EC521: Cybersecurity OpenVAS OpenVAS —A how-to guide about the most popular vulnerability test tool Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo.


1 EC521: Cybersecurity OpenVAS OpenVAS —A how-to guide about the most popular vulnerability test tool Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo Zhang; Igibek Koishybayev; 1

2 EC521: Cybersecurity OpenVAS OpenVAS Architecture 2

3 Our Environment DVWA + XAMPP OpenWebMail Metasploitable Blackboard EC521: Cybersecurity OpenVAS 3

4 Question: How to perform a normal scan with OpenVAS? EC521: Cybersecurity OpenVAS 4

5 How to find the command set? Solution: # openvas<Tab><Tab> (shell completion lists the commands)
OpenVAS-Scanner: openvassd, openvas-mkcert, openvas-nvt-sync
OpenVAS-Manager: openvasmd
OpenVAS-Client: openvas-cli
Greenbone-Security-Assistant: gsad
EC521: Cybersecurity OpenVAS 5

6 How to find the command set?
openvas-setup
openvas-check-setup
openvas-nvt-sync
openvas-nasl
Reference:
http://www.openvas.org/setup-and-start.html
https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu
EC521: Cybersecurity OpenVAS 6

7 EC521: Cybersecurity OpenVAS XAMPP's name is an acronym for: X (to be read as "cross", meaning cross-platform) Apache HTTP Server MySQL PHP Perl It is a completely free, easy to install Apache distribution containing MySQL, PHP, and Perl. Reference: https://www.apachefriends.org/index.html Target -- XAMPP 7

8 EC521: Cybersecurity OpenVAS Set a target 8

9 EC521: Cybersecurity OpenVAS Create a task 9

10 EC521: Cybersecurity OpenVAS Get the result 10

11 Question: How to insert plugins into OpenVAS? EC521: Cybersecurity OpenVAS 11

12 EC521: Cybersecurity OpenVAS Webmail Vuln. & OpenVAS Plugins Content 1.Webmail environment 2.Web-app scanning 3.Insert plugins 12

13 EC521: Cybersecurity OpenVAS Webmail Environment Mail Server Set-Up Environment (Local) OS: CentOS-6.5 SMTP: Postfix Sasl IMAP/POP3: Dovecot-2.0 Web: Apache-2.2 Webmail: Openwebmail-2.30 (perl)/ [Squirrelmail (php)] localhost/cgi-bin/openwebmail/openwebmail.pl 13

14 EC521: Cybersecurity OpenVAS 14

15 EC521: Cybersecurity OpenVAS Network Vulnerability Tests NVTs The OpenVAS project maintains a public feed of more than 35,000 NVTs (as of April 2014) Command openvas-nvt-sync for online-synchronisation from the feed service. Based on NASL scripts (Nessus Attack Scripting Language) 15

16 EC521: Cybersecurity OpenVAS Q1: Locate required NVT scripts
Security tools INTEGRATED:
Port scanner: NMAP, pnscan, strobe
IPsec VPN scanning & fingerprinting: ike-scan
Web server scanning: Nikto
OVAL interpreter: ovaldi
Web application attack and audit framework: w3af
16

17 EC521: Cybersecurity OpenVAS A1: Locate required NVT scripts (from Kali)
Location: /var/lib/openvas/plugins
Find: ls | grep 'specific_scripts'
17

18 EC521: Cybersecurity OpenVAS A1: Locate required NVT scripts (from Greenbone Security Assistant)
Secinfo Management => NVTs => Help: Powerfilter
Family="Web application abuses" Name~"openwebmail"
18

19 EC521: Cybersecurity OpenVAS A1: Locate required NVT scripts
    # … introduction comments, description …
    if (description) {
      script_id(16463);
      script_version("$Revision: 17 $");
      script_tag(name:"last_modification", value:"$Date: :01: (Sun, 27 Oct 2013) $");
      script_tag(name:"creation_date", value:" :08: (Thu, 03 Nov 2005)");
      script_tag(name:"cvss_base", value:"4.3");
      script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
      script_tag(name:"risk_factor", value:"Medium");
      script_cve_id("CVE ");
      script_bugtraq_id(12547);
      script_xref(name:"OSVDB", value:"13788");
      # …
19

20 EC521: Cybersecurity OpenVAS Q2: Scan Webmail (Application) 20

21 EC521: Cybersecurity OpenVAS A2: Scan Webmail (Application) Configuration => Scan Configs => New Scan Config Scan Settings: Http Login Page Login configurations 21

22 EC521: Cybersecurity OpenVAS A2: Scan Webmail (Application) 22

23 EC521: Cybersecurity OpenVAS Q3: Implement OpenVAS Plugins Plugin Extension? 23

24 EC521: Cybersecurity OpenVAS A3: Insert OpenVAS Plugins
1. script.nasl
2. # openvas-nasl -X script.nasl (insert without cert)
3. # vim /etc/openvas/openvassd.conf
   nasl_no_signature_check = no
24

25 EC521: Cybersecurity OpenVAS A3: Insert OpenVAS Plugins
4. Key generation
   # gpg --homedir=/etc/openvas/gnupg --gen-key
   # wget
   # gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc
25

26 EC521: Cybersecurity OpenVAS A3: Insert OpenVAS Plugins
5. Set trust
   # gpg --homedir=/etc/openvas/gnupg --list-keys
   # gpg --homedir=/etc/openvas/gnupg --lsign-key XXXXXXXXX
6. Detach signature
   # gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o script.nasl.asc script.nasl
26

27 EC521: Cybersecurity OpenVAS A3: Insert OpenVAS Plugins
7. Add certificate
   # gpg --homedir=/etc/openvas/gnupg --import script.nasl.asc
8. Parse & execute
   # openvas-nasl -p -t script.nasl
9. Copy plugins to /var/lib/openvas/plugins, then load the scanner and rebuild the manager
   # openvassd
   # openvasmd --rebuild
27
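Steps 4 to 8 above, as an added example that is not from the slides or from the OpenVAS project: a POSIX shell script that generates a signing key in a throwaway GnuPG homedir (standing in for /etc/openvas/gnupg), writes the detached script.nasl.asc signature and then verifies it, showing why a plugin edited after signing is rejected once nasl_no_signature_check = no. The names gpg_q, make_signing_key, sign_nvt and verify_nvt, the example.invalid user id and the one-line stand-in plugin are all assumptions; gpg 2.1 or later must be on PATH.

```shell
#!/bin/sh
# Added example, not from the slides: sign a NASL plugin with a dedicated GnuPG
# homedir and verify the detached signature, as openvassd does before loading a
# plugin when nasl_no_signature_check = no. Assumes gpg 2.1+ on PATH.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to show" >&2; exit 0; }

# Throwaway keyring standing in for /etc/openvas/gnupg on the slides.
GPGHOME="$(mktemp -d)"
chmod 700 "$GPGHOME"

gpg_q() { gpg --homedir "$GPGHOME" --batch --no-tty --quiet "$@"; }

# Step 4 on the slides (gpg --gen-key), done non-interactively with an
# unprotected key so the script runs unattended; a real deployment keeps the
# signing key protected and off the scanner host.
make_signing_key() {
  gpg_q --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example NVT signer <nvt-signer@example.invalid>' \
    default default never >/dev/null 2>&1
}

# Step 6: detached ASCII-armoured signature stored next to the script as <file>.asc.
sign_nvt() {
  gpg_q --yes --pinentry-mode loopback --passphrase '' \
    --detach-sign -a -o "$1.asc" "$1"
}

# The check the scanner performs; prints ok or BAD instead of exiting so
# callers can act on the result.
verify_nvt() {
  if gpg_q --verify "$1.asc" "$1" >/dev/null 2>&1; then echo ok; else echo BAD; fi
}

# Constructed one-line stand-in for a plugin (a real NVT carries a full description block).
NVT="$GPGHOME/script.nasl"
printf 'if(description) { script_oid("FIXME"); exit(0); }\n' > "$NVT"

make_signing_key
sign_nvt "$NVT"
echo "fresh signature: $(verify_nvt "$NVT")"        # ok
printf '# line appended after signing\n' >> "$NVT"
echo "after tampering: $(verify_nvt "$NVT")"        # BAD: any edit invalidates the signature
```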

28 EC521: Cybersecurity OpenVAS A3: Insert OpenVAS Plugins Plugin found! Flexible and Extendable 28

29 EC521: Cybersecurity OpenVAS Webmail Vuln. & OpenVAS Plugins References Openwebmail: Web App Scan: NVT Feed: NVT Signature: 29

30 Question: How to understand NASL Script language? EC521: Cybersecurity OpenVAS 30

31 EC521: Cybersecurity OpenVAS NASL Language NASL is a scripting language designed for the Nessus security scanner. Its aim is to allow anyone to write a test for a given security hole in a few minutes, to allow people to share their tests without having to worry about their operating system, and to guarantee everyone that a NASL script can not do anything nasty except performing a given security test against a given target. Reference: 31

32 NVT Structure
    # OpenVAS Vulnerability Test
    # $Id$
    # Description: [one-line-description]
    # (copyright and writer information)
    if(description)
    {
      script_oid(FIXME);            # see http://www.openvas.org/openvas-oids.html
      script_version("$Revision$"); # leave as is, SVN will update this
      # …
      exit(0);                      # the description block ends here; nothing below runs in description mode
    }
    include("FIXME.inc");           # in case you want to use a NASL library
    # FIXME: the code.

33 Metasploitable 2: Designed by HD Moore, now owned by Rapid7 (to test their well-known tool Metasploit, for free). A special version of Ubuntu Linux. A target machine with many built-in vulnerabilities. A good platform to conduct security training, test security tools, and practice common penetration testing techniques. 33

34 34

35 Vulnerabilities: Apache 2.2.8, Tomcat password, Samba NDR parsing heap overflow, BIND libbind inet_network(), PHP , 5.2.6, 5.2.8, PHP fixed security issue, VNC password is "password", Samba 'reply_netbios_packet' nmbd buffer overflow, cve , HTML output script insertion XSS, key algorithm rollover bug, DNS service BIND 9.4.2, MySQL a and so on… About 135 in all; 40 are critical vulnerabilities! 35

36 36 List

37 OpenVAS Scan Report: Sadly, fewer results than there should be (using the Full and ultimate scan config). Some NVTs do not have the full functionality of the original program or of the CVE they are based on.

38 A Brief Example: We can use this vulnerability to log in remotely to the target as root and execute shell commands using the rsh-client service (in Kali Linux, apt-get install rsh-client).

39 Nmap NVT port scan: The OpenVAS Nmap NVT returned no result; it cannot list all the open ports, whereas running nmap in Kali gives the full result. nmap prints all the open ports along with their protocol or function. The NVT cannot take the place of the original program.

40 Is the vulnerability working? Remote login: TCP port 512 is one of the "r" services, and it has been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). First, install rsh-client. Then type in rlogin -l root , so…

41 Do something bad: Since we have an SSH session on the remote target, why not generate the SSH key (as we did in homework), so that next time we can access it without limits!

42 42 Question: How to use OID to get NVT’s feed? Use OID To look for the NVT and more information with it
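Slides 17 and 18 locate a plugin with ls | grep or a Powerfilter, and this slide asks how an OID leads to an NVT. As an added example that is not from the slides or the OpenVAS project: a POSIX shell index of the description-block metadata (OID, CVSS base score, family, CVE) that the scanner reads from each plugin, so a plugin directory can be searched by OID or family. nvt_field, nvt_index, nvt_by_oid and nvt_by_family are assumed names, and the two sample plugins with their OIDs and CVE ids are constructed placeholders, not feed entries.

```shell
#!/bin/sh
# Added example, not from the slides: index the description-block metadata that
# openvassd reads from every plugin, so a plugin directory can be searched by
# OID, family or CVE instead of with a bare `ls | grep`. POSIX sh, sed, awk only.
set -eu

# nvt_field <file> <name>: value of a script_<name>("...") call (script_oid,
# script_cve_id, script_family) or of script_tag(name:"<name>", value:"...").
nvt_field() {
  sed -n -e "s/^[[:space:]]*$2(\"\([^\"]*\)\").*/\1/p" \
         -e "s/^[[:space:]]*script_tag(name:\"$2\",[[:space:]]*value:\"\([^\"]*\)\").*/\1/p" \
         "$1" | head -n 1
}

# nvt_index <dir>: one line per plugin, fields oid|cvss_base|family|cve|file
nvt_index() {
  for f in "$1"/*.nasl; do
    printf '%s|%s|%s|%s|%s\n' "$(nvt_field "$f" script_oid)" "$(nvt_field "$f" cvss_base)" \
      "$(nvt_field "$f" script_family)" "$(nvt_field "$f" script_cve_id)" "$f"
  done
}
# Lookups over the index: by OID (what GSA shows) and by family (the Powerfilter on slide 18).
nvt_by_oid()    { nvt_index "$1" | awk -F'|' -v oid="$2" '$1 == oid { print $5 }'; }
nvt_by_family() { nvt_index "$1" | awk -F'|' -v fam="$2" '$3 == fam { print $5 }'; }

# Constructed sample plugins standing in for /var/lib/openvas/plugins; the OIDs
# (under the OpenVAS NVT arc) and CVE ids are placeholders, not real feed entries.
PLUGINS="$(mktemp -d)"
cat > "$PLUGINS/owm_example.nasl" <<'EOF'
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999001");
  script_tag(name:"cvss_base", value:"4.3");
  script_cve_id("CVE-2000-0000");
  script_family("Web application abuses");
  exit(0);
}
EOF
cat > "$PLUGINS/other_example.nasl" <<'EOF'
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.999002");
  script_tag(name:"cvss_base", value:"7.5");
  script_cve_id("CVE-2000-0001");
  script_family("Buffer overflow");
  exit(0);
}
EOF
nvt_index "$PLUGINS"
nvt_by_oid "$PLUGINS" 1.3.6.1.4.1.25623.1.0.999002
nvt_by_family "$PLUGINS" "Web application abuses"
```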

43 NVT Core
    include("revisions-lib.inc");
    include("misc_func.inc");
    # use the port the scanner already found for rexecd, else the default 512
    port = get_kb_item("Services/rexecd");
    if(!port) port = 512;
    # username is a string consisting of 260 "x"
    username = crap(length:260, data:"x");
    rexecd_string = string(raw_string(0), username, raw_string(0), "xxx", raw_string(0), "id", raw_string(0));
    soc = open_sock_tcp(port);
    if(!soc) exit(0);
    send(socket:soc, data:rexecd_string);
    buf = recv_line(socket:soc, length:4096);
    close(soc);
    # an rexecd error byte (1) or a "too long" message identifies the service
    if(ord(buf[0]) == 1 || egrep(pattern:"too long", string:buf))
    {
      register_service(port:port, proto:"rexecd");
      security_warning(port:port, protocol:"tcp");
    }

44 Summary
1. Our purpose for the lab generation
2. Complete use of the penetration tool
3. Practical use of OpenVAS: for the attacker, exploit and sniff; for the defender, assess and patch
4. Brief assessment of OpenVAS: open source; client-server structure; extensible and flexible NVT feed; security and authentication

45 45 Blackboard: Demo

46 EC521: Cybersecurity OpenVAS Questions? 46
