Vulnerability Assessment Lab
To install OpenVAS 9 and its dependencies on our Kali Linux system we simply have to run
the following command:
openvas-setup
The setup script also downloads the NVT, SCAP and CERT feeds, so it takes a while, and it
prints the generated admin password at the end. Browse to the Greenbone Security
Assistant (https://127.0.0.1:9392 on a default Kali install), accept the self-signed certificate
warning and log in with the generated admin credentials. Change that password right away,
especially if the web interface is reachable from other machines:
openvasmd --user=admin --new-password=<new password>
After logging in on the web interface we’re redirected to the Greenbone Security Assistant
dashboard. From this point on we can start to configure and run vulnerability scans.
Starting and stopping OpenVAS
The last thing I want to point out before we head on with the installation of the virtual
appliance is how to start and stop the OpenVAS services. They may consume a lot of
resources while idle and they keep the manager and the web interface listening, so it is
advised to stop them when you’re not using OpenVAS:
openvas-stop
To start the OpenVAS services again, run:
openvas-start
Setting up the OpenVAS Virtual Appliance
Instead of installing OpenVAS on Kali Linux we can also install the OpenVAS virtual appliance
in a network and configure it to periodically run scans on the network. The virtual appliance
can be downloaded using the following link: http://www.openvas.org/vm.html
After downloading the virtual appliance from the OpenVAS website we have to configure a
new virtual machine. In this tutorial we will be using VMware but you can also use other
hypervisors such as Hyper-V on Windows or Oracle VirtualBox. In production environments
you will most likely use VMware ESXi, Microsoft Hyper-V or other hypervisors. Let’s start
with configuring a VM with the following specifications:
▪ Processor cores: 2
▪ RAM: 2 GB
▪ Hard disk: 10 GB
▪ Network: NAT (only when using VMware Workstation/Player or VirtualBox)
▪ CD/DVD drive: ISO (choose the downloaded ISO file as the medium)
▪ Guest operating system: Linux Kernel 4.x or later 64-bit (VMware) or Other Linux (64-bit) (VirtualBox)
For VMware Workstation the virtual machine will be configured as follows:
And for VMware ESXi we’ll create a virtual machine with the following specifications:
The next step is to boot the virtual machine which will take us to the following installation
menu:
Appliance login
Note: After the first reboot we’re presented with a different login screen, just wait until the
second reboot happens.
Here we can log in using the credentials we’ve created earlier in the installation process
(username: admin). After logging in we’re presented with the following message which tells
us OpenVAS has not been fully configured yet. From here we can proceed with the setup
process. Choose ‘Yes’ in the following menu to proceed with the setup process:
Choose ‘Yes’.
For our test setup we’ll keep the network configuration default and have it assigned an IP
address by our DHCP server. Optionally you can set a static IP address which is of course the
recommended option in a production environment. Choose ‘Ready’ to proceed:
The next step is to create a web-admin user, choose ‘Yes’ in the following menu:
Before we can actually start vulnerability scanning with OpenVAS 9, we have to complete
the following tasks:
Tip: Did you forget to write down or change your OpenVAS admin password? Check out the
installation tutorial to find out how to reset the admin password.
1 Creating a target in OpenVAS
The first step is to create and configure a target using the OpenVAS/Greenbone Security
Assistant web interface. This newly created target is selected in the following step where we
configure a scanning task.
In this section of the tutorial we will create a new scanning task. A scanning task defines
which targets will be scanned and also the scanning options such as a schedule, scanning
configuration and concurrently scanned targets and NVTs per host. In this tutorial we will
just create a scan task and use default scan configurations. In Vulnerability Scanning with
OpenVAS 9.0 part 3 (Will be published on: May 25 2018) we will have a more detailed look
into scanning configurations.
Enter the task name, target and schedule the task only once.
The newly created task will now appear in the task list as follows:
Now that we’ve configured the scan task and added the Metasploitable 2 machine to the
target list, all that remains is to run the task and wait for the results.
To run the newly created task we just have to click the green start button as follows:
Run the scan task.
The scan task will now execute against the selected target. Please note that a full scan may
take a while to complete. When you refresh the tasks page you can check the progress of
the running task:
Now that the vulnerability scan is finished we can browse to ‘Scans -> Reports’ in the top
menu. On the reports page we can find the report for the completed scanning task:
Discovered vulnerabilities.
When we click on the vulnerability name we get an overview of the details of that
vulnerability. The following details apply to the backdoor vulnerability in UnrealIRCd we’ve
covered in an earlier tutorial:
Vulnerability details.
Finally, we can also export the report in a variety of formats, such as XML, HTML and PDF.
We can do this by selecting the desired format from the drop-down menu and clicking the
green export icon as follows:
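An exported XML report is what you would feed into a ticketing system or a diff against last week's scan. The following is an added example, not code from the tutorial or from the OpenVAS project: it parses an export into a list of findings sorted by severity, drops results below the quality-of-detection threshold that the web interface hides by default (QoD 70), and summarises per host. The sample report is constructed by hand and only approximates the layout of an OpenVAS 9 XML export (report/report/results/result with name, host, port, nvt, threat, severity and qod children; the NVT OIDs are placeholders), so check the element names against a real export before relying on the XPaths.

```python
"""Turn an exported OpenVAS 9 XML report into a prioritised finding list."""
import xml.etree.ElementTree as ET

QOD_DEFAULT = 70  # GSA's default results filter hides findings with a lower QoD

# Constructed sample report (layout assumed, OIDs are placeholders).
SAMPLE_REPORT = """<report id="r-1" extension="xml" content_type="text/xml">
<report id="r-1">
<scan_run_status>Done</scan_run_status>
<results start="1" max="-1">
<result id="res-1">
<name>UnrealIRCd Backdoor</name><host>192.168.100.110</host><port>6667/tcp</port>
<nvt oid="1.3.6.1.4.1.25623.1.0.1"><name>UnrealIRCd Backdoor</name><cve>CVE-2010-2075</cve></nvt>
<threat>High</threat><severity>7.5</severity>
<qod><value>99</value><type>exploit</type></qod>
</result>
<result id="res-2">
<name>Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)</name>
<host>192.168.100.106</host><port>445/tcp</port>
<nvt oid="1.3.6.1.4.1.25623.1.0.2"><name>MS17-010</name><cve>CVE-2017-0143, CVE-2017-0144</cve></nvt>
<threat>High</threat><severity>9.3</severity>
<qod><value>97</value><type>remote_active</type></qod>
</result>
<result id="res-3">
<name>DCE/RPC and MSRPC Services Enumeration Reporting</name>
<host>192.168.100.106</host><port>135/tcp</port>
<nvt oid="1.3.6.1.4.1.25623.1.0.3"><name>DCE/RPC and MSRPC Services Enumeration Reporting</name><cve>NOCVE</cve></nvt>
<threat>Medium</threat><severity>5.0</severity>
<qod><value>80</value><type>remote_banner</type></qod>
</result>
<result id="res-4">
<name>Unconfirmed backdoor (banner match only)</name>
<host>192.168.100.110</host><port>general/tcp</port>
<nvt oid="1.3.6.1.4.1.25623.1.0.4"><name>Unconfirmed backdoor</name><cve>NOCVE</cve></nvt>
<threat>High</threat><severity>7.5</severity>
<qod><value>30</value><type>remote_probe</type></qod>
</result>
</results>
</report>
</report>"""


def scan_status(xml_text):
    """'Done', 'Running', 'Stopped', ... from the inner report element."""
    return ET.fromstring(xml_text).findtext(".//scan_run_status")


def parse_results(xml_text, min_qod=QOD_DEFAULT):
    """Return findings as dicts, highest severity first, skipping low-QoD results."""
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        qod = int(r.findtext("qod/value", default="0"))
        if qod < min_qod:
            continue  # same cut-off GSA applies; lower it to see weak evidence
        nvt = r.find("nvt")
        raw_cves = nvt.findtext("cve") if nvt is not None else ""
        cves = [c.strip() for c in (raw_cves or "").split(",")
                if c.strip() and c.strip() != "NOCVE"]
        findings.append({
            "host": r.findtext("host"),
            "port": r.findtext("port"),
            "name": r.findtext("name"),
            "oid": nvt.get("oid") if nvt is not None else None,
            "threat": r.findtext("threat"),
            "severity": float(r.findtext("severity", default="0")),
            "qod": qod,
            "cves": cves,
        })
    findings.sort(key=lambda f: (-f["severity"], f["host"], f["port"]))
    return findings


def per_host_summary(findings):
    """{host: {'High': n, 'Medium': n, ..., 'max_severity': x}} for quick triage."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["host"], {"max_severity": 0.0})
        s[f["threat"]] = s.get(f["threat"], 0) + 1
        s["max_severity"] = max(s["max_severity"], f["severity"])
    return summary


if __name__ == "__main__":
    print("scan status:", scan_status(SAMPLE_REPORT))
    for f in parse_results(SAMPLE_REPORT):
        print(f"{f['severity']:4.1f} {f['threat']:6} {f['host']:16} {f['port']:12} {f['name']}"
              f"  {','.join(f['cves'])}")
    print(per_host_summary(parse_results(SAMPLE_REPORT)))
```

Note that the constructed low-QoD "backdoor" result disappears from the default view exactly as it would in the web interface; run parse_results with min_qod=0 when you want to see what the scanner only suspected, which is where manual verification starts.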
Before we can run a scheduled task on specific hosts or subnets we have to create a list of targets.
To do this, click the ‘Targets’ menu item from the ‘Configuration’ menu and click the blue icon in the
top left corner to create a new target:
We’ll name the new target ‘Target list 192.168.100.1/24’. In the next section of the new target dialog
screen we can specify the target hosts using a few different options. We can either specify a manual
host (range), read the hosts from a file or create a target list from the host assets. The last option is
greyed out as we currently have no host assets in our inventory. When you have to scan multiple
subnets using a single target list it’s easier to read the hosts from a text file. To do this simply create a
text file and separate each target IP, range or CIDR block with a comma on a single line, as follows:
192.168.100.0/24,192.168.200.100-110,192.168.250.10
Every octet has to be in the range 0-255; an entry such as 192.168.300.10 is not a valid IPv4 address
and cannot be scanned, so check the file before importing it.
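Before importing such a file it is worth checking it, because one bad entry in a long list is easy to miss. The following is an added example, not code from the tutorial or from OpenVAS: it parses the comma-separated target syntax used above (single address, CIDR block, short range a.b.c.d-e, long range a.b.c.d-a.b.c.e), reports entries that are not valid IPv4 targets, and counts how many addresses the list covers, which is a good first estimate of scan time. The sample input is constructed and deliberately contains an entry with an out-of-range octet.

```python
"""Check an OpenVAS target file before creating the target in GSA."""
import ipaddress
import re

# Short range form used in the tutorial: 192.168.200.100-110
_SHORT_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")


def entry_bounds(entry):
    """Return (first, last) IPv4Address covered by one target-list entry.

    Raises ValueError for anything that is not a valid IPv4 target, e.g.
    an octet above 255 or a range whose end lies before its start.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if "/" in entry:
        # strict=False so a host address with a mask (192.168.100.1/24) is accepted
        net = ipaddress.IPv4Network(entry, strict=False)
        return net[0], net[-1]
    m = _SHORT_RANGE.match(entry)
    if m:
        prefix, lo, hi = m.groups()
        first, last = ipaddress.IPv4Address(prefix + lo), ipaddress.IPv4Address(prefix + hi)
    elif "-" in entry:
        lo, hi = entry.split("-", 1)
        first, last = ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip())
    else:
        first = last = ipaddress.IPv4Address(entry)
    if last < first:
        raise ValueError(f"range end before start: {entry}")
    return first, last


def expand_entry(entry):
    """All addresses of one entry (only sensible for small ranges)."""
    first, last = entry_bounds(entry)
    return [ipaddress.IPv4Address(a) for a in range(int(first), int(last) + 1)]


def validate_target_list(text):
    """Split a comma- (or newline-) separated target list into
    ([(entry, address_count), ...], [(entry, error_message), ...])."""
    ok, errors = [], []
    for raw in text.replace("\n", ",").split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            first, last = entry_bounds(entry)
            ok.append((entry, int(last) - int(first) + 1))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return ok, errors


def total_addresses(text):
    """Number of addresses a fully valid target list covers; raises on any bad entry."""
    ok, errors = validate_target_list(text)
    if errors:
        raise ValueError("; ".join(f"{e}: {msg}" for e, msg in errors))
    return sum(n for _, n in ok)


if __name__ == "__main__":
    # Constructed input: a target file with one invalid entry (octet 300)
    sample = "192.168.100.0/24,192.168.200.100-110,192.168.300.10"
    ok, errors = validate_target_list(sample)
    for entry, n in ok:
        print(f"{entry:24} {n:6d} addresses")
    for entry, msg in errors:
        print(f"{entry:24} INVALID: {msg}")
```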
Now that we’ve got our target list set up, let’s run a scan to discover hosts in the subnet we’ve
specified earlier in the target list. Go to ‘Scans – > Tasks’ in the top menu and create a new task:
For this task we will set the ‘Scan targets’ option to the newly created target list and we choose to add
the results to our assets. Then we will set the ‘Scan config’ to ‘Host Discovery’ and click the ‘Create’
button to create the new scan task:
Next, we run the newly created task by clicking the ‘Run task’ icon:
After the host discovery scan is finished we can find the results on the results page (Scans ->
Results):
The result list consists of all hosts that were discovered using ICMP or ARP Ping. We can also find
the discovered hosts in the assets section of OpenVAS:
We now have an overview of all hosts that responded to our host discovery probes, but this only tells
us that the host is alive. To get more information about these live hosts we can run a ‘System
Discovery’ scan. Before we run this scan let’s have a look at what it exactly does. Go to ‘Configuration
-> Scan configs’ and click the System Discovery scan config:
When we click the NVT family entries we can see that the System Discovery scan uses various
checks to determine the operating system and to discover SMB servers, printers and various
services. Now that we know what this scan does let’s run it on a few targets. From the discovered
hosts we’ve selected a few targets and included them in a new custom target list:
Then we create a new scan task, select the custom target list and finally choose the ‘System
Discovery’ scan:
Another interesting update took place in the assets section. When we browse to Assets -> Operating Systems we
Now that we’ve discovered the live hosts on the 192.168.100.1/24 subnet, created a custom target list
based on these hosts and ran some scans, let’s run a Full & Fast vulnerability scan. The Full & Fast
vulnerability scan is a balanced scan config that is optimized to provide the best results in the least
amount of time. This type of scan probes for the most NVTs and uses previously collected
information. Let’s set up this scan by creating a new task:
Again, we use the custom target list we’ve created earlier and select the Full & Fast scan config. In
the task settings you can also specify how many hosts will be scanned simultaneously and how many
NVTs run concurrently per host. When you’re targeting many hosts with a relatively heavy scan config,
make sure the scanning machine has enough resources available to effectively perform the scan task.
Also keep in mind that scanning many hosts at once with this type of scan generates a lot of network
traffic and might even crash services and hosts, so agree on a scan window and keep the concurrency
settings conservative on production networks. For this demonstration we’ve scanned one host with 20
NVTs at the same time. After a little over 1 hour of scanning, OpenVAS came up with the following
results:
The discovered vulnerabilities range from information disclosure issues, such as ‘DCE/RPC and
MSRPC Services Enumeration Reporting’ for host 192.168.100.106, to more severe vulnerabilities
such as ‘Microsoft Windows SMB Server Multiple Vulnerabilities-Remote (4013389)’, better known as
MS17-010 and EternalBlue. OpenVAS also scans targets for known misconfigurations, of which ‘IIS
ASP.NET Application Trace Enabled’ is a nice example. A misconfiguration like enabled application
tracing can be abused by an attacker to view the details of recent web requests, and these requests
can include sensitive data such as POST requests with login credentials.
So far, the results are pretty interesting as we’ve found some serious vulnerabilities such as MS17-010.
We’ve also found different misconfigurations that allow attackers to retrieve sensitive data from our
systems, which can be used to access systems or provide useful information for later attack stages.
At this point I don’t want to go into too much detail about false positives, or even worse false
negatives, but scanning tools like OpenVAS can only detect vulnerabilities they have a check for. As I’m
scanning my own private lab machines I know there are a few vulnerabilities/misconfigurations that
OpenVAS didn’t pick up and they would go unnoticed without further testing. While OpenVAS did
reveal severe vulnerabilities, we cannot rely on scanning results entirely and therefore it is also
important to do manual testing in combination with automated scanning. In part 4 of Vulnerability
scanning with OpenVAS we will cover false negatives (undetected vulnerabilities) and we’ll have a
look at what we can do to avoid this. In the next section we will have a look at how to perform
credentialed scans with OpenVAS.
Until now we’ve only scanned targets for vulnerabilities from the network perspective, such as
vulnerable web servers, SMB and FTP servers. We can also supply credentials in the target
configuration so that OpenVAS is able to sign in and check for local vulnerabilities such as security
issues in kernels and installed software, for example vulnerabilities that allow for privilege escalation.
Another way of using credentials is to check a target for default or easy to guess credentials, such as
admin/admin. In this case OpenVAS will try the given credentials on a target and report back if they
worked. A good use case for this would be adding a vendor default when you’re scanning (a range of)
Cisco devices: you could add cisco/cisco as username and password, or just the username. Keep in
mind that a scanning credential is a valid login on every target it is configured for, so treat the
credential store on the OpenVAS host as sensitive and use a dedicated scan account rather than a
personal or shared admin account. For this demonstration we will scan Metasploitable 2 and supply
admin credentials.
To run credentialed scans on a target we have to create credentials first by going to ‘Configuration ->
Credentials’ and click the blue star icon to create a new set of credentials:
We’ll name it ‘MS2’ and supply the default credentials for Metasploitable 2 (username and password:
msfadmin). The next step is to create a new target, enter the target IP address and specify the newly
created credentials for SSH access so OpenVAS is able to run authenticated checks:
From here you’ll have to create a new scanning task and run it as we already did a few times during
this tutorial. Now that we’ve supplied the credentials, local vulnerabilities will be included in the report
once the scan is finished.
The last topic that we’ll cover in this tutorial is scan task scheduling. Task scheduling is particularly
useful when you want to scan a host or network ranges on a regular basis during pre-specified hours.
Let’s say we want to run a vulnerability scan on the company network at night when there’s little to no
traffic. In this case we can create a daily schedule that runs every day at 11 PM. Let’s have a look at
how to do this.
First, we need to create a schedule which we will then assign to a scanning task. To create a
schedule, go to Configuration -> Schedules, create a new schedule and specify the desired
parameters:
This schedule will run the vulnerability scan every day at 11 PM starting today. The only thing that
remains is to create a new scanning task and assign the schedule:
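The target, task, credential and schedule steps above are all clicked through in the web interface; for recurring work you would script them over the OpenVAS Management Protocol (OMP) instead. The following is an added example, not code from the tutorial or from the OpenVAS project: it builds the OMP requests for those steps (a target with an SSH credential, a daily 11 PM schedule, a task with the concurrency settings discussed earlier, and start_task) and parses the manager's replies, including the error case. Assumptions not on the page: the element and attribute names as I remember them from OMP 7 (create_target with ssh_credential, create_task with config/target/scanner/schedule ids and max_hosts/max_checks preferences, create_schedule with first_time plus period and timezone), the three UUIDs that OpenVAS 9 ships with, and the omp command-line client's -X option; check them against your own manager (for example omp -X '<help/>') before use.

```python
"""Build OMP 7 (OpenVAS 9) requests for the GUI steps above and parse the replies."""
import datetime as dt
import subprocess
import xml.etree.ElementTree as ET

# UUIDs assumed to be the ones OpenVAS 9 ships with; confirm on your manager
# with  omp -X '<get_configs/>'  and  omp -X '<get_scanners/>'.
FULL_AND_FAST = "daba56c8-73ec-11df-a475-002264764cea"
HOST_DISCOVERY = "2d3f051c-55ba-11e3-bf43-406186ea4fc5"
OPENVAS_SCANNER = "08b69003-5fc2-4037-a479-93b440211c73"


class OMPError(Exception):
    """The manager answered with a non-2xx status."""


def _xml(el):
    return ET.tostring(el, encoding="unicode")


def create_target_xml(name, hosts, ssh_credential_id=None, ssh_port=22):
    """<create_target>; hosts uses the same comma syntax as the target file."""
    root = ET.Element("create_target")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "hosts").text = ",".join(hosts)
    if ssh_credential_id:  # credentialed (authenticated) scan
        cred = ET.SubElement(root, "ssh_credential", id=ssh_credential_id)
        ET.SubElement(cred, "port").text = str(ssh_port)
    return _xml(root)


def create_schedule_xml(name, hour=23, minute=0, start=None, tz="UTC"):
    """Daily schedule (first_time + period), e.g. every day at 11 PM from today."""
    start = start or dt.date.today()
    root = ET.Element("create_schedule")
    ET.SubElement(root, "name").text = name
    first = ET.SubElement(root, "first_time")
    for tag, val in (("minute", minute), ("hour", hour), ("day_of_month", start.day),
                     ("month", start.month), ("year", start.year)):
        ET.SubElement(first, tag).text = str(val)
    period = ET.SubElement(root, "period")
    period.text = "1"  # every 1 <unit>
    ET.SubElement(period, "unit").text = "day"
    ET.SubElement(root, "timezone").text = tz
    return _xml(root)


def create_task_xml(name, target_id, config_id=FULL_AND_FAST, scanner_id=OPENVAS_SCANNER,
                    schedule_id=None, max_hosts=1, max_checks=20):
    """<create_task>; max_hosts = hosts scanned at once, max_checks = NVTs per host."""
    root = ET.Element("create_task")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "config", id=config_id)
    ET.SubElement(root, "target", id=target_id)
    ET.SubElement(root, "scanner", id=scanner_id)
    if schedule_id:
        ET.SubElement(root, "schedule", id=schedule_id)
    prefs = ET.SubElement(root, "preferences")
    for key, val in (("max_hosts", max_hosts), ("max_checks", max_checks)):
        p = ET.SubElement(prefs, "preference")
        ET.SubElement(p, "scanner_name").text = key
        ET.SubElement(p, "value").text = str(val)
    return _xml(root)


def start_task_xml(task_id):
    return _xml(ET.Element("start_task", task_id=task_id))


def parse_response(xml_text):
    """Return {'status', 'status_text', 'id'} from a *_response element; raise
    OMPError for anything outside 2xx (400 bad request, 404 unknown id, ...)."""
    el = ET.fromstring(xml_text)
    status = int(el.get("status", "0"))
    if not 200 <= status < 300:
        raise OMPError(f"{el.tag}: {status} {el.get('status_text', '')}")
    return {"status": status, "status_text": el.get("status_text", ""), "id": el.get("id")}


def run_omp(xml_cmd, host="127.0.0.1", port=9390, user="admin", password=None):
    """Send one command through the omp client shipped with OpenVAS 9 (-X/--xml).
    Passing -w puts the password in the process list; prefer the client's
    config file for unattended runs."""
    cmd = ["omp", "-h", host, "-p", str(port), "-u", user]
    if password:
        cmd += ["-w", password]
    cmd += ["-X", xml_cmd]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_response(out)


if __name__ == "__main__":
    # Dry run: print the requests in the order the GUI steps happen. With a live
    # manager, feed each through run_omp and pass the returned id to the next step.
    print(create_target_xml("Target list 192.168.100.1/24", ["192.168.100.0/24"]))
    print(create_schedule_xml("Nightly 23:00"))
    print(create_task_xml("Nightly full scan", "<target id>", schedule_id="<schedule id>"))
```

The id the manager returns for create_target is what create_task needs, and the task id from create_task is what start_task needs; keeping those three calls in one script makes the nightly setup reproducible and reviewable, which is harder to guarantee with clicks in the web interface.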