
Post on 23-Dec-2015


OpenVAS A how-to guide about the most popular vulnerability test tool

Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo Zhang; Igibek Koishybayev;


Introduction: OpenVAS architecture and environment

OpenVAS Architecture

Environment
• DVWA + XAMPP
• OpenWebMail
• Metasploitable
• Blackboard

Question: How to perform a normal scan with OpenVAS?

How to find the command set?

• Solution: type openvas at the shell prompt and press Tab twice (#openvas 'double tab') to list the installed commands:
  • OpenVAS-Scanner: openvassd, openvas-mkcert, openvas-nvt-sync
  • OpenVAS-Manager: openvasmd
  • OpenVAS-Client: openvas-cli
  • Greenbone-Security-Assistant: gsad
• openvas-setup
• openvas-check-setup
• openvas-nvt-sync
• openvassd --help for more information
• openvasmd --help for more information

Reference:
http://www.openvas.org/setup-and-start.html
https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04

Target -- XAMPP

XAMPP's name is an acronym for:
• X (to be read as "cross", meaning cross-platform)
• Apache HTTP Server
• MySQL
• PHP
• Perl
It is a completely free, easy-to-install Apache distribution containing MySQL, PHP, and Perl.

Reference:
https://www.apachefriends.org/index.html
http://en.wikipedia.org/wiki/XAMPP

Set a target


Create a task


Get the result


Question: How to insert plugins into OpenVAS?

OpenVAS Plugins & Webmail Vuln. Content

1. Webmail environment
2. Vulnerability tests
3. Insert your plugins

OpenVAS Plugins

NVTs: the OpenVAS project maintains a public feed of more than 35,000 NVTs (as of April 2014).

Command openvas-nvt-sync for online synchronisation from the feed service.

Based on NASL scripts (Nessus Attack Scripting Language).

OpenVAS Plugins

Location: /var/lib/openvas/plugins

Security tools INTEGRATED:
• Port scanner: NMAP, pnscan, strobe
• IPsec VPN scanning & fingerprinting: ike-scan
• Web server scanning: Nikto
• OVAL interpreter: ovaldi
• Web application attack and audit framework: w3af
• …

NVT Plugin: How to write and implement our own plugins?
• Copy our plugins to the OpenVAS plugin directory: /var/lib/openvas/plugins
• Load plugins: openvassd
• Rebuild the library: openvasmd --rebuild

If you want to attach a signature and certificate to your plugin, please refer to: http://www.openvas.org/trusted-nvts.html

Webmail Vulnerability: Mail Server Set-Up Environment (Local)

OS: CentOS-6.5
SMTP: Postfix-2.6 + Sasl
IMAP/POP3: Dovecot-2.0
Web: Apache-2.2
Webmail: Openwebmail-2.30 (perl) / [Squirrelmail-1.4.22 (php)]

localhost/cgi-bin/openwebmail/openwebmail.pl

OpenVAS Plugins

Network Vulnerability Tests (NVTs)


OpenVAS Plugins

NVTs Selection


OpenVAS Plugins

```nasl
# OpenVAS Vulnerability Test
# $Id: openwebmail_logindomain_xss.nasl 17 2013-10-27 14:01:43Z jan $
# Description: Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability
#
# Authors:
# George A. Theall, <theall@tifaware.com>
#
# Copyright:
# Copyright (C) 2005 George A. Theall
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#

include("revisions-lib.inc");
tag_summary = "The remote webmail server is affected by a cross-site scripting flaw.

Description :

The remote host is running at least one instance of Open WebMail that
fails to sufficiently validate user input supplied to the 'logindomain'
parameter. This failure enables an attacker to run arbitrary script
code in the context of a user's web browser.";

tag_solution = "Upgrade to Open WebMail version 2.50 20040212 or later.";

if (description) {
  script_id(16463);
  script_version("$Revision: 17 $");
  script_tag(name:"last_modification", value:"$Date: 2013-10-27 15:01:43 +0100 (Sun, 27 Oct 2013) $");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"risk_factor", value:"Medium");
  script_cve_id("CVE-2005-0445");
  script_bugtraq_id(12547);
  script_xref(name:"OSVDB", value:"13788");

  name = "Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability";
  script_name(name);
  desc = "
Summary:
" + tag_summary + "
Solution:
" + tag_solution;
  script_description(desc);
  summary = "Checks for logindomain parameter cross-site scripting vulnerability in Open WebMail";
  script_summary(summary);
  script_category(ACT_ATTACK);
  script_copyright("This script is Copyright (C) 2005 George A. Theall");

  family = "Web application abuses";
  script_family(family);

  script_dependencies("openwebmail_detect.nasl");
  script_require_ports("Services/www", 80);

  if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
    script_tag(name : "solution" , value : tag_solution);
    script_tag(name : "summary" , value : tag_summary);
  }
  script_xref(name : "URL" , value : "http://openwebmail.org/openwebmail/download/cert/advisories/SA-05:01.txt");
  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# We test whether the hole exists by trying to echo magic (urlencoded
# as alt_magic for http) and checking whether we get it back.
magic = "logindomain xss vulnerability";
alt_magic = str_replace(string:magic, find:" ", replace:"%20");

# Test an install.
install = get_kb_item(string("www/", port, "/openwebmail"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];   # install directory captured by the pattern above
  url = string(
    dir,
    "/openwebmail.pl?logindomain=%22%20/%3E%3Cscript%3Ewindow.alert('", alt_magic, "')%3C/script%3E"
  );
  debug_print("retrieving '", url, "'.");
  req = http_get(item:url, port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
  if (isnull(res)) exit(0);   # can't connect
  debug_print("res =>>", res, "<<");

  if (egrep(string:res, pattern:magic)) {
    security_warning(port);
    exit(0);
  }
}
```

OpenVAS Plugins

Insert Plugins (with certification)

1. script.nasl
2. # openvas-nasl -X script.nasl (insert without cert)
3. # vim /etc/openvas/openvassd.conf
   nasl_no_signature_check = no
4. Key generation
   # wget http://www.openvas.org/OpenVAS_TI.asc
   # gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc
5. Set Trust
6. Detach Signature
   # gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o script.nasl.asc script.nasl
7. Add Certificate
   # gpg --homedir=/etc/openvas/gnupg --import script.nasl.asc
8. Parse & Execute
   # openvas-nasl -p -t script.nasl

Load Scanner & Rebuild Manager

Openwebmail Vulnerabilities

Webmail Vuln. & OpenVAS Plugins: References

Openwebmail: http://www.openwebmail.org/
Online Demo: http://openwebmail.amcpl.net/
NVT Signature: http://www.openvas.org/trusted-nvts.html

Question: How to understand NASL Script language?

NASL Language

NASL is a scripting language designed for the Nessus security scanner. Its aim is to allow anyone to write a test for a given security hole in a few minutes, to allow people to share their tests without having to worry about their operating system, and to guarantee everyone that a NASL script cannot do anything nasty except performing a given security test against a given target.

Reference: http://virtualblueness.net/nasl.html

NVT Structure

```nasl
# OpenVAS Vulnerability Test
# $Id$
# Description: [one-line-description]
# (copyright and writer information)

if(description)
{
  script_oid(FIXME);             # see http://www.openvas.org/openvas-oids.html
  script_version("$Revision$");  # leave as is, SVN will update this
  …
}

include("FIXME.inc");  # in case you want to use a NASL library

# FIXME: the code.
```

Metasploitable 2

• Designed by HD Moore, now owned by Rapid 7 (to test their well-known tool Metasploit, for free)
• A special version of Ubuntu Linux 8.0.4
• A target machine with many built-in vulnerabilities
• A good platform to conduct security training, test security tools, and practice common penetration testing techniques.

Vulnerabilities

Apache 2.2.8, Tomcat Password, Samba NDR Parsing, Heap Overflow, BIND libbind inet_network(), PHP 5.2.12, 5.2.6, 5.2.8, PHP Fixed security issue, VNC password is "password", Samba 'reply_netbios_packet' Nmbd Buffer Overflow, CVE-2012-1667, HTML Output Script Insertion XSS, Key algorithm rollover bug, DNS service BIND 9.4.2, MySQL 5.0.51a and so on…

About 135 in all. 40 are critical vulnerabilities!

List


OpenVAS Scan Report

Sadly, not as many results as there should be (using the full and ultimate scan).

Some NVTs don't have the full functionality of the original program or CVE.

A Brief Example

We can use this vulnerability to log in remotely to the target as root and execute shell commands using the rsh-client service. (In Kali Linux: apt-get install rsh-client.)

Nmap NVT port scan

No result from the OpenVAS Nmap NVT feed: it can't list all the open ports, while using nmap in Kali we get the full result.

All the open ports are printed out by nmap together with their protocol or function. The NVT can't take the place of the original program.

Is the vulnerability working? Remote Login

TCP port 512 is one of the "r" services, and has been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). First, install rsh-client. Then type in rlogin -l root 192.168.99.131, so…

Do something bad

Since we are SSH'd into the remote target, why not set up SSH keys (as we did in the homework), so next time we can access it without limit!

Question: How to use OID to get NVT’s feed?

OID lookup

Use the OID to look up the NVT and more information about it.
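Added example (not from the slides or the OpenVAS project): a small Python indexer for the plugin directory that covers both the signing steps above and this OID lookup. It extracts each NVT's OID (normalising the legacy script_id(N) form used by the Open WebMail NVT to the 1.3.6.1.4.1.25623.1.0.N arc), script_name(), CVE ids and script_tag() values, and records whether a detached signature file <name>.nasl.asc (what the gpg --detach-sign step writes) sits beside it, so you can look up an OID and list the NVTs that would be refused once nasl_no_signature_check = no. The two NVT stubs it indexes are constructed here, and 999999 is a placeholder OID.

```python
import re
import tempfile
from pathlib import Path

# OpenVAS NVT OID arc: legacy script_id(N), as in the Open WebMail NVT above, means script_oid("<arc>N").
OID_PREFIX = "1.3.6.1.4.1.25623.1.0."

_RE_OID = re.compile(r'script_oid\s*\(\s*"([\d.]+)"\s*\)')
_RE_ID = re.compile(r'script_id\s*\(\s*(\d+)\s*\)')
_RE_NAME = re.compile(r'script_name\s*\(\s*"([^"]*)"\s*\)')
_RE_CVE = re.compile(r'CVE-\d{4}-\d{4,}')
_RE_TAG = re.compile(r'script_tag\s*\(\s*name\s*:\s*"([^"]+)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)')

def parse_nvt(text):
    """Pull the OID, script_name(), CVE ids and script_tag() pairs out of one NASL source."""
    m = _RE_OID.search(text) or _RE_ID.search(text)
    oid = None if m is None else (m.group(1) if "." in m.group(1) else OID_PREFIX + m.group(1))
    name = _RE_NAME.search(text)
    return {"oid": oid,
            "name": name.group(1) if name else None,
            "cves": sorted(set(_RE_CVE.findall(text))),
            "tags": dict(_RE_TAG.findall(text))}

def index_plugins(plugin_dir):
    """OID -> metadata per .nasl under plugin_dir; 'signed' = <name>.nasl.asc exists (validity is gpg's job)."""
    index = {}
    for nasl in Path(plugin_dir).rglob("*.nasl"):
        info = parse_nvt(nasl.read_text(errors="replace"))
        info.update(file=nasl.name, signed=nasl.with_name(nasl.name + ".asc").exists())
        if info["oid"]:
            index[info["oid"]] = info
    return index

def unsigned_plugins(plugin_dir):
    """Names of NVTs that openvassd will refuse to load once nasl_no_signature_check = no."""
    return sorted(i["file"] for i in index_plugins(plugin_dir).values() if not i["signed"])

def build_sample_dir():
    """Constructed stand-in for /var/lib/openvas/plugins: two NVT stubs, only the first signed."""
    d = Path(tempfile.mkdtemp())
    (d / "openwebmail_logindomain_xss.nasl").write_text(
        'if (description) {\n  script_id(16463);\n  script_cve_id("CVE-2005-0445");\n'
        '  script_tag(name:"cvss_base", value:"4.3");\n'
        '  script_name("Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability");\n}\n')
    (d / "openwebmail_logindomain_xss.nasl.asc").write_text("(constructed stand-in for a detached signature)\n")
    (d / "my_check.nasl").write_text(  # 999999 is a constructed placeholder OID, not a feed OID
        'if (description) {\n  script_oid("1.3.6.1.4.1.25623.1.0.999999");\n  script_name("local check");\n}\n')
    return str(d)
```

Point index_plugins() at /var/lib/openvas/plugins on a real install, or at build_sample_dir() for the constructed stubs; unsigned_plugins() is the pre-flight check to run before turning signature checking on.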


NVT Core

```nasl
include("revisions-lib.inc");
include("misc_func.inc");

port = get_kb_item("Services/rexecd");
if (!port) port = 512;

# username is a string consisting of 260 "x" characters
username = crap(data:"x", length:260);
rexecd_string = string(raw_string(0), username, raw_string(0), "xxx", raw_string(0), "id", raw_string(0));

soc = open_sock_tcp(port);
if (!soc) exit(0);   # nothing listening on the port
send(socket:soc, data:rexecd_string);
buf = recv_line(socket:soc, length:4096);
close(soc);
if (isnull(buf) || strlen(buf) == 0) exit(0);

# rexecd rejects the over-long username with a 0x01 error byte or a "too long" message
if (ord(buf[0]) == 1 || egrep(pattern:"too long", string:buf)) {
  register_service(port:port, proto:"rexecd");
  security_warning(port:port, protocol:"tcp");
}
```

Summary

1. Our purpose of the lab generation
2. Complete use of the penetration tool
3. Practical use of OpenVAS
   • For attacker: Exploit, Sniff
   • For defender: Assess, Patch
4. Brief assessment of OpenVAS
   • Open source
   • Client-server structure
   • Extended and flexible NVT feed
   • Security and authentication

DEMO


Questions?
