version 2.6.1+ of Mongo. Replace all instances of 'addUser' with Mongo's new method 'createUser'.

[UI/Functionality] Keyboard shortcuts (both sitewide where appropriate and specific on individual pages)

Being able to use keyboard shortcuts to navigate the features of the site, as well as specific functions on each page would increase usability/efficiency.

I envision this to work something like keyboard shortcuts on Github/GMail/etc

Could support vim style shortcuts as well as other custom ones?

Eg.

  • ? -> Show the available keyboard shortcuts
  • s or / for search -> Focus the search box so that additional text typed applies to it.
  • etc

Metasploit drone

Need a way to sync data back and forth with the Metasploit PostgreSQL database. Ideally, this would be done using some sort of pub/sub type functionality and require no user interaction, a run once type of service.
