2014-01-28

OpenVAS on BlackArch Linux: Installation Notes

OpenVAS can be tricky to set up. Once the OpenVAS packages are installed, there's a bunch of steps you need to perform, and in a pretty specific order, to turn it into a working vulnerability scanner. There are four parts to OpenVAS: the Scanner service, the Manager service, the Administrator service, and then some front-end client. In this case, I'm demonstrating Greenbone Security Assistant, which is yet another service, an SSL web UI that you can access locally, or from another computer, for managing OpenVAS.

I recommend using sudo instead of doing everything as root, but you're obviously not obliged to do it that way. These instructions presume you are using sudo, though. Sudo isn't in the Arch base distribution, but you can add it with:

[root@spx ~]# pacman -S sudo

First, install all the packages. gsa is the web UI, while gsd is a graphical client that runs under X11. You don't need to install both of them, but I usually do. A bunch of dependencies will be added with these packages. Stuff in bold is what I typed. Everything else is terminal output. Most of the really verbose output is truncated and noted with my own commentary in ellipses.


[axon@spx ~]$ sudo pacman -S openvas-administrator openvas-manager openvas-scanner gsa gsd
resolving dependencies...

Packages (75): alsa-lib-1.0.27.2-1  cmake-2.8.12.1-3  damageproto-1.2.1-2
   ...
   ...
               openvas-administrator-1.3.2-4  openvas-manager-4.0.4-3
               openvas-scanner-3.4.0-5

Total Download Size:    73.21 MiB
Total Installed Size:   338.56 MiB

:: Proceed with installation? [Y/n] y
:: Retrieving packages ...


Next, download all the OpenVAS NVT scripts. These are updated frequently. By default, OpenVAS doesn't ship with any scripts, so you need to download them. If there are no NVTs, the OpenVAS Scanner service doesn't like to start.


[axon@spx ~]$ sudo openvas-nvt-sync
... lots of text while the NVT scripts download ...
zyxel_pwd.nasl.asc
[i] Download complete
[i] Checking dir: ok
[i] Checking MD5 checksum: ok


Next, make the SSL Cert for OpenVAS with this handy script:

[axon@spx ~]$ sudo openvas-mkcert
 
Answer each prompt if you want, but as this is a private-use certificate, I usually just hit enter at all the prompts to accept the defaults. We also need to make a Client Cert for OpenVAS-Manager (om) like this:  

[axon@spx ~]$ sudo openvas-mkcert-client -n om -i
...
Write out database with 1 new entries
Data Base Updated
User om added to OpenVAS.





Start the OpenVAS Scanner service. This can take a really long time, and consumes a lot of RAM.

[axon@spx ~]$ sudo openvassd
Loading the OpenVAS plugins...base gpgme-Message: Setting GnuPG homedir to '/etc/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '2.0.22'
Loading the plugins... 1887 (out of 33836)




The OpenVAS Manager service requires an SQLite database, but none is created during package installation. Use the following command to create the database. It will sit there for a few minutes and return to the command line without saying anything. This is normal.

[axon@spx ~]$ sudo openvasmd --rebuild
 

Start the OpenVAS Manager service. This runs quickly.

[axon@spx ~]$ sudo openvasmd





Add a user to OpenVAS. You'll log into OpenVAS with these credentials. Pick a strong password, not the one I use here.

[axon@spx ~]$ sudo openvasad -c 'add_user' -n adminusername -w adminpassword
ad   main:MESSAGE:4484:2014-01-28 14h31.41 CST: No rules file provided, the new user will have no restrictions.
ad   main:MESSAGE:4484:2014-01-28 14h31.41 CST: User adminusername has been successfully created.


Start the OpenVAS Administrator service.

[axon@spx ~]$ sudo openvasad




I'm usually paranoid, and at this step, I check the process list for "openvas" services. You should see openvassd, openvasad and openvasmd all running. If not, look at the logs in /var/log/openvas to give you some hints, or check to make sure you performed each necessary step. If that all checks out, start a client, such as Greenbone Security Assistant.


[axon@spx ~]$ sudo gsad

Now just browse to https://localhost (or your BlackArch's network IP). You'll need to accept the self-signed certificate. Generating a new SSL cert for GSA is beyond the scope of this article.
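
The process-list check described before starting gsad can be scripted. This is an added example, not part of the original notes: the daemon names and /var/log/openvas come from the steps above, while the function names, the --check switch and the sample process list are made up for illustration, and it assumes a ps that supports `-e -o comm=`.

```shell
#!/bin/sh
# Added example, not from the original article. Daemon names and the log
# directory are the article's; function names and messages are made up here.

OPENVAS_DAEMONS="openvassd openvasmd openvasad"
OPENVAS_LOG_DIR="/var/log/openvas"

# Constructed sample of `ps -e -o comm=` output in which openvasmd is absent.
SAMPLE_PS='systemd
sshd
openvassd
openvasad'

# Read process names (one per line) on stdin and print every daemon from
# $OPENVAS_DAEMONS that is not among them.
missing_daemons() {
    procs=$(cat)
    for d in $OPENVAS_DAEMONS; do
        # -x matches the whole line and -F treats the name literally, so a
        # longer name that merely contains the daemon name does not count.
        printf '%s\n' "$procs" | grep -qxF -- "$d" || printf '%s\n' "$d"
    done
}

# Check the live process list; on failure, list the log directory newest first.
check_openvas() {
    missing=$(ps -e -o comm= | missing_daemons)
    if [ -z "$missing" ]; then
        echo "openvassd, openvasmd and openvasad are all running"
        return 0
    fi
    echo "not running:" $missing
    echo "look for hints in $OPENVAS_LOG_DIR:"
    ls -lt "$OPENVAS_LOG_DIR" 2>/dev/null
    return 1
}

# Run the live check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_openvas
fi
```

Run it with --check after starting the three services; a non-zero exit status means at least one of them is not in the process list.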
