Prereq: Have a Metasploitable2 setup for scanning.
OpenVAS
OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing, various high level and low level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
The scanner is accompanied by a vulnerability tests feed with a long history and daily updates. This Greenbone Community Feed includes more than 64,000 vulnerability tests.
To install OpenVAS in your Kali VM, perform the following steps:
Update Kali:
$ sudo apt update
$ sudo apt -y upgrade
Install and configure OpenVAS. Note that, as of 2020, the commands are prefixed with GVM, short for Greenbone Vulnerability Management.
$ sudo apt install openvas
$ sudo apt install postgresql-14 # If needed, Spring 2022 addition...
$ sudo gvm-setup
The gvm-setup command will take a long time to download all the vulnerability definitions. Why don’t you open a new terminal tab and skip ahead to the Nessus setup while this runs in the background?
Update the signatures used in OpenVAS scanning:
$ sudo gvm-feed-update # Should see a long list scroll past your screen!
$ sudo gvmd --rebuild # Required, otherwise you'll just see vulnerability IDs
# and not names in the GUI #SadOutput
The gvmd --rebuild command will take a long time to build all the vulnerability definitions. The command returns immediately, but the rebuild keeps running in the background. You can continue and launch OpenVAS.
Start OpenVAS:
$ sudo gvm-start # Start openvas
# At this point, the following services should be running:
# greenbone-security-assistant
# ospd-openvas
# gvmd
The user “admin” was created with a random password at the end of the gvm-setup process. You can save that login if you prefer, or create a new login account with a more memorable password via the CLI:
$ sudo runuser -u _gvm -- gvmd --create-user=admin
$ sudo runuser -u _gvm -- gvmd --user=admin --new-password="XXXXXXXXX"
Open your web browser and go to https://127.0.0.1:9392 (or it will be auto-opened for you). Accept the self-signed certificate and log in with the user and the password you just created.
Do not configure or initiate a scan until you see CVEs and NVTs in the scanning tool dashboard. OpenVAS is processing the newly-downloaded signatures in the background, and the scanner will not be available until that work is finished.
If you want to monitor the system status, run the top program at the command line. While the signatures are being processed, you should see several OpenVAS related programs (ospd-openvas and gvmd) and several databases (postgres and redis-server) all actively consuming CPU resources.
When the signatures are fully processed, the Administration->Feed Status page should show your feeds as “Current”, and the main Dashboard should show graphs of CVEs and NVTs.
Now that the scanner is ready, it’s time to configure a scan! Go to Scans -> Tasks, click on the “magic wand” icon, and choose task wizard. Enter the IP of the Metasploitable2 VM and choose “Start Scan”. The tasks page will refresh every 30 seconds with the results of the scan.
The detailed scan will take a while to finish...
You can browse, but wait for the scan to fully complete to 100% before answering the questions...
At the menu, go to Scans->Reports and view the results for the task you just completed. Ensure its status is reported as DONE, and not ERROR. If barely any results are reported, consider that scan a failure and re-run it. Once the scan has finished, answer the Deliverables questions.
When you’re finished with the OpenVAS section of the lab, you can shut the program down.
$ sudo gvm-stop
Deliverables:
- How many high, medium, and low severity items were found?
- In OpenVAS, go to Scans -> Results. On the “Results by Severity Class” pie chart, restrict the list to vulnerabilities scoring as “High”. Find the one labeled “TWiki XSS and Command Execution Vulnerabilities”. Answer the following questions just for this specific vulnerability.
- What installed version of TWiki is Metasploitable2 using? (Note that this version string won’t necessarily be valid, indicating the limitations of version detection)
- What is the oldest version of TWiki that contains a fix to this arbitrary code execution vulnerability?
- What are the two CVE (Common Vulnerabilities and Exposures) numbers for these related TWiki vulnerabilities?
- Submit the Report from OpenVAS for this scan in PDF format (Go to Scans->Reports, click on the date of the scan desired, and in the toolbar choose the “Download Filtered Report” button. Change the Report Format to PDF)
Deliverable (Essay):
Pick one of the vulnerabilities scoring as MEDIUM or HIGH on the rating scale, but avoid the “End of Life Detection” reports, as those are boring. Also avoid the TWiki vulnerability we just examined. Provide the title OpenVAS gives and then explain the vulnerability in your own words, as if you were explaining to another student. Copying and pasting text from the OpenVAS report is NOT a sufficient explanation here. You may need to follow the links OpenVAS provides and/or search for additional information on your own.
In your answer, explain:
- What is the vulnerability?
- How could it be exploited?
- How could it be fixed?
A 2 paragraph answer is a sufficient level of detail.
OpenVAS (GVM) Troubleshooting
To do a successful scan, the GVM dashboard must show CVEs and NVTs, the Configuration->Scanners page should show two scanners (CVE and OpenVAS Default), and the Administration->Feed Status page should show all feeds either “Current” or updated within the last month. They should not say “Rebuilding”.
To verify the installation and configuration of OpenVAS:
# How much RAM does Kali have allocated to it? 4GB is a reasonable amount.
$ free -m
# Look at the MEM row, under the TOTAL column
#               total        used        free      shared  buff/cache   available
# Mem:           3909        1224         407          60        2278        2342
# Swap:           975          52         923
# Is there space left on disk? (vuln definitions are large, cumulatively)
$ df -h /
# Filesystem      Size  Used Avail Use% Mounted on
# /dev/sda2        28G   22G  5.3G  81% /
$ sudo apt autoremove # Might free up some disk space - removes old updates
# Is your feed up to date?
$ sudo gvm-feed-update
# Have you rebuilt the db after updating your feed?
$ sudo gvmd --rebuild
# Is GVM running?
$ sudo gvm-start
# Should load greenbone-security-assistant.service
# Should load gvmd.service
# Should load ospd-openvas.service
# Are there scanners configured and active?
$ sudo runuser -u _gvm -- gvmd --get-scanners
# 08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /var/run/ospd/ospd.sock 0 OpenVAS Default
# 6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE
# Do you have a user account to log into the web panel with?
$ sudo runuser -u _gvm -- gvmd --get-users --verbose
# admin 69431492-e29e-486d-8646-20aa0b939aef
# shafer 010eb26d-49e1-4ba3-bd17-04ead05ad161
# Does the self-checkup find anything amiss?
$ sudo gvm-check-setup
# (Lots of output...)
# (Lots of output...)
# (Lots of output...)
# It seems like your GVM-21.4.3 installation is OK.
Nessus
Nessus is a commercial vulnerability assessment scanner. OpenVAS is based on the original open-source version of Nessus from around 2005, but the two have diverged significantly since then.
First, register for a personal activation code at https://www.tenable.com/tenable-for-education
Second, download a copy of Nessus from https://www.tenable.com/downloads/nessus. The current version of Nessus as-of Feb 2022 is 10.1.1 and since you are installing it into Kali (which is Debian-based), you want to look for the file Nessus-10.1.1-debian6_amd64.deb. Accept the license agreement, and the download will begin.
To install Nessus:
# First change directory ('cd') to wherever the
# .deb installer is. Then:
$ sudo apt install ./Nessus-10.1.1-debian6_amd64.deb
Register Nessus:
Register the program with the “Nessus Essentials” activation code that was emailed to you. Only after activation (and not before!) will Nessus download the current set of vulnerability plugins to scan for.
$ sudo /opt/nessus/sbin/nessuscli fetch --register xxx-xxx-xxxx
Add Nessus User:
$ sudo /opt/nessus/sbin/nessuscli adduser
# Pick your username
# Pick your password
# YES we want this user to be 'system administrator'
# Blank rule set
# YES to confirm
Start Nessus:
$ sudo systemctl start nessusd
# Verify it's running
$ sudo systemctl status nessusd
Access the Nessus web GUI at https://localhost:8834
- Accept the self-signed certificate.
- Wait (and wait, and wait) while Nessus compiles all the plugins.
- Log in with the user account you previously created
Nessus External Scan: Tell Nessus to do an “Advanced Scan” of your Metasploitable2 VM:
- Go to Scans -> New Scan
- On the Scan Templates page under Vulnerabilities, choose the “Advanced Scan” type
- Provide a name for your scan configuration (e.g. “External Scan”)
- Provide the target IP address (in this case, the IP address of the Metasploitable2 VM)
- Save the scan template
- Press the “Play” button on the My Scans page to launch the scan you just created
Once the scan has finished, answer the Deliverables questions.
Deliverables (External Scan):
- How many vulnerabilities scored as critical, high, and medium did Nessus discover?
- Submit the Report from Nessus for this scan (PDF format, Report->Complete List of Vulnerabilities by Host)
Nessus Internal Scan: Tell Nessus to do an “Advanced Scan” of your Metasploitable2 VM. But this time, we will also give Nessus a login (credential, in their terminology) to the target system, allowing it to perform a greater number of tests. Nessus accepts a variety of credentials, not just to the operating system (i.e. SSH or Windows login), but also to application servers like databases, virtual machine managers, etc.
- Go to Scans -> New Scan
- On the Scan Templates page under Vulnerabilities, choose the “Advanced Scan” type
- Provide a name for your scan (e.g. “Internal Scan”)
- Provide the target IP address (in this case, the IP address of the Metasploitable2 VM)
- Under Credentials -> SSH, change the authentication method to password and enter the VM’s login (msfadmin / msfadmin). This will allow Nessus to ALSO do a scan from inside the system (in addition to the default external scan)
- Save the scan template
- Press the “Play” button on the My Scans page to launch the scan you just created
Once the scan has finished, answer the Deliverables questions.
When you’re finished with the Nessus section of the lab, you can shut the program down.
$ sudo systemctl stop nessusd
Deliverables (Internal Scan):
- How many vulnerabilities scored as critical, high, and medium did Nessus discover?
- Submit the Report from Nessus for this scan (PDF format, Report->Detailed Vulnerabilities by Host).
Observe that there might be a slight difference in the length of the report, compared to the earlier report type.
Deliverable (Essay):
Pick one of the vulnerabilities scoring as “Critical” by Nessus. Provide the title Nessus gives and then explain the vulnerability in your own words, as if you were explaining to another student. Copying and pasting text from the Nessus report is NOT a sufficient explanation here. You may need to follow the links Nessus provides and/or search for additional information on your own.
In your answer, explain:
- What is the vulnerability?
- How could it be exploited?
- How could it be fixed?
A 2 paragraph answer is a sufficient level of detail.
Additional Lab: Vulnerability Scanning
The objective of this lab is to create a report of potential vulnerabilities for a virtual machine. The VM is an Ubuntu-based Linux distribution called Metasploitable2, which is specifically designed to teach penetration testing skills such as vulnerability scanning.
During the lab, you may envision yourself as a defender, checking an organizational asset for vulnerabilities visible from an external perspective with the ultimate intention of patching them. Alternatively, you may envision yourself as an attacker, checking a target victim asset for vulnerabilities, with the ultimate intention of exploiting them. Both defenders and attackers may perform the same steps of vulnerability scanning.
Troubleshooting
Metasploitable2 is an ancient operating system. It is prone to crashing and otherwise suddenly behaving unexpectedly. If Metasploitable stops responding during the lab, try forcing it off and starting it up again:
Part 1. Host Discovery and Scanning using NMAP
NMAP is the de facto standard of host discovery and port scanning and has a host of features that make the tool very robust. In this section of the lab, you’ll try a few of NMAP’s features.
Throughout the lab, you should replace <IP.addr.of.metasploitable2> with the actual IPv4 address of Metasploitable.
- Open a “Terminal Emulator” window in Kali.
- Run all nmap commands as root – you’ll get more information as root for some commands.
- “Get root” in your shell (i.e., sudo -s or su root).
- Run nmap. Take a quick look at the available options.
Use nmap to determine whether your Metasploitable2 VM is live using a “ping scan”:
nmap -sn <IP.addr.of.metasploitable2>
The ping scan not only sends an ICMP request, but also an ARP ping, TCP pinging, and other techniques to determine if a host is live on the network.
- Question 1: What kind of information is shown when you run this ping scan for Metasploitable2?
You could also scan a range of IPs using CIDR block notation. See the network map for the IPv4 block of the infosec-net network. This can be fun to do if you also have your vulnerable Windows 7 VM running at the same time, although this is not required.
nmap -sn <ipv4 CIDR block>
You can find out your network by typing ifconfig on either Kali or Metasploitable2, and looking for the inet address plus the mask value on the same line. For example, a “mask” of 255.255.255.0 applied to an “inet” address of 192.168.56.17 translates to a network of 192.168.56.0/24. (Here 24 is the number of bits to mask; it takes 8 bits to make 255, and 8×3=24, so that mask covers three of the ‘.’ blocks.)
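As an added example (not part of the original lab), here is the netmask-to-CIDR reasoning above in Python, generalized to any contiguous mask and to both the old ifconfig output style (inet addr: ... Mask: ..., as on Metasploitable2) and the newer one (inet ... netmask ...). The ifconfig lines it parses are constructed samples.

```python
import ipaddress
import re

# Matches both ifconfig styles; the samples are constructed:
#   old (Metasploitable2 era):  inet addr:192.168.56.17  Bcast:192.168.56.255  Mask:255.255.255.0
#   new (current Kali):         inet 192.168.56.17  netmask 255.255.255.0  broadcast 192.168.56.255
INET_LINE = re.compile(
    r"inet(?: addr:|\s+)(\d{1,3}(?:\.\d{1,3}){3}).*?(?:netmask\s+|Mask:)(\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_ifconfig_inet(line: str):
    """Return (inet, mask) from one ifconfig 'inet' line, or None if the line has no such pair."""
    m = INET_LINE.search(line)
    return (m.group(1), m.group(2)) if m else None

def mask_to_prefix(mask: str) -> int:
    """Count the leading 1-bits of a dotted-decimal mask: 255.255.255.0 is 8+8+8 = 24.
    A valid mask is ones followed by zeros; a gap such as 255.0.255.0 is rejected."""
    octets = [int(o) for o in mask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad netmask: {mask}")
    bits = "".join(f"{o:08b}" for o in octets)   # 32-character string of 1s and 0s
    ones = bits.rstrip("0")
    if "0" in ones:
        raise ValueError(f"non-contiguous netmask: {mask}")
    return len(ones)

def network_cidr(inet: str, mask: str) -> str:
    """AND the address with the mask to get the network address, then append the prefix length."""
    prefix = mask_to_prefix(mask)
    net = int(ipaddress.IPv4Address(inet)) & int(ipaddress.IPv4Address(mask))
    cidr = f"{ipaddress.IPv4Address(net)}/{prefix}"
    # Cross-check the hand computation against the standard library.
    assert cidr == str(ipaddress.ip_interface(f"{inet}/{mask}").network)
    return cidr

def ping_sweep_argv(ifconfig_line: str) -> list:
    """Build the argv for the ping scan above (nmap -sn <CIDR>) from a host's own ifconfig line."""
    parsed = parse_ifconfig_inet(ifconfig_line)
    if parsed is None:
        raise ValueError("no inet/mask pair found on that line")
    return ["nmap", "-sn", network_cidr(*parsed)]

if __name__ == "__main__":
    sample = "          inet addr:192.168.56.17  Bcast:192.168.56.255  Mask:255.255.255.0"
    print(" ".join(ping_sweep_argv(sample)))   # nmap -sn 192.168.56.0/24
```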
Once you determine that a host is live, you can use NMAP to scan for open ports. Use a TCP scan to determine which ports are open on Metasploitable2:
nmap -sS <IP.addr.of.metasploitable2>
This scans approximately 1,800 of the most common TCP ports on the target machine.
Question 2: Which ports are open on the Metasploitable2 VM?
You can also specify additional ports to scan. Scan the first 10,000 ports of the Metasploitable2 VM:
nmap -sS -p1-10000 <IP.addr.of.metasploitable2>
Question 3: Did you find any additional ports?
Nmap can provide additional information about open ports by interrogating the ports it finds using the “sV” flag:
nmap -sV <IP.addr.of.metasploitable2>
Note: Press the “enter” key to see a status of the NMAP scan.
You can get further information still by using the aggressive flag (“-A”), which is a kitchen-sink of sorts.
nmap -A <IP.addr.of.metasploitable2>
Question 4: What additional information about the open ports on Metasploitable2 were you able to obtain by using the -sV and -A flags?
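As an added example (not part of the original lab), the following Python parses the port table that nmap prints for the -sS, -p and -sV scans above, so that the open ports (Question 2), the extra ports found by widening the range (Question 3), and the versions reported by -sV (Question 4) can be pulled out programmatically. The two nmap outputs embedded below are constructed samples in nmap's normal output format, not captures from Metasploitable2.

```python
import re
from dataclasses import dataclass

# One row of nmap's port table, e.g. "22/tcp open ssh OpenSSH 4.7p1"; the VERSION column
# only exists when -sV or -A was used, so it is optional.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str      # open, closed, filtered, open|filtered, ...
    service: str    # guessed from nmap-services, or probed with -sV
    version: str    # empty unless -sV / -A identified the software

def parse_nmap_ports(text: str) -> list:
    """Extract the port rows from nmap normal output; header and status lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            entries.append(PortEntry(int(port), proto, state, service, (version or "").strip()))
    return entries

def open_ports(text: str) -> list:
    """Question 2: which ports are open (filtered/closed rows are excluded)."""
    return sorted(e.port for e in parse_nmap_ports(text) if e.state == "open")

def additional_ports(default_scan: str, wider_scan: str) -> list:
    """Question 3: open ports the wider -p1-10000 scan found that the default list missed."""
    return sorted(set(open_ports(wider_scan)) - set(open_ports(default_scan)))

def service_versions(text: str) -> dict:
    """Question 4: port -> version string, only where -sV actually identified something."""
    return {e.port: e.version for e in parse_nmap_ports(text) if e.state == "open" and e.version}

# Constructed sample of a default-port-list scan (no -sV), not a capture from Metasploitable2.
SAMPLE_DEFAULT = """\
Nmap scan report for 192.168.56.102
Host is up (0.00041s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
80/tcp   open  http
"""
# Constructed sample of -sS -p1-10000 -sV output: a VERSION column and two extra open ports.
SAMPLE_WIDE_SV = """\
PORT     STATE    SERVICE  VERSION
21/tcp   open     ftp      vsftpd 2.3.4
22/tcp   open     ssh      OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open     telnet   Linux telnetd
80/tcp   open     http     Apache httpd 2.2.8 ((Ubuntu) DAV/2)
3306/tcp open     mysql    MySQL 5.0.51a-3ubuntu5
6000/tcp filtered X11
8180/tcp open     http     Apache Tomcat/Coyote JSP engine 1.1
"""
```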
A useful feature of nmap is operating system fingerprinting, which it accomplishes by profiling how a system responds to its scans.
nmap -O <IP.addr.of.metasploitable2>
Note: That’s a capital “oh” not a “zero.”
Question 5: What operating system does nmap report Metasploitable2 to be?
Now scan for web applications on Metasploitable2. Metasploitable2 has many intentionally vulnerable web apps. A web “application” is a loose term for a distinct website, or app, that runs over http. Applications may run off of different base URL paths, all sharing the same port, such as port 80 – but web apps can run off of any port.
nmap -sV --script=http-enum <IP.addr.of.metasploitable2>
The scan will list, for a given port, many different /paths/ that the scan found to return HTTP responses. You can browse these ports and paths in Kali’s web browser. For instance, if a scan of 192.168.56.102 reported that the path /tikiwiki/ was found running on port 4454, then the app could be investigated by entering the following address in a web browser address bar:
192.168.56.102:4454/tikiwiki/
(Recall that specifying a :port after an address changes the default for a given protocol, and that the default protocol that a web browser tries is http, which has a default port of 80.)
Feeling adventurous? Use a web browser to visit the /dvwa path off of Metasploitable2’s IP address. You’ll find an intentionally vulnerable web app. The default username/password is on the bottom of the page.
Question 6: What web applications are available on Metasploitable2?
Part 2. Vulnerability scanning using Nessus
In this part of the lab, you will use Nessus, a product by Tenable, to replicate what you did with nmap using a tool used in industry. According to Tenable:
Nessus is trusted by more than 30,000 organizations worldwide as one of the most widely deployed security technologies on the planet – and the gold standard for vulnerability assessment.
Start and register the Nessus Scanner
Nessus should already be installed on your Kali-on-GCP instance. It should also already be running.
1. Open Firefox on Kali and browse to https://kali:8834.
To get past the SSL warning, click ‘Advanced’ > ‘Accept the Risk and Continue’.
2. Select “Nessus Essentials”
3. Get a free registration activation code.
The prompt on the https://kali:8834 webpage seems to never send a registration link when an email is submitted. Instead, get a registration code by visiting the following tenable.com webpage: https://www.tenable.com/products/nessus/nessus-essentials
Submit your registration code on the https://kali:8834 page.
4. Choose any username:password you prefer for use with Nessus. For instance, you could use the username root with the password toor when prompted by Nessus. Click “reload” if the page fails to load.
Run a Nessus Scan
1. Click the “Scans” tab and press the “New Scan” button.
2. Choose “Basic Network Scan”
3. In the “Name” field, enter “Metasploitable2” or something more cool-sounding. In the “Targets” field, enter the IP address of the Metasploitable2 VM.
4. Under the category “Discovery,” change the “Scan Type” to “All ports.”
5. Under “Assessment”, change the dropdown to “Scan for known web vulnerabilities.”
6. Under “Advanced”, select Scan Type “Custom”. Then select “General” on the left. Uncheck “Enable safe checks,” and (Important!) set “Max number of concurrent TCP sessions per host” to 100.
Disabling “Safe Checks” tells Nessus that it’s okay to run checks that might crash the systems being scanned. A user would want to leave safe checks enabled if they were scanning a production network!
The latter setting, which limits the number of concurrent TCP sessions, prevents Nessus from crashing the infosec-net virtual network adapter (see this Nessus forum post for amusing anecdotes about Nessus scans crashing corporate firewalls).
7. Click the “Save” button, then click the “Scans” tab at the top of the web page. Next, on the row of the Metasploitable2 scan you just created, click the triangle “play” symbol to launch the scan.
8. In the Scans tab you should see the scan job running. This should take about 10 minutes to complete. In the meantime, you can click the job to see the vulnerabilities that Nessus has found so far. Vulnerabilities can be sorted by severity.