OpenVAS A how-to guide about the most popular vulnerability test tool


1 OpenVAS A how-to guide about the most popular vulnerability test tool
Team Members: Yingchao Zhu; Chen Qian; Xingyu Wu; XuZhuo Zhang; Igibek Koishybayev;

2 Introduction: OpenVAS architecture and environment

3 OpenVAS Architecture

4 Environment
DVWA + XAMPP, OpenWebMail, Metasploitable, Blackboard

5 Question: How to perform a normal scan with OpenVAS?

6 How to find the command set?
Solution: type "# openvas" and press Tab twice (shell completion) to list the commands:
OpenVAS-Scanner: openvassd, openvas-mkcert, openvas-nvt-sync
OpenVAS-Manager: openvasmd
OpenVAS-Client: openvas-cli
Greenbone-Security-Assistant: gsad

7 How to find the command set?
openvas-setup
openvas-check-setup
openvas-nvt-sync
openvassd --help for more information
openvasmd --help for more information
Reference: http: //

8 Target -- XAMPP
XAMPP's name is an acronym for:
X (to be read as "cross", meaning cross-platform)
Apache HTTP Server
MySQL
PHP
Perl
It is a completely free, easy-to-install Apache distribution containing MySQL, PHP, and Perl.
Reference:

9 Set a target

10 Create a task

11 Get the result

12 Question: How to insert plugins into OpenVAS?

13 OpenVAS Plugins & Webmail Vuln.
Content: Webmail environment; Vulnerability tests; Insert your plugins

14 OpenVAS Plugins
NVTs: the OpenVAS project maintains a public feed of more than 35,000 NVTs (as of April 2014).
Command: openvas-nvt-sync for online synchronisation from the feed service.
Based on NASL scripts (Nessus Attack Scripting Language).

15 OpenVAS Plugins
Location: /var/lib/openvas/plugins
Security tools integrated:
Port scanner: NMAP, pnscan, strobe
IPsec VPN scanning & fingerprinting: ike-scan
Web server scanning: Nikto
OVAL interpreter: ovaldi
Web application attack and audit framework: w3af
……

16 NVT Plugin
How to write and implement our own plugins?
Copy our plugins to the OpenVAS plugin directory: /var/lib/openvas/plugins
Load the plugins: openvassd
Rebuild the library: openvasmd --rebuild
If you want to attach a signature and certificate to your plugin, please refer to:

17 Webmail Vulnerability
Mail Server Set-Up Environment (Local)
OS: CentOS-6.5
SMTP: Postfix + SASL
IMAP/POP3: Dovecot-2.0
Web: Apache-2.2
Webmail: Openwebmail-2.30 (perl) / [Squirrelmail (php)]
localhost/cgi-bin/openwebmail/openwebmail.pl

18

19 OpenVAS Plugins: Network Vulnerability Tests (NVTs)

20 OpenVAS Plugins NVTs Selection

21 OpenVAS Plugins

# OpenVAS Vulnerability Test
# $Id: openwebmail_logindomain_xss.nasl :01:43Z jan $
#
# Description: Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability
#
# Authors:
# George A. Theall,
#
# Copyright:
# Copyright (C) 2005 George A. Theall
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA USA.

include("revisions-lib.inc");

tag_summary = "The remote webmail server is affected by a cross-site scripting flaw.

Description :

The remote host is running at least one instance of Open WebMail that
fails to sufficiently validate user input supplied to the 'logindomain'
parameter. This failure enables an attacker to run arbitrary script code
in the context of a user's web browser.";

tag_solution = "Upgrade to Open WebMail version or later.";

if (description) {
  script_id(16463);
  script_version("$Revision: 17 $");
  script_tag(name:"last_modification", value:"$Date: :01: (Sun, 27 Oct 2013) $");
  script_tag(name:"creation_date", value:" :08: (Thu, 03 Nov 2005)");
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:N/I:P/A:N");
  script_tag(name:"risk_factor", value:"Medium");
  script_cve_id("CVE ");
  script_bugtraq_id(12547);
  script_xref(name:"OSVDB", value:"13788");

  name = "Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability";
  script_name(name);

  desc = " Summary: " + tag_summary + " Solution: " + tag_solution;
  script_description(desc);

  summary = "Checks for logindomain parameter cross-site scripting vulnerability in Open WebMail";
  script_summary(summary);

  script_category(ACT_ATTACK);
  script_copyright("This script is Copyright (C) 2005 George A. Theall");

  family = "Web application abuses";
  script_family(family);

  script_dependencies("openwebmail_detect.nasl");
  script_require_ports("Services/www", 80);

  if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
    script_tag(name : "solution" , value : tag_solution);
    script_tag(name : "summary" , value : tag_summary);
  }
  script_xref(name : "URL" , value : "");   # the URL did not survive in the transcript
  exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);
if (!get_port_state(port)) exit(0);

# We test whether the hole exists by trying to echo magic (urlencoded
# as alt_magic for http) and checking whether we get it back.
magic = "logindomain xss vulnerability";
alt_magic = str_replace(string:magic, find:" ", replace:"%20");

# Test an install.
install = get_kb_item(string("www/", port, "/openwebmail"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
  dir = matches[2];   # install directory, captured by the second group of the pattern above
  url = string(
    dir,
    "/openwebmail.pl?logindomain=%22%20/%3E%3Cscript%3Ewindow.alert('",
    alt_magic,
    "')%3C/script%3E"
  );
  debug_print("retrieving '", url, "'.");

  req = http_get(item:url, port:port);
  res = http_keepalive_send_recv(port:port, data:req, bodyonly:TRUE);
  if (isnull(res)) exit(0);   # can't connect
  debug_print("res =>>", res, "<<");

  # the marker came back in the page: the parameter is reflected without validation
  if (egrep(string:res, pattern:magic)) {
    security_warning(port);
    exit(0);
  }
}
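The NVT above decides "vulnerable" by echoing a harmless marker through the logindomain parameter and checking whether the page sends it back. The following Python example is added here to make that check concrete; it is not the NVT and not Open WebMail code. The two page renderers are constructed stand-ins for the login page (one reflects the parameter verbatim, the other HTML-escapes it, which is the fix), the probe keeps the NVT's attribute-and-tag break-out shape but wraps the marker in a plain <b> element instead of a script tag, and the install directory passed to build_probe_url is an assumed value.

```python
"""Reflected-parameter check in the style of the Open WebMail logindomain NVT.

Added example, not the NVT and not Open WebMail code. vulnerable_login_page
and fixed_login_page are constructed stand-ins for the login page; the probe
has the same shape as the NVT's URL with the script tag replaced by <b>.
"""
import html
import re
import urllib.parse

# Benign marker, like the NVT's `magic`.
MAGIC = "logindomain xss vulnerability"
# Close the value attribute and the tag, then add a harmless element.
PROBE = '" /><b>' + MAGIC + '</b>'


def vulnerable_login_page(query: str) -> str:
    """Constructed vulnerable page: logindomain is interpolated verbatim."""
    domain = urllib.parse.parse_qs(query).get("logindomain", [""])[0]
    return f'<input type="hidden" name="logindomain" value="{domain}" />'


def fixed_login_page(query: str) -> str:
    """Constructed hardened page: html.escape(quote=True) encodes & < > " '."""
    domain = urllib.parse.parse_qs(query).get("logindomain", [""])[0]
    return ('<input type="hidden" name="logindomain" value="'
            + html.escape(domain, quote=True) + '" />')


def build_probe_url(install_dir: str) -> str:
    """Same construction as the NVT's string(dir, "/openwebmail.pl?logindomain=", ...),
    but fully percent-encoded (the NVT only encodes the spaces in magic)."""
    return install_dir + "/openwebmail.pl?logindomain=" + urllib.parse.quote(PROBE, safe="")


def is_reflected_unescaped(body: str) -> bool:
    """The NVT runs egrep(string:res, pattern:magic). This version is stricter:
    the marker must come back inside the injected <b> element, so a copy that
    was escaped to &lt;b&gt;... does not count as a hit."""
    return re.search(r"<b>" + re.escape(MAGIC) + r"</b>", body) is not None


def check(render) -> bool:
    """Push the probe through a renderer; True means the parameter is reflected unescaped."""
    query = urllib.parse.urlsplit(build_probe_url("/cgi-bin/openwebmail")).query
    return is_reflected_unescaped(render(query))


if __name__ == "__main__":
    print("vulnerable renderer:", check(vulnerable_login_page))  # True
    print("fixed renderer:", check(fixed_login_page))            # False
```

The stricter match in is_reflected_unescaped is the practical difference from the NVT: a page that escapes the input still contains the marker text, so a plain grep for magic would report a false positive there.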

22 Insert Plugins (with certification)
OpenVAS Plugins
1. script.nasl
2. # openvas-nasl -X script.nasl (insert without cert)
3. # vim /etc/openvas/openvassd.conf
   nasl_no_signature_check = no
4. Key generation
   # wget
   # gpg --homedir=/etc/openvas/gnupg --import OpenVAS_TI.asc

23 Insert Plugins (with certification)
OpenVAS Plugins
5. Set Trust
6. Detach Signature
   # gpg --homedir=/etc/openvas/gnupg/ --detach-sign -a -o script.nasl.asc script.nasl
7. Add Certificate
   # gpg --homedir=/etc/openvas/gnupg --import script.nasl.asc
8. Parse & Execute
   # openvas-nasl -p -t script.nasl
Load Scanner & Rebuild Manager
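Step 3 is what makes steps 5 to 8 matter: the scanner only verifies NVT signatures when nasl_no_signature_check is "no". As an added example, not part of the slides or of OpenVAS, the Python below parses the key = value format of openvassd.conf and reports the weak setting next to the corrected one. The two config texts are constructed samples, and load_conf simply reads whatever path it is given (the slide's /etc/openvas/openvassd.conf by default).

```python
"""Audit openvassd.conf for the NASL signature-check setting.

Added example, not OpenVAS code. WEAK_CONF and HARDENED_CONF are constructed
samples; the hardened one carries the value from step 3 of the slide.
"""
import re
from typing import Dict, List

# Constructed sample: signature checking switched off (unsigned NVTs load).
WEAK_CONF = """\
# openvassd.conf (constructed sample)
plugins_folder = /var/lib/openvas/plugins
nasl_no_signature_check = yes
"""

# Constructed sample: the setting from step 3 (signature checking enforced).
HARDENED_CONF = """\
# openvassd.conf (constructed sample)
plugins_folder = /var/lib/openvas/plugins
nasl_no_signature_check = no
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' comments and blank lines are skipped.
    A repeated key keeps its last value, as a last-wins reader would."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def signature_check_findings(text: str) -> List[str]:
    """Return findings for the signature-check setting; empty means nothing to report."""
    value = parse_conf(text).get("nasl_no_signature_check")
    findings: List[str] = []
    if value is None:
        findings.append("nasl_no_signature_check is not set explicitly; confirm the scanner's default")
    elif value.lower() in ("yes", "true", "1"):
        findings.append("nasl_no_signature_check = yes: unsigned or tampered NVTs will be loaded")
    return findings


def load_conf(path: str = "/etc/openvas/openvassd.conf") -> str:
    """Read a real config file from disk (path assumed; adjust for your install)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, signature_check_findings(text) or ["ok"])
```

Run it against the live file with signature_check_findings(load_conf()) on the scanner host; a non-empty list means the signing steps above give no protection because the scanner never looks at the signatures.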

24 Openwebmail Vulnerabilities

25 Webmail Vuln. & OpenVAS Plugins
References
Openwebmail:
Online Demo:
NVT Signature:

26 Question: How to understand NASL Script language?

27 NASL Language NASL is a scripting language designed for the Nessus security scanner. Its aim is to allow anyone to write a test for a given security hole in a few minutes, to allow people to share their tests without having to worry about their operating system, and to guarantee everyone that a NASL script can not do anything nasty except performing a given security test against a given target. Reference:

28 NVT Structure

# OpenVAS Vulnerability Test
# $Id$
#
# Description: [one-line-description]
#
# (copyright and writer information)

if(description)
{
  script_oid(FIXME);             # see
  script_version("$Revision$");  # leave as is, SVN will update this
  exit(0);
}

include("FIXME.inc");            # in case you want to use a NASL library

# FIXME: the code.

29 Metasploitable 2
Designed by HD Moore, now owned by Rapid7 (to test their well-known tool Metasploit, for free)
A special version of Ubuntu Linux 8.0.4
A target machine with many built-in vulnerabilities
A good platform to conduct security training, test security tools, and practice common penetration testing techniques.

30

31 Vulnerabilities: Apache 2.2.8, Tomcat password, Samba NDR parsing heap overflow, BIND libbind inet_network(), PHP , 5.2.6, 5.2.8, PHP fixed security issue, VNC password is "password", Samba 'reply_netbios_packet' Nmbd buffer overflow, cve , HTML output script insertion XSS, key algorithm rollover bug, DNS service BIND 9.4.2, MySQL a, and so on… About 135 in all. 40 are critical vulnerabilities!

32 List

33 OpenVAS Scan Report: sadly, not as many results as there should be (using the full ultimate scan). Some NVTs do not have the full functionality of the original program or of the CVE they check.

34 A Brief Example: we can use this vulnerability to log in remotely to the target as root and execute shell commands using the rsh-client service (in Kali Linux: apt-get install rsh-client).

35 Nmap NVT port scan: no result from the OpenVAS NVT Nmap feed; it can't list all the open ports. Using nmap in Kali, we get the full result: all the open ports are printed out by nmap, together with their protocol or function. The NVT can't take the place of the original program.

36 Is the vulnerability working?
Remote Login: TCP port 512 is one of the "r" services and has been misconfigured to allow remote access from any host (a standard ".rhosts + +" situation). First, install rsh-client. Then type in rlogin -l root , so…

37 Do something bad: since we have an SSH session with the remote target, why not generate an SSH key (as we did in homework), so that next time we can access it without limit!

38 Question: How to use OID to get NVT’s feed?

39 OID lookup: use the OID to look up the NVT and more information about it.
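Slide 28 shows which script_* calls carry an NVT's identity and metadata, and this slide uses the OID as the key for finding an NVT again. The Python below is an added example (not OpenVAS or Greenbone code) that extracts that metadata from NASL source text with regular expressions and builds the OID lookup over a plugin directory such as the /var/lib/openvas/plugins location from slide 15. SAMPLE_PLUGINS is constructed sample text, not feed content; its CVE and its second OID are placeholders, and the regexes assume string arguments contain no ")" character.

```python
"""Index NVT metadata by OID from NASL source.

Added example, not OpenVAS code. SAMPLE_PLUGINS is constructed sample text
(placeholder CVE and OID); load_plugin_dir reads a real plugin directory.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Legacy script_id(N) is equivalent to this prefix followed by N.
OID_PREFIX = "1.3.6.1.4.1.25623.1.0."

SAMPLE_PLUGINS: Dict[str, str] = {
    "openwebmail_logindomain_xss.nasl": '''
if (description) {
  script_id(16463);
  script_tag(name:"cvss_base", value:"4.3");
  script_tag(name:"risk_factor", value:"Medium");
  script_cve_id("CVE-0000-0001");   # placeholder, not a real CVE
  script_bugtraq_id(12547);
  script_name("Open WebMail Logindomain Parameter Cross-Site Scripting Vulnerability");
  script_family("Web application abuses");
  script_dependencies("openwebmail_detect.nasl", "http_version.nasl");
  exit(0);
}
''',
    "rexecd.nasl": '''
if (description) {
  script_oid("1.3.6.1.4.1.25623.1.0.900001");   # placeholder OID
  script_tag(name:"cvss_base", value:"0.0");
  script_name("rexecd service detection");
  script_family("Service detection");
  exit(0);
}
''',
}

_QUOTED = re.compile(r'"([^"]*)"')


def _call_args(func: str, text: str) -> List[str]:
    """Quoted string arguments of the first func(...) call; assumes no ')' inside strings."""
    m = re.search(func + r"\s*\(([^)]*)\)", text)
    return _QUOTED.findall(m.group(1)) if m else []


def parse_nvt(text: str) -> Dict[str, object]:
    """Extract description-block metadata from one NASL script."""
    oid: Optional[str] = None
    m = re.search(r'script_oid\s*\(\s*"([\d.]+)"\s*\)', text)
    if m:
        oid = m.group(1)
    else:
        m = re.search(r"script_id\s*\(\s*(\d+)\s*\)", text)
        if m:
            oid = OID_PREFIX + m.group(1)
    tags = dict(re.findall(
        r'script_tag\s*\(\s*name\s*:\s*"([^"]+)"\s*,\s*value\s*:\s*"([^"]*)"\s*\)', text))
    names = _call_args("script_name", text)
    families = _call_args("script_family", text)
    cves = [c for c in _call_args("script_cve_id", text) if re.fullmatch(r"CVE-\d{4}-\d{4,}", c)]
    return {
        "oid": oid,
        "name": names[0] if names else None,
        "family": families[0] if families else None,
        "cves": cves,
        "dependencies": _call_args("script_dependencies", text),
        "tags": tags,
    }


def build_oid_index(plugins: Dict[str, str]) -> Dict[str, Dict[str, object]]:
    """Map OID -> metadata plus file name; scripts without an OID are skipped."""
    index: Dict[str, Dict[str, object]] = {}
    for filename, text in plugins.items():
        meta = parse_nvt(text)
        if meta["oid"]:
            meta["file"] = filename
            index[str(meta["oid"])] = meta
    return index


def load_plugin_dir(path: str) -> Dict[str, str]:
    """Read every .nasl file below a plugin directory, e.g. /var/lib/openvas/plugins."""
    return {p.name: p.read_text(errors="replace") for p in Path(path).rglob("*.nasl")}


def find_by_cve(index: Dict[str, Dict[str, object]], cve: str) -> List[str]:
    return sorted(oid for oid, meta in index.items() if cve in meta["cves"])


def find_by_min_cvss(index: Dict[str, Dict[str, object]], threshold: float) -> List[str]:
    hits = []
    for oid, meta in index.items():
        try:
            if float(meta["tags"].get("cvss_base", "0")) >= threshold:
                hits.append(oid)
        except ValueError:
            pass   # malformed cvss_base: leave it out rather than guess
    return sorted(hits)


if __name__ == "__main__":
    for oid, meta in build_oid_index(SAMPLE_PLUGINS).items():
        print(oid, meta["file"], meta["name"], meta["cves"])
```

Against a real feed, build_oid_index(load_plugin_dir("/var/lib/openvas/plugins")) gives the same lookup the GUI does from an OID, and find_by_cve answers the question "which NVT covers this CVE" without opening the scanner.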

40 NVT Core

include("revisions-lib.inc");
include("misc_func.inc");

port = get_kb_item("Services/rexecd");
if(!port) port = 512;

# username is a string consisting of 260 "x" (built here as the slide's comment describes)
username = crap(data:"x", length:260);
rexecd_string = string(raw_string(0), username, raw_string(0), "xxx", raw_string(0), "id", raw_string(0));

soc = open_sock_tcp(port);
if(!soc) exit(0);
send(socket:soc, data:rexecd_string);
buf = recv_line(socket:soc, length:4096);
close(soc);

# an rexecd answers the over-long user name with a status byte of 1 or a "too long" error
if(ord(buf[0]) == 1 || egrep(pattern:"too long", string:buf)) {
  register_service(port:port, proto:"rexecd");
  security_warning(port:port, protocol:"tcp");
}

41 Summary
Our purpose of the lab generation:
Complete use of the penetration tool
Practical use of OpenVAS
For attacker: Exploit, Sniff
For defender: Assess, Patch
Brief assessment of OpenVAS:
Open source
Client-server structure
Extended and flexible NVT feed
Security and authentication

42 DEMO

43 Questions?
