
1 OpenVAS —A how-to guide about the most popular vulnerability test tool
Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo Zhang; Igibek Koishybayev; EC521: Cybersecurity OpenVAS

2 The objective: Lab generation
The objective of this project is to:
- Learn in detail about OpenVAS
- Give a presentation about OpenVAS to the class (what we are doing now)
- Design an around-20-minute lab/tutorial making use of this tool
We will also provide a solution manual for our lab/tutorial.

3 An overview of OpenVAS
The Open Vulnerability Assessment Scanner, known more commonly as OpenVAS, is a suite of tools that work together to run tests against client computers using a database of known exploits and weaknesses. The goal is to learn how well your servers are guarded against known attack vectors.

4 OpenVAS Architecture

5 OpenVAS Modules
Modules and their relevant commands:
- OpenVAS-Scanner: openvassd, openvas-mkcert, openvas-nvt-sync
- OpenVAS-Manager: openvasmd
- OpenVAS-Client: openvas-cli
- Greenbone-Security-Assistant: a web interface

6 Several significant commands
- openvas-setup
- openvas-check-setup
- openvas-nvt-sync
- openvassd --help for more information
- openvasmd --help for more information
Reference: http://

7 Got it!

8 Correctly installing and setting up OpenVAS is the foundation for the rest of our vulnerability tests, so let's have a brief tutorial.

9 Environment Build-up procedure
Build up the working environment:
- Kali Linux OS (set up on a virtual machine)
- Install OpenVAS in Kali Linux
- Use openvas-check-setup to check the installation
- openvas-mkcert (creates the SSL certificate); this is a very important step!
- NVT synchronization: openvas-nvt-sync
- Start the OpenVAS Scanner

10 Environment Build-up procedure
- Start the OpenVAS Manager
- Use openvas-mkcert-client -n om -i to create the certificate for OpenVAS Manager
- Create an admin user for the GSA web client: openvasad -c add_user -n admin -r Admin
- openvasmd --rebuild
- openvasmd -p 9390 -a

11 Environment Build-up procedure
- openvasad -a -p 9393
- gsad --http-only --listen= -p 9392
Congratulations!! GSA location: open it in a web browser and you will very likely see the next slide's picture.

12 I am not a bad guy

13 Question: How to perform a normal scan with OpenVAS?

14 Target: XAMPP
XAMPP's name is an acronym for:
- X (to be read as "cross", meaning cross-platform)
- Apache HTTP Server
- MySQL
- PHP
- Perl
It is a completely free, easy-to-install Apache distribution containing MySQL, PHP, and Perl.
Reference:

15 Set a target

16 Create a task

17 Get the result

18 Question: What is NASL Language?

19 NASL Language
NASL is a scripting language designed for the Nessus security scanner. Its aim is to allow anyone to write a test for a given security hole in a few minutes, to allow people to share their tests without having to worry about their operating system, and to guarantee everyone that a NASL script cannot do anything nasty except perform a given security test against a given target.
Reference:

20 NASL Plugin
How to write and implement our own plugins?
- Copy our plugins to the OpenVAS plugin directory: /var/lib/openvas/plugins
- Load the plugins: openvassd
- Rebuild the library: openvasmd --rebuild
If you want to attach a signature and certificate to your plugin, please refer to:

21 Webmail Vulnerability & OpenVAS Plugins

22 Webmail Vuln. & OpenVAS Plugins
Content:
- Webmail environment
- Vulnerability tests
- Insert your plugins

23 Webmail Vulnerability
Mail Server Set-Up Environment (Local):
- OS: CentOS-6.5
- SMTP: Postfix + SASL
- IMAP/POP3: Dovecot-2.0
- Web: Apache-2.2
- Webmail: Openwebmail-2.30 (perl) / [Squirrelmail (php)], served at localhost/cgi-bin/openwebmail/

24

25 OpenVAS Plugins: Network Vulnerability Tests (NVTs)

26 OpenVAS Plugins: NVTs
- The OpenVAS project maintains a public feed of more than 35,000 NVTs (as of April 2014)
- The command openvas-nvt-sync performs online synchronisation from the feed service
- Based on NASL scripts (Nessus Attack Scripting Language)

27 OpenVAS Plugins
Location: /var/lib/openvas/plugins
Security tools integrated:
- Port scanners: NMAP, pnscan, strobe
- IPsec VPN scanning & fingerprinting: ike-scan
- Web server scanning: Nikto
- OVAL interpreter: ovaldi
- Web application attack and audit framework: w3af
- ……

28 OpenVAS Plugins: NVTs Selection

29 OpenVAS Plugins

```nasl
# OpenVAS Vulnerability Test
# $Id: openwebmail_logindomain_xss.nasl :01:43Z jan $
# Description: Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability
#
# Authors:
# George A. Theall,
#
# Copyright:
# Copyright (C) 2005 George A. Theall
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA USA.

include("");

tag_summary = "The remote webmail server is affected by a cross-site scripting flaw.

Description :

The remote host is running at least one instance of Open WebMail that
fails to sufficiently validate user input supplied to the 'logindomain'
parameter. This failure enables an attacker to run arbitrary script code
in the context of a user's web browser.";

tag_solution = "Upgrade to Open WebMail version or later.";

if (description) {
  script_id(16463);
  script_version("$Revision: 17 $");
  script_tag(name:"last_modification", value:"$Date: :01: (Sun, 27 Oct 2013) $");
  script_tag(name:"creation_date", value:" :08: (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"risk_factor", value:"Medium");
  script_cve_id("CVE ");
  script_bugtraq_id(12547);
  script_xref(name:"OSVDB", value:"13788");
  name = "Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability";
  script_name(name);
  desc = " Summary: " + tag_summary + " Solution: " + tag_solution;
  script_description(desc);
  summary = "Checks for logindomain parameter cross-site scripting vulnerability in Open WebMail";
  script_summary(summary);
  script_category(ACT_ATTACK);
  script_copyright("This script is Copyright (C) 2005 George A. Theall");
  family = "Web application abuses";
  script_family(family);
  script_dependencies("openwebmail_detect.nasl");
  script_require_ports("Services/www", 80);
  if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
    script_tag(name : "solution" , value : tag_solution);
    script_tag(name : "summary" , value : tag_summary);
  }
  script_xref(name : "URL" , value : "");
  exit(0);
}

include("");
include("");
include("");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# We test whether the hole exists by trying to echo magic (urlencoded
# as alt_magic for http) and checking whether we get it back.
magic = "logindomain xss vulnerability";
alt_magic = str_replace(string:magic, find:" ", replace:"%20");

# Test an install.
install = get_kb_item(string("www/", port, "/openwebmail"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];  # install directory captured by the pattern above
  url = string( dir, "/'", alt_magic, "')%3C/script%3E" );
  debug_print("retrieving '", url, "'.");
  req = http_get(item:url, port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
  if (isnull(res)) exit(0);  # can't connect
  debug_print("res =>>", res, "<<");
  # the magic string came back unescaped, so the parameter is reflected
  if (egrep(string:res, pattern:magic)) {
    security_warning(port);
  }
}
exit(0);
```

30 Insert Plugins (with certification)
OpenVAS Plugins: Insert Plugins (with certification)
1. script.nasl
2. # openvas-nasl -X script.nasl (insert without cert)
3. # vim /etc/openvas/openvassd.conf
   nasl_no_signature_check = no
4. Key generation
   # wget
   # gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc

31 Insert Plugins (with certification)
OpenVAS Plugins: Insert Plugins (with certification)
5. Set Trust
6. Detach Signature
   # gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o script.nasl.asc script.nasl
7. Add Certificate
   # gpg --homedir=/etc/openvas/gnupg --import script.nasl.asc
8. Parse & Execute
   # openvas-nasl -p -t script.nasl
   Load the Scanner & Rebuild the Manager

32 Openwebmail Vulnerabilities

33 Webmail Vuln. & OpenVAS Plugins
References:
- Openwebmail:
- Online Demo:
- NVT Signature:

34 Web Application (Blackboard)

35 DEMO: Web Application (Blackboard)
Description: Blackboard is the web application used by students to post their homework solutions; it is vulnerable to XSS and CSRF attacks.

36 DEMO: Web Application (Blackboard)
Story: You (the hacker) don't know the solution to the homework and want to steal the solutions from others. You also want to steal the final exam questions from the teacher in such a way that no one will find out it was you (i.e. like a ninja).

37 DEMO: Web Application (Blackboard)
Mission: Steal the solutions from "nerd"; make "badguy" steal the final exam Q/A for you; be the smartest guy (ninja, hacker) in the class.

38 DEMO: Web Application (Blackboard)
Wait a minute… where is OpenVAS??? We will make a security assessment of our web application using OpenVAS (in the near future).

39 Metasploitable 2
- Designed by HD Moore, now owned by Rapid 7 (to test their well-known tool Metasploit, for free)
- A special version of Ubuntu Linux 8.0.4
- A target machine with many built-in vulnerabilities
- A good platform to conduct security training, test security tools, and practice common penetration testing techniques.


41 Vulnerabilities
- Apache 2.2.8
- Tomcat Password
- Samba NDR Parsing Heap Overflow
- BIND libbind inet_network()
- PHP 5.2.6, 5.2.8
- PHP Fixed security issue
- VNC password is "password"
- Samba 'reply_netbios_packet' Nmbd Buffer Overflow
- cve
- HTML Output Script Insertion XSS
- Key algorithm rollover bug
- DNS service BIND 9.4.2
- MySQL a
- and so on…
About 135 in all. 40 are critical vulnerabilities!

42 List

43 OpenVAS Scan Report
Sadly, not as many results as there should be (using the Full and ultimate scan). Some NVTs do not have the full functionality of the original program or CVE check.

44 A Brief Example
We can use this vulnerability to log in remotely to the target as root and execute shell commands using the rsh-client service. (In Kali Linux: apt-get install rsh-client.)

45 Nmap NVT port scan
No result from the OpenVAS Nmap NVT feed: it cannot list all the open ports, while using nmap in Kali we get the full result. All the open ports are printed out by nmap along with their protocol or function. The NVT cannot take the place of the original program.

46 Remote Login
TCP port 512 is known as the "r" services, and has been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). First, install rsh-client. Then type in rlogin -l root , so…

47 Do something bad
Since we are SSH'd into the remote target, why not generate an SSH key (as we did in the homework), so next time we can access it without limit!

48 NVT Behind
Use the OID to look for the NVT and more information about it.

49 NVT Behind

```nasl
include("");
include("");

port = get_kb_item("Services/rexecd");
if(!port) port = 512;

# username is a string consisting of 260 "x" characters, as the slide describes
username = crap(data:"x", length:260);
rexecd_string = string(raw_string(0), username, raw_string(0), "xxx", raw_string(0), "id", raw_string(0));

soc = open_sock_tcp(port);
if(!soc) exit(0);  # nothing listening, or connection refused
send(socket:soc, data:rexecd_string);
buf = recv_line(socket:soc, length:4096);
close(soc);

# an rexecd answers an over-long username with an error byte (1) or a "too long" message
if(ord(buf[0]) == 1 || egrep(pattern:"too long", string: buf))
{
  register_service(port:port, proto:"rexecd");
  security_warning(port:port, protocol:"tcp");
}
```

50 NVT Structure

```nasl
# OpenVAS Vulnerability Test
# $Id$
# Description: [one-line-description]
#
# (copyright and writer information)

if(description)
{
  script_oid(FIXME);             # see
  script_version("$Revision$");  # leave as is, SVN will update this
  exit(0);
}

include("");  # in case you want to use a NASL library

# FIXME: the code.
```
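Before inserting a custom plugin, it helps to check its description block for the mistakes the slides warn about (slide 29's tag layout, slide 50's FIXME placeholders). The following is an added example, not code from the OpenVAS project: a small Python linter that extracts script_oid/script_id, script_version and the script_tag entries, and recomputes the CVSS v2 base score from cvss_base_vector to confirm it matches cvss_base. The weights are the CVSS v2 specification constants; the sample block is constructed to mirror the Open WebMail plugin, and the regexes assume the tag syntax shown on the slides.

```python
import re

# CVSS v2 base-metric weights (constants from the CVSS v2 specification).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
TAG_RE = re.compile(r'script_tag\(\s*name\s*:\s*"([^"]+)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)')

def cvss2_base_score(vector):
    """Base score for a CVSS v2 vector such as AV:N/AC:M/Au:N/C:N/I:P/A:N."""
    m = dict(part.split(":", 1) for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    score = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return int(score * 10 + 0.5) / 10  # round half up to one decimal, as the spec does

def lint_description(nasl_text):
    """Return the problems found in an NVT description block; an empty list means clean."""
    problems = []
    oid = re.search(r'script_oid\(\s*"?([^")]*)"?\s*\)', nasl_text)
    if oid is None and not re.search(r"script_id\(\s*\d+\s*\)", nasl_text):
        problems.append("no script_oid()/script_id() call")
    elif oid and not re.fullmatch(r"\d+(\.\d+)+", oid.group(1)):
        problems.append("script_oid() is not a dotted numeric OID: " + oid.group(1))
    if "script_version(" not in nasl_text:
        problems.append("no script_version() call")
    tags = dict(TAG_RE.findall(nasl_text))
    missing = [n for n in ("cvss_base", "cvss_base_vector") if n not in tags]
    problems += ["missing script_tag " + n for n in missing]
    if not missing:
        try:
            computed, declared = cvss2_base_score(tags["cvss_base_vector"]), float(tags["cvss_base"])
        except (KeyError, ValueError):
            problems.append("unparseable cvss_base or cvss_base_vector")
        else:
            if abs(computed - declared) > 0.05:
                problems.append(f"cvss_base {declared} does not match its vector (computed {computed})")
    return problems

# Constructed sample modelled on the Open WebMail plugin's description block (slide 29).
SAMPLE_NVT = '''if (description) {
  script_id(16463);
  script_version("$Revision: 17 $");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"risk_factor", value:"Medium");
  exit(0);
}'''
```

Running lint_description(SAMPLE_NVT) returns an empty list; feeding it the slide-50 template reports the script_oid(FIXME) placeholder and the missing CVSS tags.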

51 Nessus vs. OpenVAS

52 Lab Generation
- Webmail
- BlackBoard
- Metasploitable

53 Questions?
