OpenVAS*the most popular(i.e. free) penetration test tool for

Report
OpenVAS —A how-to guide
about the most popular
vulnerability test tool
Team Members: Yingchao Zhu; Chen
Qian; Xingyu Wu; XuZhuo Zhang;
Igibek Koishybayev;
1
EC521: Cybersecurity OpenVAS
The objective: Lab generation
The objective of this project is to:
• Learn in detail about OpenVAS
• Give a presentation about OpenVAS to the
class(what we are doing now)
• Design an around 20-minute lab/tutorial making
use of this tool
We will also provide a solution manual for our
lab/tutorial.
2
EC521: Cybersecurity OpenVAS
An overview to OpenVAS
The Open Vulnerability Assessment Scanner known
more commonly as OpenVAS, is a suite of tools that
work together to run tests against client computers
using a database of known exploits and weaknesses.
The goal is to learn about how well your servers are
guarded against known attack vectors.
3
EC521: Cybersecurity OpenVAS
OpenVAS Architecture
4
EC521: Cybersecurity OpenVAS
OpenVAS Modules
Modules
•
•
•
•
•
•
Relevant Commands
OpenVAS-Scanner: openvassd
openvas-mkcert
openvas-nvt-sync
OpenVAS-Manager: openvasmd
OpenVAS-Client:
openvas-cli
Greenbone-Security-Assistant: it is an web
interface
5
EC521: Cybersecurity OpenVAS
Several significant commands
•
•
•
•
•
openvas-setup
openvas-check-setup
openvas-nvt-sync
openvassd --help for more imformation
openvasmd --help for more imformation
Reference: http: //www.openvas.org/setup-and-start.html
https://www.digitalocean.com/community/tutorials/how-to-useopenvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04
6
EC521: Cybersecurity OpenVAS
7
EC521: Cybersecurity OpenVAS
Environment Build-up procedure
• Build up the working environment
• Kali linux OS(set up on virtual machine)
• Install OpenVAS in Kali linux
• Use ‘openvas-check-setup’ to check the
Installation
• OpenVAS Mkcert (process to create certificate
of SSL) , this is a very important step!
• NVT synchronization: openvas-nvt-sync
• Start OpenVAS Scanner
EC521: Cybersecurity OpenVAS
9
Environment Build-up procedure
• Start OpenVAS Manager
• Use ‘OpenVAS-mkcert-client –n om –I’ to create
certificate for OpenVAS Manager
• Create admin/user for GSA web client:
openvasad -c add_user -n admin -r Admin
• openvasmd –rebuild
• openvasmd –p 9390 –a 127.0.0.1
10
EC521: Cybersecurity OpenVAS
Environment Build-up procedure
• Openvasad –a 127.0.0.1 –p 9393
• Ogsad –http-only –listen=127.0.0.1 –p 9392
Congratuations!!
• GSA location: https://localhost:9392
• Open it by web browser you will be very likely to
see the next slide’s picture
11
EC521: Cybersecurity OpenVAS
I am not a
bad guy
12
EC521: Cybersecurity OpenVAS
Question: How to perform a
normal scan with OpenVAS?
13
EC521: Cybersecurity OpenVAS
Target -- XAMPP
XAMPP's name is an acronym for:
X (to be read as "cross", meaning cross-platform)
Apache HTTP Server
MySQL
PHP
Perl
It is a completely free, easy to install Apache
distribution containing MySQL, PHP, and Perl.
Reference: https://www.apachefriends.org/index.html
http://en.wikipedia.org/wiki/XAMPP
EC521: Cybersecurity OpenVAS
14
Set a target
15
EC521: Cybersecurity OpenVAS
Create a task
16
EC521: Cybersecurity OpenVAS
Get the result
17
EC521: Cybersecurity OpenVAS
Question: What is NASL
Language?
18
EC521: Cybersecurity OpenVAS
NASL Language
NASL is a scripting language designed for the Nessus
security scanner. Its aim is to allow anyone to write a
test for a given security hole in a few minutes, to allow
people to share their tests without having to worry about
their operating system, and to guarantee everyone that a
NASL script can not do anything nasty except
performing a given security test against a given target.
Reference: http://virtualblueness.net/nasl.html
EC521: Cybersecurity OpenVAS
19
NASL Plugin
How to write and implement our own plugins?
• Copy our plugins to OpenVAS plugin directory:
/var/lib/openvas/plugins
• Load plugins :
openvassd
• rebuild the library
openvasmd –rebuild
If you want to attach signature and certificate for your plugin
Please refer to: http://www.openvas.org/trusted-nvts.html
EC521: Cybersecurity OpenVAS
20
Webmail Vulnerability
& OpenVAS Plugins
21
EC521: Cybersecurity OpenVAS
Webmail Vuln. & OpenVAS Plugins
Content
1. Webmail environment
2. Vulnerability tests
3. Insert your plugins
22
EC521: Cybersecurity OpenVAS
Webmail Vulnerability
Mail Server Set-Up Environment (Local)
OS
: CentOS-6.5
SMTP
: Postfix-2.6 + Sasl
IMAP/POP3
: Dovecot-2.0
Web
: Apache-2.2
Webmail
: Openwebmail-2.30 (perl)/
[Squirrelmail-1.4.22 (php)]
localhost/cgi-bin/openwebmail/openwebmail.pl
EC521: Cybersecurity OpenVAS
23
24
EC521: Cybersecurity OpenVAS
OpenVAS Plugins
Network Vulnerability Tests (NVTs)
25
EC521: Cybersecurity OpenVAS
OpenVAS Plugins
NVTs
The OpenVAS project maintains a public feed of more than
35,000 NVTs (as of April 2014)
Command openvas-nvt-sync for online-synchronisation
from the feed service.
Based on NASL scripts
(Nessus Attack Scripting Language)
EC521: Cybersecurity OpenVAS
26
OpenVAS Plugins
Location: /var/lib/openvas/plugins
Security Tools INTERGRATED:
Portscanner: NMAP, pnscan, strobe
IPsec VPN scanning&fingerprinting: ike-scan
Web server scanning: Nikto
OVAL Interpreter: ovaldi
web application attack and audit framework: w3af
……
27
EC521: Cybersecurity OpenVAS
OpenVAS Plugins
NVTs Selection
28
EC521: Cybersecurity OpenVAS
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
include("revisions-lib.inc");
tag_summary = "The remote webmail server is affected by a cross-site scripting flaw.
OpenVAS Plugins
Description :
The remote host is running at least one instance of Open WebMail that
fails to sufficiently validate user input supplied to the 'logindomain'
parameter. This failure enables an attacker to run arbitrary script
code in the context of a user's web browser.";
tag_solution = "Upgrade to Open WebMail version 2.50 20040212 or later.";
if (description) {
script_id(16463);
script_version("$Revision: 17 $");
script_tag(name:"last_modification", value:"$Date: 2013-10-27 15:01:43 +0100 (Sun, 27 Oct 2013) $");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_tag(name:"risk_factor", value:"Medium");
script_cve_id("CVE-2005-0445");
script_bugtraq_id(12547);
script_xref(name:"OSVDB", value:"13788");
name = "Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability";
script_name(name);
desc = "
Summary:
" + tag_summary + "
Solution:
" + tag_solution; script_description(desc);
summary = "Checks for logindomain parameter cross-site scripting vulnerability in Open WebMail";
script_summary(summary);
script_category(ACT_ATTACK);
script_copyright("This script is Copyright (C) 2005 George A. Theall");
family = "Web application abuses";
script_family(family);
script_dependencies("openwebmail_detect.nasl");
script_require_ports("Services/www", 80);
if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "summary" , value : tag_summary);
}
script_xref(name : "URL" , value : "http://openwebmail.org/openwebmail/download/cert/advisories/SA-05:01.txt");
exit(0);
}
include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);
EC521: Cybersecurity OpenVAS
29
OpenVAS Plugins
Insert Plugins (with certification)
1. script.nasl
2. # openvas-nasl -X script.nasl (insert without cert)
3. # vim /etc/openvas/openvassd.conf
nasl_no_signature_check = no
4. Key generation
# wget http://www.openvas.org/OpenVAS_TI.asc
# gpg --homedir=/etc/openvas/gnupg --import
OpenVAS_TI.asc
EC521: Cybersecurity OpenVAS
30
OpenVAS Plugins
Insert Plugins (with certification)
5. Set Trust
6. Detach Signature
# gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o
script.nasl.asc script.nasl
7. Add Certificate
# gpg --homedir=/etc/openvas/gnupg --import script.nasl.asc
8. Parse & Execute
# openvas-nasl –p –t script.nasl
Load Scanner & Rebuild Manager
EC521: Cybersecurity OpenVAS
31
Openwebmail Vulnerbilities
32
EC521: Cybersecurity OpenVAS
Webmail Vuln. & OpenVAS Plugins
References
Openwebmail: http://www.openwebmail.org/
Online Demo: http://openwebmail.amcpl.net/
NVT Signature: http://www.openvas.org/trusted-nvts.html
33
EC521: Cybersecurity OpenVAS
Web Application (Blackboard)
34
EC521: Cybersecurity OpenVAS
DEMO: Web Application (Blackboard)
Description: Blackboard is the web application
used by students to post their homework
solutions, which vulnerable to XSS and CSRF
attack.
35
EC521: Cybersecurity OpenVAS
DEMO: Web Application (Blackboard)
Story on behalf: You (hacker) don’t know
solution to the homework and want to steal the
solutions from others. Also you want to steal
final exam questions from teacher in a such way
that no one will find out that it was you. (i.e. like
a ninja)
36
EC521: Cybersecurity OpenVAS
DEMO: Web Application (Blackboard)
Mission:
1. Steal the solutions from “nerd”;
2. Make “badguy” to steal final exam q/a for
you;
3. Be the smartest guy (ninja, hacker) in the
class;
37
EC521: Cybersecurity OpenVAS
DEMO: Web Application (Blackboard)
Wait a minute…where is OpenVAS???
We will make security assessment on our web
application using OpenVAS. (in near future)
38
EC521: Cybersecurity OpenVAS
Metasploitable 2
Designed by HD Moore, Now owned by Rapid 7
(To test their well-known tool metasploit, for free)
A special version of Ubuntu Linux 8.0.4
A target machine with many built-in
vulnerabilities
A good platform to conduct security training, test
security tools, and practice common penetration
testing techniques.
39
40
Vulnerbilities
Apache 2.2.8, Tomcat Password , Samba NDR Parsing,
Heap Overflow, BIND libbind inet_network(), PHP
5.2.12, 5.2.6, 5.2.8, PHP Fixed security issue, VNC
password is "password“, Samba 'reply_netbios_packet'
Nmbd Buffer Overflow, cve-2012-1667, HTML Output
Script Insertion XXS, Key algorithm rollover bug,
DNS service BIND 9.4.2, MySQL 5.0.51a and so on…
About 135 in All. 40 are critical vulnerabilities!
41
List
42
OpenVAS Scan Report
Sadly not as much result as it should be. (Using the full ultimate scan) .
Some NVTs don’t have the full function as the original program or CVE.
43
A Brief Example
We can use this vulnerability to remote login into the target as the root, and execute shell
commands using the rsh-client servise.( In Kali Linux, apt-get install rsh-client.)
44
Nmap NVT port scan
No result in the Openvas NVT Nmap feed. It can’t list all the open ports while using the nmap
in kali, we can get the full result.
All the open ports are printed out in nmap as well
as their protocol or function. NVT can’t take the
place of the original program.
45
Remote Login
TCP ports 512 is known as "r" services, and have been misconfigured to allow
remote access from any host (a standard ".rhosts + +" situation).Fisrt, install rshclient. Then type in rlogin -l root 192.168.99.131, so…
46
Do something bad
Since we are SSH with the remote target, why not generate
the SSH (as we did in homework), so next time we can
access unlimitedly!
47
NVT Behind
Use OID To look for the NVT and more information with it
48
NVT Behind
include("revisions-lib.inc"); //
include("misc_func.inc"); //
port = get_kb_item("Services/rexecd"); //
if(!port)port = 512; //
//username is a string consist of 260 “x”
rexecd_string = string(raw_string(0), username, raw_string(0), "xxx",
raw_string(0), "id", raw_string(0)); //
soc = open_sock_tcp(port); //
send(socket:soc, data:rexecd_string); //
buf = recv_line(socket:soc, length:4096); //
if(ord(buf[0]) == 1 || egrep(pattern:"too long", string: buf)) //
register_service(port:port, proto:"rexecd"); //
security_warning(port:port, protocol:"tcp"); //
49
NVT Structure
# OpenVAS Vulnerability Test //
# $Id$ //
# Description: [one-line-description] //
(copyright and writer information)
if(description) //
script_oid(FIXME); # see http://www.openvas.org/openvas-oids.html
//
script_version("$Revision$"); # leave as is, SVN will update this //
…
include("FIXME.inc"); # in case you want to use a NASL library
# FIXME: the code. //
50
Nessus VS. Openvas
51
Lab Generation
Webmail
BlackBoard
Metasploitable
52
EC521: Cybersecurity OpenVAS
Questions?
53
EC521: Cybersecurity OpenVAS

similar documents