OpenVAS

From Linuxmemo.

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.


Installation and setup

  • Step 1: Configure OBS Repository
sudo apt-get -y install python-software-properties
sudo add-apt-repository "deb http://download.opensuse.org/repositories/security:/OpenVAS:/UNSTABLE:/v5/xUbuntu_12.04/ ./"
sudo apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys BED1E87979EAFD54
sudo apt-get update
  • Step 2: Quick-Install OpenVAS
sudo apt-get -y install greenbone-security-assistant gsd openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc
  • Step 3: Quick-Start OpenVAS

(Copy and paste the whole block; the first time it runs you will be asked to set a password for the user "admin".)

# scanner server certificate, created only if it does not exist yet
test -e /var/lib/openvas/CA/cacert.pem  || sudo openvas-mkcert -q
# fetch the NVT feed
sudo openvas-nvt-sync
# client certificate "om", used by the manager to authenticate to the scanner
test -e /var/lib/openvas/users/om || sudo openvas-mkcert-client -n om -i
sudo /etc/init.d/openvas-manager stop
sudo /etc/init.d/openvas-scanner stop
# start the scanner so that the manager can migrate its database and rebuild the NVT cache against it
sudo openvassd
sudo openvasmd --migrate
sudo openvasmd --rebuild
sudo killall openvassd
sleep 15
sudo /etc/init.d/openvas-scanner start
sudo /etc/init.d/openvas-manager start
sudo /etc/init.d/openvas-administrator restart
sudo /etc/init.d/greenbone-security-assistant restart
# first administrator account; prompts for the password
test -e /var/lib/openvas/users/admin || sudo openvasad -c add_user -n admin -r Admin
  • Step 4: Log into OpenVAS as "admin"
Open https://localhost:9392/ 
or
start "gsd" on a command line as a regular user (not as root!).

Clients

  • OpenVAS-Client - obsolete: it stayed at an earlier version of the OMP protocol
/usr/bin/OpenVAS-Client
  • OpenVAS CLI - command line
/usr/bin/omp
omp -h 127.0.0.1 -p 9390 -u admin -w pass -X '<help/>'
Passing the password with -w leaves it in the shell history and in the process list; omp can also read host, port, username and password from ~/omp.config (see --config-file).

OMPv3 command reference: http://www.openvas.org/openvas-cr-28.html

  • Greenbone Security Assistant - web service
/usr/sbin/gsad
  • Greenbone Security Desktop - desktop client program
/usr/bin/gsd

Services

  • OpenVAS-Scanner
the OpenVAS scanner itself (openvassd)
  • OpenVAS-Manager
functions to manage and organise the scan results; acts as a layer between the OpenVAS scanner and its clients
  • OpenVAS-Administrator
openvasad
user account management and feed management
openvasad --enable-modify-settings -c set_role -u openvas -r Admin
The same kind of change as an OAP modify_user request, sent by an OAP client logged in as admin: set Foobar's role to Admin, keep the current password (modify="0") and leave the host list unrestricted (allow="0" with an empty list):
<modify_user>
  <name>Foobar</name>
  <password modify="0"></password>
  <role>Admin</role>
  <hosts allow="0"></hosts>
</modify_user>

OAP command reference: http://www.openvas.org/openvas-cr-30.html

Data

  • NVTs

For online-synchronisation use the command

openvas-nvt-sync

to update your local NVTs with the newest ones from the feed service. The command allows rsync, wget or curl as transfer method. The feed is usually updated every weekday.

  • via proxy

If you have a newer version of openvas-scanner (3.0.1 or higher) the sync can go through a proxy. The variable has to be in the environment of openvas-nvt-sync: an assignment followed by ";" only sets a shell variable that wget or curl never see, so put it on the same command line (or export it):

http_proxy="http://yourproxy.com:8080" openvas-nvt-sync --wget

Or if you don't have wget, but curl:

http_proxy="http://yourproxy.com:8080" openvas-nvt-sync --curl
  • Results
  • Configs

Metasploit plugin

load openvas
(http) openvas_connect admin pass 127.0.0.1 9390
or
(https) openvas_connect admin pass 127.0.0.1 9390 ok
openvas_help
openvas_target_create <name> <hosts> <comment>
openvas_config_list
openvas_task_create <name> <comment> <config_id> <target_id>
openvas_task_start <id>
openvas_task_list
Import into the Metasploit database with
openvas_report_import
or from a file with
db_import

Status codes

The OpenVAS manager uses numerical response codes to indicate whether a command issued by the client could be executed successfully. The response codes are very similar to the response codes used by HTTP as specified in RFC 2616: a response code in the 2xx range indicates that the command has been successfully received, understood and accepted; a response code in the 4xx range indicates that the command could not be executed because of an error made by the client; a response code in the 5xx range indicates that an error occurred in the manager while processing the command. Responses are expected to include helpful information whenever possible, such as the ID of the resulting report when a task is started. Implementations that transfer OMP over a response-code-aware protocol (e.g. HTTP) might want to include this status code in the message generated by that protocol. The code is carried in the status attribute of the response element and the explanation in status_text (see the create_target_response under Import below).

http://www.ietf.org/rfc/rfc2616.txt

NVT OID

Ref: http://openvas.komma-nix.de/

Recipes

VM conversion

ovftool --lax OpenVAS-6-DEMO-2.0.ova OpenVAS-6-DEMO-2.0.vmx

Import

  • limit: at most 4095 hosts per target
<create_target_response status_text="Host specification exceeds 4095 hosts" status="400"></create_target_response>
  • creating a target from an XML file

File:

<create_target>
<name>new target</name>
<hosts>new_target.example.com</hosts>
</create_target>
  • send it with the command
omp -u admin -w "admin" --xml="$(cat monfichier.xml)"
A list of more than 4095 hosts has to be split over several targets.

Metasploit db export

  • from the Metasploit console, using port 21 as the criterion for example:
services -u -p 21 -R
RHOSTS => file:/tmp/msf-db-rhosts-20130413-13479-dsxd0q-0
  • edit the file (one host per line) into the comma-separated list the hosts element expects
vim /tmp/msf-db-rhosts-20130413-13479-dsxd0q-0
:%s/\n/,/g
remove the trailing ","
then add the XML tags
  • all that is left is to import it

Postgres db export

  • from the shell
su postgres
psql -U postgres -d msf -c "COPY (SELECT hosts.address FROM hosts, services WHERE hosts.id = services.host_id AND services.state = 'open' AND services.port = '21' LIMIT 4095) to '/tmp/cli.csv' CSV HEADER"
The LIMIT matches the 4095-host restriction above. HEADER writes a first line "address" that must be dropped before the addresses go into the hosts element.
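The following script is an added example, not code from the Linuxmemo page or from OpenVAS. It ties the three notes above together: it takes a host file with one address per line (what `services -R` writes, or the psql CSV including its header line), splits it into targets of at most 4095 hosts, builds the create_target documents without the trailing comma, and reads the numeric status code back from each reply the way the status-code section describes. The `omp` client reading its credentials from ~/omp.config, the `import_targets` / `split_targets` function names and the file layout are assumptions of this example.

```shell
#!/bin/bash
# Added example, not code from the Linuxmemo page or from OpenVAS.
# Assumes: an `omp` client in PATH that reads its credentials from
# ~/omp.config, and a host file with one address per line (output of
# `services -R` or of the psql COPY, header line included).
set -eu

MAX_HOSTS=4095   # the manager refuses more ("Host specification exceeds 4095 hosts")

# Escape the characters that would break the XML document.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Print one <create_target> document for the hosts read on stdin
# (one per line), joined with commas and without a trailing comma.
build_create_target() {
  local name hosts
  name=$(xml_escape "$1")
  hosts=$(paste -sd, -)
  printf '<create_target><name>%s</name><hosts>%s</hosts></create_target>\n' "$name" "$hosts"
}

# Extract the three-digit status attribute from an OMP response.
omp_status() {
  printf '%s\n' "$1" | sed -n 's/.*status="\([0-9]\{3\}\)".*/\1/p'
}

# Classify a status code as the OMP reference does (HTTP-like ranges).
omp_status_class() {
  case "$1" in
    2??) echo ok ;;
    4??) echo client_error ;;
    5??) echo server_error ;;
    *)   echo unknown ;;
  esac
}

# Split a host file into chunks of MAX_HOSTS lines (blank lines and the
# CSV header "address" dropped) and print one document per chunk,
# named <prefix>-1, <prefix>-2, ...
split_targets() {
  local file="$1" prefix="$2" n=0 chunk
  grep -v -e '^$' -e '^address$' "$file" | split -l "$MAX_HOSTS" - "$file.chunk."
  for chunk in "$file".chunk.*; do
    [ -e "$chunk" ] || continue        # no chunks: the host file was empty
    n=$((n + 1))
    build_create_target "$prefix-$n" < "$chunk"
    rm -f "$chunk"
  done
}

# Send every document with omp; print "<code> <class>" per target and
# stop at the first reply outside the 2xx range, showing the full reply.
# Usage: import_targets hosts.txt ftp-hosts
import_targets() {
  local xml reply code
  split_targets "$1" "$2" | while IFS= read -r xml; do
    reply=$(omp --xml="$xml")
    code=$(omp_status "$reply")
    echo "$code $(omp_status_class "$code")"
    [ "$(omp_status_class "$code")" = ok ] || { printf '%s\n' "$reply" >&2; exit 1; }
  done
}
```

Stopping at the first non-2xx reply matters because a 400 on one chunk (for example a malformed address) would otherwise leave a partial set of targets behind; the full reply is printed so the status_text can be read.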

Kali after update

After a package update the shipped unit file is back to its defaults; to put gsad on all interfaces and port 443 again:

#!/bin/bash
systemctl stop greenbone-security-assistant.service
# check first that 127.0.0.1 occurs only as the gsad listen address in the ExecStart line;
# a manager address on the same line must stay on loopback
grep ExecStart /lib/systemd/system/greenbone-security-assistant.service
sed -i 's/127.0.0.1/0.0.0.0/g' /lib/systemd/system/greenbone-security-assistant.service
sed -i 's/9392/443/g' /lib/systemd/system/greenbone-security-assistant.service
systemctl daemon-reload && systemctl start greenbone-security-assistant.service

Listening on 0.0.0.0 exposes the web interface on every interface, so restrict it with a firewall; binding port 443 requires the service to run as root or with CAP_NET_BIND_SERVICE. Edits to /lib/systemd/system are lost at the next package update, whereas a drop-in created with systemctl edit greenbone-security-assistant.service survives it.
--
# Database version update
sudo runuser -u _gvm -- gvmd --migrate

--
# Feed update
greenbone-feed-sync --type all --no-wait --user _gvm  --group _gvm
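The script below is an added example, not code from the Linuxmemo page, Kali or Greenbone. Instead of patching the packaged unit in /lib/systemd/system (which the next update overwrites, the situation this section deals with) it writes a systemd drop-in that re-specifies ExecStart with the new listen address and port, and refuses to write anything if the expected flags are not found. It assumes the packaged unit has a single ExecStart= line carrying gsad's --listen 127.0.0.1 and --port 9392 flags (written with "=" or a space); the function names, the warning texts and the optional unit/drop-in path parameters are this example's own.

```shell
#!/bin/bash
# Added example, not code from the Linuxmemo page or from Kali/Greenbone.
# Assumes the packaged unit has a single ExecStart= line carrying the
# gsad flags --listen 127.0.0.1 and --port 9392 (with "=" or a space);
# unit file and drop-in directory are parameters so the functions can
# be exercised on a copy.
set -eu

UNIT=greenbone-security-assistant.service

# Print the unit's ExecStart= line with the listen address and port
# replaced. Fails if the line is missing or nothing matched, so that a
# unit with different flags is never silently left unchanged.
rewrite_execstart() {
  local unit_file="$1" addr="$2" port="$3" line new
  line=$(grep -m1 '^ExecStart=' "$unit_file") || { echo "no ExecStart= in $unit_file" >&2; return 1; }
  # Only the gsad listen flags change; a manager address (--mlisten) on
  # the same line stays on loopback.
  new=$(printf '%s\n' "$line" | sed -e "s/\(--listen[= ]\)127\.0\.0\.1/\1$addr/" -e "s/\(--port[= ]\)9392/\1$port/")
  if [ "$new" = "$line" ]; then
    echo "no --listen 127.0.0.1 / --port 9392 in: $line" >&2
    return 1
  fi
  printf '%s\n' "$new"
}

# Write the drop-in override and print its path. The empty ExecStart=
# clears the packaged command first; systemd rejects a second ExecStart
# for a non-oneshot service. Args: address, port, [unit file], [drop-in dir].
write_gsad_override() {
  local addr="$1" port="$2"
  local unit_file="${3:-/lib/systemd/system/$UNIT}"
  local dropin_dir="${4:-/etc/systemd/system/$UNIT.d}"
  local exec_line
  exec_line=$(rewrite_execstart "$unit_file" "$addr" "$port")
  [ "$addr" != 0.0.0.0 ] || echo "warning: web UI reachable on every interface; firewall it" >&2
  [ "$port" -ge 1024 ] || echo "warning: port $port needs root or CAP_NET_BIND_SERVICE" >&2
  mkdir -p "$dropin_dir"
  printf '[Service]\nExecStart=\n%s\n' "$exec_line" > "$dropin_dir/override.conf"
  printf '%s\n' "$dropin_dir/override.conf"
}

# Usage (as root): ./gsad-override.sh 0.0.0.0 443
# then: systemctl daemon-reload && systemctl restart greenbone-security-assistant.service
if [ $# -eq 2 ]; then
  write_gsad_override "$1" "$2"
fi
```

After a package update the drop-in in /etc/systemd/system still applies; if Kali changes the flags in the packaged ExecStart line, rewrite_execstart fails loudly rather than producing an override that silently points gsad at the wrong address.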

Bugs

  • Failed to receive data: A TLS packet with unexpected length was received.
  • Database is wrong version.
gvm-check-setup
tail -f /var/log/gvm/gvmd.log 
sudo runuser -u _gvm -- gvmd --migrate
gvm-check-setup
  • Change web port (gsad)
systemctl edit greenbone-security-assistant.service
(or edit the unit file /lib/systemd/system/greenbone-security-assistant.service directly, which the next package update will overwrite)
systemctl daemon-reload
systemctl restart greenbone-security-assistant.service