Vulnerability Scanning

Table of contents:

 Activity

OpenVAS

In this lab, you will use the OpenVAS and Nessus vulnerability scanners to probe the Metasploitable2 VM for
potential weaknesses.

Tip 1: This lab has a good deal of "hurry up and wait", where you wait while the scanner is fetching the latest
vulnerabilities, and wait while the scan runs. I suggest opening a second tab in your console and/or web
browser so that you can start configuring the second scanner while waiting for the first to finish.

Tip 2: Your setup or scan work will complete faster if you increase your Kali resource allocation beyond two
CPU cores and 2GB of RAM in your virtual machine monitor that it defaults to. Try for 3-4 CPU cores, and 4GB
of RAM, assuming your host system has those resources available.

Warning: Does your computer have less than 8GB of RAM? You should carefully consider how much RAM you
can afford to give to your Kali VM without going into swap. If memory is very tight, you may need to run only
one scanner at a time, and ensure that the previous scanner is shut down before moving onto the next.

Activities

Part 1 - OpenVAS

OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated
testing, various high level and low level Internet and industrial protocols, performance tuning for large-scale
scans and a powerful internal programming language to implement any type of vulnerability test.

The scanner is accompanied by a vulnerability tests feed with a long history and daily updates. This Greenbone
Community Feed includes more than 64,000 vulnerability tests.

To install OpenVAS in your Kali VM, perform the following steps:

Update Kali:

$ sudo apt update

$ sudo apt -y upgrade

Install and configure OpenVAS. Note that, as of 2020, the commands are prefixed with GVM, short for
Greenbone Vulnerability Management.

$ sudo apt install openvas

$ sudo gvm-setup

The gvm-setup command will take a long time to download all the vulnerabilty definitions. Why don't you open
a new terminal tab and skip ahead to the Nessus setup while this runs in the background?

Update the signatures used in OpenVAS scanning:

$ sudo gvm-feed-update # Should see a long list scroll past your screen!

$ sudo gvmd --rebuild # Required, otherwise you'll just see vulnerability IDs

# and not names in the GUI #SadOutput

The gvmd --rebuild command will take a long time to build all the vulnerability definitions. The command will
return immediately, but run in the background. You can continue and launch OpenVAS.

Start OpenVAS:

$ sudo gvm-start # Start openvas

# At this point, the following services should be running:

# greenbone-security-assistant

# opsd-openvas

# gvmd

The user "admin" was created with a random password at the end of the gvm-setup process. You can save that
login if you prefer, or create a new login account with a new more memorable password by the CLI:

$ sudo runuser -u _gvm -- gvmd --create-user=admin

$ sudo runuser -u _gvm -- gvmd --user=admin --new-password="XXXXXXXXX"

Open your web browser and go to https://127.0.0.1:9392 (or it will be auto-opened for you). Accept the self-
signed certificate and login with the user and the password you just created.

Do not configure or initiate a scan until you see CVEs and NVTs in the scanning tool dashboard. OpenVAS is
processing the newly-downloaded signatures in the background, and the scanner will not be available until
that work is finished.

If you want to monitor the system status, run the top program at the command line. While the signatures are
being processed, you should see several OpenVAS related programs (ospd-openvas and gvmd) and several
databases (postgres and redis-server) all actively consuming CPU resources. The top program will run forever,
so press q when you are finished monitoring and want to quit.
When the signatures are fully processed, the Administration->Feed Status page should show your feeds as
"Current", and the main Dashboard should show graphs of CVEs and NVTs.

Now that the scanner is ready, it's time to configure a scan! Go to Scans ->Tasks, click on the "magic wand"
icon, and choose task wizard. Enter the IP of the Metasploitable2 VM and choose "Start Scan". The tasks page
will refresh every 30 seconds with the results of the scan.

The detailed scan will take a while to finish....

You can browse, but wait for the scan to fully complete to 100% before answering the questions...

At the menu, go to Scans->Reports and view the results for the task you just completed. Ensure its status is
reported as DONE, and not ERROR. If barely any results are reported, consider that scan a failure and re-run it.
Once the scan has finished, answer the Deliverables questions.

When you're finished with the OpenVAS section of the lab, you can shut the program down.

$ sudo gvm-stop

Deliverables:

 How many high, medium, and low severity items were found?
  In OpenVAS, go to Scans -> Results. On the "Results by Severity Class" pie chart, restrict the list to
vulnerabilities scoring as "High. Find the one labeled "TWiki XSS and Command Execution
Vulnerabilities". Answer the following questions just for this specific vulnerability.

o What installed version of TWiki is Metasploitable2 using? (Note that this version string won't
necessarily be valid, indicating the limitations of version detection)

o What is the oldest version of TWiki that contains a fix to this arbitrary code execution
vulnerability?

o What are the two CVE (Common Vulnerabilities and Exposures) numbers for these related
TWiki vulnerabilities?

 Submit the Report from OpenVAS for this scan in PDF format (Go to Scans->Reports, click on the date
of the scan desired, and in the toolbar choose the "Download Filtered Report" button. Change the
Report Format to PDF)

Deliverable (Essay):

Pick one of the vulnerabilities scoring as MEDIUM or HIGH on the rating scale, but avoid the "End of Life
Detection" reports, as those are boring. Also avoid the TWiki vulnerability we just examined. Provide the title
OpenVAS gives and then explain the vulnerability in your own words, as if you were explaining to another
student. Copying and pasting text from the OpenVAS report is NOT a sufficient explanation here. You may need
to follow the links OpenVAS provides and/or search for additional information on your own.

In your answer, explain:

1. What is the vulnerability?

2. How could it be exploited?

3. How could it be fixed?

A 2 paragraph answer is a sufficient level of detail.

OpenVAS (GVM) Troubleshooting

To do a successful scan, the GVM dashboard must show CVEs and NVTs, the Configuration->Scanners page
should show two scanners (CVE and OpenVAS Default), and the Administration->Feed Status page should show
all feeds either "Current" or updated within the last month. They should not say "Rebuilding".
To verify the installation and configuration of OpenVAS:

# How much RAM does Kali have allocated to it? 4GB is a reasonable amount.

$ free -m

# Look at the MEM row, under the TOTAL column

# total used free shared buff/cache available

# Mem: 3909 1224 407 60 2278 2342

# Swap: 975 52 923

# Is there space left on disk? (vuln definitions are large, cumulatively)

$ df -h /

# Filesystem Size Used Avail Use% Mounted on

# /dev/sda2 28G 22G 5.3G 81% /

$ sudo apt autoremove # Might free up some disk space - removes old updates

# Is your feed up to date?

$ sudo gvm-feed-update

# Have you rebuilt the db after updating your feed?

$ sudo gvmd --rebuild

# Is GVM running?

$ sudo gvm-start

# Should load greenboard-sercurity-assistant.service

# Should load gvmd.service

# Should load ospd-openvas.service

# Are there scanners configured and active?

$ sudo runuser -u _gvm -- gvmd --get-scanners

# 08b69003-5fc2-4037-a479-93b440211c73 OpenVAS /var/run/ospd/ospd.sock 0 OpenVAS Default

# 6acd0832-df90-11e4-b9d5-28d24461215b CVE 0 CVE

# Do you have a user account to log into the web panel with?
$ sudo runuser -u _gvm -- gvmd --get-users --verbose

# admin 69431492-e29e-486d-8646-20aa0b939aef

# shafer 010eb26d-49e1-4ba3-bd17-04ead05ad161

# Does the self-checkup find anything amiss?

$ sudo gvm-check-setup

# (Lots of output...)

# (Lots of output...)

# (Lots of output...)

# It seems like your GVM-22.4.1 installation is OK.

OpenVAS bug in Kali (affected subset of students in 2023 - Likely fixed soon?)

Symptom: NVTs never initialize in the dashboard. /var/log/gvm/ospd-openvas.log shows:

OSPD[13696] 2023-01-26 20:20:22,033: WARNING: (gnupg) potential problem: ERROR: keydb_search

33554445

OSPD[13696] 2023-01-26 20:20:22,033: WARNING: (gnupg) potential problem: ERROR: keydb_search

33554445

OSPD[13696] 2023-01-26 20:20:22,033: WARNING: (gnupg) gpg returned a non-zero error code: 2

OSPD[13696] 2023-01-26 20:20:22,044: INFO: (ospd.main) Shutting-down server …

 Method 1 to fix: https://bugs.kali.org/view.php?id=8186

 Method 2 to fix: echo "disable_notus_hashsum_verification = True" >> /etc/gvm/ospd-openvas.conf

o See https://forum.greenbone.net/t/2023-still-failed-to-find-config-daba56c8-73ec-11df-
a475-002264764cea/13914/4 and https://forum.greenbone.net/t/kali-ospd-openvas-not-
staring-with-mqtt-broker-errors/13920/8