Prancer PAC CLI

Prancer PAC pentesting can be integrated into your CI/CD pipeline so that it fits tightly into your existing SDLC process. To do so, you use the Prancer PAC CLI to run the pentest.

Prancer PAC can be used in two different ways. The first is Scanner mode, where the system pulls Prancer PAC as a Docker image and runs it in the Azure or AWS cloud. The second is custom mode, and this document explains how to install and run Prancer PAC on your local machine in that mode.

Prerequisites:

Make sure the following binaries are installed on your CI machine:

How to Install Prancer Pac

To install Prancer PAC, follow these steps:

  • Download the latest version from here.

  • Extract the downloaded file: tar -xvf prancer-pac-latest.tar.gz

  • If this is the first time you extract it, make install.sh executable: sudo chmod 0777 install.sh

  • Install Prancer PAC by running: sudo ./install.sh

To confirm that prancer-pac was installed successfully, run this command:

  $ prancer-pac version
  The version of prancer pac is 1.0.0-beta linux/amd64

CI Variables

To run Prancer PAC in your pipeline, you need to define the following variables in your CI tool.

Prancer API token

Generate a user access token from the Prancer SaaS solution (see "How to generate token in Prancer SaaS").

Define this variable as APITOKEN, or as an input variable in your CI tool. Add it as a secret.

Pentest Configuration ID

To get the target configuration ID, open the admin panel, choose the PAC Management page from the sidebar, select your config, open its PAC configuration, and copy the config ID.

Pentest Customer

This is the company name used in the tenant URL. For example, in https://portal.prancer.io/prancer-contoso/user/login the customer is "contoso".

How to run

  • To run a pentest, run the following command and then follow the scanner container's logs:

    prancer-pac pentest --config CONFIGURATION_ID -d prod --customer CUSTOMER_ID --token APITOKEN
    docker logs prancer-scanner -f

  • A sample Azure Pipelines script:

parameters:
  - name: configid
    displayName: 'configid of the PAC configuration eg: 630d8a975512099de059988b'
    type: string
    default: ''
  - name: customer
    displayName: 'Name of the tenant, eg: liquware'
    type: string
    default: contoso
  - name: token
    # Supply this from a secret pipeline variable (see "CI Variables" above).
    displayName: customer API token
    type: string
    default: ''

# Disable the CI trigger; the pipeline is started manually with the parameters above.
trigger: none

resources:
  - repo: self

stages:
  - stage: Prancer_PAC_CLI_Pipeline_Customer
    displayName: "Prancer PAC Cli setup in pipeline"
    jobs:
      - job: prancer_pac_cli
        displayName: "prancer pac build in agent"
        pool: test-agent
        steps:
          - bash: |
              echo "Fetching prancer-pac-latest from storage account...."
              curl -o prancer-pac-latest.tar.gz https://pacshare001.blob.core.windows.net/cli/prancer-pac-latest.tar.gz
              tar xvfz prancer-pac-latest.tar.gz
              chmod +x prancer-pac-latest/prancer-pac
              prancer-pac-latest/prancer-pac version
              docker pull prancer/prancer-pac:latest
              prancer-pac-latest/prancer-pac pentest -c ${{parameters.configid}} -d prod -i ${{parameters.customer}} -t ${{parameters.token}} --dev prancer/prancer-pac:latest
              docker logs prancer-scanner-dev -f
              docker rm prancer-scanner-dev
              docker image rm prancer/prancer-pac:latest
            displayName: 'Run Prancer PAC CLI'
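The following script is an added example, not part of the Prancer PAC documentation or the Prancer project: a small CI wrapper around the prancer-pac CLI that validates the pipeline inputs before anything is pulled or started, reads the API token from the APITOKEN secret variable (the name this page uses) instead of a pipeline parameter, and removes the scanner container when the job ends. It assumes the scanner container is named "prancer-scanner", as in the docs' own docker logs command, and that the environment is passed with -d, as in the docs' invocations; the function names and the RUN_PENTEST guard are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Prancer's code): validated CI wrapper for "prancer-pac pentest".
# Assumptions: container name "prancer-scanner" and the "-d" environment flag
# are taken from the commands on this page; function names are hypothetical.
set -u

# A PAC configuration id is a 24-character lowercase hex string, like the
# sample 630d8a975512099de059988b in the pipeline template.
is_config_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{24}$'
}

# The customer id is the tenant slug from the portal URL (prancer-<customer>):
# lowercase letters, digits and hyphens, nothing that could break the URL.
is_customer_id() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9-]{0,62}$'
}

# validate_inputs CONFIG_ID CUSTOMER [ENV]
# Returns 0 when all inputs are usable, 1 (with the reason on stderr) otherwise.
validate_inputs() {
  config="${1:-}"; customer="${2:-}"; env="${3:-prod}"
  is_config_id "$config"     || { echo "invalid config id: '$config'" >&2; return 1; }
  is_customer_id "$customer" || { echo "invalid customer id: '$customer'" >&2; return 1; }
  case "$env" in
    dev|qa|prod) ;;
    *) echo "invalid environment '$env' (expected dev, qa or prod)" >&2; return 1 ;;
  esac
  # The token must come from the environment (a CI secret), never an argument,
  # so it is not written into the job definition or the command log.
  [ -n "${APITOKEN:-}" ] || { echo "APITOKEN is not set" >&2; return 1; }
}

# run_pentest CONFIG_ID CUSTOMER [ENV]
# Starts the scan with the docs' pentest command and follows the scanner
# container's logs, as the "How to run" section does by hand.
run_pentest() {
  validate_inputs "$@" || return 1
  # Remove the scanner container on exit so a failed or cancelled job does not
  # leave a stale container behind on the CI agent.
  trap 'docker rm -f prancer-scanner >/dev/null 2>&1 || true' EXIT
  prancer-pac pentest --config "$1" -d "${3:-prod}" --customer "$2" --token "$APITOKEN" || return 1
  docker logs prancer-scanner -f
}

# Usage from a CI step (the guard keeps the file loadable for checks):
#   APITOKEN="$SECRET" RUN_PENTEST=1 sh ci-pentest.sh 630d8a975512099de059988b contoso prod
if [ "${RUN_PENTEST:-0}" = "1" ]; then
  run_pentest "$@"
fi
```

Because validation runs before docker pull or the pentest command, a mistyped config ID or customer name fails the job in milliseconds instead of after the image download, and the token never appears in the pipeline YAML.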

How to run pentesting on the cloud

If the PAC configuration is declared in cloud mode (azure, aws or gcp), the pentest runs in the cloud instead of on your machine:

prancer-pac pentest --token [YOUR ACCESS TOKEN] --customer [YOUR CUSTOMER ID] --config [YOUR CONFIG ID]

The pentest then starts in your cloud.

Pentest command

[short description] The pentest command prepares an environment with your information and creates a ZAP environment to start the test.

The pentest flags

  • -c, --config => The ID of the PAC configuration; the CLI uses it to fetch the data it needs from the Prancer database to set up the pentest.

  • -i, --customer => The customer ID, required to obtain the JWT token.

  • -e, --env => Your working environment: dev, qa or prod (default "prod").

  • -t, --token => The access token, passed as a parameter to obtain the JWT token so that prancer-cli can send requests to the portal.

  • -o, --output => The output format in the terminal, either json or normal (default "normal").

  • -p, --port => The port on your system on which the proxy Docker container is published (default 8080).

  • -s, --silent => Suppress the details in the terminal output.

  • -h, --help => Help for pentest.

The pentest available commands

  • auth => [short description] Enter the authentication details here when you run your pentest with authentication, such as form-based or JWT authentication:
      • -u, --username => Enter the target username for authorization.
      • -p, --password => Enter the target password for authorization.

Prancer PAC CLI Usage Guide

Follow these steps to use the Prancer PAC Command Line Interface (CLI):

Step 1 - Fetch the Latest Docker Image of prancer/prancer-pac.

To obtain the latest Docker image of prancer/prancer-pac, run this command:

docker pull prancer/prancer-pac:latest

Step 2 - Create a docker.env file and set the following environment variables:

Environment variables:

  • PAC_CONFIG_ID => PAC configuration ID, as shown in Inventory Management.
  • PAC_CONFIG_TOKEN => Access token generated from the Prancer portal.
  • PAC_CONFIG_CUSTOMER_ID => Customer ID, that is, the company name in the tenant URL prancer-<company name>.
  • PAC_CONFIG_DOMAIN => Your working environment. It should be prod for production.

Step 3 - Initiate PAC CLI

  • Run in daemon mode:

    docker run --env-file docker.env --rm --name remoterun -d -p 8080:8080 prancer/prancer-pac:latest

    Check the logs:

    docker logs -t remoterun

  • Run in foreground mode:

    docker run --env-file docker.env --rm --name remoterun -it -p 8080:8080 prancer/prancer-pac:latest /bin/bash

    Start the pentest process inside the container:

    ./run.sh
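The script below is an added example, not from the Prancer PAC documentation or project: it builds the docker.env file from Step 2 out of the caller's environment and starts the container as in Step 3. It refuses to write a partial file, creates docker.env readable by its owner only (the file holds the access token), and checks PAC_CONFIG_DOMAIN against the environments the pentest command accepts (dev, qa, prod). The container name "remoterun", the port mapping and the image name are taken from the commands above; the function names and the START_PAC guard are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not Prancer's code): generate docker.env safely and start the
# prancer/prancer-pac container. Function names are hypothetical; the docker
# commands mirror Step 3 on this page.
set -u

# write_docker_env FILE
# Writes the four PAC_CONFIG_* variables to FILE. Returns 1 if any is unset or
# the domain is not one of dev, qa, prod; nothing is written in that case.
write_docker_env() {
  out="$1"
  for name in PAC_CONFIG_ID PAC_CONFIG_TOKEN PAC_CONFIG_CUSTOMER_ID PAC_CONFIG_DOMAIN; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || { echo "missing $name" >&2; return 1; }
  done
  case "$PAC_CONFIG_DOMAIN" in
    dev|qa|prod) ;;
    *) echo "PAC_CONFIG_DOMAIN must be dev, qa or prod" >&2; return 1 ;;
  esac
  # umask 077 in a subshell so the file is created 0600 without changing the
  # caller's umask; --env-file lines are plain KEY=VALUE, no quoting.
  (
    umask 077
    {
      printf 'PAC_CONFIG_ID=%s\n' "$PAC_CONFIG_ID"
      printf 'PAC_CONFIG_TOKEN=%s\n' "$PAC_CONFIG_TOKEN"
      printf 'PAC_CONFIG_CUSTOMER_ID=%s\n' "$PAC_CONFIG_CUSTOMER_ID"
      printf 'PAC_CONFIG_DOMAIN=%s\n' "$PAC_CONFIG_DOMAIN"
    } > "$out"
  )
  chmod 600 "$out"   # in case FILE already existed with wider permissions
}

# docker_env_perms FILE: the permission bits as ls prints them, e.g. -rw-------
docker_env_perms() {
  ls -ld "$1" | cut -c1-10
}

# run_daemon FILE [HOSTPORT]: Step 3, daemon mode; "docker logs -t remoterun"
# then shows progress.
run_daemon() {
  docker run --env-file "$1" --rm --name remoterun -d -p "${2:-8080}:8080" prancer/prancer-pac:latest
}

# run_foreground FILE [HOSTPORT]: Step 3, foreground mode; run ./run.sh inside.
run_foreground() {
  docker run --env-file "$1" --rm --name remoterun -it -p "${2:-8080}:8080" prancer/prancer-pac:latest /bin/bash
}

# Usage (guarded so the file can be sourced for checks without touching docker):
#   PAC_CONFIG_ID=... PAC_CONFIG_TOKEN=... PAC_CONFIG_CUSTOMER_ID=contoso \
#   PAC_CONFIG_DOMAIN=prod START_PAC=1 sh pac-docker.sh docker.env
if [ "${START_PAC:-0}" = "1" ]; then
  write_docker_env "$1" && run_daemon "$1" && docker logs -t remoterun
fi
```

The file is created under umask 077 rather than chmod'ed afterwards, so there is no window in which another local user could read the token, and the domain check catches the common mistake of leaving PAC_CONFIG_DOMAIN at a value the pentest command does not accept.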