Faraday

Overview

Faraday is an open-source collaborative penetration testing and vulnerability management platform. It aggregates findings from dozens of security tools in real time, stores them in a central database, and provides dashboards, statistics, and report generation. It is designed for team environments where multiple testers work simultaneously on the same engagement.

Category

#reporting #vulnerability-management #collaboration

Phase

Reporting

Developer

Faraday Security — faradaysec.com
GitHub: github.com/infobyte/faraday

Editions

Edition              | Notes
Community (CE)       | Free, open-source; single user or small team
Professional         | Multi-user, SSO, advanced analytics
Corporate/Enterprise | MSSP features, large-scale deployments

Install (Kali Linux / Debian)

# Install dependencies
sudo apt install postgresql -y
sudo systemctl start postgresql

# Install Faraday
pip3 install faradaysec

# Or via apt (Kali)
sudo apt install faraday

# Initialize and start
faraday-manage initdb
faraday-server
# Web UI: http://localhost:5985

# Start Faraday client (optional GUI)
faraday-client

Architecture

Faraday Server (Flask + PostgreSQL)
  ├── Web UI (dashboard, findings, reports)
  ├── REST API (tool integrations, automation)
  └── WebSocket (real-time updates across team)

Faraday Client / fplugin
  └── Intercepts tool output → sends to server

Tool Plugins (Auto-Import)

Faraday can parse output from 70+ tools:

  • Nmap (XML)
  • Nessus (.nessus)
  • OpenVAS (XML)
  • Metasploit (XML)
  • Burp Suite, Nikto, w3af, Acunetix
  • Shodan, Masscan, Hydra, SQLmap, and many more

Using fplugin (CLI Wrapper)

# Run nmap and auto-import results into Faraday
fplugin nmap -sV -oX - 192.168.1.0/24

# Import a saved Nessus scan file
fplugin nessus scan_output.nessus

# Import existing tool output file ("tool report" parses a saved report;
# "tool run" executes a command and imports its output)
faraday-cli tool report -w MyWorkspace nmap_output.xml

Faraday CLI

# Install Faraday CLI
pip3 install faraday-cli

# Login
faraday-cli auth -f http://localhost:5985 -u admin -p password

# List workspaces
faraday-cli workspace list

# Create workspace
faraday-cli workspace create "ClientName_2024"

# List hosts
faraday-cli host list -w MyWorkspace

# List vulnerabilities
faraday-cli vuln list -w MyWorkspace

# Export report
faraday-cli report generate -w MyWorkspace -t executive_report -o report.docx

Web UI Features

  • Dashboard — Host count, vuln counts by severity, activity feed
  • Hosts — All discovered hosts with services and vulns
  • Vulnerabilities — Filterable, sortable table of all findings
  • Activity Feed — Real-time log of all team actions
  • Reports — Generate PDF/Word reports from templates
  • Tags — Organize findings by category

Severity Classification

Faraday classifies findings into these severity levels:

  • Critical
  • High
  • Medium
  • Low
  • Informational
  • Unclassified

REST API

# List workspaces (the API lives under the /_api/ prefix)
curl -u admin:password http://localhost:5985/_api/v3/ws/

# Get vulnerabilities in a workspace
curl -u admin:password \
  http://localhost:5985/_api/v3/ws/MyWorkspace/vulns/

# Create a vulnerability manually
curl -X POST -u admin:password \
  -H "Content-Type: application/json" \
  -d '{"name":"Test Vuln","severity":"high","description":"Details..."}' \
  http://localhost:5985/_api/v3/ws/MyWorkspace/vulns/

Faraday vs Dradis

Feature        | Faraday CE                    | Dradis CE
Focus          | Real-time aggregation + stats | Report writing
Multi-user     | Yes (CE limited)              | Yes
Dashboard      | Rich (charts, timelines)      | Minimal
Tool plugins   | 70+                           | ~20
Report quality | Good                          | More report-centric
Best for       | Active team testing           | Client deliverables

OPSEC Notes

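Faraday’s PostgreSQL database contains sensitive client engagement data. Secure the server with strong credentials, bind it to localhost or VPN-only interfaces, and encrypt the database. The command examples in this note send admin:password over plain HTTP and pass it on the command line, which is only reasonable against localhost; inline passwords also end up in shell history. Back up the workspace before closing each engagement. Community edition has limited access controls, so be cautious in multi-user environments.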
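
An added example (not part of the original note and not Faraday's own tooling) for checking the bind advice above: it reads `ss -H -ltn` output and flags any listener on port 5985 or 5432 that is not on loopback or a given VPN address. The PostgreSQL default port 5432, the address 10.8.0.1, the function name and the sample lines are assumptions constructed for illustration.

```shell
# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:5985 0.0.0.0:*
LISTEN 0 244 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 10.8.0.1:5985 0.0.0.0:*
LISTEN 0 128 192.168.1.20:5985 0.0.0.0:*
LISTEN 0 244 [::1]:5432 [::]:*
LISTEN 0 128 [::]:22 [::]:*'

# audit_listeners [VPN_ADDR]   (hypothetical helper name)
# Reads `ss -H -ltn` lines on stdin and judges each listener on port 5985
# (Faraday web UI/API, as used on this page) or 5432 (PostgreSQL default,
# an assumption). Loopback and the optional VPN address count as OK.
# Exit status: 0 if nothing is exposed, 1 otherwise.
audit_listeners() {
  awk -v vpn="${1:-}" '
    BEGIN { bad = 0 }
    {
      addr = $4                              # local address:port column
      n = split(addr, parts, ":")
      port = parts[n]
      if (port != "5985" && port != "5432") next
      host = substr(addr, 1, length(addr) - length(port) - 1)
      gsub(/^\[|\]$/, "", host)              # [::1] -> ::1
      svc = (port == "5985") ? "faraday-server" : "postgresql"
      if (host ~ /^127\./ || host == "::1") {
        verdict = "OK      loopback only"
      } else if (vpn != "" && host == vpn) {
        verdict = "OK      VPN interface"
      } else if (host == "0.0.0.0" || host == "*" || host == "::") {
        verdict = "EXPOSED all interfaces"; bad = 1
      } else {
        verdict = "EXPOSED non-VPN interface"; bad = 1
      }
      printf "%-14s %-20s %s\n", svc, addr, verdict
    }
    END { exit bad }
  '
}

# Demo on the constructed sample; on a live host run:
#   ss -H -ltn | audit_listeners 10.8.0.1
printf '%s\n' "$SAMPLE_SS" | audit_listeners 10.8.0.1 || true
```

A non-zero exit makes the check usable as a gate in a provisioning script before engagement data is imported.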

Related Tools

  • Dradis — Alternative reporting platform; stronger report templates
  • Nmap, Nessus, OpenVAS — Primary data sources aggregated by Faraday
  • Metasploit — Output can be fed into Faraday via plugin

Tags

#ethical-hacking #reporting #vulnerability-management #collaboration #dashboard
