OpenVAS in Kali Linux 1.0.8 installieren

Was ist OpenVAS? Auf der eigenen Webseite wir er als „Der weltweit fortschrittlichste Open Source Schwachstellen-Scanner und –Manager“ angepriesen.

Weiter wird erläutert: „Das Open Vulnerability Assessment System (OpenVAS) ist ein Framework aus mehreren Diensten und Werkzeugen die zusammen eine umfangreiche und mächtige Lösung für Schwachstellen-Scanning und Schwachstellen-Management darstellen.“

In einem früheren Post hatte ich die Installation von OpenVAS in Backtrack 5 erläutert. Kali Linux hat als Nachfolger auch OpenVAS integriert. Auch wenn die Herangehensweise ähnlich ist, wird hier die Installation Schritt für Schritt gezeigt.

Zunächst sollte man sich die aktuelle Version von Kali Linux von der offiziellen Webseite herunterladen und in einen Testumgebung installieren. Für diesen Test habe ich Kali Linux 32bit in der Version 1.0.8 in Virtualbox installiert.

In den nachfolgenden Erläuterungen wird davon ausgegangen, dass Kali Linux ordnungsgemäß installiert ist. Man sollte zunächst mit der Installation aktueller Pakete beginnen:

apt-get update && apt-get upgrade
									

Bei der Installation hilft uns das Skript openvas-check-setup. Es wird nun mehrmals ausgeführt und jeweils die dort mit „FIX“ aufgeführten Kommandos abgearbeitet.

root@kali32108:~# openvas-check-setup 
openvas-check-setup 2.2.3
  Test completeness and readiness of OpenVAS-6
  (add '--v4', '--v5' or '--v7'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 3.4.0.
        ERROR: No CA certificate file of OpenVAS Scanner found.
        FIX: Run 'openvas-mkcert'.

 ERROR: Your OpenVAS-6 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
									

Mit dem Befehl openvas-mkcert werden zunächst die notwendigen Zertifikate erstellt.

root@kali32108:~# openvas-mkcert
/var/lib/openvas/private/CA created
/var/lib/openvas/CA created

-------------------------------------------------------------------------------
      Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.


CA certificate life time in days [1460]: 
Server certificate life time in days [365]: 
Your country (two letter code) [DE]: 
Your state or province name [none]: 
Your location (e.g. town) [Berlin]: 
Your organization [OpenVAS Users United]: 

-------------------------------------------------------------------------------
      Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
   Certificate = /var/lib/openvas/CA/cacert.pem
   Private key = /var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server : 
    Certificate = /var/lib/openvas/CA/servercert.pem
    Private key = /var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit
									

Nächster Durchlauf des Skriptes openvas-check-setup.

root@kali32108:~# openvas-check-setup 
openvas-check-setup 2.2.3
  Test completeness and readiness of OpenVAS-6
  (add '--v4', '--v5' or '--v7'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 3.4.0.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        ERROR: The NVT collection is very small.
        FIX: Run a synchronization script like openvas-nvt-sync or greenbone-nvt-sync.

 ERROR: Your OpenVAS-6 installation is not yet complete!

Please follow the instructions marked with FIX above and run this
script again.

If you think this result is wrong, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
									

Das OpenVAS Projekt pflegt einen öffentlichen Feed von Network Vulnerability Tests (NVTs). Diese werden nun mit dem Befehl openvas-nvt-sync aktualisiert.

root@kali32108:~# openvas-nvt-sync
[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /var/lib/openvas/plugins
[i] rsync is not recommended for the initial sync. Falling back on http.
[i] Will use wget
[i] Using GNU wget: /usr/bin/wget
[i] Configured NVT http feed: http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
[i] Downloading to: /tmp/openvas-nvt-sync.ESpSl5j2YN/openvas-feed-2014-07-25-9514.tar.bz2
--2014-07-25 19:10:32--  http://www.openvas.org/openvas-nvt-feed-current.tar.bz2
Resolving www.openvas.org (www.openvas.org)... 5.9.98.186
Connecting to www.openvas.org (www.openvas.org)|5.9.98.186|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 15256942 (15M) [application/x-bzip2]
Saving to: `/tmp/openvas-nvt-sync.ESpSl5j2YN/openvas-feed-2014-07-25-9514.tar.bz2'

100%[=========================================================================>] 15,256,942   938K/s   in 14s     

2014-07-25 19:10:46 (1.05 MB/s) - `/tmp/openvas-nvt-sync.ESpSl5j2YN/openvas-feed-2014-07-25-9514.tar.bz2' saved [15256942/15256942]

12planet_chat_server_xss.nasl
12planet_chat_server_xss.nasl.asc
2013/...
........

									

Nach und nach wirft das Skript nun weitere „Fehler“ aus, die jeweils  mit dem in der Zeile FIX angegebenen Kommando bereinigt werden können. Bei meiner Installation müssen folgende Kommandos ausgeführt werden.

openvas-mkcert-client -n om -i
openvassd
openvasmd --rebuild
openvas-scapdata-sync
openvas-certdata-sync
openvasad -c 'add_user' -n admin --role=Admin
openvasmd
openvasad
gsad
apt-get install rpm nsis alien

									

Mit dem Befehl openvasad wird ein Nutzer  erstellt und mit Administratorrechten versehen.  Das Passwort werden Sie später für das Login benötigen.

Der abschließende Durchlauf des Skriptes ohne Fehler sieht nun wie folgt aus:

root@kali32108:~# openvas-check-setup 
openvas-check-setup 2.2.3
  Test completeness and readiness of OpenVAS-6
  (add '--v4', '--v5' or '--v7'
   if you want to check for another OpenVAS version)

  Please report us any non-detected problems and
  help us to improve this check routine:
  http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

  Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.

  Use the parameter --server to skip checks for client tools
  like GSD and OpenVAS-CLI.

Step 1: Checking OpenVAS Scanner ... 
        OK: OpenVAS Scanner is present in version 3.4.0.
        OK: OpenVAS Scanner CA Certificate is present as /var/lib/openvas/CA/cacert.pem.
        OK: NVT collection in /var/lib/openvas/plugins contains 35628 NVTs.
        WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
        SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
        OK: The NVT cache in /var/cache/openvas contains 35628 files for 35628 NVTs.
Step 2: Checking OpenVAS Manager ... 
        OK: OpenVAS Manager is present in version 4.0.4.
        OK: OpenVAS Manager client certificate is present as /var/lib/openvas/CA/clientcert.pem.
        OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
        OK: Access rights for the OpenVAS Manager database are correct.
        OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
        OK: OpenVAS Manager database is at revision 74.
        OK: OpenVAS Manager expects database at revision 74.
        OK: Database schema is up to date.
        OK: OpenVAS Manager database contains information about 35628 NVTs.
        OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
        OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
        OK: xsltproc found.
Step 3: Checking OpenVAS Administrator ... 
        OK: OpenVAS Administrator is present in version 1.3.2.
        OK: At least one user exists.
        OK: At least one admin user exists.
        WARNING: Your password policy is empty.
        SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
Step 4: Checking Greenbone Security Assistant (GSA) ... 
        OK: Greenbone Security Assistant is present in version 4.0.0.
Step 5: Checking OpenVAS CLI ... 
        OK: OpenVAS CLI version 1.2.0.
Step 6: Checking Greenbone Security Desktop (GSD) ... 
        OK: Greenbone Security Desktop is present in Version 1.2.2.
Step 7: Checking if OpenVAS services are up and running ... 
        OK: netstat found, extended checks of the OpenVAS services enabled.
        OK: OpenVAS Scanner is running and listening on all interfaces.
        OK: OpenVAS Scanner is listening on port 9391, which is the default port.
        OK: OpenVAS Manager is running and listening on all interfaces.
        OK: OpenVAS Manager is listening on port 9390, which is the default port.
        OK: OpenVAS Administrator is running and listening on all interfaces.
        OK: OpenVAS Administrator is listening on port 9393, which is the default port.
        OK: Greenbone Security Assistant is running and listening on all interfaces.
        OK: Greenbone Security Assistant is listening on port 443, which is the default port.
Step 8: Checking nmap installation ...
        WARNING: Your version of nmap is not fully supported: 6.46
        SUGGEST: You should install nmap 5.51.
Step 9: Checking presence of optional tools ...
        OK: pdflatex found.
        OK: PDF generation successful. The PDF report format is likely to work.
        OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
        OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
        OK: alien found, LSC credential package generation for DEB based targets is likely to work.
        OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.

It seems like your OpenVAS-6 installation is OK.

If you think it is not OK, please report your observation
and help us to improve this check routine:
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
Please attach the log-file (/tmp/openvas-check-setup.log) to help us analyze the problem.
									

OpenVAS lässt sich über das Kali Linux Menü starten. Klicken Sie dazu einfach auf Kali Linux – Vulnerability Analysis – OpenVAS – openvas start. Alternativ dazu kann man auch im Terminal das Kommando openvas-start ausführen. Mit den Kommando openvas-stop kann man die Nutzung wieder beenden.

Start OpenVAS
openvas-start

 

Nachdem OpenVAS gestartet ist, kann das Webinterface über den Browser Iceweasel wie folgt aufgerufen werden. Nutzen sie den Usernamen admin und das von Ihnen gewählte Passwort.

http://localhost:9392

Openvast_start
OpenVAS Login
openvas_security assistant
OpenVAS Security Assistant

In einem späteren Blog werden wir den ersten Vulnerability-Scan mit OpenVAS in der Testumgebung durchführen.

 

Weitere Einstellungen:

Der OpenVAS  Security Assistant läuft standardmäßig auf localhost. Dies können wir wie folgt ändern:

nano /etc/default/greenbone-security-assistant
									

Hier ändern wir den Eintrag auf die gewünschte IP-Adresse ab.

GSA_ADDRESS=your_server_IP_address

Nachdem die Konfiguration gespeichert wurde, werden folgende Kommandos ausgeführt. Bitte beachten Sie, dass der OpenVAS Scanner einige Zeit benötigt, bis er tatsächlich beendet ist. Erst dann kann er wieder neu gestartet werden.

killall openvassd

ps aux | grep openvassd | grep -v grep

service openvas-scanner start
service openvas-manager start
service openvas-administrator restart
service greenbone-security-assistant restart
									

Schreibe einen Kommentar

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.