OpenVAS 8.0 in Kali Linux installieren

Das Open Vulnerability Assessment System (OpenVAS) ist in der Version 8.0 erschienen. Nun sind auch aktualisierte Pakete für Kali-Linux vorhanden. Dieser Beitrag zeigt die schrittweise Installation. Ich habe mich entschieden, die Installation mit dem Kommando openvas-check-setup durchzuführen. Das Programm geht somit schrittweise vor. Es muss immer der als „FIX“ angegebene  Befehl als nächstes ausgeführt werden bis die Installation komplett abgeschlossen ist. Dies ist nach 10 Prüfungen der Fall.

Die offizielle Webseite beschreibt eine andere Lösung, die auch funktionieren könnte.

Am Anfang der Installation steht, wie immer, ein Update auf die aktuelle Version.

apt-get update && apt-get dist-upgrade

openvas-setup

openvas-check-setup

root@kali32109a:~# openvas-check-setup 
openvas-check-setup 2.3.0
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.1.
        ERROR: No CA certificate file of OpenVAS Scanner found.
        FIX: Run 'openvas-mkcert'.

 ERROR: Your OpenVAS-8 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
									

openvas-mkcert

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
   Certificate = /var/lib/openvas/CA/cacert.pem
   Private key = /var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server : 
    Certificate = /var/lib/openvas/CA/servercert.pem
    Private key = /var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit
									

Ja, man sollte etwas Geduld haben. Der Befehl openvas-check-setup wird nun noch mehrere Male ausgeführt werden müssen.

root@kali32109a:~# openvas-check-setup 
openvas-check-setup 2.3.0
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.1.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: OpenVAS Scanner server certificate is valid and present as /var/lib/openvas/CA/servercert.pem.
        ERROR: The NVT collection is very small.
        FIX: Run a synchronization script like openvas-nvt-sync or greenbone-nvt-sync.

 ERROR: Your OpenVAS-8 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
									

openvas-nvt-sync

root@kali32109a:~# openvas-nvt-sync
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
[w] Could not determine feed version.
[i] rsync is not recommended for the initial sync. Falling back on http.
[i] Will use wget
[i] Using GNU wget: /usr/bin/wget
[i] Configured NVT http feed: http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
[i] Downloading to: /tmp/openvas-nvt-sync.LJNdJZXGVF/openvas-feed-2015-05-01-18942.tar.bz2
--2015-05-01 18:42:21--  http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
Resolving www.openvas.org (www.openvas.org)... 5.9.98.186
Connecting to www.openvas.org (www.openvas.org)|5.9.98.186|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16610339 (16M) [application/x-bzip2]
Saving to: `/tmp/openvas-nvt-sync.LJNdJZXGVF/openvas-feed-2015-05-01-18942.tar.bz2'
									

openvas-mkcert-client -n -i

root@kali32109a:~# openvas-mkcert-client -n -i
Generating RSA private key, 4096 bit long modulus
.............................................................................................++
.......................................................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:State or Province Name (full name) [Some-State]:Locality Name (eg, city) []:Organization Name (eg, company) [Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section) []:Common Name (eg, your name or your server's hostname) []:Email Address []:Using configuration from /tmp/openvas-mkcert-client.19408/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
localityName          :PRINTABLE:'Berlin'
commonName            :PRINTABLE:'om'
Certificate is to be certified until Apr 30 22:52:26 2016 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

									

Die schrittweise Ausführung zeigt deutlich, das einiges tu tun ist, bis OpenVAS tatsächlich ordnungsgemäß funktioniert.

root@kali32109a:~# openvas-check-setup 
openvas-check-setup 2.3.0
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.1.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: OpenVAS Scanner server certificate is valid and present as /var/lib/openvas/CA/servercert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 38570 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        WARNING: The initial NVT cache has not yet been generated.
        SUGGEST: Start OpenVAS Scanner for the first time to generate the cache.
        OK: redis-server is present in version 2.4.14.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/lib/redis/redis.sock
        OK: redis-server is running and listening on socket: /var/lib/redis/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.1.
        OK: OpenVAS Manager client certificate is valid and present as /var/lib/openvas/CA/clientcert.pem.
        ERROR: No OpenVAS Manager database found. (Tried: /var/lib/openvas/mgr/tasks.db)
        FIX: Run 'openvasmd --rebuild' while OpenVAS Scanner is running.
        WARNING: OpenVAS Scanner is NOT running!
        SUGGEST: Start OpenVAS Scanner (openvassd).

 ERROR: Your OpenVAS-8 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

									

openvasmd –rebuild

openvasmd –create-user=admin –role=Admin && openvasmd –user=admin –new-password=YourPasswordHere

root@kali32109a:~# openvasmd --create-user=admin --role=Admin && openvasmd --user=admin --new-password=YourPasswordHere
User created with password '4f5a4604-2c0a-4242-bf9c-b91cee602b28'.

									

openvas-scapdata-sync

root@kali32109a:~# openvas-scapdata-sync
[i] This script synchronizes a SCAP data directory with the OpenVAS one.
[i] This script is for the SQLite3 backend.
[i] SCAP dir: /var/lib/openvas/scap-data
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured SCAP data rsync feed: rsync://feed.openvas.org:/scap-data
OpenVAS feed server - http://www.openvas.org/
This service is hosted by Intevation GmbH - http://intevation.de/
All transactions are logged.

Please report synchronization problems to openvas-feed@intevation.de.
If you have any other questions, please use the OpenVAS mailing lists
or the OpenVAS IRC chat. See http://www.openvas.org/ for details.

receiving incremental file list
./
COPYING
        1493 100%  729.00kB/s    0:00:00 (xfer#1, to-check=63/65)
COPYING.asc
         198 100%   11.37kB/s    0:00:00 (xfer#2, to-check=62/65)
									

openvas-certdata-sync

root@kali32109a:~# openvas-check-setup 
openvas-check-setup 2.3.0
  Test completeness and readiness of OpenVAS-8
  (add '--v6' or '--v7' or '--9'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 5.0.1.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: OpenVAS Scanner server certificate is valid and present as /var/lib/openvas/CA/servercert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 38570 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 38570 files for 38570 NVTs.
        OK: redis-server is present in version 2.4.14.
        OK: scanner (kb_location setting) is configured properly using the redis-server socket: /var/lib/redis/redis.sock
        OK: redis-server is running and listening on socket: /var/lib/redis/redis.sock.
        OK: redis-server configuration is OK and redis-server is running.
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 6.0.1.
        OK: OpenVAS Manager client certificate is valid and present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: At least one user exists.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 146.
        OK: OpenVAS Manager expects database at revision 146.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 38570 NVTs.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking user configuration ... 
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ... 
        OK: Greenbone Security Assistant is present in version 6.0.1.
Step 5: Checking OpenVAS CLI ... 
        OK: OpenVAS CLI version 1.4.0.
Step 6: Checking Greenbone Security Desktop (GSD) ... 
        SKIP: Skipping check for Greenbone Security Desktop.
Step 7: Checking if OpenVAS services are up and running ... 
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        WARNING: OpenVAS Manager is running and listening only on the local interface.
        This means that you will not be able to access the OpenVAS Manager from the
        outside using GSD or OpenVAS CLI.
        SUGGEST: Ensure that OpenVAS Manager listens on all interfaces unless you want
        a local service only.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        WARNING: Greenbone Security Assistant is running and listening only on the local interface.
        This means that you will not be able to access the Greenbone Security Assistant from the
        outside using a web browser.
        SUGGEST: Ensure that Greenbone Security Assistant listens on all interfaces.
        OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 6.47
        SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
Step 10: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        WARNING: Could not find rpm binary, LSC credential package generation for RPM and DEB based targets will not work.
        SUGGEST: Install rpm.
        WARNING: Could not find makensis binary, LSC credential package generation for Microsoft Windows targets will not work.
        SUGGEST: Install nsis.

It seems like your OpenVAS-8 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
									

Der OpenVAS-Manager, -Scanner und der GSAD-Service sollten nun gestartet sein und auf dem entsprechenden Port „horchen“. Wir testen dies mit folgendem Kommando:

root@kali32109a:~# netstat -antp | grep -iE "(openvas|gsad)"

tcp        0      0 127.0.0.1:9390          0.0.0.0:*               LISTEN      21061/openvasmd 
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN      20935/openvassd: Wa
tcp        0      0 127.0.0.1:9392          0.0.0.0:*               LISTEN      21041/gsad   
									

Nachdem die Installation abgeschlossen ist, kann nun der erste Login in die Weboberfläche erfolgen. Hier sind die Zugangsdaten zu nutzen, die im Befehl openvasmd –create-user festgelegt wurden. in unserem Beispiel admin und YourPasswordHere.

https://127.0.0.1:9392

Die Weboberfläche zeigt sich im bekannten Look. Unter der „Haube“ hat sich aber einiges getan.

OpenVAS8_1

OpenVAS8_2

9 Gedanken zu “OpenVAS 8.0 in Kali Linux installieren”

  1. Hallo Frank,
    danke für deine ausführliche Anleitung.

    Wir haben OpenVAS8 auf einer virtuellen Debian8-Maschine installiert.
    Wir können damit Scan’s durchführen, aber nach einer Stunde
    schließt sich die GSA-Session.
    Wenn wir dann einen Scan starten, bleibt der Fortschrittsmelder bei „1%“ stehen.
    Erst wenn wir Debian booten, können wir den Scan weiterlaufen lassen.
    Gibt es in OpenVAS8 eine Session-Timeout-Variable,
    oder woran könnte das liegen?

    Herzliche Grüße aus München
    Werner

    • Hallo Werner,

      Aus meiner Sicht hier nur soviel:

      OpenVAS ist, aus meiner Sicht, sehr Ressourcen-hungrig. Das fällt gerade bei virtuellen Maschinen schnell auf. Hast Du schon mal die Systemauslastung (CPU, RAM, HDD) während eines Scans testen können?

  2. Hallo Frank,
    die VM ist folgendermaßen konfiguriert:
    RAM: 8GB
    CPU: 4 Kerne
    HDD: 30 GB (bereitgestellt), 70 GB (belegt), 107 GB (max verfügbar).

    Das gesamte openVAS, auch der GSA-Web-Login, sind in der Debian-VM installiert.

    Nach ca. 1h, ist das Scannen nicht mehr möglich.
    Der Zeitraum von „1h“ ist reproduzierbar.
    Man kann Scan’s starten, die dann bei „1%“ stehen bleiben.
    Nach drücken des Refresh-Icons erscheint die Meldung „Warten auf localhost“.
    Nach dem Booten von Debian,
    dem Einloggen als User=Netchecker und
    dem Einloggen in das Root-Terminal und
    dem Starten der Dämonen (opanvas-start.sh)
    dem Einloggen in das grafische GSA-Web-Login
    (angezeigte Meldung „Sitzung ist abgelaufen. Bitte melden Sie sich erneut an“)
    kann man die Scan’s mit Resume fortsetzen.

    Ich habe keine GSA-Session-Timeout-Variable in /etc/openvas/openvasd.conf gefunden.

    Vielleicht hast du noch eine Idee, wo ich suchen soll?

    Herzliche Grüße
    Werner

    • Schwer zu sagen. Geben die Logfiles keine Hinweise? Vielleicht liegt es an den Zertifikaten oder der Datenbank? Ich würde jeweils nach Hinweisen oder Fehlermeldungen suchen. Keine große Hilfe, ich weiss.
      Hast Du openvas-check-setup schon mal laufen lassen?

  3. Hallo Frank,
    ich habe innerhalb openVAS schon alle üblichen Möglichkeiten untersucht.
    Ich versuche einfach mal OpenVAS9 auf einem neuen, selbst installierten, Debian zu installieren.
    Das Debian, das ich bisher verwendet habe, wurde von einem Ex-Kollegen
    installiert, der leider nicht mehr zur Verfügung steht.

    Danke für die Hilfe.

    Schöne Tage
    Werner

  4. Habe versucht openvas auf Kali zu istallieren .Ab hier komme ich nicht weiter.Versuche die Beispiele aus eurem Buch Hacking & Security nachzuvollziehen
    root@kali:~# apt-get install openvas
    Paketlisten werden gelesen… Fertig
    Abhängigkeitsbaum wird aufgebaut.
    Statusinformationen werden eingelesen…. Fertig
    Probieren Sie »apt –fix-broken install«, um dies zu korrigieren.
    Die folgenden Pakete haben unerfüllte Abhängigkeiten:
    default-mysql-server : Hängt ab von: mariadb-server-10.3 soll aber nicht installiert werden
    mariadb-server-10.1 : Hängt ab von: mariadb-client-10.1 (>= 1:10.1.29-6) ist aber nicht installierbar
    openvas : Hängt ab von: openvas-manager (>= 7.0.2-4) soll aber nicht installiert werden
    Hängt ab von: openvas-scanner (>= 5.1.1-4) soll aber nicht installiert werden
    Hängt ab von: greenbone-security-assistant (>= 7.0.0) soll aber nicht installiert werden
    Hängt ab von: openvas-cli (>= 1.4.5) soll aber nicht installiert werden

Schreibe einen Kommentar

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.