Usage
SeReTo provides a command line interface (CLI) for creating and managing your projects. Once it is installed and set up, continue with the steps below.
Getting help
Any time you are unsure about something or cannot remember a command's structure, check its help:
sereto --help
Help is also available for nested commands. For example, to see what you can do with the dates in your project's configuration, run:
sereto config dates --help
Create project
To create a new project, use the new command. It takes the project's unique identifier as a positional argument. For example, to create a project with the identifier TEST, run:
sereto new TEST
During creation you will be prompted for details about the project, such as its name. Provide the requested information.
The project identifier must meet the following requirements:
- It may contain only letters (a-zA-Z), digits (0-9), underscores (_), dashes (-) and dots (.).
- It must be between 1 and 20 characters long.
For more information on the new command, refer to the SeReTo CLI documentation.
List projects
To list all projects, run the following command. It shows each project's ID and name, as well as the location of its file structure:
sereto ls
Configuring the project's details
SeReTo needs some information from you before it can generate the project's report. Change your working directory to the project's directory (you can find it with sereto ls). For example:
cd projects/TEST
Now you can edit the project's configuration. Set the dates, targets and people for the project.
Dates
Run the following command:
sereto config dates add
SeReTo will ask which date you would like to configure:
- sow_sent = the date on which you send the Statement of Work
- pentest_ongoing = a pair of dates marking the start and end of the assessment
- review = the date on which the review takes place
- report_sent = the date on which you deliver the report to the customer
Enter dates in the format DD-Mmm-YYYY, for example 18-Apr-2024.
Run the command once for each type of date you want to set.
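Dates entered in the wrong format, or in an impossible order (a review scheduled before the assessment ends, a report sent before the Statement of Work), are cheap to catch before a report is generated. The following Python script is an added example, not part of SeReTo, that parses the DD-Mmm-YYYY format described above and checks that the four date types fall in the expected order: sow_sent, then the pentest_ongoing pair, then review, then report_sent. The in-memory dict it checks is an assumption standing in for the project's stored dates; it is not SeReTo's on-disk configuration format, which this page does not show.

```python
"""Parse SeReTo-style dates (DD-Mmm-YYYY) and sanity-check a project timeline.

Added example, not part of SeReTo. The `dates` dict checked below is a
constructed in-memory representation of the four date types offered by the
`sereto config dates add` prompt; it is an assumption, not the on-disk format.
"""
from __future__ import annotations

import re
from datetime import date

# English three-letter month abbreviations. A hand-written table avoids the
# locale dependence of strptime("%b") on hosts with a non-English locale.
MONTHS = {name: number for number, name in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Exactly two digits, a capitalised three-letter month, four-digit year.
DATE_RE = re.compile(r"^(\d{2})-([A-Z][a-z]{2})-(\d{4})$")

# The chronological order a project normally follows. pentest_ongoing is a
# (start, end) pair, so it contributes two points on the timeline.
TIMELINE = ["sow_sent", "pentest_start", "pentest_end", "review", "report_sent"]


def parse_sereto_date(text: str) -> date:
    """Return a date for a string such as '18-Apr-2024'; reject anything else."""
    match = DATE_RE.match(text.strip())
    if not match or match.group(2) not in MONTHS:
        raise ValueError(f"expected DD-Mmm-YYYY (e.g. 18-Apr-2024), got {text!r}")
    day, month, year = int(match.group(1)), MONTHS[match.group(2)], int(match.group(3))
    # date() itself rejects impossible calendar dates such as 31-Feb-2024.
    return date(year, month, day)


def is_valid_sereto_date(text: str) -> bool:
    """True when the string is accepted by parse_sereto_date()."""
    try:
        parse_sereto_date(text)
    except ValueError:
        return False
    return True


def check_timeline(dates: dict) -> list[str]:
    """Return ordering problems; an empty list means the timeline is consistent.

    Missing date types are simply skipped, so a partially configured project
    can still be checked.
    """
    points: dict[str, date] = {}
    for key, value in dates.items():
        if key == "pentest_ongoing":
            start, end = value  # pair of dates
            points["pentest_start"] = parse_sereto_date(start)
            points["pentest_end"] = parse_sereto_date(end)
        elif key in TIMELINE:
            points[key] = parse_sereto_date(value)
        else:
            raise ValueError(f"unknown date type {key!r}")

    problems: list[str] = []
    ordered = [(name, points[name]) for name in TIMELINE if name in points]
    for (earlier, d1), (later, d2) in zip(ordered, ordered[1:]):
        if d1 > d2:
            problems.append(
                f"{earlier} ({d1.isoformat()}) is after {later} ({d2.isoformat()})")
    return problems


if __name__ == "__main__":
    # Constructed sample, not real project data: the review is scheduled
    # before the assessment ends, which the check reports.
    sample = {
        "sow_sent": "02-Apr-2024",
        "pentest_ongoing": ("15-Apr-2024", "19-Apr-2024"),
        "review": "18-Apr-2024",
        "report_sent": "24-Apr-2024",
    }
    for problem in check_timeline(sample):
        print("timeline problem:", problem)
```

The month table is deliberately English-only, matching the format SeReTo prompts for, so the check behaves the same on a host whose locale would make strptime("%b") expect localised month names.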
Targets
Run the following command:
sereto config targets add
SeReTo will ask for the target's details. Include everything the report needs, such as destination IP addresses (dst_ips), source IP addresses (src_ips) and the list of URLs.
Run the command once for each target.
People
Run the following command:
sereto config people add
SeReTo lets you choose the role (type) and details of the person you are adding.
Run the command once for each person you want to add.
Adding Findings To A Target
Find the target's directory inside the project directory. Its name has the form target_<category>_<target_unique_name>, for example target_dast_DBserver. This directory contains a findings.yaml file; open it in your editor.
At the top of findings.yaml there is an example of how to include a finding. Top-level findings are called Group Findings. Each Group Finding has a name (in the example below, Misconfigured HTTP Headers) and one or more Nested Findings. In the example these are HSTS Header Not Set (ID "hsts_not_set") and Weakly Configured CSP Header (ID "weak_csp"):
```yaml
report_include:
  - name: "Misconfigured HTTP Headers"
    findings:
      - "hsts_not_set"
      - "weak_csp"
```
List every Group Finding you want in the report under the report_include directive. The identifiers of the Nested Findings can be copied from the second section of findings.yaml (under "All discovered findings from the templates").
Some findings require extra information, such as screenshots, which SeReTo uses to customise the finding automatically. Fill this in within the second section of findings.yaml. Manual editing of the findings remains possible.
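A mistyped identifier under report_include, or the same nested finding listed under two groups, is an easy way for a finding to drop out of the report or appear twice. The following Python script is an added example, not SeReTo's own code, that parses the report_include section in the form shown above and cross-checks it against the list of discovered findings. Because this page does not show the exact layout of the second section of findings.yaml, it is represented here by an assumed top-level key named discovered; rename it to match your file. The parser covers only the YAML subset used in the example above, and the findings.yaml content embedded in the script is constructed.

```python
"""Validate the report_include section of a target's findings.yaml.

Added example, not part of SeReTo. It handles only the YAML subset shown on
this page (a list of group findings with `name` and `findings`) plus an
assumed second section keyed `discovered`, standing in for the real
"All discovered findings from the templates" section whose exact layout
this page does not describe. Adjust the key name to match your file.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Finding identifiers on this page are snake_case; treat anything else as a typo.
ID_RE = re.compile(r"^[a-z0-9_]+$")

# Constructed sample file, not a real project's findings.yaml. It contains two
# deliberate mistakes: hsts_not_set is listed under both groups, and
# sslv3_enabled does not exist among the discovered findings.
SAMPLE_FINDINGS_YAML = """\
report_include:
  - name: "Misconfigured HTTP Headers"
    findings:
      - "hsts_not_set"
      - "weak_csp"
  - name: "Transport Security"
    findings:
      - "old_tls"
      - "hsts_not_set"
      - "sslv3_enabled"

# All discovered findings from the templates (assumed key name)
discovered:
  - "hsts_not_set"
  - "weak_csp"
  - "old_tls"
"""


@dataclass
class GroupFinding:
    name: str
    findings: list[str] = field(default_factory=list)


def _unquote(value: str) -> str:
    """Strip whitespace and one pair of surrounding quotes, if present."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_findings_yaml(text: str) -> tuple[list[GroupFinding], list[str]]:
    """Line-oriented parser for the subset above; not a general YAML parser."""
    groups: list[GroupFinding] = []
    discovered: list[str] = []
    section: str | None = None
    current: GroupFinding | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (no sample value contains '#')
        if not line.strip():
            continue
        stripped = line.strip()
        if not line[0].isspace() and stripped.endswith(":"):
            section, current = stripped[:-1], None  # new top-level section
        elif section == "report_include":
            if stripped.startswith("- name:"):
                current = GroupFinding(_unquote(stripped[len("- name:"):]))
                groups.append(current)
            elif stripped.startswith("- ") and current is not None:
                current.findings.append(_unquote(stripped[2:]))
            # "findings:" is structural and needs no handling
        elif section == "discovered" and stripped.startswith("- "):
            discovered.append(_unquote(stripped[2:]))
    return groups, discovered


def check_report_include(groups: list[GroupFinding], discovered: list[str]) -> list[str]:
    """Return human-readable problems; an empty list means the selection is consistent."""
    problems: list[str] = []
    known = set(discovered)
    first_seen: dict[str, str] = {}
    for group in groups:
        if not group.name.strip():
            problems.append("group finding without a name")
        if not group.findings:
            problems.append(f"{group.name!r}: no nested findings listed")
        for fid in group.findings:
            if not ID_RE.match(fid):
                problems.append(f"{group.name!r}: malformed identifier {fid!r}")
            elif fid not in known:
                problems.append(f"{group.name!r}: {fid!r} is not among the discovered findings")
            if fid in first_seen and first_seen[fid] != group.name:
                problems.append(f"{fid!r} listed in both {first_seen[fid]!r} and {group.name!r}")
            first_seen.setdefault(fid, group.name)
    return problems


if __name__ == "__main__":
    groups, discovered = parse_findings_yaml(SAMPLE_FINDINGS_YAML)
    for problem in check_report_include(groups, discovered):
        print("findings.yaml problem:", problem)
```

Run it against a real file by replacing SAMPLE_FINDINGS_YAML with the file's contents; if your findings.yaml uses a different key for the second section, or nests the discovered findings under more structure than a plain list of identifiers, extend parse_findings_yaml accordingly rather than trusting an empty result.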