Group5_OpenVAS_Final_Presentation_ver_ult
advertisement
OpenVAS —A how-to guide
about the most popular
vulnerability test tool
Team Members: Yingchao Zhu; Chen
Qian; Xingyu Wu; XuZhuo Zhang;
Igibek Koishybayev;
1
EC521: Cybersecurity OpenVAS
OpenVAS Architecture
2
EC521: Cybersecurity OpenVAS
Our Environment
DVWA + XAMPP
OpenWebMail
Metasploitable
Blackboard
3
EC521: Cybersecurity OpenVAS
Question: How to perform a
normal scan with OpenVAS?
4
EC521: Cybersecurity OpenVAS
How to find the command set?
•
•
•
•
•
•
•
Solution:
#openvas ‘double tab’
OpenVAS-Scanner: openvassd
openvas-mkcert
openvas-nvt-sync
OpenVAS-Manager: openvasmd
OpenVAS-Client:
openvas-cli
Greenbone-Security-Assistant: gsad
5
EC521: Cybersecurity OpenVAS
How to find the command set?
•
•
•
•
openvas-setup
openvas-check-setup
openvas-nvt-sync
openvas-nasl
Reference:
http: //www.openvas.org/setup-and-start.html
https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-auditthe-security-of-remote-systems-on-ubuntu-12-04
6
EC521: Cybersecurity OpenVAS
Target -- XAMPP
XAMPP's name is an acronym for:
X (to be read as "cross", meaning cross-platform)
Apache HTTP Server
MySQL
PHP
Perl
It is a completely free, easy to install Apache
distribution containing MySQL, PHP, and Perl.
Reference: https://www.apachefriends.org/index.html
http://en.wikipedia.org/wiki/XAMPP
EC521: Cybersecurity OpenVAS
7
Set a target
8
EC521: Cybersecurity OpenVAS
Create a task
9
EC521: Cybersecurity OpenVAS
Get the result
10
EC521: Cybersecurity OpenVAS
Question: How to insert
plugins into OpenVAS?
11
EC521: Cybersecurity OpenVAS
Webmail Vuln. & OpenVAS Plugins
Content
1. Webmail environment
2. Web-app scanning
3. Insert plugins
12
EC521: Cybersecurity OpenVAS
Webmail Environment
Mail Server Set-Up Environment (Local)
OS
: CentOS-6.5
SMTP
: Postfix-2.6 + Sasl
IMAP/POP3
: Dovecot-2.0
Web
: Apache-2.2
Webmail
: Openwebmail-2.30 (perl)/
[Squirrelmail-1.4.22 (php)]
localhost/cgi-bin/openwebmail/openwebmail.pl
EC521: Cybersecurity OpenVAS
13
14
EC521: Cybersecurity OpenVAS
Network Vulnerability Tests
NVTs
The OpenVAS project maintains a public feed of more than
35,000 NVTs (as of April 2014)
Command openvas-nvt-sync for online-synchronisation
from the feed service.
Based on NASL scripts
(Nessus Attack Scripting Language)
EC521: Cybersecurity OpenVAS
15
Q1: Locate required NVT scripts
Security Tools INTERGRATED:
Portscanner: NMAP, pnscan, strobe
IPsec VPN scanning&fingerprinting: ike-scan
Web server scanning: Nikto
OVAL Interpreter: ovaldi
web application attack and audit framework: w3af
16
EC521: Cybersecurity OpenVAS
A1: Locate required NVT scripts
(from Kali)
Location: /var/lib/openvas/plugins
Find: ls | grep ‘specific_scripts’
17
EC521: Cybersecurity OpenVAS
A1: Locate required NVT scripts
(from Greenbone Security Assistant)
Secinfo Management => NVTs => Help: Powerfilter
Family=“Web application abuses”
Name~“openwebmail”
18
EC521: Cybersecurity OpenVAS
A1: Locate required NVT scripts
# … introduction comments, description …
if (description) {
script_id(16463);
script_version("$Revision: 17 $");
script_tag(name:"last_modification", value:"$Date: 2013-10-27 15:01:43 +0100 (Sun, 27 Oct
2013) $");
script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
script_tag(name:"cvss_base", value:"4.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_tag(name:"risk_factor", value:"Medium");
script_cve_id("CVE-2005-0445");
script_bugtraq_id(12547);
script_xref(name:"OSVDB", value:"13788");
#…
http://www.openvas.org/openvas-nvt-feed.html
EC521: Cybersecurity OpenVAS
19
Q2: Scan Webmail (Application)
20
EC521: Cybersecurity OpenVAS
A2: Scan Webmail (Application)
Configuration => Scan Configs => New Scan Config
Scan Settings:
Http Login Page
21
Login configurations
EC521: Cybersecurity OpenVAS
A2: Scan Webmail (Application)
22
EC521: Cybersecurity OpenVAS
Q3: Implement OpenVAS Plugins
Plugin Extension?
23
EC521: Cybersecurity OpenVAS
A3: Insert OpenVAS Plugins
1. script.nasl
2. # openvas-nasl -X script.nasl (insert without cert)
3. # vim /etc/openvas/openvassd.conf
nasl_no_signature_check = no
24
EC521: Cybersecurity OpenVAS
A3: Insert OpenVAS Plugins
4. Key generation
# gpg --homedir=/etc/openvas/gnupg --gen-key
# wget http://www.openvas.org/OpenVAS_TI.asc
# gpg --homedir=/etc/openvas/gnupg --import
OpenVAS_TI.asc
25
EC521: Cybersecurity OpenVAS
A3: Insert OpenVAS Plugins
5. Set Trust
# gpg --homedir=/etc/openvas/gnupg --list-keys
# gpg --homedir=/etc/openvas/gnupg --lsign-key
XXXXXXXXX
6. Detach Signature
# gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o
script.nasl.asc script.nasl
26
EC521: Cybersecurity OpenVAS
A3: Insert OpenVAS Plugins
7. Add Certificate
# gpg --homedir=/etc/openvas/gnupg --import script.nasl.asc
8. Parse & Execute
# openvas-nasl –p –t script.nasl
9. Copy plugins to /var/lib/openvas/plugins
Load Scanner & Rebuild Manager
# openvassd #openvasmd --rebuild
27
EC521: Cybersecurity OpenVAS
A3: Insert OpenVAS Plugins
Plugin found!
Flexible and Extendable
28
EC521: Cybersecurity OpenVAS
Webmail Vuln. & OpenVAS Plugins
References
Openwebmail:
http://www.openwebmail.org/
Web App Scan:
http://www.greenbone.net/learningcenter/task_webappscan.html
http://www.tenable.com/blog/scanning-web-applications-that-require-authentication
NVT Feed:
http://www.openvas.org/openvas-nvt-feed.html
NVT Signature:
http://www.openvas.org/trusted-nvts.html
29
EC521: Cybersecurity OpenVAS
Question: How to understand
NASL Script language?
30
EC521: Cybersecurity OpenVAS
NASL Language
NASL is a scripting language designed for the Nessus
security scanner. Its aim is to allow anyone to write a
test for a given security hole in a few minutes, to allow
people to share their tests without having to worry about
their operating system, and to guarantee everyone that a
NASL script can not do anything nasty except
performing a given security test against a given target.
Reference: http://virtualblueness.net/nasl.html
EC521: Cybersecurity OpenVAS
31
NVT Structure
# OpenVAS Vulnerability Test //
# $Id$ //
# Description: [one-line-description] //
(copyright and writer information)
if(description) //
script_oid(FIXME); # see http://www.openvas.org/openvas-oids.html
//
script_version("$Revision$"); # leave as is, SVN will update this //
…
include("FIXME.inc"); # in case you want to use a NASL library
# FIXME: the code. //
32
Metasploitable 2
Designed by HD Moore, Now owned by Rapid 7
(To test their well-known tool metasploit, for free)
A special version of Ubuntu Linux 8.0.4
A target machine with many built-in
vulnerabilities
A good platform to conduct security training, test
security tools, and practice common penetration
testing techniques.
33
34
Vulnerbilities
Apache 2.2.8, Tomcat Password , Samba NDR Parsing,
Heap Overflow, BIND libbind inet_network(), PHP
5.2.12, 5.2.6, 5.2.8, PHP Fixed security issue, VNC
password is "password“, Samba 'reply_netbios_packet'
Nmbd Buffer Overflow, cve-2012-1667, HTML Output
Script Insertion XXS, Key algorithm rollover bug,
DNS service BIND 9.4.2, MySQL 5.0.51a and so on…
About 135 in All. 40 are critical vulnerabilities!
35
List
36
OpenVAS Scan Report
Sadly not as much result as it should be. (Using the full ultimate scan) .
Some NVTs don’t have the full function as the original program or CVE.
37
A Brief Example
We can use this vulnerability to remote login into the target as the root, and execute shell
commands using the rsh-client servise.( In Kali Linux, apt-get install rsh-client.)
38
Nmap NVT port scan
No result in the Openvas NVT Nmap feed. It can’t list all the open ports while using the nmap
in kali, we can get the full result.
All the open ports are printed out in nmap as well
as their protocol or function. NVT can’t take the
place of the original program.
39
Is vulnerability working?
Remote Login
TCP ports 512 is known as "r" services, and have been misconfigured to allow
remote access from any host (a standard ".rhosts + +" situation).Fisrt, install rshclient. Then type in rlogin -l root 192.168.99.131, so…
40
Do something bad
Since we are SSH with the remote target, why not generate
the SSH (as we did in homework), so next time we can
access unlimitedly!
41
Question: How to use OID to get
NVT’s feed?
Use OID To look for the NVT and more information with it
42
NVT Core
include("revisions-lib.inc"); //
include("misc_func.inc"); //
port = get_kb_item("Services/rexecd"); //
if(!port)port = 512; //
//username is a string consist of 260 “x”
rexecd_string = string(raw_string(0), username, raw_string(0), "xxx",
raw_string(0), "id", raw_string(0)); //
soc = open_sock_tcp(port); //
send(socket:soc, data:rexecd_string); //
buf = recv_line(socket:soc, length:4096); //
if(ord(buf[0]) == 1 || egrep(pattern:"too long", string: buf)) //
register_service(port:port, proto:"rexecd"); //
security_warning(port:port, protocol:"tcp"); //
43
Summary
1. Our purpose of the lab generation
2. Completely use of the penetration tool
3. Practical use of OpenVAS
For attacker: Exploit, Sniff
For defender: Assess, Patch
4. Brief assessment of OpenVAS
Open source
Client-server structure
Extended and flexible NVT feed
Security and authentication
44
Blackboard: Demo
45
Questions?
46
EC521: Cybersecurity OpenVAS
