October 11, 2024

Open Vulnerability Assessment System (OpenVAS)

OpenVAS is an open source fork of the popular vulnerability scanner Nessus. It’s a server/client scanner: you install the server (which does the “attacking” when you tell it to) and a client on your laptop that tells the server which target to scan for vulnerabilities. You have to update the vulnerability definitions from the OpenVAS feed with a command on the server; that gets you the latest information so you can check for the latest threats on whatever server you’ll be testing.

Server Install HowTo

On the SERVER, su to root (or use sudo, your choice: prefix each command with sudo and authenticate when prompted) and run:

apt-get install openvas-plugins-base openvas-plugins-dfsg openvas-server rsync

Now you have to update the definitions. This can take a while (it uses rsync behind the scenes); at the time of writing there are ~42k definitions to download, but it shows you a progress bar.

openvas-nvt-sync

When it’s done, start (or restart) the OpenVAS server:

/etc/init.d/openvas-server start

You may get some errors about specific items from the NVT feed; you can ignore them. Now add the user that will be connecting to the server from your LAPTOP, so you can use the laptop client:

openvas-adduser whateverusernameyouwanttoadd

It will prompt you for a password (or a certificate, if you want to use that instead); you can also restrict which IP(s) your laptop client is allowed to connect from. Now automate the updates on the server so it stays current: create a new file

vi /usr/src/openvas/openvas_update.sh

and add this:

#!/bin/sh
# Sync the NVT feed. Capture stdout and stderr together and show them only
# if the sync failed, so cron stays quiet on success and mails you the log
# on failure. (The original "2>&1> $temp" ordering sent stderr to the
# terminal instead of the temp file.)
temp=$(tempfile)
if ! openvas-nvt-sync > "$temp" 2>&1
then
	cat "$temp"
fi
rm -f "$temp"
# Tell a running openvasd to reload the new definitions (SIGHUP).
if [ -f /var/lib/run/openvasd.pid ]
then
	pid=$(cat /var/lib/run/openvasd.pid)
	kill -1 "$pid" 2>/dev/null
fi

Now schedule it with cron to run when you want it to, in this case at 4:25 every morning; adjust as needed:

25 4 * * * /usr/src/openvas/openvas_update.sh
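A cron job like the one above fails silently if the feed stops syncing or the daemon dies, so here is an added health check (example code, not part of the original howto) you can run from another cron entry or before a scan. It reports whether the NVT directory has been written to recently and whether the pid file names a live process. The pid file path is the one the update script uses; NVT_DIR is an assumption (Debian stores the plugins under /var/lib/openvas/plugins on the versions this howto targets) and both can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not from the original howto: health check for the
# cron-driven NVT update. Returns non-zero on any problem so cron (which
# mails any output) or a monitoring agent can pick it up.
#
# Assumptions: NVT_DIR is where openvas-nvt-sync stores definitions
# (/var/lib/openvas/plugins is an assumed Debian default); PID_FILE is the
# path used by the howto's update script.

NVT_DIR="${NVT_DIR:-/var/lib/openvas/plugins}"
PID_FILE="${PID_FILE:-/var/lib/run/openvasd.pid}"

# Return 0 if at least one file under $1 was modified in the last $2 minutes.
feed_is_fresh() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -type f -mmin "-$2" 2>/dev/null | head -n 1)" ]
}

# Return 0 if the pid file $1 exists and names a running process.
# kill -0 sends no signal; it only checks that the pid exists and is ours.
daemon_is_running() {
    [ -f "$1" ] || return 1
    pid=$(cat "$1") && [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Combined check: one status line per item, non-zero exit on any failure.
# $1 is the maximum feed age in minutes; the default (~25 h) tolerates a
# daily cron run with a little slack, so one missed run is reported.
check_openvas_update() {
    max_age="${1:-1500}"
    status=0
    if feed_is_fresh "$NVT_DIR" "$max_age"; then
        echo "feed: ok (updated within $max_age min)"
    else
        echo "feed: STALE or missing ($NVT_DIR)"
        status=1
    fi
    if daemon_is_running "$PID_FILE"; then
        echo "openvasd: running (pid $pid)"
    else
        echo "openvasd: NOT running ($PID_FILE)"
        status=1
    fi
    return $status
}
```

Save it on the server and call `check_openvas_update` from a cron entry a few minutes after the update job (for example `35 4 * * * . /usr/src/openvas/check_openvas.sh && check_openvas_update`); because it prints only one line per item and exits non-zero on trouble, cron's mail on output is all the alerting you need.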

Laptop Setup HowTo

Now you have to install the client on your LAPTOP like:

apt-get install openvas-client

GUI client

The GUI client is located someplace like: Menu -> Internet -> OpenVAS-client. It will walk you through (with the wizard) creating a Task, then a target, then it’ll prompt you (when you run the task) to hook up to a SERVER, that’s the IP or hostname of the server we just set up at the beginning of this howto. Use the username you already set up on the server.

Command line client

I like the command line because I can do things to automate it and easily record the results, YMMV. Here’s how to connect to your server and then scan a host at IP 1.2.3.4; change both of these values to reflect your actual server and target (explanation after the commands):

echo "1.2.3.4" >> iptoscan.txt
openvas-client -qxV ser.ver.i.p 9390 yourusername "password" iptoscan.txt scanresults.html -T html

1. The first command puts the IP you want to scan into a file called iptoscan.txt, which the client reads later.

2. The second command connects to your server (ser.ver.i.p; replace with the actual IP) on port 9390 in quiet mode (-q), without asking about the SSL certificate (-x), and showing you what’s going on (-V), as the username you created on the server earlier (with the password you entered). It then reads the IP listed in iptoscan.txt, uses it as the scan target, and creates an HTML report of the results in the file scanresults.html. That’s a mouthful for one command to do, but that’s the beauty of command line stuff; the ugly part is when it doesn’t do what you want it to and/or doesn’t tell you what went wrong or what it might have just done.
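The two commands above are all you need for one host, but once you automate them the failure modes the text mentions (the client not telling you what went wrong) bite harder: a typo in the target list scans the wrong box, and an empty report looks like a finished run. The wrapper below is an added example (not code from the original howto) that validates every target as an IPv4 address before anything is sent, gives each run a timestamped report and target file, appends the client's output to a log, and treats a non-zero exit or an empty report as a failure. The flags and argument order are the ones used above; the server address, port, user and password come from the environment (assumed variable names), and OPENVAS_CLIENT lets you point it at a different binary.

```shell
#!/bin/sh
# Added example, not from the original howto: wrapper around the
# openvas-client invocation shown in the text.
#
# Assumptions: OPENVAS_USER / OPENVAS_PASS hold the account created with
# openvas-adduser; OPENVAS_PORT defaults to 9390 as in the howto;
# OPENVAS_CLIENT names the client binary (overridable for testing).

OPENVAS_CLIENT="${OPENVAS_CLIENT:-openvas-client}"
OPENVAS_PORT="${OPENVAS_PORT:-9390}"

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate the whitespace-separated list in $1, then write it one target
# per line to $2. Rejects the whole list on the first bad entry so a typo
# cannot end up scanning an unintended host.
build_target_file() {
    [ -n "$1" ] || { echo "empty target list" >&2; return 1; }
    for t in $1; do
        is_ipv4 "$t" || { echo "rejecting target '$t': not an IPv4 address" >&2; return 1; }
    done
    printf '%s\n' $1 > "$2"
}

# run_scan SERVER "IP IP ..." OUTDIR
# Runs one scan, saving the HTML report as OUTDIR/scan-<stamp>.html and the
# client's chatter in OUTDIR/scan.log. Prints the report path on success.
run_scan() {
    : "${OPENVAS_USER:?set OPENVAS_USER}" "${OPENVAS_PASS:?set OPENVAS_PASS}"
    server="$1"; targets="$2"; outdir="$3"
    stamp="$(date +%Y%m%d-%H%M%S)-$$"
    report="$outdir/scan-$stamp.html"
    tfile="$outdir/targets-$stamp.txt"
    mkdir -p "$outdir"
    build_target_file "$targets" "$tfile" || return 1
    # -q quiet, -x do not prompt about the SSL certificate, -V verbose,
    # -T html report format: the same flags as the howto's command.
    "$OPENVAS_CLIENT" -qxV "$server" "$OPENVAS_PORT" \
        "$OPENVAS_USER" "$OPENVAS_PASS" "$tfile" "$report" -T html \
        >> "$outdir/scan.log" 2>&1
    rc=$?
    # An exit of 0 with an empty report still means nothing usable was scanned.
    if [ $rc -ne 0 ] || [ ! -s "$report" ]; then
        echo "scan of '$targets' failed (exit $rc); see $outdir/scan.log" >&2
        return 1
    fi
    echo "$report"
}
```

Typical use is `OPENVAS_USER=you OPENVAS_PASS=... run_scan ser.ver.i.p "1.2.3.4 1.2.3.5" ~/scans`. Note that, exactly like the one-liner in the text, the password ends up on the client command line where any local user can read it from the process list; keeping the scan laptop single-user, or using the certificate option that openvas-adduser offers instead of a password, avoids that exposure.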

If you don’t already have a webserver installed on the SERVER you want to read the .html report from, log in to your server and run something like:

apt-get install apache2 libapache2-mod-php5 php5 openssl ssl-cert

It’ll just sit there and act broken for a while. Want to know if it’s doing something? Open another command prompt somewhere and run

iftop -i wlan0

(wlan0 is my wireless interface on the laptop; change it to whatever interface you use.)

This lets you watch traffic going to/from your server at ser.ver.i.p. You can also run htop to see what’s happening, or go do something useful and check back after a while. As an example, it’s not unusual for a scan to take 10-15 minutes per target.