EC521: Cybersecurity OpenVAS — OpenVAS: A how-to guide about the most popular vulnerability test tool. Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo Zhang; Igibek Koishybayev

Upload: julio-caulk

Post on 14-Dec-2015


Page 1: EC521: Cybersecurity OpenVAS OpenVAS —A how-to guide about the most popular vulnerability test tool Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo

EC521: Cybersecurity OpenVAS

OpenVAS —A how-to guide about the most popular vulnerability test tool

Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo Zhang;

Igibek Koishybayev;

1

Page 2:

OpenVAS Architecture

Page 3:

Our Environment

DVWA + XAMPP

OpenWebMail

Metasploitable

Blackboard

Page 4:

Question: How to perform a normal scan with OpenVAS?

Page 5:

How to find the command set?

• Solution: at the root prompt type openvas and press Tab twice; shell completion lists every command that begins with openvas

• OpenVAS-Scanner: openvassd, openvas-mkcert, openvas-nvt-sync
• OpenVAS-Manager: openvasmd
• OpenVAS-Client: openvas-cli
• Greenbone-Security-Assistant: gsad

Page 6:

How to find the command set?

• openvas-setup
• openvas-check-setup
• openvas-nvt-sync
• openvas-nasl

Reference:

http://www.openvas.org/setup-and-start.html

https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04

Page 7:

Target -- XAMPP

XAMPP's name is an acronym for:

X (to be read as "cross", meaning cross-platform)

Apache HTTP Server

MySQL

PHP

Perl

It is a completely free, easy-to-install Apache distribution containing MySQL, PHP, and Perl.

Reference: https://www.apachefriends.org/index.html

http://en.wikipedia.org/wiki/XAMPP

Page 8:

Set a target

Page 9:

Create a task

Page 10:

Get the result

Page 11:

Question: How to insert plugins into OpenVAS?

Page 12:

Webmail Vuln. & OpenVAS Plugins

Content

1. Webmail environment

2. Web-app scanning

3. Insert plugins

Page 13:

Webmail Environment

Mail Server Set-Up Environment (Local)

OS : CentOS-6.5

SMTP : Postfix-2.6 + Sasl

IMAP/POP3 : Dovecot-2.0

Web : Apache-2.2

Webmail : Openwebmail-2.30 (perl) / [Squirrelmail-1.4.22 (php)]

localhost/cgi-bin/openwebmail/openwebmail.pl

Page 14:

Page 15:

Network Vulnerability Tests (NVTs)

The OpenVAS project maintains a public feed of more than 35,000 NVTs (as of April 2014).

The command openvas-nvt-sync synchronises the local NVT collection with the feed service online.

NVTs are based on NASL scripts (Nessus Attack Scripting Language).

Page 16:

Q1: Locate required NVT scripts

Security tools integrated:

Port scanner: NMAP, pnscan, strobe

IPsec VPN scanning & fingerprinting: ike-scan

Web server scanning: Nikto

OVAL interpreter: ovaldi

Web application attack and audit framework: w3af

Page 17:

A1: Locate required NVT scripts (from Kali)

Location: /var/lib/openvas/plugins

Find: ls | grep 'specific_scripts'

Page 18:

A1: Locate required NVT scripts (from Greenbone Security Assistant)

SecInfo Management => NVTs => Help: Powerfilter

Family="Web application abuses"

Name~"openwebmail"

Page 19:

A1: Locate required NVT scripts

# … introduction comments, description …
if (description) {
  script_id(16463);
  script_version("$Revision: 17 $");
  script_tag(name:"last_modification", value:"$Date: 2013-10-27 15:01:43 +0100 (Sun, 27 Oct 2013) $");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"risk_factor", value:"Medium");
  script_cve_id("CVE-2005-0445");
  script_bugtraq_id(12547);
  script_xref(name:"OSVDB", value:"13788");
  # …
}

http://www.openvas.org/openvas-nvt-feed.html
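As an added example (not from the slides), a small POSIX shell helper that does what the last three slides show by hand: it finds NVT scripts in a plugin directory by name or by family, looks one up by OID (the lookup asked about on slide 42), and prints the metadata fields from the excerpt above. The function names, the two sample .nasl files and their OIDs are made up for this example; only the script_id, CVE and CVSS values of the first sample are copied from the slide. The plugin directory defaults to /var/lib/openvas/plugins as on the slides.

```sh
#!/bin/sh
# Added example, not from the slides: locate NVT scripts in a plugin directory
# by name, family or OID and print their metadata. The sample .nasl files are
# constructed below; the OIDs and the second script are made-up values.

PLUGIN_DIR=${PLUGIN_DIR:-/var/lib/openvas/plugins}

# Print one line of metadata for a .nasl file: script_id, OID, family, CVSS base, CVEs.
nvt_meta() {                  # $1 = path to a .nasl file
  f=$1
  id=$(sed -n 's/^[[:space:]]*script_id(\([0-9]*\)).*/\1/p' "$f" | head -n 1)
  oid=$(sed -n 's/^[[:space:]]*script_oid("\([^"]*\)").*/\1/p' "$f" | head -n 1)
  family=$(sed -n 's/^[[:space:]]*script_family("\([^"]*\)").*/\1/p' "$f" | head -n 1)
  cvss=$(sed -n 's/.*script_tag(name:"cvss_base",[[:space:]]*value:"\([^"]*\)").*/\1/p' "$f" | head -n 1)
  cves=$(sed -n 's/^[[:space:]]*script_cve_id(\(.*\));.*/\1/p' "$f" | tr -d '" ' | head -n 1)
  printf '%s id=%s oid=%s family="%s" cvss=%s cves=%s\n' \
    "$(basename "$f")" "${id:-?}" "${oid:-?}" "$family" "${cvss:-?}" "${cves:-none}"
}

# Files whose script_name contains the pattern, case-insensitively (slide 17/18 "Name~").
nvt_find_by_name() {          # $1 = plugin dir, $2 = substring of the script name
  grep -il "script_name(.*$2" "$1"/*.nasl 2>/dev/null
}

# Files whose script_family matches exactly (slide 18 "Family=").
nvt_find_by_family() {        # $1 = plugin dir, $2 = family string
  grep -l "script_family(\"$2\")" "$1"/*.nasl 2>/dev/null
}

# The file that declares a given OID (slide 42: look an NVT up by its OID).
nvt_find_by_oid() {           # $1 = plugin dir, $2 = OID
  grep -l "script_oid(\"$2\")" "$1"/*.nasl 2>/dev/null
}

# Construct a sample plugin directory so the demo runs offline.
make_sample_plugins() {       # $1 = directory to create
  mkdir -p "$1"
  cat > "$1/openwebmail_sample.nasl" <<'EOF'
# constructed sample; id, CVE and CVSS copied from the slide excerpt, OID made up
if (description) {
  script_id(16463);
  script_oid("1.3.6.1.4.1.25623.1.0.16463");
  script_version("$Revision: 17 $");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"risk_factor", value:"Medium");
  script_cve_id("CVE-2005-0445");
  script_name("OpenWebMail sample check");
  script_family("Web application abuses");
  exit(0);
}
EOF
  cat > "$1/other_sample.nasl" <<'EOF'
# constructed sample with placeholder ids (not real CVEs)
if (description) {
  script_id(900001);
  script_oid("1.3.6.1.4.1.25623.1.0.900001");
  script_tag(name:"cvss_base", value:"5.0");
  script_cve_id("CVE-0000-0001", "CVE-0000-0002");
  script_name("Generic service banner sample");
  script_family("Service detection");
  exit(0);
}
EOF
}

# Demo on a constructed directory: sh this_script.sh demo
# (set PLUGIN_DIR and call the functions directly to search a real plugin tree).
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_sample_plugins "$d"
  for f in $(nvt_find_by_family "$d" "Web application abuses"); do nvt_meta "$f"; done
  rm -rf "$d"
fi
```

The name and family filters are the same two fields the Greenbone powerfilter matches on, so a hit here should correspond to a hit in the web interface; the OID lookup is the reliable one when a report only gives you the identifier.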

Page 20:

Q2: Scan Webmail (Application)

Page 21:

A2: Scan Webmail (Application)

Configuration => Scan Configs => New Scan Config

Scan Settings:

HTTP Login Page

Login configurations

Page 22:

A2: Scan Webmail (Application)

Page 23:

Q3: Implement OpenVAS Plugins

Plugin Extension?

Page 24:

A3: Insert OpenVAS Plugins

1. script.nasl

2. # openvas-nasl -X script.nasl (runs the script without a signature check)

3. # vim /etc/openvas/openvassd.conf and set nasl_no_signature_check = no

Page 25:

A3: Insert OpenVAS Plugins

4. Key generation

# gpg --homedir=/etc/openvas/gnupg --gen-key

# wget http://www.openvas.org/OpenVAS_TI.asc

# gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc

Page 26:

A3: Insert OpenVAS Plugins

5. Set Trust

# gpg --homedir=/etc/openvas/gnupg --list-keys

# gpg --homedir=/etc/openvas/gnupg --lsign-key XXXXXXXXX

6. Detach Signature

# gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o script.nasl.asc script.nasl

Page 27:

A3: Insert OpenVAS Plugins

7. Add Certificate

# gpg --homedir=/etc/openvas/gnupg --import script.nasl.asc

8. Parse & Execute

# openvas-nasl -p script.nasl (parse only)

# openvas-nasl -t <target-host> script.nasl (execute against a target; <target-host> is a placeholder)

9. Copy plugins to /var/lib/openvas/plugins

Load Scanner & Rebuild Manager

# openvassd

# openvasmd --rebuild
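As an added example (not from the slides), steps 3 to 9 above wrapped in POSIX shell functions, with one step the slides skip: verifying the detached signature before the script is copied into the plugin directory. It assumes gpg, openvas-nasl, openvassd and openvasmd are on PATH; the gnupg home directory, key id and plugin directory are parameters, and the key generation of step 4 is left as the interactive gpg --gen-key on the slide. Step 7 is replaced by gpg --verify, since a detached signature is not a key and cannot be imported as one. The configuration files used in the demo are constructed.

```sh
#!/bin/sh
# Added example, not from the slides: the plugin-signing steps as shell
# functions, plus signature verification and a check on openvassd.conf.
# Assumes gpg, openvas-nasl, openvassd and openvasmd are on PATH.
# The defaults are the paths used on the slides.
OPENVAS_GNUPG=${OPENVAS_GNUPG:-/etc/openvas/gnupg}
OPENVAS_CONF=${OPENVAS_CONF:-/etc/openvas/openvassd.conf}
OPENVAS_PLUGINS=${OPENVAS_PLUGINS:-/var/lib/openvas/plugins}

# Step 3 check: return 0 only when the scanner is set to verify NVT signatures
# (nasl_no_signature_check = no). The last uncommented assignment wins; an
# unset key counts as "not enforced" because no default is assumed here.
signature_check_enforced() {   # $1 = path to openvassd.conf
  val=$(sed -n 's/^[[:space:]]*nasl_no_signature_check[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
  [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "no" ]
}

# Steps 4-5: import the feed signing key (OpenVAS_TI.asc) and locally sign it
# so that feed NVTs verify as trusted. --lsign-key prompts, as on the slide.
trust_feed_key() {             # $1 = gnupg homedir, $2 = OpenVAS_TI.asc, $3 = key id from --list-keys
  gpg --homedir "$1" --import "$2" && gpg --homedir "$1" --lsign-key "$3"
}

# Step 6: detached, ASCII-armoured signature of the script with your own key.
sign_nvt() {                   # $1 = gnupg homedir, $2 = signing key id, $3 = script.nasl
  gpg --homedir "$1" --local-user "$2" --detach-sign -a -o "$3.asc" "$3"
}

# Replaces step 7: verify the detached signature against the keyring in the
# homedir; a failure here means the script must not be installed.
verify_nvt() {                 # $1 = gnupg homedir, $2 = script.nasl
  gpg --homedir "$1" --verify "$2.asc" "$2"
}

# Steps 8-9: parse-only check, then install script and signature and reload.
install_nvt() {                # $1 = gnupg homedir, $2 = script.nasl, $3 = plugin dir
  verify_nvt "$1" "$2" || { echo "refusing to install $2: bad or missing signature" >&2; return 1; }
  openvas-nasl -p "$2" || return 1
  cp "$2" "$2.asc" "$3"/ && openvassd && openvasmd --rebuild
}

# Demo of the config check on constructed files: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  printf 'nasl_no_signature_check = no\n' > "$d/enforced.conf"
  printf 'nasl_no_signature_check = yes\n' > "$d/disabled.conf"
  for c in "$d/enforced.conf" "$d/disabled.conf"; do
    if signature_check_enforced "$c"; then echo "$c: signature check enforced"
    else echo "$c: signature check NOT enforced (set nasl_no_signature_check = no)"; fi
  done
  rm -rf "$d"
fi
```

The point of keeping nasl_no_signature_check = no and verifying before copying is that the plugin directory is executed by the scanner with its privileges: a script that lands there unsigned runs just the same as a feed NVT, so the signature check is the only gate between "file on disk" and "code the scanner runs".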

Page 28:

A3: Insert OpenVAS Plugins

Plugin found!

Flexible and extendable

Page 29:

Webmail Vuln. & OpenVAS Plugins

References

Openwebmail: http://www.openwebmail.org/

Web App Scan: http://www.greenbone.net/learningcenter/task_webappscan.html

http://www.tenable.com/blog/scanning-web-applications-that-require-authentication

NVT Feed: http://www.openvas.org/openvas-nvt-feed.html

NVT Signature: http://www.openvas.org/trusted-nvts.html

Page 30:

Question: How to understand the NASL script language?

Page 31:

NASL Language

NASL is a scripting language designed for the Nessus security scanner. Its aim is to allow anyone to write a test for a given security hole in a few minutes, to allow people to share their tests without having to worry about their operating system, and to guarantee everyone that a NASL script cannot do anything nasty except perform a given security test against a given target.

Reference: http://virtualblueness.net/nasl.html

Page 32:

NVT Structure

# OpenVAS Vulnerability Test
# $Id$
# Description: [one-line-description]
# (copyright and writer information)

if(description)
{
  script_oid(FIXME); # see http://www.openvas.org/openvas-oids.html
  script_version("$Revision$"); # leave as is, SVN will update this
  # … further description tags …
  exit(0); # the description block must exit before the test code below runs
}

include("FIXME.inc"); # in case you want to use a NASL library

# FIXME: the code.

Page 33:

Metasploitable 2

Designed by HD Moore, now owned by Rapid7 (to test their well-known tool Metasploit, for free)

A special version of Ubuntu Linux 8.0.4

A target machine with many built-in vulnerabilities

A good platform to conduct security training, test security tools, and practice common penetration testing techniques.

Page 34:

Page 35:

Vulnerabilities

Apache 2.2.8, Tomcat password, Samba NDR parsing, heap overflow, BIND libbind inet_network(), PHP 5.2.12, 5.2.6, 5.2.8, PHP fixed security issue, VNC password is "password", Samba 'reply_netbios_packet' nmbd buffer overflow, CVE-2012-1667, HTML output script insertion (XSS), key algorithm rollover bug, DNS service BIND 9.4.2, MySQL 5.0.51a and so on…

About 135 in all. 40 are critical vulnerabilities!

Page 36:

List

Page 37:

OpenVAS Scan Report

Sadly, not as many results as there should be (using the full ultimate scan).

Some NVTs don't have the full functionality of the original program or CVE.

Page 38:

A Brief Example

We can use this vulnerability to log in remotely to the target as root and execute shell commands using the rsh-client service. (In Kali Linux: apt-get install rsh-client.)

Page 39:

Nmap NVT port scan

The OpenVAS Nmap NVT returned no result and could not list all the open ports, while running nmap itself in Kali gives the full result.

All the open ports are printed out by nmap together with their protocol or function. An NVT can't take the place of the original program.

Page 40:

Is the vulnerability working? Remote Login

TCP port 512 is one of the "r" services, and it has been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). First, install rsh-client. Then type rlogin -l root 192.168.99.131, so…
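As an added example (not part of the slides), a defender-side audit for the misconfiguration just described: it flags a host field of "+" in hosts.equiv or .rhosts files, counts how many such files open access to any host, and lists which r-services an xinetd directory still has enabled. File paths are parameters and the sample files are constructed; on a real host you would point it at /etc/hosts.equiv, the .rhosts files in home directories and /etc/xinetd.d (or /etc/inetd.conf on inetd systems).

```sh
#!/bin/sh
# Added example, not from the slides: audit r-service trust files and xinetd.
# "+" in the host column of hosts.equiv or .rhosts trusts every host; "+ +"
# trusts every host and every user. Fix: remove the "+" entries, disable rsh,
# rlogin and rexec, and use SSH with key authentication instead.

# Return 0 if FILE has an entry whose host field is "+" (any host). Comment and
# blank lines are ignored; a leading "-" is a deny entry, not a wildcard.
trusts_any_host() {        # $1 = hosts.equiv or .rhosts file
  [ -r "$1" ] && grep -Eq '^[[:space:]]*[+]([[:space:]]|$)' "$1"
}

# Print how many of the given trust files open access to any host; each
# offending file and its first wildcard line are reported on stderr.
count_open_trust() {       # $@ = trust files (missing files are skipped)
  n=0
  for f in "$@"; do
    if trusts_any_host "$f"; then
      echo "open trust: $f: $(grep -E '^[[:space:]]*[+]' "$f" | head -n 1)" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# List the r-services (rsh, rlogin, rexec) that an xinetd directory has enabled,
# i.e. whose service file exists and does not contain "disable = yes".
enabled_rservices() {      # $1 = xinetd.d directory
  for svc in rsh rlogin rexec; do
    f="$1/$svc"
    [ -r "$f" ] || continue
    if ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
      echo "$svc"
    fi
  done
}

# Constructed sample files so the audit can be demonstrated offline.
make_samples() {           # $1 = scratch directory
  mkdir -p "$1/xinetd.d"
  printf '# trusts every host and every user\n+ +\n' > "$1/rhosts_bad"
  printf 'buildhost alice\n-badhost\n' > "$1/rhosts_ok"
  printf 'service rlogin\n{\n    disable = no\n}\n' > "$1/xinetd.d/rlogin"
  printf 'service rsh\n{\n    disable = yes\n}\n' > "$1/xinetd.d/rsh"
}

# Demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_samples "$d"
  echo "files with open trust: $(count_open_trust "$d/rhosts_bad" "$d/rhosts_ok")"
  echo "enabled r-services: $(enabled_rservices "$d/xinetd.d" | tr '\n' ' ')"
  rm -rf "$d"
fi
```

Note that the host-column check is the one that matters for the ".rhosts + +" case on the slide; a specific host with "+" in the user column is a narrower trust and is not flagged by trusts_any_host, so extend the pattern if your policy forbids that too.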

Page 41:

Do something bad

Since we are connected to the remote target over SSH, why not generate the SSH key (as we did in the homework), so next time we can access it without limit!

Page 42:

Question: How to use an OID to look up an NVT in the feed?

Use the OID to look up the NVT and the information attached to it

Page 43:

NVT Core

include("revisions-lib.inc");
include("misc_func.inc");

port = get_kb_item("Services/rexecd");
if(!port) port = 512;

# username is a string consisting of 260 "x" characters
username = crap(length:260, data:"x");
rexecd_string = string(raw_string(0), username, raw_string(0), "xxx", raw_string(0), "id", raw_string(0));

soc = open_sock_tcp(port);
if(!soc) exit(0);
send(socket:soc, data:rexecd_string);
buf = recv_line(socket:soc, length:4096);
close(soc);
if(!buf) exit(0);

# A leading 0x01 byte is rexecd's error marker and "too long" is its reply to the
# oversized name: either one means a rexecd is listening, so record the service and warn.
if(ord(buf[0]) == 1 || egrep(pattern:"too long", string:buf)) {
  register_service(port:port, proto:"rexecd");
  security_warning(port:port, protocol:"tcp");
}

Page 44:

Summary

1. Our purpose in building the lab

2. Complete use of the penetration tool

3. Practical use of OpenVAS

   For attacker: Exploit, Sniff

   For defender: Assess, Patch

4. Brief assessment of OpenVAS

   Open source

   Client-server structure

   Extended and flexible NVT feed

   Security and authentication

Page 45:

Blackboard: Demo

Page 46:

Questions?