OpenVAS

OpenVAS is a software framework of several services and tools offering vulnerability scanning and vulnerability management. The project started in 2005 as a fork of the last free version of Nessus. OpenVAS can be a great option for those wanting to explore how to implement vulnerability management in their organizations, or for those whose budgets cannot stretch to Nessus or Nexpose. That said, OpenVAS provides everything you need for a successful vulnerability management program, and many organizations prefer it over its commercial counterparts.

Tip

Nessus Home is a version of Nessus that is available for personal use in a home environment only; if you want to explore their offering, it's a great way to get started. Nexpose Community has a 30-day trial with full functionality if you wish to investigate it.

Success

I was originally tasked to research OpenVAS for a project at work. We were looking at using OpenVAS as a value add for our customers by providing them with internal vulnerability scanning. I can't really go into either the details or the objectives of the specific project, but I can say that we wanted to interact with OpenVAS via the API (if offered) rather than the web interface. The following post consists of modified notes from my project research. My findings do not cover much of the WebUI or many of the features of OpenVAS.

☑️ I do want what I've learned to stick with me so I have come up with my own objectives and goals that I want to complete before marking this as done.

  1. I want to create a script that I can execute that will allow me to run a scan against a host without logging into the WebUI.
  2. If I can find some extra time, I would like to have the script execute and run a scan against new systems that join my home network.

OpenVAS Server (Virtual Machine Information)

Server

In my lab environment I created an Ubuntu VM for OpenVAS using the hardware requirements found here

Operating System Information:

  • Distributor ID: Ubuntu
  • Description: Ubuntu 16.04.3 LTS
  • Release: 16.04
  • Codename: xenial

Network Information

  • 192.168.0.30/24

OpenVAS Software Requirements & Dependencies

Install Dependencies

sudo apt-get install software-properties-common sqlite3

According to documentation I've read, smbclient needs to be installed in order to test for vulnerabilities such as MS17-010:

sudo apt-get install smbclient

Install OpenVAS9

Add OpenVAS Repository

sudo add-apt-repository ppa:mrazavi/openvas

Update System

sudo apt-get update

Install OpenVAS

sudo apt-get install openvas9

Note: One of the last steps of the install is rebuilding the NVT cache, which can take several minutes, so don't panic.

Post Install Items

Open firewall ports. The rules below allow SSH, OMP and the WebUI; we will later move the WebUI from its default port 4000 to port 443. As written the rules accept connections from any source, so on anything beyond a lab restrict the OMP (9390) and WebUI rules to your management subnet, and make sure ufw is actually enabled before relying on it.

sudo ufw allow 22
sudo ufw allow 443
sudo ufw allow 9390

Upgrade vulnerability databases

sudo greenbone-nvt-sync
sudo greenbone-scapdata-sync
sudo greenbone-certdata-sync

Enable and Start OpenVAS services

sudo systemctl restart openvas-scanner
sudo systemctl enable openvas-scanner
sudo systemctl restart openvas-manager
sudo systemctl enable openvas-manager
sudo systemctl restart openvas-gsa
sudo systemctl enable openvas-gsa

Start Service for OMP

sudo openvasmd -a 0.0.0.0 -p 9390

Rebuild Vulnerability Databases

sudo openvasmd --rebuild --progress

Add a cron job to update the vulnerability databases. The following crontab entry runs every Sunday at 02:15 (cron fields are minute first, then hour, so 02:15 is written 15 2):

sudo crontab -e
15 2 * * 0 /usr/sbin/greenbone-nvt-sync && /usr/sbin/greenbone-scapdata-sync && /usr/sbin/greenbone-certdata-sync && /usr/sbin/openvasmd --rebuild

Enable PDF reports

sudo apt-get install texlive-latex-extra --no-install-recommends

sudo apt-get install texlive-fonts-recommended --no-install-recommends

Install openvas-nasl Utility

sudo apt-get install libopenvas9-dev

IPv6

A good first step is to determine if you want to support IPv6 or not.

sudo vim /etc/default/ufw

Set the IPV6= flag to yes or no as you prefer. With IPV6=no, ufw will not create IPv6 rules when you add rules to its rulesets. Bear in mind that a scanner with IPv6 disabled cannot scan IPv6 targets.

IPV6=no

Ensure the firewall is running:

sudo systemctl restart ufw
sudo ufw status

To disable IPv6 completely on the host, edit /etc/sysctl.conf (with sudo) and add the following lines:

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

Apply the settings without rebooting:

sudo sysctl -p

You should see the three lines you added to /etc/sysctl.conf echoed back. Next, check:

cat /proc/sys/net/ipv6/conf/all/disable_ipv6

It should return the value 1.

openvasmd As A Service

To get things started we manually started openvasmd listening on port 9390 for the OMP service. That isn't a good long-term solution. The service is already enabled to start on boot, but its configuration must be changed to allow remote OMP connections, so if you want that functionality make the following changes. Note that 0.0.0.0 binds OMP on every interface; the ufw rule for port 9390 is then the only thing controlling who can reach the manager, so restrict that rule to your management subnet (or bind to a specific address) if the scanner has more than one network.

sudo vim /etc/default/openvas-manager

Add the following lines to the configuration:

LISTEN_ADDRESS="0.0.0.0"
PORT_NUMBER=9390

We also need to make one change to /etc/default/openvas-gsa. If we don't, logging in to the WebUI fails with the error "Login failed. Waiting for OMP service to become available." Point GSA at the manager's TCP listener on the local host:

MANAGER_ADDRESS="127.0.0.1"

Now restart the services:

sudo systemctl restart openvas-manager; sudo systemctl restart openvas-gsa.service

Accessing the WebUI

I modified the port the WebUI was listening on from port 4000 to 443. To make the same modification or to change it to the port you want, edit:

sudo vim /etc/default/openvas-gsa

Now change the configuration to what you want.

PORT_NUMBER=443

Go to the IP address of the system hosting OpenVAS. In my case it was the following:

https://192.168.0.30

To change the default admin password, run the following command on the server:

sudo openvasmd --user=admin --new-password=<new-password>

Connecting to WebUI via hostname

Error: "The request contained an unknown or invalid Host header. If you are trying to access GSA via its hostname or a proxy, make sure GSA is set up to allow it."

If you want to access the WebUI by hostname you will need to make another change to the /etc/default/openvas-gsa file by adding the hostname of the system:

ALLOW_HEADER_HOST="host.name.com"

Restart the service:

sudo systemctl restart openvas-gsa.service

If you want to add your own SSL certificate, the modifications are made in this file as well.

OMP Setup and Configuration

Create OMP User

sudo openvasmd --create-user=omp --role=Admin

The command prints the generated password for the user. Admin is more privilege than a scan-only API account needs; if the user will only create targets and tasks and run scans, consider the less privileged built-in User role instead.

User created with password '119e5192-c46a-45c1-8ef4-5e41ca6ce5dc'

Add OMP User to Configuration

Login to the WebUI and go to Configuration → Credentials and create a new user:

Checking our installation

I came across a script that checks whether anything is amiss with the installation, which I found valuable. First, download the script to /usr/local/bin/. Note that --no-check-certificate disables TLS verification for the download, so read the script before running it as root, and drop the flag if the server's certificate validates for you:

sudo wget --no-check-certificate https://svn.wald.intevation.org/svn/openvas/branches/tools-attic/openvas-check-setup -P /usr/local/bin/

Now make the script executable:

sudo chmod +x /usr/local/bin/openvas-check-setup

Run the script to check the OpenVAS installation:

sudo openvas-check-setup --v9

OpenVAS Client (Virtual Machine Information)

OMP Client Info

I've created the client VM as a way to test and run the OMP client (API), which is how you interface with OpenVAS remotely.

Operating System Information:

  • Distributor ID: Ubuntu
  • Description: Ubuntu 16.04.3 LTS
  • Release: 16.04
  • Codename: xenial

Network Information

  • 192.168.0.31/24

Install OpenVAS9 Client (OMP)

Add OpenVAS Repository

sudo add-apt-repository ppa:mrazavi/openvas

Update

sudo apt-get update

Install OpenVAS Client

sudo apt-get install openvas9-cli

Client - Add Alias for OMP

Edit the user's .bashrc and add an alias that carries the connection details, using the username and password of the OMP user created on the server:

alias omp='omp -u rtkomp -w 119e5192-c46a-45c1-8ef4-5e41ca6ce5dc -h 192.168.0.30 -p 9390'

Be aware that the password then sits in plaintext in .bashrc and shows up in the process list on every omp invocation. Outside a lab, put host, port, username and password in the [Connection] section of ~/omp.config (mode 600) instead; omp reads that file by default.

OpenVAS Scan Target (Virtual Machine Information)

Optional Step

I created a VM running Windows as a scan target for testing findings etc. Obviously you can run it against existing hosts if you prefer.

Operating System Information:

  • Distributor ID: Windows
  • Description: Windows 2008R2 64bit

Network Information:

  • 192.168.0.32/24

System Services Installed/Running:

  • IIS
  • File Services
  • Print and Document Services

OMP How-To/Walk-through

Every scan task references a scan configuration.

To list the available scan configurations (ID and name), run the following command:

omp -u rtkomp -w 119e5192-c46a-45c1-8ef4-5e41ca6ce5dc -h 192.168.0.30 -p 9390 -g
    8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
    085569ce-73ed-11df-83c3-002264764cea empty
    daba56c8-73ec-11df-a475-002264764cea Full and fast
    698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
    708f25c4-7489-11df-8094-002264764cea Full and very deep
    74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
    2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
    bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery

More detailed information is returned by the following command:

omp --xml='<get_configs/>'

Adding the -i switch pretty-prints the XML so the output is easier to read.

Adding the target to scan

omp --xml='<create_target><name>greenbone-client</name><hosts>192.168.0.32</hosts></create_target>'

Retrieving the target ID in order to create the task (the ID is also returned in the create_target response):

omp -T

Creating a task for the target just created

omp --xml='<create_task><name>SingleHost Scan</name><comment>Full and very deep ultimate scan</comment><config id="74db13d6-7489-11df-91b9-002264764cea"/><target id="fd1303be-9a24-45d1-aa40-d1116b7a3a2d"/></create_task>'

The response to this command contains the task_id; in this example it is cfcd991d-24e5-4d86-b266-223f0e0a83d4.

Starting the Scan

omp --xml='<start_task task_id="cfcd991d-24e5-4d86-b266-223f0e0a83d4"/>'

Controlling the scan. After starting the scan you can stop or pause it with the following commands:

omp --xml='<stop_task task_id="cfcd991d-24e5-4d86-b266-223f0e0a83d4"/>'
omp --xml='<pause_task task_id="cfcd991d-24e5-4d86-b266-223f0e0a83d4"/>'

Checking the Scan Status

omp -G

Retrieving the report IDs

omp -iX '<get_tasks details="1"/>'
omp -iX '<get_tasks task_id="2a20a24f-d1fb-4b99-b6b0-0a0a54ff5238" details="1"/>'

Checking for available report formats. This is needed to get the report format ID; in this case c1645568-627a-11e3-a660-406186ea4fc5 is the CSV Results format.

omp -iX '<get_report_formats/>'

Retrieve the Scan Reports

omp -iX '<get_reports report_id="dbb43b24-0504-4ddf-b168-32cdea5f0c74" format_id="c1645568-627a-11e3-a660-406186ea4fc5"/>'

OMP Return status codes

OMP status codes mirror the HTTP response codes 200, 201, 202, 400, 401, 403, 404, 409, 500 and 503. Every response carries them in its status and status_text attributes, so a script should check them before trusting the rest of the response:

  Code   Meaning
  2xx    Command successful (received, understood and accepted)
  200    OK
  201    OK, resource created
  202    OK, request submitted
  4xx    Command could not be executed due to an error made by the client
  400    Syntax error
  401    Authenticate first
  403    Access to resource forbidden
  404    Resource missing
  409    Resource busy
  5xx    Command failed due to an error in the manager
  500    Internal error
  503    Service unavailable / service temporarily down
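The walk-through above (create target, create task, start, poll, fetch report) and the status-code table are everything needed for objective 1, scanning a host without logging in to the WebUI. The script below is an example added to these notes, not code from the OpenVAS project or from the original post. It assumes the omp alias or ~/omp.config from the client section supplies host, port and credentials (so a bare `omp --xml=...` works), uses the "Full and fast" config and "CSV Results" format IDs listed above, and assumes, as observed with OMP 7 but not verified here, that get_reports returns non-XML formats base64-encoded inside the <report> element after the metadata. The OMP responses are parsed with plain POSIX parameter expansion, so nothing beyond sh, base64 and omp is required.

```shell
#!/bin/sh
# Scan a host end-to-end over OMP with the omp CLI: create target, create task,
# start it, poll until Done, print the CSV Results report. Example code added to
# these notes; not part of OpenVAS. Assumes the omp alias/omp.config from the
# client section supplies -h/-p/-u/-w, so `omp --xml=...` works unqualified.

OMP=${OMP:-omp}                                     # command used to talk OMP
POLL=${POLL:-30}                                    # seconds between status polls
FULL_AND_FAST=daba56c8-73ec-11df-a475-002264764cea  # scan config (from omp -g)
CSV_RESULTS=c1645568-627a-11e3-a660-406186ea4fc5    # report format (get_report_formats)

# xml_first XML OPEN CLOSE: print the text between the first OPEN and the next
# CLOSE. Returns 1 when OPEN is absent. Matching is literal, so '<' and '"' are safe.
xml_first() {
  rest=${1#*"$2"}
  [ "$rest" != "$1" ] || return 1
  printf '%s\n' "${rest%%"$3"*}"
}

omp_status()    { xml_first "$1" 'status="' '"'; }               # numeric status of the response
omp_id()        { xml_first "$1" ' id="' '"'; }                  # id attribute of the first element
omp_report_id() { xml_first "$1" '<report_id>' '</report_id>'; } # start_task names the report it fills
task_state()    { xml_first "$1" '<status>' '</status>'; }       # New/Requested/Running/Done/...
task_progress() { xml_first "$1" '<progress>' '<'; }             # percent; ignores per-host children

# report_body XML: base64 text embedded after the report metadata for non-XML
# formats (assumption based on OMP 7 get_reports responses; verify with omp -iX).
report_body()   { xml_first "$1" '</report_format>' '</report>'; }

# omp_check XML: succeed on 2xx, otherwise report "OMP <code>: <status_text>" and fail.
omp_check() {
  code=$(omp_status "$1") || { printf 'no OMP status in response\n' >&2; return 1; }
  case $code in
    2??) return 0 ;;
    *)   printf 'OMP %s: %s\n' "$code" "$(xml_first "$1" 'status_text="' '"')" >&2; return 1 ;;
  esac
}

# run_scan HOST [NAME] [CONFIG_ID]: full workflow, CSV results on stdout, progress on stderr.
run_scan() {
  host=$1; name=${2:-"omp-scan-$1"}; config=${3:-$FULL_AND_FAST}

  r=$("$OMP" --xml="<create_target><name>$name</name><hosts>$host</hosts></create_target>")
  omp_check "$r" || return 1
  target=$(omp_id "$r")

  r=$("$OMP" --xml="<create_task><name>$name</name><config id=\"$config\"/><target id=\"$target\"/></create_task>")
  omp_check "$r" || return 1
  task=$(omp_id "$r")

  r=$("$OMP" --xml="<start_task task_id=\"$task\"/>")
  omp_check "$r" || return 1
  report=$(omp_report_id "$r")

  while :; do
    r=$("$OMP" --xml="<get_tasks task_id=\"$task\"/>")
    omp_check "$r" || return 1
    state=$(task_state "$r")
    printf '%s: %s (%s%%)\n' "$task" "$state" "$(task_progress "$r")" >&2
    case $state in
      Done) break ;;
      Stopped|Interrupted) printf 'task ended in state %s\n' "$state" >&2; return 1 ;;
    esac
    sleep "$POLL"
  done

  r=$("$OMP" --xml="<get_reports report_id=\"$report\" format_id=\"$CSV_RESULTS\"/>")
  omp_check "$r" || return 1
  report_body "$r" | base64 -d
}

# Usage: ./omp-scan.sh 192.168.0.32 > results.csv
[ $# -eq 0 ] || run_scan "$@"
```

omp_check turns the status and status_text attributes from the table into a shell exit status, so a 404 from a mistyped task ID or a 409 (resource busy) aborts the run instead of being silently ignored, and the report ID is taken from the start_task response rather than looked up afterwards. Set POLL to something generous for a "Full and very deep" configuration.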
