
TUTORIAL - Vulnerability scanning with OpenVAS

Discussion in 'Vulnerability Identification' started by Witranx, Apr 1, 2013.

  1. Witranx

    Witranx Staff Member

    If you are a Sysadmin, IT Manager or Security Manager, you need to protect your network. You need to know where your weaknesses are, so that you can put together a plan to fix them.

    You are a busy guy, and the business where you work doesn't really want to spend all its hard-earned cash on vulnerability scanning software (without good justification). If you can't justify a full external pentest (EPT) or internal vulnerability assessment (IVA), you are the guy on the ground, and your company's security is your problem.

    Increasing costs

    Vulnerability scanners can be expensive. Nessus (which used to be free) is now a pay-for subscription-based service, and other scanners such as SAINT are not cheap either.

    Core-impact, for example, is an awesome piece of software, well worth purchasing if you are a professional Pentesting company with lots of clients, but way outside the IT Security budget of most companies.

    Free solution

    So, thank goodness for open-source software; OpenVAS to the rescue.

    Here we take a look at the basic setup process, using OpenVAS on Backtrack4, and do some scans to see what results we get, and how useful they are.

    Setting up and updating OpenVAS

    Before we start, it is very important that access to your vulnerability scanner is secure. This system is going to hold all the data from your scans. It will hold information detailing vulnerable systems, systems with configuration errors, weak passwords, missing patches, etc. You definitely don't want this information to fall into the hands of an attacker.

    Using OpenVAS

    I will cover here getting OpenVAS set up on Backtrack from the command line, because it looks to me that this is the easier way to use it in the long run.

    Setting up the credentials

    First create a certificate for your server (such that the communications are secured)
    Code:
    openvas-mkcert


    (Accept the defaults for testing purposes, or fill in the details correctly, the choice is yours)

    Now we will create a user for administration

    Code:
    openvas-adduser


    Enter a user, select password as the authentication method, set a password, and skip the rule creation with Ctrl-D. Don't forget this username and password, we will need it below, and in the future for running further scans and accessing scan reports.

    Updating the OpenVAS signatures

    Next we need to update our scan signatures, which can be done as follows.
    Code:
    openvas-nvt-sync


    You will see lots of information whiz past as the updates are performed. This may take a few minutes to run, so be patient.

    Starting the scanner and performing a scan

    Once you have downloaded the latest updates, you can start the scanner and client, and do a basic scan.

    First we need to start the scanner:

    Code:
    openvassd


    You will see the plug-ins being loaded, which should take a minute or so on a fast system (If this takes a long time you should consider the hardware you are running this system on. It needs some power).

    To open the client interface type:

    Code:
    OpenVAS-Client


    To run our first scan, click on the "Scan Assistant" top left. Give the task a scope and name, add the subnets or hosts you want to scan, and then click "execute". (I suggest starting with a single host)

    Authenticating to the scanner to start the scan


    The dialog will ask you to authenticate to the scanner with the credentials you supplied above.

    If you get an authentication failure (I have had a few issues with this dialog at times) check that your scanner is running on port 9390 by running the command:
    Code:
    netstat -antp | grep 9390


    If not, stop it and start it again with the following commands:
    Code:
    pkill openvassd

    Code:
    openvassd


    Scanning progress

    You will see a blue progress bar (the UI may then hang for a bit, but that will clear); confirm with OK, and your scan should start shortly.

    You should then see the scan dialog below. Depending on the number of hosts you are scanning, this may take a long time to complete. Be patient.

    I advise starting by scanning small numbers of machines, and then work up to larger groups as you get more familiar with it, and progress in experience.


    The report

    When the scan completes, you will get a report. The items that need urgent attention will be detailed with a "no entry" sign. There will likely also be warnings and other informational messages.

    Bear in mind, that whether vulnerabilities pose a real threat is very much dependent on the location and purpose of the systems in question.


    Are the threats real?

    I have often seen false positives in vulnerability scans where, after further investigation, the highlighted threats simply do not exist, so take care to examine the reports with a questioning mind. Often there are non-issues flagged. This is where analysis, experience, knowledge and evaluation come into play.

    Additionally, many companies will have lots of internal systems that have numerous services running on them. These may be flagged as having potential vulnerabilities, though this may not be a relevant issue if the systems are running purely in an internal LAN environment (as long as there are no attackers on the internal LAN).

    However, if public facing systems, that have firewall ports open to the internet, have similar vulnerabilities, then this is much more of a problem, and would likely need to be addressed as soon as practical.

    In short, all these vulnerabilities need to be put into context and prioritized - You don't want to spend all of your time fixing non-problems, you need to prioritize and focus on the most pressing issues.

    Planning remediation

    Now you have found all these problems, and prioritized the most urgent issues, it is time to have a chat with your management team, and get some focus and agree timescales/resources to fix them.


    OpenVAS is not a "magic" solution

    Take all this with a pinch of salt though; vulnerability scanners are automated systems, and are limited in their scope and flexibility.

    Vulnerability scanning is not the same as penetration testing, and a skilled Pentester or Ethical Hacker will likely find many issues that an automated vulnerability scan would miss (I certainly have).
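    The bring-up steps from the post above (update the signatures, start openvassd, check that port 9390 is listening, and kill/restart it if not), wrapped in a re-runnable script. This is an added example, not code from the original post or from the OpenVAS project. It assumes the same OpenVAS 3-era commands the post uses (openvas-nvt-sync, openvassd, netstat -antp, pkill), that openvassd puts itself in the background once its plug-ins are loaded, and that it listens on TCP 9390 as the post says; the scanner_listening function, the polling loop and its 120-second limit are my own additions.

```bash
#!/bin/sh
# Added example (not from the original post or the OpenVAS project):
# re-runnable bring-up for the OpenVAS 3-era setup the post describes.
# Assumes openvas-nvt-sync and openvassd are on PATH, that openvassd goes
# into the background after loading its plug-ins, and that it listens on
# TCP 9390 (override with OPENVAS_PORT if yours differs).

OPENVAS_PORT="${OPENVAS_PORT:-9390}"

# scanner_listening NETSTAT_TEXT
# Succeeds when the given "netstat -antp" output contains a TCP socket in
# LISTEN state on $OPENVAS_PORT.  The text is passed in as an argument
# (instead of running netstat inside the function) so the check can be
# exercised offline against captured output.  Matching on the local
# address column and the LISTEN state avoids the false match a plain
# "grep 9390" gives for an established connection or for port 19390.
scanner_listening() {
    printf '%s\n' "$1" | awk -v port="$OPENVAS_PORT" '
        $1 ~ /^tcp/ && $4 ~ (":" port "$") && $6 == "LISTEN" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# wait_for_scanner SECONDS
# Poll until the daemon has opened its port; plug-in loading can take a
# minute or more on slow hardware, as the post warns.
wait_for_scanner() {
    secs=${1:-120}
    while [ "$secs" -gt 0 ]; do
        if scanner_listening "$(netstat -antp 2>/dev/null)"; then
            return 0
        fi
        secs=$((secs - 1))
        sleep 1
    done
    echo "openvassd did not start listening on port $OPENVAS_PORT" >&2
    return 1
}

# The post's recovery step: kill any stale daemon, start a fresh one,
# then wait for the port instead of guessing when it is ready.
restart_scanner() {
    pkill openvassd 2>/dev/null
    sleep 2
    openvassd || return 1
    wait_for_scanner 120
}

# Full sequence: refresh the NVT feed, then make sure a scanner is up.
bring_up() {
    openvas-nvt-sync || { echo "NVT sync failed" >&2; return 1; }
    if scanner_listening "$(netstat -antp 2>/dev/null)"; then
        echo "openvassd already listening on port $OPENVAS_PORT"
    else
        restart_scanner
    fi
}

# Only act when explicitly asked, so the file can be sourced for its
# functions without side effects.
case "${1:-}" in
    --run) bring_up ;;
esac
```

    Run it as `sh openvas-up.sh --run` once openvas-mkcert and openvas-adduser have been done; if the scanner still does not come up, the error on stderr tells you which step failed rather than leaving you with the client's authentication-failure dialog.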
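    One way to do the prioritising the post calls for ("put into context and prioritized"), as an added example that is not part of the original post and not an OpenVAS feature. It assumes you have exported the report to a CSV of host, class and description, using the post's three classes (hole for the "no entry" items, warning, note), and that you keep a separate inventory of which hosts are Internet-facing, in a DMZ or internal-only. Both files below are constructed sample data, not real scan output, and the scoring scheme (severity class times exposure) is my own; it is written so that a hole on an internal-only host ranks below a warning on an Internet-facing one, which is the post's point, and so that a host missing from the inventory is scored as if exposed rather than silently dropped to the bottom.

```bash
#!/bin/sh
# Added example (not from the original post or the OpenVAS project):
# rank scan findings by severity class AND network exposure so the
# "fix first" list reflects context, not just the scanner's own rating.
# All input below is constructed sample data.

# Write the two sample CSVs to a temp dir.  Findings: host,class,finding
# (class = hole | warning | note, the post's three report levels).
# Exposure inventory: host,exposure (internet | dmz | internal).
# 172.16.0.9 is deliberately absent from the inventory.
write_samples() {
    SAMPLE_DIR=$(mktemp -d)
    FINDINGS_FILE="$SAMPLE_DIR/findings.csv"
    EXPOSURE_FILE="$SAMPLE_DIR/exposure.csv"
    cat > "$FINDINGS_FILE" <<'EOF'
host,class,finding
10.0.0.5,hole,unpatched remote service
10.0.0.5,warning,self-signed certificate
192.168.1.20,hole,unpatched remote service
192.168.1.20,note,server banner disclosure
203.0.113.10,warning,legacy TLS version enabled
203.0.113.10,hole,remotely exploitable service flaw
172.16.0.9,warning,weak cipher suites
EOF
    cat > "$EXPOSURE_FILE" <<'EOF'
host,exposure
203.0.113.10,internet
10.0.0.5,dmz
192.168.1.20,internal
EOF
}

# triage FINDINGS_CSV EXPOSURE_CSV
# Prints "score,host,exposure,class,finding", highest score first.
#   score = severity weight (hole 3, warning 2, note 1)
#         x exposure weight (internet 3, dmz 2, internal 1)
# so an internal-only hole (3) sorts below an Internet-facing warning (6).
# Hosts missing from the inventory are labelled "unknown" and given the
# Internet weight, so a gap in the inventory can never hide a finding.
triage() {
    awk -F, '
        NR == FNR { if (FNR > 1) expo[$1] = $2; next }   # first file: inventory
        FNR == 1  { next }                                # skip findings header
        {
            sev = ($2 == "hole") ? 3 : (($2 == "warning") ? 2 : 1)
            e = expo[$1]
            if (e == "") e = "unknown"
            ew = (e == "internet" || e == "unknown") ? 3 : ((e == "dmz") ? 2 : 1)
            printf "%d,%s,%s,%s,%s\n", sev * ew, $1, e, $2, $3
        }' "$2" "$1" | sort -t, -k1,1nr -k2,2
}

# Demo run on the constructed data.
write_samples
triage "$FINDINGS_FILE" "$EXPOSURE_FILE"
rm -rf "$SAMPLE_DIR"
```

    The top of the list is what goes to the management meeting the post mentions; anything scored 6 or above is worth confirming by hand first, since the post's warning about false positives applies most to the items you are about to spend budget on.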
  2. sanimorphic_tux

    sanimorphic_tux New Member

    nice tutorial bro..
    autonomous and Witranx like this.
  3. danlix

    danlix New Member

  4. St3altH

    St3altH New Member

    tx, great!
  5. dragon

    dragon New Member

    thanks, good tutorial :D
  6. AfterBurn

    AfterBurn Member

  7. google

    google New Member

    great thanks for this tutorial :)
  8. erphidi

    erphidi New Member

    nice share bro
  9. OsBinHD

    OsBinHD New Member

    thanx mate, I will post ya tut to mines forum :) creds to ya anyway, respect...
  10. nulldev

    nulldev New Member

    I joined this site because I found this post on the interwebs..


    Code:
    OpenVAS-Client
    Is not a command (anymore?); the first few commands worked, but once I got to that, I had nowhere else to go.
  11. rawstring

    rawstring Staff Member

    Nice tutorial :D
  12. rEvolt!

    rEvolt! New Member

    Nice bro :D
    This thread is helpful
  13. __DG__

    __DG__ New Member

    can we get an update on this? - it would seem these instructions are somewhat deprecated with the newest releases.
  14. Premier

    Premier New Member

    Thanks... very self explanatory
