
PRACTICAL:-7

AIM:- Securing Your Network: Network Vulnerability Assessment with OpenVAS/Nessus Framework.

Theory:

Introduction to OpenVAS:
OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated
and authenticated testing, various high-level and low-level internet and industrial
protocols, performance tuning for large-scale scans and a powerful internal
programming language to implement any type of vulnerability test.

The scanner obtains the tests for detecting vulnerabilities from a feed that has a long
history and daily updates.

OpenVAS has been developed and driven forward by the company Greenbone since
2006. As part of the commercial vulnerability management product family Greenbone
Enterprise Appliance, the scanner forms the Greenbone Community Edition together
with other open-source modules.

OpenVAS scan result:

URL used for scan: http://testasp.vulnweb.com/

Host          | High | Medium | Low | Log | False Positive
--------------------------------------------------------------
44.238.29.244 | 0    | 0      | 2   | 10  | 0
Total: 1      | 0    | 0      | 2   | 10  | 0

Vendor security updates are not trusted.


Overrides are off. Even when a result has an override, this report uses the actual threat of the result.
Information on overrides is included in the report.
Notes are included in the report.
This report might not show details of all issues that were found. Only results with a minimum QoD of 70 are shown.

This report contains all 12 results selected by the filtering described above. Before filtering there were 13 results.
1 Results per Host

1.1 44.238.29.244

Host scan start Mon Aug 14 08:21:22 2023 UTC
Host scan end   Mon Aug 14 08:42:04 2023 UTC

Service (Port) | Threat Level
-----------------------------
general/icmp   | Low
general/tcp    | Low
80/tcp         | Log
general/CPE-T  | Log
general/tcp    | Log
1.1.1 Low general/icmp

Low (CVSS: 2.1)


NVT: ICMP Timestamp Reply Information Disclosure

Summary
The remote host responded to an ICMP timestamp request.

Vulnerability Detection Result


The following response / ICMP packet has been received:
- ICMP Type: 14
- ICMP Code: 0

Impact
This information could theoretically be used to exploit weak time-based random number generators in
other services.

Solution:
Solution type: Mitigation
Various mitigations are possible:
- Disable the support for ICMP timestamp on the remote host completely
- Protect the remote host by a firewall, and block ICMP packets passing through the firewall in either direction (either completely or only for untrusted networks)

Vulnerability Insight
The Timestamp Reply is an ICMP message which replies to a Timestamp message. It consists of the
originating timestamp sent by the sender of the Timestamp as well as a receive timestamp and a
transmit timestamp.
Vulnerability Detection Method
Sends an ICMP Timestamp (Type 13) request and checks if a Timestamp Reply (Type 14) is received.
Details: ICMP Timestamp Reply Information Disclosure
OID:1.3.6.1.4.1.25623.1.0.103190
Version used: 2023-05-11T09:09:33Z

References
cve: CVE-1999-0524
url: https://datatracker.ietf.org/doc/html/rfc792
url: https://datatracker.ietf.org/doc/html/rfc2780
cert-bund: CB-K15/1514
cert-bund: CB-K14/0632
dfn-cert: DFN-CERT-2014-0658

1.1.2 Low general/tcp

Low (CVSS: 2.6)


NVT: TCP Timestamps Information Disclosure

Summary
The remote host implements TCP timestamps and therefore allows computing the uptime.

Vulnerability Detection Result


It was detected that the host implements RFC1323/RFC7323.
The following timestamps were retrieved with a delay of 1 second in-between:
Packet 1: 533083295
Packet 2: 533083409

Impact
A side effect of this feature is that the uptime of the remote host can sometimes be computed.

Solution:
Solution type: Mitigation
To disable TCP timestamps on Linux add the line 'net.ipv4.tcp_timestamps = 0' to /etc/sysctl.conf. Execute 'sysctl -p' to apply the settings at runtime.
To disable TCP timestamps on Windows execute 'netsh int tcp set global timestamps=disabled'. Starting with Windows Server 2008 and Vista, the timestamp cannot be completely disabled. The default behavior of the TCP/IP stack on these systems is to not use the Timestamp options when initiating TCP connections, but to use them if the TCP peer that is initiating communication includes them in its synchronize (SYN) segment.
See the references for more information.

Affected Software/OS
TCP implementations that implement RFC1323/RFC7323.

Vulnerability Insight
The remote host implements TCP timestamps, as defined by RFC1323/RFC7323.

Vulnerability Detection Method


Special IP packets are forged and sent with a little delay in between to the target IP. The responses are searched for timestamps. If found, the timestamps are reported.
Details: TCP Timestamps Information Disclosure
OID:1.3.6.1.4.1.25623.1.0.80091
Version used: 2023-08-01T13:29:10Z

References
url: https://datatracker.ietf.org/doc/html/rfc1323
url: https://datatracker.ietf.org/doc/html/rfc7323
url: https://web.archive.org/web/20151213072445/http://www.microsoft.com/en-us/download/details.aspx?id=9152

1.1.3 Log 80/tcp

Log (CVSS: 0.0)


NVT: CGI Scanning Consolidation

Summary
The script consolidates various information for CGI scanning.

This information is based on the following scripts / settings:
- HTTP-Version Detection (OID: 1.3.6.1.4.1.25623.1.0.100034)
- No 404 check (OID: 1.3.6.1.4.1.25623.1.0.10386)
- Web mirroring / webmirror.nasl (OID: 1.3.6.1.4.1.25623.1.0.10662)
- Directory Scanner / DDI_Directory_Scanner.nasl (OID: 1.3.6.1.4.1.25623.1.0.11032)
- The configured 'cgi_path' within the 'Scanner Preferences' of the scan config in use
- The configured 'Enable CGI scanning', 'Enable generic web application scanning' and 'Add historic /scripts and /cgi-bin to directories for CGI scanning' within the 'Global variable settings' of the scan config in use
If you think any of this information is wrong please report it to the referenced community forum.
Vulnerability Detection Result
The Hostname/IP "44.238.29.244" was used to access the remote host.
Generic web application scanning is disabled for this host via the "Enable generic web application scanning" option within the "Global variable settings" of the scan config in use.
Requests to this service are done via HTTP/1.1.
This service seems to be able to host PHP scripts.
This service seems to be able to host ASP scripts.
The User-Agent "Mozilla/5.0 [en] (X11, U; OpenVAS-VT 21.4.3)" was used to access the remote host.
Historic /scripts and /cgi-bin are not added to the directories used for CGI scanning. You can enable this again with the "Add historic /scripts and /cgi-bin to directories for CGI scanning" option within the "Global variable settings" of the scan config in use.
The following directories were used for CGI scanning:
http://44.238.29.244/
While this is not, in and of itself, a bug, you should manually inspect these directories to ensure that they are in compliance with company security standards.

Solution:

Log Method
Details: CGI Scanning Consolidation
OID:1.3.6.1.4.1.25623.1.0.111038
Version used: 2023-06-22T10:34:15Z

References
url: https://forum.greenbone.net/c/vulnerability-tests/7


Log (CVSS: 0.0)
NVT: HTTP Security Headers Detection

Summary
All known security headers are being checked on the remote web server. On completion a report will hand back whether a specific security header has been implemented (including its value and if it is deprecated) or is missing on the target.

Vulnerability Detection Result


Missing Headers | More Information
--------------------------------------------------------------------------------
Content-Security-Policy | https://owasp.org/www-project-secure-headers/#content-security-policy
Cross-Origin-Embedder-Policy | https://scotthelme.co.uk/coop-and-coep/, Note: This is an upcoming header
Cross-Origin-Opener-Policy | https://scotthelme.co.uk/coop-and-coep/, Note: This is an upcoming header
Cross-Origin-Resource-Policy | https://scotthelme.co.uk/coop-and-coep/, Note: This is an upcoming header
Document-Policy | https://w3c.github.io/webappsec-feature-policy/document-policy#document-policy-http-header
Feature-Policy | https://owasp.org/www-project-secure-headers/#feature-policy, Note: The Feature Policy header has been renamed to Permissions Policy
Permissions-Policy | https://w3c.github.io/webappsec-feature-policy/#permissions-policy-http-header-field
Referrer-Policy | https://owasp.org/www-project-secure-headers/#referrer-policy
Sec-Fetch-Dest | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#fetch_metadata_request_headers, Note: This is a new header supported only in newer browsers like e.g. Firefox 90
Sec-Fetch-Mode | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#fetch_metadata_request_headers, Note: This is a new header supported only in newer browsers like e.g. Firefox 90
Sec-Fetch-Site | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#fetch_metadata_request_headers, Note: This is a new header supported only in newer browsers like e.g. Firefox 90
Sec-Fetch-User | https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#fetch_metadata_request_headers, Note: This is a new header supported only in newer browsers like e.g. Firefox 90
X-Content-Type-Options | https://owasp.org/www-project-secure-headers/#x-content-type-options
X-Frame-Options | https://owasp.org/www-project-secure-headers/#x-frame-options
X-Permitted-Cross-Domain-Policies | https://owasp.org/www-project-secure-headers/#x-permitted-cross-domain-policies
X-XSS-Protection | https://owasp.org/www-project-secure-headers/#x-xss-protection, Note: Most major browsers have dropped / deprecated support for this header in 2020.


Solution:

Log Method
Details: HTTP Security Headers Detection
OID:1.3.6.1.4.1.25623.1.0.112081
Version used: 2021-07-14T06:19:43Z

References
url: https://owasp.org/www-project-secure-headers/
url: https://owasp.org/www-project-secure-headers/#div-headers
url: https://securityheaders.com/

Log (CVSS: 0.0)
NVT: HTTP Server Banner Enumeration

Summary
This script tries to detect / enumerate different HTTP server banners (e.g. from a frontend, backend or proxy server) by sending various different HTTP requests (valid and invalid ones).

Vulnerability Detection Result


It was possible to enumerate the following HTTP server banner(s):
Server banner | Enumeration technique
--------------------------------------------------------------------------------
Server: Microsoft-HTTPAPI/2.0 | Invalid HTTP 00.5 GET request (non-existent HTTP version) to '/'
Server: Microsoft-IIS/8.5 | Valid HTTP 1.0 GET request to '/index.htm'
X-Powered-By: ASP.NET | Valid HTTP 1.0 GET request to '/index.htm'

Solution:

Log Method
Details: HTTP Server Banner Enumeration
OID:1.3.6.1.4.1.25623.1.0.108708
Version used: 2022-06-28T10:11:01Z
Log (CVSS: 0.0)
NVT: HTTP Server type and version

Summary
This script detects and reports the HTTP Server’s banner which might provide the type and version of it.

Vulnerability Detection Result
The remote HTTP Server banner is: Server: Microsoft-IIS/8.5

Solution:

Log Method
Details: HTTP Server type and version
OID:1.3.6.1.4.1.25623.1.0.10107
Version used: 2023-08-01T13:29:10Z
Log (CVSS: 0.0)
NVT: Microsoft Internet Information Services (IIS) Detection (HTTP)
Summary
HTTP based detection of Microsoft Internet Information Services (IIS).

Vulnerability Detection Result


Detected Microsoft Internet Information Services (IIS)
Version: 8.5
Location: 80/tcp
CPE: cpe:/a:microsoft:internet_information_services:8.5
Concluded from version/product identification result:
Server: Microsoft-IIS/8.5

Solution:

Log Method
Details: Microsoft Internet Information Services (IIS) Detection (HTTP)
OID:1.3.6.1.4.1.25623.1.0.900710
Version used: 2023-06-23T16:09:17Z
Log (CVSS: 0.0)
NVT: Services

Summary
This plugin performs service detection.

Vulnerability Detection Result


A web server is running on this port

Solution:

Vulnerability Insight
This plugin attempts to guess which service is running on the remote port(s). For instance, it searches
for a web server which could listen on another port than 80 or 443 and makes this information available
for other check routines.

Log Method
Details: Services
OID:1.3.6.1.4.1.25623.1.0.10330
Version used: 2023-06-14T05:05:19Z

1.1.4 Log general/CPE-T

Log (CVSS: 0.0)


NVT: CPE Inventory
Summary
This routine uses information collected by other routines about CPE identities of operating systems,
services and applications detected during the scan.
Note: Some CPEs for specific products might show up twice or more in the output. Background: After a product got renamed or a specific vendor was acquired by another one it might happen that a product gets a new CPE within the NVD CPE Dictionary but older entries are kept with the older CPE.

Vulnerability Detection Result


44.238.29.244|cpe:/a:microsoft:internet_information_services:8.5
44.238.29.244|cpe:/o:microsoft:windows

Solution:

Log Method
Details: CPE Inventory
OID:1.3.6.1.4.1.25623.1.0.810002
Version used: 2022-07-27T10:11:28Z

References
url: https://nvd.nist.gov/products/cpe

1.1.5 Log general/tcp

Log (CVSS: 0.0)


NVT: Hostname Determination Reporting

Summary
The script reports information on how the hostname of the target was determined.

Vulnerability Detection Result


Hostname determination for IP 44.238.29.244:
Hostname|Source
44.238.29.244|IP-address

Solution:

Log Method
Details: Hostname Determination Reporting
OID:1.3.6.1.4.1.25623.1.0.108449
Version used: 2022-07-27T10:11:28Z
Log (CVSS: 0.0)
NVT: OS Detection Consolidation and Reporting
Summary
This script consolidates the OS information detected by several VTs and tries to find the best matching OS. Furthermore it reports all previously collected information leading to this best matching OS. It also reports possible additional information which might help to improve the OS detection. If any of this information is wrong or could be improved please consider reporting it to the referenced community forum.

Vulnerability Detection Result


Best matching OS:
OS: Microsoft Windows Server 2012 R2 or Microsoft Windows 8.1
CPE: cpe:/o:microsoft:windows
Found by VT: 1.3.6.1.4.1.25623.1.0.111067 (Operating System (OS) Detection (HTTP))
Concluded from HTTP Server banner on port 80/tcp: Server: Microsoft-IIS/8.5
Setting key "Host/runs_windows" based on this information

Solution:

Log Method
Details: OS Detection Consolidation and Reporting
OID:1.3.6.1.4.1.25623.1.0.105937
Version used: 2023-08-11T05:05:41Z

References
url: https://forum.greenbone.net/c/vulnerability-tests/7

Log (CVSS: 0.0)
NVT: Traceroute

Summary
Collect information about the network route and network distance between the scanner host and the
target host.
Vulnerability Detection Result
Network route from scanner (10.88.0.2) to target (44.238.29.244):
10.88.0.2
10.206.6.172
10.206.35.31
10.206.32.1
173.255.239.101
23.203.154.22
23.203.154.38
23.32.63.48
23.32.63.38
23.32.63.231
23.209.163.41
52.95.52.165
44.238.29.244
Network distance between scanner and target: 13

Solution:

Vulnerability Insight
For internal networks, the distances are usually small, often less than 4 hosts between scanner and
target. For public targets the distance is greater and might be 10 hosts or more.

Log Method
A combination of the protocols ICMP and TCP is used to determine the route. This method is applicable
for IPv4 only and it is also known as ’traceroute’.
Details: Traceroute
OID:1.3.6.1.4.1.25623.1.0.51662
Version used: 2022-10-17T11:13:19Z

References:

https://hostedscan.com/openvas-vulnerability-scan/

https://openvas.org/
