OpenVAS A how-to guide about the most popular vulnerability test tool


OpenVAS A how-to guide about the most popular vulnerability test tool Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo Zhang; Igibek Koishybayev;

Introduction: OpenVAS architecture and environment

OpenVAS Architecture

Environment: DVWA + XAMPP, OpenWebMail, Metasploitable, Blackboard

Question: How to perform a normal scan with OpenVAS?

How to find the command set?
Solution: type # openvas and press Tab twice; the shell completion lists every OpenVAS binary:
- OpenVAS-Scanner: openvassd, openvas-mkcert, openvas-nvt-sync
- OpenVAS-Manager: openvasmd
- OpenVAS-Client: openvas-cli (the omp command)
- Greenbone-Security-Assistant: gsad

How to find the command set?
- openvas-setup (first-time set-up: certificates, admin user, initial feed sync)
- openvas-check-setup (verifies that scanner, manager, feed and client are correctly set up)
- openvas-nvt-sync (downloads the current NVT feed)
- openvassd --help for more information
- openvasmd --help for more information
Reference: http://www.openvas.org/setup-and-start.html https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04

Target -- XAMPP
XAMPP's name is an acronym for:
- X (to be read as "cross", meaning cross-platform)
- Apache HTTP Server
- MySQL
- PHP
- Perl
It is a completely free, easy to install Apache distribution containing MySQL, PHP, and Perl.
Reference: https://www.apachefriends.org/index.html http://en.wikipedia.org/wiki/XAMPP

Set a target

Create a task

Get the result
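The three screenshot steps above (set a target, create a task, get the result) go through the Greenbone web interface, which itself talks to openvasmd over OMP, the XML protocol that openvas-cli's omp command also speaks (omp -X sends the same XML). The example below is added here and is not the slides' or the OpenVAS project's code; it drives those three steps directly over OMP. It assumes the Manager's default listener 127.0.0.1:9390, an admin/admin account, and the upstream id of the "Full and fast" config; the canned Manager replies and the placeholder ids are constructed so the exchange can run offline.

```python
import socket
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Upstream id of the "Full and fast" scan config shipped with OpenVAS Manager.
FULL_AND_FAST = "daba56c8-73ec-11df-a475-002264764cea"


class OmpSocket:
    """Real transport: one TLS connection to openvasmd; send one command, read one reply."""

    def __init__(self, host="127.0.0.1", port=9390):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # openvas-mkcert produces a self-signed cert ...
        ctx.verify_mode = ssl.CERT_NONE   # ... so pin its fingerprint in real use instead of this
        self.sock = ctx.wrap_socket(socket.create_connection((host, port)))

    def send(self, xml):
        self.sock.sendall(xml.encode())
        buf = b""
        while True:
            chunk = self.sock.recv(65536)
            if not chunk:
                break
            buf += chunk
            try:                          # the Manager answers with exactly one element
                ET.fromstring(buf)
                break
            except ET.ParseError:
                continue
        return buf.decode()


class FakeTransport:
    """Offline transport: replays constructed Manager replies and records what was sent."""

    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []

    def send(self, xml):
        self.sent.append(xml)
        return self.replies.pop(0)


class OmpClient:
    def __init__(self, transport):
        self.t = transport

    def call(self, xml):
        """Send one OMP command; return the parsed response or raise on a non-2xx status."""
        root = ET.fromstring(self.t.send(xml))
        status = root.get("status", "")
        if not status.startswith("2"):
            raise RuntimeError(f"{root.tag}: {status} {root.get('status_text', '')}")
        return root

    def authenticate(self, user, password):
        self.call("<authenticate><credentials>"
                  f"<username>{escape(user)}</username><password>{escape(password)}</password>"
                  "</credentials></authenticate>")

    def create_target(self, name, hosts):                               # slide: "Set a target"
        r = self.call(f"<create_target><name>{escape(name)}</name>"
                      f"<hosts>{escape(hosts)}</hosts></create_target>")
        return r.get("id")

    def create_task(self, name, target_id, config_id=FULL_AND_FAST):   # slide: "Create a task"
        r = self.call(f"<create_task><name>{escape(name)}</name>"
                      f'<config id="{config_id}"/><target id="{target_id}"/></create_task>')
        return r.get("id")

    def start_task(self, task_id):                 # slide: "Get the result" (report id to fetch later)
        r = self.call(f'<start_task task_id="{task_id}"/>')
        return r.findtext("report_id")


def run_scan(transport, hosts, user="admin", password="admin"):
    """The three GUI steps in one call; returns (target_id, task_id, report_id)."""
    c = OmpClient(transport)
    c.authenticate(user, password)
    target_id = c.create_target("lab-target", hosts)
    task_id = c.create_task("lab-full-and-fast", target_id)
    return target_id, task_id, c.start_task(task_id)


# Constructed replies in the shape openvasmd sends; the ids are placeholders, not real ones.
CANNED_REPLIES = [
    '<authenticate_response status="200" status_text="OK"/>',
    '<create_target_response status="201" status_text="OK, resource created" id="target-1"/>',
    '<create_task_response status="201" status_text="OK, resource created" id="task-1"/>',
    '<start_task_response status="202" status_text="OK, request submitted">'
    '<report_id>report-1</report_id></start_task_response>',
]

if __name__ == "__main__":
    print(run_scan(FakeTransport(CANNED_REPLIES), "192.168.99.131"))
    # against a live Manager: run_scan(OmpSocket(), "192.168.99.131", "admin", "<password>")
```

The report id returned by start_task is what you later hand to get_reports to pull the result; a non-2xx status (wrong password, unknown config id) raises instead of being silently ignored, which is the failure the web interface hides behind a red banner.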

Question: How to insert plugins into OpenVAS?

OpenVAS Plugins & Webmail Vulnerability
Content:
- Webmail environment
- Vulnerability tests
- Insert your plugins

OpenVAS Plugins: NVTs
The OpenVAS project maintains a public feed of more than 35,000 NVTs (as of April 2014).
Command: openvas-nvt-sync, for online synchronisation from the feed service.
NVTs are NASL scripts (Nessus Attack Scripting Language).

OpenVAS Plugins
Location: /var/lib/openvas/plugins
Security tools integrated (wrapped by NVTs):
- Port scanners: NMAP, pnscan, strobe
- IPsec VPN scanning & fingerprinting: ike-scan
- Web server scanning: Nikto
- OVAL interpreter: ovaldi
- Web application attack and audit framework: w3af
- ...

NVT Plugin: how to write and implement our own plugins?
1. Copy the plugin to the OpenVAS plugin directory: /var/lib/openvas/plugins
2. Load the plugin into the scanner: restart openvassd (it reads the plugin directory at start-up)
3. Rebuild the Manager's NVT cache: openvasmd --rebuild
If you want to attach a signature and certificate to your plugin, refer to: http://www.openvas.org/trusted-nvts.html

Webmail Vulnerability: Mail Server Set-Up
Environment (local):
- OS: CentOS-6.5
- SMTP: Postfix-2.6 + SASL
- IMAP/POP3: Dovecot-2.0
- Web: Apache-2.2
- Webmail: Openwebmail-2.30 (Perl) / [Squirrelmail-1.4.22 (PHP)]
- URL: localhost/cgi-bin/openwebmail/openwebmail.pl
Openwebmail 2.30 is older than the 2.50 release named as the fix in the logindomain XSS NVT, so that test is expected to fire against this host.

OpenVAS Plugins: Network Vulnerability Tests (NVTs)

OpenVAS Plugins: NVT selection

OpenVAS Plugins: an example NVT (openwebmail_logindomain_xss.nasl)

# OpenVAS Vulnerability Test
# $Id: openwebmail_logindomain_xss.nasl 17 2013-10-27 14:01:43Z jan $
# Description: Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability
#
# Authors:
# George A. Theall, <theall@tifaware.com>
# Copyright:
# Copyright (C) 2005 George A. Theall
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

include("revisions-lib.inc");

tag_summary = "The remote webmail server is affected by a cross-site scripting flaw.

Description :

The remote host is running at least one instance of Open WebMail that
fails to sufficiently validate user input supplied to the 'logindomain'
parameter. This failure enables an attacker to run arbitrary script code
in the context of a user's web browser.";

tag_solution = "Upgrade to Open WebMail version 2.50 20040212 or later.";

# Description block: metadata only; the scanner calls the script once with
# description set to register it, then again to run the check.
if (description) {
  script_id(16463);
  script_version("$Revision: 17 $");
  script_tag(name:"last_modification", value:"$Date: 2013-10-27 15:01:43 +0100 (Sun, 27 Oct 2013) $");
  script_tag(name:"creation_date", value:"2005-11-03 14:08:04 +0100 (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"risk_factor", value:"Medium");
  script_cve_id("CVE-2005-0445");
  script_bugtraq_id(12547);
  script_xref(name:"OSVDB", value:"13788");
  name = "Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability";
  script_name(name);
  desc = "
  Summary:
  " + tag_summary + "
  Solution:
  " + tag_solution;
  script_description(desc);
  summary = "Checks for logindomain parameter cross-site scripting vulnerability in Open WebMail";
  script_summary(summary);
  script_category(ACT_ATTACK);
  script_copyright("This script is Copyright (C) 2005 George A. Theall");
  family = "Web application abuses";
  script_family(family);
  script_dependencies("openwebmail_detect.nasl");   # runs after the detection NVT that fills the KB
  script_require_ports("Services/www", 80);
  if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
    script_tag(name : "solution" , value : tag_solution);
    script_tag(name : "summary" , value : tag_summary);
  }
  script_xref(name : "URL" , value : "http://openwebmail.org/openwebmail/download/cert/advisories/SA-05:01.txt");
  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# We test whether the hole exists by trying to echo magic (urlencoded
# as alt_magic for http) and checking whether we get it back.
magic = "logindomain xss vulnerability";
alt_magic = str_replace(string:magic, find:" ", replace:"%20");

# Test an install.
install = get_kb_item(string("www/", port, "/openwebmail"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];   # install directory: the second capture of the pattern above (assignment restored, the slide omits it)
  url = string(
    dir,
    "/openwebmail.pl?logindomain=%22%20/%3E%3Cscript%3Ewindow.alert('", alt_magic, "')%3C/script%3E"
  );
  debug_print("retrieving '", url, "'.");
  req = http_get(item:url, port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
  if (isnull(res)) exit(0);   # can't connect
  debug_print("res =>>", res, "<<");

  # The reflected magic string in the body means the parameter is echoed unescaped.
  if (egrep(string:res, pattern:magic)) {
    security_warning(port);
    exit(0);
  }
}

OpenVAS Plugins: Insert Plugins (with certification)
1. Write the script: script.nasl
2. Run it without a signature: # openvas-nasl -X script.nasl (-X runs the script in "authenticated" mode, i.e. without the signature check)
3. Turn signature checking on in the scanner: # vim /etc/openvas/openvassd.conf and set nasl_no_signature_check = no
4. Key generation: the scanner's keyring lives in /etc/openvas/gnupg. Import the OpenVAS feed signing key so feed NVTs verify, and create your own key in that keyring to sign your plugins:
   # wget http://www.openvas.org/OpenVAS_TI.asc
   # gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc
   # gpg --homedir=/etc/openvas/gnupg --gen-key
5. Set trust on the keys (gpg --homedir=/etc/openvas/gnupg --edit-key <key id>, then trust)
6. Detach-sign the script:
   # gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o script.nasl.asc script.nasl
7. Ship the signature with the script: keep script.nasl.asc next to script.nasl in the plugin directory. openvassd verifies it against the keyring in /etc/openvas/gnupg; a detached signature is not something to gpg --import.
8. Parse, then execute:
   # openvas-nasl -p script.nasl (parse only)
   # openvas-nasl -t <target> script.nasl (run against a target)
9. Load the scanner (restart openvassd) and rebuild the Manager (openvasmd --rebuild)
Caveat: an NVT runs with the privileges of openvassd, normally root, so leave nasl_no_signature_check = yes only on a throwaway lab scanner; with checking on, an unsigned or badly signed plugin is refused, which is the point of the trusted-NVT scheme.

Openwebmail Vulnerabilities

Webmail Vuln. & OpenVAS Plugins: References
- Openwebmail: http://www.openwebmail.org/
- Online demo: http://openwebmail.amcpl.net/
- NVT signature: http://www.openvas.org/trusted-nvts.html

Question: How to understand NASL Script language?

NASL Language NASL is a scripting language designed for the Nessus security scanner. Its aim is to allow anyone to write a test for a given security hole in a few minutes, to allow people to share their tests without having to worry about their operating system, and to guarantee everyone that a NASL script can not do anything nasty except performing a given security test against a given target. Reference: http://virtualblueness.net/nasl.html

NVT Structure

# OpenVAS Vulnerability Test
# $Id$
# Description: [one-line-description]
# (copyright and writer information)

if(description)
{
  script_oid(FIXME);              # see http://www.openvas.org/openvas-oids.html
  script_version("$Revision$");   # leave as is, SVN will update this
  …
  exit(0);
}

include("FIXME.inc");   # in case you want to use a NASL library

# FIXME: the code.

Metasploitable 2
- Designed by HD Moore, now owned by Rapid7 (a free target for testing their well-known tool Metasploit)
- A special version of Ubuntu Linux 8.04
- A target machine with many built-in vulnerabilities
- A good platform to conduct security training, test security tools, and practice common penetration testing techniques
- Being intentionally vulnerable, it must only be run on an isolated lab network

Vulnerabilities (selection): Apache 2.2.8; Tomcat password; Samba NDR parsing heap overflow; BIND libbind inet_network(); PHP 5.2.12, 5.2.6, 5.2.8 (PHP fixed security issues); VNC password is "password"; Samba 'reply_netbios_packet' nmbd buffer overflow; CVE-2012-1667; HTML output script insertion (XSS); key algorithm rollover bug; DNS service BIND 9.4.2; MySQL 5.0.51a; and so on. About 135 in all, 40 of them critical.


OpenVAS Scan Report
Sadly, fewer results than there should be (using the full "ultimate" scan config). Some NVTs do not have the full functionality of the original program, or do not cover the whole CVE they are named after.

A Brief Example
The r-services misconfiguration OpenVAS reports on Metasploitable lets us log in to the target as root and execute shell commands with the rsh-client tools (in Kali Linux: apt-get install rsh-client).

Nmap NVT port scan
The Nmap NVT from the OpenVAS feed returned no result and could not list all the open ports. Running nmap itself in Kali gives the full result: every open port together with its protocol or service. An NVT wrapper cannot take the place of the original program.

Is the vulnerability working? Remote login
TCP ports 512, 513 and 514 are the "r" services (rexec, rlogin, rsh), misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). First install rsh-client, then type rlogin -l root 192.168.99.131, so...

Do something bad
Since we are logged in on the remote target as root, why not install our SSH key in root's authorized_keys (as we did in homework), so next time we can get in over SSH without the r-services at all.

Question: How to use OID to get NVT’s feed?

OID lookup
Every NVT carries a unique OID; use it to find the NVT in the feed and the information attached to it (name, CVEs, CVSS, references).
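The lookup above is done in the web interface; the same index can be built from the plugin directory itself, since every NVT's description block carries its OID and references. The parser below is an added example, not code from the slides or from OpenVAS. It assumes the OpenVAS convention that a legacy script_id(N) maps to the OID 1.3.6.1.4.1.25623.1.0.N (the arc from openvas-oids.html), and that metadata arguments are either string literals or variables assigned a literal earlier in the script, as in the Open WebMail NVT above. The two NASL fragments at the end are constructed for the offline demo; the first mirrors that NVT's metadata, the second uses a placeholder OID that is not a real feed entry.

```python
import os
import re
from dataclasses import dataclass

OID_PREFIX = "1.3.6.1.4.1.25623.1.0."   # OpenVAS arc; legacy script_id(N) becomes this + N

RE_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*;', re.M)
RE_OID    = re.compile(r'script_oid\(\s*"([\d.]+)"\s*\)')
RE_ID     = re.compile(r'script_id\(\s*(\d+)\s*\)')
RE_NAME   = re.compile(r'script_name\(\s*(?:"([^"]*)"|(\w+))\s*\)')
RE_FAMILY = re.compile(r'script_family\(\s*(?:"([^"]*)"|(\w+))\s*\)')
RE_CVE    = re.compile(r'script_cve_id\(([^)]*)\)')
RE_TAG    = re.compile(r'script_tag\(\s*name\s*:\s*"([^"]+)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)')


@dataclass
class Nvt:
    oid: str
    name: str
    family: str
    cves: list
    cvss: str
    path: str


def parse_nvt(text, path="<inline>"):
    """Pull index metadata from one NASL script's description block; None if it has no OID."""
    m = RE_OID.search(text)
    if m:
        oid = m.group(1)
    else:
        m = RE_ID.search(text)
        if not m:
            return None
        oid = OID_PREFIX + m.group(1)
    consts = dict(RE_ASSIGN.findall(text))      # name = "..."; style variables

    def literal(rx):                             # literal argument, or a variable resolved via consts
        mm = rx.search(text)
        if not mm:
            return ""
        return mm.group(1) if mm.group(1) is not None else consts.get(mm.group(2), "")

    cves = []
    for args in RE_CVE.findall(text):
        cves += re.findall(r"CVE-\d{4}-\d+", args)
    tags = dict(RE_TAG.findall(text))
    return Nvt(oid, literal(RE_NAME), literal(RE_FAMILY), cves, tags.get("cvss_base", ""), path)


class NvtIndex:
    def __init__(self):
        self.by_oid = {}
        self.by_cve = {}

    def add_text(self, text, path="<inline>"):
        nvt = parse_nvt(text, path)
        if nvt:
            self.by_oid[nvt.oid] = nvt
            for cve in nvt.cves:
                self.by_cve.setdefault(cve, []).append(nvt)
        return nvt

    def add_dir(self, plugin_dir="/var/lib/openvas/plugins"):
        """Index every .nasl under the scanner's plugin directory; returns the number of OIDs."""
        for root, _, files in os.walk(plugin_dir):
            for f in files:
                if f.endswith(".nasl"):
                    p = os.path.join(root, f)
                    with open(p, encoding="utf-8", errors="replace") as fh:
                        self.add_text(fh.read(), p)
        return len(self.by_oid)

    def lookup(self, key):
        """key is an OID or a CVE id (any case); returns the list of matching NVTs."""
        if key.upper().startswith("CVE-"):
            return self.by_cve.get(key.upper(), [])
        return [self.by_oid[key]] if key in self.by_oid else []


# Constructed fragments for the offline demo (description blocks only, no check logic).
SAMPLE_LEGACY = '''
if (description) {
  script_id(16463);
  script_tag(name:"cvss_base", value:"4.3");
  script_cve_id("CVE-2005-0445");
  name = "Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability";
  script_name(name);
  family = "Web application abuses";
  script_family(family);
  exit(0);
}
'''
SAMPLE_OID = '''
if (description) {
  script_oid("1.3.6.1.4.1.25623.1.0.999999");   # placeholder OID, not a feed entry
  script_name("Example rexecd presence check");
  script_family("Service detection");
  script_tag(name:"cvss_base", value:"0.0");
  exit(0);
}
'''


def demo_index():
    idx = NvtIndex()
    idx.add_text(SAMPLE_LEGACY, "openwebmail_logindomain_xss.nasl")
    idx.add_text(SAMPLE_OID, "example_rexecd.nasl")
    return idx


if __name__ == "__main__":
    idx = demo_index()   # on a scanner host: idx.add_dir() walks /var/lib/openvas/plugins instead
    for key in ("1.3.6.1.4.1.25623.1.0.16463", "CVE-2005-0445"):
        for n in idx.lookup(key):
            print(key, "->", n.oid, n.name, n.cves, n.cvss, n.path)
```

Looking a report finding up by OID this way tells you which file produced it, which is what you need when an NVT misfires and you want to read the check rather than the summary text.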

NVT Core (rexecd detection, excerpt)

include("revisions-lib.inc");
include("misc_func.inc");

port = get_kb_item("Services/rexecd");
if(!port) port = 512;

# username is a string consisting of 260 "x" (built with crap(); the slide only describes it in a comment)
username = crap(length:260, data:"x");
# rexec request: <stderr port>\0<user>\0<password>\0<command>\0, with an empty stderr port
rexecd_string = string(raw_string(0), username, raw_string(0), "xxx", raw_string(0), "id", raw_string(0));

soc = open_sock_tcp(port);
if(!soc) exit(0);
send(socket:soc, data:rexecd_string);
buf = recv_line(socket:soc, length:4096);
close(soc);

# An error reply (0x01 status byte, or a "too long" message for the oversized user)
# is enough to prove that rexecd is listening on the port.
if(strlen(buf) && (ord(buf[0]) == 1 || egrep(pattern:"too long", string:buf)))
{
  register_service(port:port, proto:"rexecd");
  security_warning(port:port, protocol:"tcp");
}
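The same probe as the NVT above, written here as an added Python example (not the slides' or OpenVAS's code) with an injectable socket so the exchange can be replayed offline. rexec (TCP 512) takes four NUL-terminated fields: stderr port (empty), user, password, command. The server answers with a single 0x00 byte before the command output, or 0x01 followed by an error text; the oversized user makes the error path the expected one, and either reply shape shows rexecd is there. It also handles the case the NASL does not: an empty reply, where indexing buf[0] would fail. The canned replies are constructed.

```python
import socket


def rexec_request(user, password, command, stderr_port=""):
    """Encode one rexec request: <stderr port>\\0<user>\\0<password>\\0<command>\\0."""
    fields = (stderr_port, user, password, command)
    return b"\0".join(f.encode() for f in fields) + b"\0"


def classify_reply(buf):
    """Map the first reply bytes to 'rexecd', 'rexecd-authenticated' or None."""
    if not buf:
        return None                       # closed or silent: not a rexecd answer
    if buf[0] == 1 or b"too long" in buf:
        return "rexecd"                   # error reply: the service is there, credentials refused
    if buf[0] == 0:
        return "rexecd-authenticated"     # success byte: the junk credentials were accepted
    return None                           # some other protocol on port 512


def probe(sock):
    """Send the oversized-user probe over an open socket and classify what comes back."""
    sock.sendall(rexec_request("x" * 260, "xxx", "id"))
    return classify_reply(sock.recv(4096))


def probe_host(host, port=512, timeout=5.0):
    """Live probe; note that rexec sends the password in clear text, so use throwaway values."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return probe(s)
    except OSError:
        return None


class FakeSocket:
    """Replays a constructed server reply and records the request, for offline runs."""

    def __init__(self, reply):
        self.reply = reply
        self.sent = b""

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        chunk, self.reply = self.reply[:n], self.reply[n:]
        return chunk


if __name__ == "__main__":
    print(probe(FakeSocket(b"\x01Username too long\n")))   # constructed error reply
    # live: print(probe_host("192.168.99.131"))
```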

Summary
Our purpose in building the lab:
- Full use of the penetration-testing tool
- Practical use of OpenVAS: for the attacker, exploit and sniff; for the defender, assess and patch
Brief assessment of OpenVAS:
- Open source
- Client-server structure
- Extensible and flexible NVT feed
- Security and authentication

DEMO

Questions?