
2011-08-30

Installing OpenVAS on BackTrack 5

In preparation for a talk I'll be giving at BSidesKC in October, I've been playing with BackTrack 5 and OpenVAS. OpenVAS was a little bit of a pain to get compiled on Ubuntu, but now that the OpenSUSE guys have built .DEB packages of a fairly recent version of OpenVAS (4.x), it's pretty easy to install on most modern Debian-derived systems. In fact, this works on Ubuntu Server as well, and I have tested it on 10.04 LTS. You just have to do it as root, like you'd do on BackTrack, because I was too lazy to write these instructions with "sudo" in front of each line (and using "| sudo tee -a" instead of the append-redirect for adding a quick line to the sources.list file).

This will be a rough post just to get my install notes down. The instructions on OpenVAS' website do not currently work as designed (however, I'm basing this post on them) and at the time of writing, the OpenSUSE build packages are broken in a number of ways that are easily fixed. For example, the openvas-scanner package provides a startup script in /etc/init.d, but the greenbone-security-assistant, openvas-manager and openvas-administrator packages do not. Some of the binaries are built to read files from /var/lib/openvas while others go for /usr/local/var/lib/openvas. Whatever. We'll deal with it. Also, a lot of these command lines are insanely long and probably will get cut off or line-wrapped by HiR's template. Copy. Paste. View Source. I trust our readers to be smart enough to figure that out.

Before starting, I recommend making sure you're up to date:


apt-get update && apt-get upgrade


Add the OpenVAS branch of the OpenSUSE Build Service to your apt sources, get the apt key and update your repository cache:


echo "deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/Debian_5.0/ ./" >> /etc/apt/sources.list
apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys BED1E87979EAFD54
apt-get update


Next, install all the fun packages and dependencies needed in one run of things. Consider adding "gsd" to this package list if you think you'll want to use the Greenbone Security Desktop GUI interface. I plan on doing no such thing.

apt-get -y install greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc alien rpm nsis fakeroot


Make some directories and some symlinks to compensate for the clustercoitus of path discrepancies in the OBS packages.

mkdir -p /var/lib/openvas/private /var/lib/openvas/CA
mkdir -p /usr/local/var/lib/openvas /usr/local/var/lib/openvas/users
ln -s /var/lib/openvas/users /usr/local/var/lib/openvas/users
ln -s /var/lib/openvas/CA /usr/local/var/lib/openvas/CA
ln -s /var/lib/openvas/private /usr/local/var/lib/openvas/private


Make the openvas server cert, fetch the latest NVT plugins, and make the client cert used by openvas-manager:

openvas-mkcert -q
openvas-nvt-sync
openvas-mkcert-client -n om -i


Start the OpenVAS Services manually, rebuilding the OpenVAS Manager database once you get openvassd started (it'll take a good couple of minutes to load all the plugins), and all that jazz. Hey, Greenbone Security Assistant (the Web UI) works over https when you install it this way! It would only do HTTP when I installed it from source.

openvassd
openvasmd --rebuild
openvasmd
openvasad
gsad


Add an admin-level account for yourself. I suggest a different username for the -u argument. -r specifies the role, and you want to leave that value set to "Admin" if you want to be able to do much with OpenVAS.

openvasad -c add_user -n axon -r Admin
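Here is the same procedure as a script you can run more than once. This is an added example, not part of the original post: it wraps the steps above so that a second run does not append a duplicate line to sources.list or trip over symlinks that already exist. It stops after the certificates and the NVT sync; start the daemons and add your user by hand as described above. Two things are this script's own assumptions rather than the post's: the cacert.pem path used as the "CA already exists" marker, and keeping the users directory under /var/lib/openvas with a symlink from /usr/local (the post creates the /usr/local one as a real directory).

```shell
#!/bin/sh
# Added example, not from the original post: the BackTrack 5 / Ubuntu 10.04
# install steps as a script that can be re-run safely. The sources.list entry
# is added only once, symlinks are created only when missing, and the CA is
# generated only if it does not exist yet. Run as root, as in the post.
set -eu

REPO_LINE='deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/Debian_5.0/ ./'
REPO_KEY='BED1E87979EAFD54'
PACKAGES='greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc alien rpm nsis fakeroot'

# append_once FILE LINE: append LINE unless an identical line is already in
# FILE (grep -x = whole line, -F = fixed string). A plain ">>" would add a
# duplicate source entry every time the script is re-run.
append_once() {
    file=$1; line=$2
    if [ -f "$file" ] && grep -qxF -- "$line" "$file"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$file"
}

# link_once TARGET LINK: create LINK -> TARGET unless LINK is already a
# symlink. A real directory in the way is reported as an error (1) rather
# than silently skipped, since the two paths would then not share data.
link_once() {
    target=$1; link=$2
    if [ -L "$link" ]; then
        return 0
    elif [ -e "$link" ]; then
        echo "link_once: $link exists and is not a symlink" >&2
        return 1
    fi
    ln -s "$target" "$link"
}

openvas_install() {
    apt-get update && apt-get -y upgrade
    append_once /etc/apt/sources.list "$REPO_LINE"
    apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys "$REPO_KEY"
    apt-get update
    # PACKAGES is deliberately unquoted so it splits into separate arguments.
    apt-get -y install $PACKAGES

    # Path discrepancies in the OBS packages: keep the data under
    # /var/lib/openvas and point the /usr/local/var/lib/openvas names at it.
    mkdir -p /var/lib/openvas/private /var/lib/openvas/CA /var/lib/openvas/users
    mkdir -p /usr/local/var/lib/openvas
    for d in users CA private; do
        link_once "/var/lib/openvas/$d" "/usr/local/var/lib/openvas/$d"
    done

    # cacert.pem as the "already generated" marker is an assumption.
    [ -f /var/lib/openvas/CA/cacert.pem ] || openvas-mkcert -q
    openvas-nvt-sync
    openvas-mkcert-client -n om -i
}

# Run only when explicitly asked, so the file can also be sourced for its
# helper functions:  sh openvas-install.sh install
if [ "${1:-}" = "install" ]; then
    openvas_install
fi
```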


At this point, you should be good to go. Hit https: on your machine and have a blast.

Look for another article related to BackTrack 5 and OpenVAS right after BSidesKC. I've got something fun up my sleeve. If you're anywhere in the region, you should probably just show up. It'll be a good time.

2011-03-29

OpenVAS & Greenbone Security Assistant Basics

This is the second part of a series on OpenVAS, the open-source vulnerability scanner. In my last post, I walked you through compiling the various pieces of OpenVAS and getting it up and running. Now it's time to talk about the fundamentals. For this and future posts, we'll be using the web front-end to OpenVAS, called Greenbone Security Assistant, and we'll assume it's running on your local machine.


Why bother with OpenVAS, or vulnerability scanning in general?
Vulnerability scanners are not "hacking tools!" They're very noisy. They're ungainly. They lack finesse. They're riddled with false positives (vulnerabilities you try to manually verify and turn out to be non-existent) and false negatives (vulnerabilities that it doesn't know about or can't be easily detected and are thus missed). With so many weaknesses, why would you even bother?

Simply put, running frequent vulnerability scans on your network gives you a good baseline complete with the ability to notice a change from one week to the next. At the very least, you get a good feel for the "low-hanging fruit" -- the obvious and easy targets on your network. Additionally, many vulnerability scanners including OpenVAS have the ability to use a scanner agent installed on systems, and login credentials to inspect the local security of your servers, workstations and infrastructure. In this way, you can identify software that's out of date and security settings that are out of compliance. This can be a huge asset to your IT security stance once you have the scanner configured properly and running smoothly. That's easier said than done, unfortunately.

If you'll be using this system as a vulnerability scanner regularly, I recommend a few things:

Make sure the openvas services start at boot. I just added this stuff to /etc/rc.local on Ubuntu server:

echo "Starting OpenVAS Scanner Daemon..."
/usr/local/sbin/openvassd && echo [ OK ]
echo "Starting OpenVAS Manager Daemon..."
/usr/local/sbin/openvasmd && echo [ OK ]
echo "Starting OpenVAS Administrator Daemon..."
/usr/local/sbin/openvasad && echo [ OK ]
echo "Starting Greenbone Security Assistant Web Interface..."
/usr/local/sbin/gsad --http-only && echo [ OK ]
echo "Downloading NVT Updates..."
/usr/local/sbin/openvas-nvt-sync && echo [ OK ]

Make sure you have nightly NVT Updates. I put this in root's crontab to run at 4:00AM each day:

0 4 * * * /usr/local/sbin/openvas-nvt-sync

And there you have it.
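The rc.local snippet starts everything back to back, but the scanner spends minutes loading its plugins, and the manager talks to the scanner as soon as it comes up. Below is an added example, not from the original post, of the same startup sequence with a readiness wait between the scanner and the manager, and a "[ OK ]"/"[FAIL]" status that actually stops the sequence on a failure. The port numbers (9391 for openvassd, 9390 for openvasmd) are the upstream defaults, and the assumption that the scanner only starts listening once its plugins are loaded is this script's, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post: start the OpenVAS daemons in
# dependency order at boot, waiting for the scanner to accept connections
# before the manager (which connects to it) is started. Paths are the
# /usr/local/sbin ones from the post. The port numbers are upstream defaults
# and the readiness check is this script's assumption.
SCANNER_PORT=9391   # openvassd
MANAGER_PORT=9390   # openvasmd

# log_step LABEL CMD...: run CMD in the post's "label... [ OK ]" style and
# return CMD's exit status so the caller can stop on the first failure.
log_step() {
    label=$1; shift
    printf '%s... ' "$label"
    if "$@"; then
        echo '[ OK ]'
        return 0
    else
        rc=$?
        echo "[FAIL] (exit $rc)"
        return "$rc"
    fi
}

# is_listening PORT: succeeds when a TCP listener is bound to PORT, using
# ss (iproute2) or netstat, whichever is installed; returns 2 if neither is.
is_listening() {
    port=$1
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk '{print $4}' | grep -q ":${port}\$"
    else
        return 2
    fi
}

# wait_for SECONDS CMD...: poll CMD once a second until it succeeds (0) or
# SECONDS have elapsed (1).
wait_for() {
    timeout=$1; shift
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# start_openvas: the rc.local sequence from the post, with explicit waits.
start_openvas() {
    log_step 'Starting OpenVAS Scanner Daemon' /usr/local/sbin/openvassd || return 1
    # Loading all NVTs takes a few minutes; allow up to ten.
    log_step 'Waiting for scanner to accept connections' \
        wait_for 600 is_listening "$SCANNER_PORT" || return 1
    log_step 'Starting OpenVAS Manager Daemon' /usr/local/sbin/openvasmd || return 1
    log_step 'Waiting for manager to accept connections' \
        wait_for 60 is_listening "$MANAGER_PORT" || return 1
    log_step 'Starting OpenVAS Administrator Daemon' /usr/local/sbin/openvasad || return 1
    log_step 'Starting Greenbone Security Assistant Web Interface' /usr/local/sbin/gsad --http-only || return 1
    # Feed update last; it only needs the network. The post's nightly cron
    # entry for the same job:  0 4 * * * /usr/local/sbin/openvas-nvt-sync
    log_step 'Downloading NVT Updates' /usr/local/sbin/openvas-nvt-sync
}

# Run the sequence only when called as "start", so the file can also be
# sourced for its helpers:  /usr/local/sbin/start-openvas.sh start
if [ "${1:-}" = "start" ]; then
    start_openvas
fi
```

From /etc/rc.local, call the script with the "start" argument instead of pasting the bare commands; a failed step then shows up as "[FAIL] (exit N)" in the boot output and nothing after it is started.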

When you navigate to the web interface (usually http://localhost) and log in, you'll see the task screen, which I had shown you previously. Take note of the options on the left pane, as we'll be going through most of them.

[Screenshot: Greenbone Security Assistant task screen]

One of the first things you'll want to do if you didn't set up daily updates is to hit the "NVT Feed" link (not shown above) and update the NVT database.

[Screenshot: 00-NVTSync2]

With that out of the way, our first stop is with scan configurations. OpenVAS comes with five template configurations, each of which might do something useful for you.
[Screenshot: 01-ScanConfigs]


You don't need to create a custom scan config to get started with OpenVAS, but if you decide to create a new Scan Config, you'll have the ability to edit it (the wrench icon will not be greyed out)
[Screenshot: 03-NewScanConfig2]

and you'll be faced with a huge assortment of scanning options allowing you to fine-tune your scan. You'll also see options for so-called NASL Wrappers, which are scripts that help OpenVAS utilize third-party tools such as nmap, nikto, w3af and others. Tuning your scan parameters is important, but complicated enough that it's beyond the scope of this series. Most vulnerability scanners I've used (Nessus, ISS, etc...) have a configuration section like this, and it's always a very, very deep rabbit-hole. Mastering this is a bit of an art, but I usually break the enterprise up into "classes" so that like-systems are scanned with relevant checks so I'm not throwing 5,000 futile Windows checks at the Linux servers in the DMZ, for example. Feel free to leave me a comment if you want me to discuss this kind of classification setup in more detail.

When building custom configs, I recommend using the existing scan configs as a template, and tweaking things from there to get your bearings. Try the "Full and very deep" scan first if you have any doubts. It's unlikely to knock anything off the network, but be careful! The "Trend" radio button selects whether this scan config will grow and import new NVT plugins or remain static with only the plugins you selected for that particular plugin family. If you start using OpenVAS frequently, you'll probably want to become familiar with tuning scan configs to get rid of false positives or enable more features.

[Screenshot: 04-NewScanConfig3]

Schedules are triggers for one-time or recurring scans. It's not uncommon to schedule a network vulnerability scan to happen after business hours, so this option helps you there. I usually run weekly scans so that I can compare my security stance from one week to the next. Here, I've created a weekly trigger that runs at midnight (central time) every Tuesday. You can create as many schedules as you want, but none of them will actually do anything until you assign the schedule to a task. By the way, OpenVAS uses UTC for its clock. Keep that in mind.
[Screenshot: 05-NewSchedule]

In the introduction, I had mentioned using credentials or agents to run local security checks. OpenVAS is pretty flexible here, so experiment with the credential options. Create credentials in Greenbone Security Assistant, and make sure that they match an account on the target system. I recommend creating a dedicated account with the bare minimum privileges needed to run the local security checks. In a Windows environment, consider using an active directory service account on the domain. Authenticated scans and local checks open up some of the most powerful features of many vulnerability scanners. I may cover the use of Agents later, but for now, they're beyond the "basics" scope of this post.
[Screenshot: 06-NewCredential]

Escalator is a funny word for this feature, but this robust option gives you the ability to trigger events based on the completion of a scan. Here, I'm just configuring it to send an email to me when a scan has finished running. Note: you will probably have to install the "mailutils" package or some equivalent on Ubuntu for this to work.
[Screenshot: 07-NewEscalator]

We can finally start picking what hosts or networks we want to scan with the "Targets" option. The target hosts can be single IP addresses, IP address ranges (192.168.0.1-192.168.0.23 or 192.168.0.1-23), CIDR networks like the example below, DNS names, or any combination of them separated by commas. I had mentioned setting up "classes" of scans earlier. Here, you may just insert a comma-separated list of similar servers, for example. The comment is optional, and the port range can also be a comma-separated list of individual port numbers or ranges. "default" uses all of the ports found in /usr/local/share/openvas/openvas-services, which contains over 8,000 ports, a far cry from 65,535. YMMV here. If you wish to use credentials, select them now.

[Screenshot: 08-NewTarget]
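To see exactly what a target string covers before you point a scan at it, here is an added example (not from the original post, and not OpenVAS code) that expands the host and port notations listed above into explicit lists and counts them. The accepted forms are the ones the post describes; the refusal of blocks wider than /16 and the tolerance of spaces after commas are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: expand a Greenbone "Targets"
# host string and port list into explicit lists so you can review and count
# what a scan will hit before you launch it. Accepts single IPs, DNS names,
# 192.168.0.1-23, 192.168.0.1-192.168.0.23 and CIDR blocks, comma-separated.
MAX_BLOCK_BITS=16          # refuse CIDR blocks wider than /16 (this script's limit)

ip2int() {                 # 192.168.0.1 -> 3232235521
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {                 # 3232235521 -> 192.168.0.1
    printf '%d.%d.%d.%d\n' $(( ($1 >> 24) & 255 )) $(( ($1 >> 16) & 255 )) \
                           $(( ($1 >> 8) & 255 )) $(( $1 & 255 ))
}

print_range() {            # print_range FIRST LAST (integers, inclusive)
    i=$1
    while [ "$i" -le "$2" ]; do int2ip "$i"; i=$((i + 1)); done
}

# expand_target SPEC: one host (address or name) per line; 1 on a bad spec.
expand_target() {
    oldifs=$IFS; IFS=', '; set -- $1; IFS=$oldifs
    for tok in "$@"; do
        case $tok in
        '') continue ;;
        */*)                                   # CIDR block, e.g. 10.0.0.0/24
            bits=${tok#*/}
            case $bits in ''|*[!0-9]*) echo "bad prefix: $tok" >&2; return 1 ;; esac
            if [ "$bits" -gt 32 ] || [ "$bits" -lt $((32 - MAX_BLOCK_BITS)) ]; then
                echo "refusing $tok (allowed: /$((32 - MAX_BLOCK_BITS)) to /32)" >&2
                return 1
            fi
            net=$(ip2int "${tok%/*}")
            first=$(( net & ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF) ))
            print_range "$first" $(( first + (1 << (32 - bits)) - 1 ))
            ;;
        [0-9]*-*)                              # 192.168.0.1-23 or 192.168.0.1-192.168.0.23
            lo=${tok%-*}; hi=${tok#*-}
            case $hi in *.*) ;; *) hi="${lo%.*}.$hi" ;; esac   # short form: last octet only
            print_range "$(ip2int "$lo")" "$(ip2int "$hi")"
            ;;
        *)                                     # single address or DNS name
            echo "$tok"
            ;;
        esac
    done
}

# expand_ports SPEC: "22,80,8000-8005" -> one port per line; 1 on a bad spec.
expand_ports() {
    oldifs=$IFS; IFS=', '; set -- $1; IFS=$oldifs
    for tok in "$@"; do
        [ -n "$tok" ] || continue
        case $tok in *-*) lo=${tok%-*}; hi=${tok#*-} ;; *) lo=$tok; hi=$tok ;; esac
        case "$lo$hi" in ''|*[!0-9]*) echo "bad port spec: $tok" >&2; return 1 ;; esac
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "port out of range: $tok" >&2; return 1
        fi
        p=$lo
        while [ "$p" -le "$hi" ]; do echo "$p"; p=$((p + 1)); done
    done
}

count_targets() { expand_target "$1" | grep -c ''; }
count_ports()   { expand_ports  "$1" | grep -c ''; }

# Usage: sh targets.sh 'HOSTSPEC' ['PORTSPEC']
if [ $# -ge 1 ]; then
    echo "$(count_targets "$1") host(s):"; expand_target "$1"
    if [ $# -ge 2 ]; then
        echo "$(count_ports "$2") port(s):"; expand_ports "$2"
    fi
fi
```

The host count is the number you want to sanity-check against the port list: a "default" port range of 8,000-plus ports against a /16 is a very different scan from the same ports against a handful of servers in one "class".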

The moment you've probably been waiting for. Create a new task. This is where you'll get to put it all together and start scanning! Here, I assigned a weekly scan schedule. This will run on its own, using the schedule I defined earlier.
[Screenshot: 09-NewSchedTask]

If you don't define a scan schedule, you'll end up with an item on the task list, but it won't run on its own until you hit the "Play" icon (Green triangle). I added a manual scan to the task list as well. You can see both the scheduled and manual scans waiting to run here:
[Screenshot: 10-Status]

Clicking the spyglass icon on a task will show you a list of summaries from each time you've run the task. This weekly scan has only run one time, though, so you only see one summary here.
[Screenshot: 11-results1]

And clicking the spyglass on a scan summary pulls up the detailed results, which you can filter a number of ways. This page goes on and on, containing every item that was noted in the scan. You can also export the results a number of ways.
[Screenshot: 12-results2]

One thing that I like about OpenVAS is the fact that the web UI allows you to make remarks about the scan findings, assign arbitrary severity levels (including "false positive") and tune things so that future scans can take your professional opinion into account, if you so desire. You can perform these overrides or add notes to a single instance of a vulnerability or make sure that it applies to other hosts in the same scan. This can make OpenVAS extremely versatile.

Anyway, that's the basics of the OpenVAS scanner and Greenbone Security Assistant. Should be enough to get you started playing around in your own lab environments, or perhaps in a small office environment.

If you get serious about using OpenVAS, you may consider going with the Greenbone's Professional NVT Feed, which operates on a similar model to Tenable Security's Nessus ProfessionalFeed. Again, it's hard to compare OpenVAS and Nessus side by side, but they both try to fill the same niche. I've used both (and several other competing products) and I still can't say any one is actually better than another. The Greenbone Security Assistant Web UI seems like one of the best vulnerability scanner interfaces I've seen, though.

2011-03-21

OpenVAS on Ubuntu 10.10 Maverick Meerkat Install Notes

When Tenable took Nessus through a code re-write and closed its source, the old code was forked a few times. As far as I can tell, OpenVAS is the strongest surviving variant. There's a really old version in most Linux distributions' package repositories, but it's out of date, the 2.x version.


I wanted to get the new version up and running. It turns out that compiling it for the first time was a gigantic clustercoitus of library dependencies and unnecessary branches in the OpenVAS subversion repository. So, I did what I usually do when I meet a challenge worth dissecting: set up a VM, take some snapshots, and document it.

There are four components to OpenVAS: the scanner, the administrator, the manager, and a client program. There are three clients to choose from:
  • Greenbone Security Desktop, which looks a lot like the older Nessus GUI
  • Greenbone Security Assistant, a clean web UI similar to the new Nessus, except more feature-rich
  • OpenVAS-cli, a tool that's good for lightweight scheduled scanning

There are well over 100 dependencies to get OpenVAS installed, but this big pile knocked them all out on both Ubuntu 10.10 server and desktop versions:

sudo apt-get install build-essential libpcap-dev subversion cmake libgpgme11-dev libglib2.0-dev uuid-dev doxygen libgnutls-dev libmicrohttpd-dev bison xmltoman libsqlite3-dev sqlfairy libxslt-dev texlive-latex-extra xsltproc

One last thing: If you really want to use the Greenbone Security Desktop GUI, there's a whole lot more you'll need, but they're all dependencies of libqt4-dev. I have grown to really like the Web GUI, so you may want to play with that first before you decide to go with GSD.

sudo apt-get install libqt4-dev

If you pull up the SVN repository, you'll see the following branches. You do not need all of them, and some of them are absolutely massive. It's a big waste of bandwidth, drive space and time to check out everything.

# bindings/
# doc/
# gsa/
# gsd/
# image-packages/
# openvas-administrator/
# openvas-cli/
# openvas-client/
# openvas-compendium/
# openvas-libraries/
# openvas-manager/
# openvas-packaging/
# openvas-plugins/
# openvas-scanner/
# sladinstaller/
# tools/
# winslad/

We only want openvas-libraries, openvas-scanner, openvas-manager, openvas-administrator, openvas-cli, gsa and gsd. When you first run subversion, you'll have to accept the SSL certificate from OpenVAS.

mkdir openvas-source
cd openvas-source
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-libraries openvas-libraries
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-scanner openvas-scanner
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-manager openvas-manager
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-administrator openvas-administrator
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/openvas-cli openvas-cli
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/gsa gsa
svn checkout https://svn.wald.intevation.org/svn/openvas/trunk/gsd gsd

OpenVAS uses cmake, which is actually pretty slick as long as your dependencies are in order. Simply go into each of the directories above, and run the following commands to compile and install. I'll use openvas-libraries as an example:

cd openvas-libraries
cmake .
make
sudo make install
cd ..

One thing to keep in mind is that several libraries are deployed with the openvas-libraries package, and those are needed for the other packages. Make sure you run ldconfig to update the library cache before compiling the other packages.

sudo ldconfig

Do the same for openvas-scanner, openvas-manager, openvas-administrator, openvas-cli, gsa and (if you want to use the native gui), gsd.
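As an added example (not from the original post), here are the checkout and build steps above as one script that handles the components in the right order, runs ldconfig after each install so the next component finds the libraries the previous one installed, and stops at the first failure. The DRY_RUN=1 switch is this script's own; it prints the commands instead of running them so you can check the order before spending an hour compiling.

```shell
#!/bin/sh
# Added example, not from the original post: check out and build the
# components the post lists, in dependency order, running ldconfig after
# every install. DRY_RUN=1 (this script's own knob) prints the commands
# instead of running them.
DRY_RUN=${DRY_RUN:-0}
SVN_BASE='https://svn.wald.intevation.org/svn/openvas/trunk'
# openvas-libraries must come first; everything after it links against it.
COMPONENTS='openvas-libraries openvas-scanner openvas-manager openvas-administrator openvas-cli gsa gsd'

run() {                       # run CMD...: execute, or echo when DRY_RUN=1
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# checkout_all ROOT: svn checkout of each component under ROOT.
checkout_all() {
    root=$1
    mkdir -p "$root" || return 1
    for c in $COMPONENTS; do
        run svn checkout "$SVN_BASE/$c" "$root/$c" || return 1
    done
}

# build_component DIR: cmake . && make && make install, then ldconfig.
# Stops at the first failing step.
build_component() {
    [ -d "$1" ] || { echo "build_component: no such directory: $1" >&2; return 1; }
    ( cd "$1" && run cmake . && run make && run sudo make install ) || return 1
    run sudo ldconfig
}

# build_all ROOT: build every component present under ROOT, in order. Prints
# the name of each component as it completes; components that were not
# checked out (e.g. gsd without the Qt packages) are skipped with a note.
build_all() {
    root=$1
    for c in $COMPONENTS; do
        if [ ! -d "$root/$c" ]; then
            echo "skipping $c (not checked out)" >&2
            continue
        fi
        build_component "$root/$c" || { echo "build failed in $c" >&2; return 1; }
        echo "$c"
    done
}

# Usage: sh build-openvas.sh checkout|build [ROOT]   (ROOT defaults to ./openvas-source)
case ${1:-} in
    checkout) checkout_all "${2:-openvas-source}" ;;
    build)    build_all    "${2:-openvas-source}" ;;
esac
```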

Once everything is installed, you need to do a few quick things to set everything up. First, start the OpenVAS Scanner Daemon:

sudo openvassd

Next, update the NVT plugins. This takes a long time the first time you run it.

sudo openvas-nvt-sync

Create a CA (walk through the prompts):

sudo openvas-mkcert 

Create a client certificate for OpenVAS Manager (om):

sudo openvas-mkcert-client -n om -i

Rebuild the OpenVAS Manager database, then start OpenVAS Manager:

sudo openvasmd --rebuild
sudo openvasmd

Start OpenVAS Administrator, then create an administrator account for yourself:

sudo openvasad
sudo openvasad -c 'add_user' -n Admin

Substitute whatever username you want for "Admin"; it will prompt you for the rest of the details.

Launch a client tool. I noticed that on Ubuntu, libmicrohttpd (a library the web UI uses) had some issues with SSL. I'm generally averse to running over plain HTTP, but if you make sure you run it locally or through a tunnel, you should be fine. I had to start Greenbone Security Assistant in http-only mode:

sudo gsad --http-only

Point your browser at http://localhost/ - It looks like this, if you have everything working properly. Here, I'm in the middle of a test scan.

[Screenshot: Greenbone Security Assistant task screen]

Alternatively, you can run GSD:

gsd

Which looks a bit like this. You use the tabs to navigate it, export reports and all that.

[Screenshot: Greenbone Security Desktop]

I had trouble getting either GSD or GSA to export the report in PDF format. There may be a library or CLI tool that I'm missing. The HTML export works like a champ.

Update: Poking through the errors I found in /tmp, I discovered that I needed some files provided by LaTeX. Installing texlive-latex-extra and its dependencies got PDF export working, thus I've included it in the list of packages to install with apt-get at the beginning of this post.

In summary, OpenVAS works, and it's come a long way since the original fork of Nessus. It's difficult (and honestly, pointless) to compare OpenVAS to Nessus in their current states. They're not the same, and they likely have different strengths. I've spent quite a bit of time working with the latest versions of Nessus, so OpenVAS is new territory for me. Now that I have it up and running, I look forward to putting it through the paces.

I'll be talking about OpenVAS more in the coming days (or weeks, if things stay as busy as they have been lately). There are some interesting aspects of OpenVAS' architecture I'm playing with.

2009-11-24

Tools of the day: nmap 5.10 Beta 1, Shodan beta

Two seriously awesome blips across my infosec radar today:

nmap 5.10BETA1 was released. New .NSE scripts, performance enhancements, OS fingerprints and minor fixes abound. Definitely worth checking out.

Shodan Beta. This computer/port/network search-engine is, as Mubix put it, "a game-changer." Some of my favorite queries so far:
  • ProFTPD country:BR (Vulnerable FTP servers in Brazil via Hevnsnt)
  • port:23 list of built-in commands (unpassworded shells via HD Moore)
  • Live View (via me, finds lots of Axis Webcams)
  • jetdirect (find networked printers, maybe good for FTP Bounce scans?)

2009-02-02

Rubber-hose cryptanalysis and how to not get a wrench to the head

From xkcd this morning:


In the security industry, we call this "rubber-hose cryptanalysis" -- a euphemism coined by Marcus Ranum for getting the target to give you access to the encrypted data via coercion. The name implies physical torture, but psychological coercion (threatening physical harm, litigation, etc) is pretty much the same thing. I personally consider this a variety of Social Engineering since it relies on manipulating your mark rather than using technology to directly attack the assets.

When attacking many modern cryptosystems, a technological attack is often going to take a lot longer than simply bludgeoning it out of someone. Some technological attacks that don't directly involve breaking the crypto through brute force can sometimes get decrypted data:

  • Dumping the contents of the target's RAM and Swap file (can contain the crypto key, unencrypted data, evidence of encrypted data or metadata about the encrypted files)
  • Operating system history "recently used" (can store history data and reveal structure of the encrypted volume)

When legally possible, you should never, ever relinquish your encrypted data. When faced with torture and/or the loss of your freedom, you still have a friend in your corner: deniable encryption.

Simply put, deniable encryption most often refers to encrypted data which can resolve to both the genuine data and decoy data, depending on the key used to decrypt the data. The decoy data should appear to be "secret" in nature, and it's best if the decoy data appears to be the same kind of data that you're really trying to protect. If you encrypted a bunch of proprietary documentation, your attacker may know what they're looking for. You'd be best to make the decoy data look like proprietary documentation while remaining innocuous, perhaps loaded with misleading facts. Using a video of Rick Astley's Never Gonna Give You Up might tip the attacker off that they need to keep looking (and torturing you) for the real goods.

While not the only tool available, one commodity piece of free, cross-platform software that handles this task quite nicely is TrueCrypt. It handles full-disk encryption, deniable encryption (which is called a "hidden volume" in TrueCrypt), and can even boot an operating system from a hidden volume. That's right, TrueCrypt can boot an entirely different operating environment based on which pre-boot passphrase you enter.

I'll save the merits and woes of full-disk encryption for another day.

2008-12-14

I think I see the problem... [Soldering]

My NiMH Battery recharger has been acting up lately. One of the slots often (but not always) fails to charge. I finally took it apart today to check it out. The blue thermistor had somehow broken free from the negative terminal.


Thermistors are resistors that vary in value according to temperature. NiMH fast chargers almost always use some form of temperature sensor to determine the end of the charge cycle. That's what these thermistors are for.

I thought I'd introduce one of my favorite little gadgets. It's a Bernzomatic MicroFlame ST200.


A bona-fide soldering station will probably give you 150 watts or more of soldering power, fully adjustable. On full power, this little butane torch is probably in the 85-100W equivalent range, but is adjustable. It's considerably hotter than my 45W soldering iron, but not nearly as hot as my 150W soldering gun. On its lowest setting, I'd say it's about equivalent to 25 watts.



For little jobs and when I'm outside and away from electricity, this works quite well. It also heats up a lot faster than my 45W electric iron, which is why I chose it for this repair.

I also like the fact that it not only can be used as a torch for heating plumbing joints, loosening stubborn bolts, etc...


But it also features a hot air nozzle if you remove the solder tip. That's great for shrink tubing, de-icing locks, warming solder paste and removing surface-mount components.

2008-11-19

Metasploit Framework 3.2 released

In a press release issued this morning, the Metasploit team announced the immediate release of Metasploit Framework version 3.2, which boasts significant improvements and additional features from previous versions:



Version 3.2 includes exploit modules for recent Microsoft flaws, such
as MS08-041, MS08-053, MS08-059, MS08-067, MS08-068, and many more.

The module format has been changed in version 3.2. The new format
removes the previous naming and location restrictions and paved the way
to an improved module loading and caching backend. For users, this means
being able to copy a module into nearly any subdirectory and be able to
immediately use it without edits.

The Byakugan WinDBG extension developed by Pusscat has been integrated
with this release, enabling exploit developers to quickly exploit new
vulnerabilities using the best Win32 debugger available today.

The Context-Map payload encoding system developed by I)ruid is now
enabled in this release, allowing for any chunk of known process memory to
be used as an encoding key for Windows payloads.

The Incognito token manipulation toolkit, written by Luke Jennings, has
been integrated as a Meterpreter module. This allows an attacker to gain
new privileges through token hopping. The most common use is to hijack
domain admin credentials once remote system access is obtained.

The PcapRub, Scruby, and Packetfu libraries have all been linked into
the Metasploit source tree, allowing easy packet injection and capture.


There are many other improvements listed, so head on over and check it out, or get to the downloading already.

2008-11-13

Simple Pleasures

I'm sitting here compiling the latest build of nmap directly from the source tree. I haven't done this in quite a while. I'm lazy and usually make do with whatever binary build I can find. Now that I have a reasonably fast OpenBSD machine (not in a VM) I decided to go for it again and saw this gem at the end of ./configure:



Perhaps I'm easily entertained, or maybe it's just been a heck of a week and I'm ready for Friday. Regardless, it made my day. Thanks, Fyodor!