
Vulnerability Scanning

Summary

While much of SAFETAG focuses on digital security challenges within and around the office, remote attacks on the organization's website, extranets, and unintended information available from "open sources" all pose real threats and deserve significant attention. SAFETAG takes great care to take a very passive approach to this work, especially when done off-site, so as not to have unintended consequences on the organization's infrastructure or undermine operational security concerns.

This activity uses active research and scanning to detect known vulnerabilities in external and key internal services. Penetration tests usually exploit possible vulnerabilities to confirm their existence [nist_exploit_confirm], but using exploits puts the organization's systems at a level of increased risk [nist_pen_test_danger] that is unacceptable when neither the organization nor the auditor has the time or finances to address the consequences. The SAFETAG methodology only uses relatively safe exploitation of vulnerabilities for targeted outcomes. For instance, cracking the wireless access point password allows us to demonstrate the importance of good passwords without singling out any individual's password [network-access].

Considerations

    • Be very careful about which automated scans you run, to ensure that no aggressive or potentially damaging tests are included.
    • OpenVAS saves its scan records in /var/lib/openvas/mgr/tasks.db. This file contains sensitive data (hosts, open services, and the vulnerabilities found on them); ensure it is stored securely.
    • OpenVAS and other vulnerability scanners can be highly aggressive in their tactics. Tools like Metasploit come with a library of active, functional exploits to "prove" that a system is actively vulnerable. As such, these can be tricky to use. Even OpenVAS on a safe-only scan can appear to a host as an active attack, blocking further access from your IP (this can cause some annoyance if you are, for example, scanning your host organization's website from their network). Some of these scans and techniques (again, even the "safe" ones) can also be a violation of local hacking laws. Get explicit permission, give warnings, and be careful.

Walkthrough


    Vulnerability Scanning using OpenVAS

    Setting up OpenVAS in Kali

    openvas initial setup
    openvas feed update
    openvas check setup
    openvas stop
    openvas start
    

    Visit https://127.0.0.1:9392/ in a web browser and log in.

    Using OpenVAS

    Once logged in to OpenVAS, the interface is disturbingly simple to use. For most purposes, using the Wizard to scan the target server works best. Things to verify before doing so:

    • Check the scan defaults for the Wizard: it should be set to run the built-in "Full and Fast" scan.
    • For that scan, verify (under Configuration -> Scan Configs) that the "Scan Settings" list shows "safe_checks" as "yes".

    Once you start a scan, change the display to "auto refresh" to give you more feedback on the scan process. Once the scan is completed, a report can be exported in PDF form.
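    Once the report is exported, the auditor still has to turn a long list of findings into something the organization can act on, and has to treat the exported file with the same care as tasks.db (see Considerations). The following script is an added example, not part of the SAFETAG activity or of OpenVAS itself: it parses an exported OpenVAS XML report, keeps only findings at or above a chosen threat level, summarizes them per host, and verifies that the report file is readable by its owner only. The XML layout it expects (one <result> per finding carrying <host>, <port>, <threat>, <severity> and an <nvt> child with a <name>) is an assumption based on OpenVAS report exports; the sample report embedded below is constructed and contains no real scan data.

```python
"""Triage an exported OpenVAS XML report and check that scan artifacts are
stored with restrictive permissions.

Added example; not SAFETAG's or OpenVAS's own code. The XML structure
assumed here should be checked against a real export from your installation.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Constructed sample report (not real scan output): four findings on two hosts.
# The oid attributes are placeholders, not real NVT identifiers.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1">
      <host>192.0.2.10</host><port>80/tcp</port>
      <nvt oid="placeholder-1"><name>Outdated web server banner</name></nvt>
      <threat>Medium</threat><severity>5.0</severity>
    </result>
    <result id="r2">
      <host>192.0.2.10</host><port>443/tcp</port>
      <nvt oid="placeholder-2"><name>TLS 1.0 enabled</name></nvt>
      <threat>Low</threat><severity>2.6</severity>
    </result>
    <result id="r3">
      <host>192.0.2.20</host><port>22/tcp</port>
      <nvt oid="placeholder-3"><name>SSH server version end-of-life</name></nvt>
      <threat>High</threat><severity>7.5</severity>
    </result>
    <result id="r4">
      <host>192.0.2.20</host><port>general/tcp</port>
      <nvt oid="placeholder-4"><name>Host reachable</name></nvt>
      <threat>Log</threat><severity>0.0</severity>
    </result>
  </results>
</report>"""

# OpenVAS threat levels, ordered so they can be compared numerically.
THREAT_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Log": 0}


def parse_report(xml_text):
    """Return one dict per <result> element: host, port, name, threat, severity."""
    root = ET.fromstring(xml_text)
    findings = []
    for result in root.iter("result"):
        findings.append({
            "host": result.findtext("host", "").strip(),
            "port": result.findtext("port", "").strip(),
            "name": result.findtext("nvt/name", "").strip(),
            "threat": result.findtext("threat", "Log").strip(),
            "severity": float(result.findtext("severity", "0") or 0),
        })
    return findings


def actionable(findings, min_threat="Medium"):
    """Keep findings at or above min_threat, most severe first."""
    floor = THREAT_ORDER[min_threat]
    kept = [f for f in findings if THREAT_ORDER.get(f["threat"], 0) >= floor]
    return sorted(kept, key=lambda f: (-f["severity"], f["host"], f["port"]))


def summarize_by_host(findings):
    """Map each host to a count of findings per threat level."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[f["host"]][f["threat"]] += 1
    return {host: dict(counts) for host, counts in summary.items()}


def is_private_file(path):
    """True if no group or world permission bits are set (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def lock_down(path):
    """Restrict a report or tasks.db copy to owner read/write; return the new state."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return is_private_file(path)


def demo_permission_check():
    """Create a world-readable temp file, then lock it down; returns (before, after)."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = is_private_file(path)
        after = lock_down(path)
    finally:
        os.remove(path)
    return before, after


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for host, counts in summarize_by_host(findings).items():
        print(host, counts)
    for f in actionable(findings):
        print(f"{f['threat']:6} {f['severity']:4} {f['host']}:{f['port']} {f['name']}")
    print("permissions before/after lock-down:", demo_permission_check())
```

    Run it against a real export by reading the file into parse_report instead of SAMPLE_REPORT; raising min_threat to "High" gives the short list to walk through with the organization first, while the per-host summary is what usually ends up in the report narrative.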

    Common problems

    • Errors during openvas-start: OpenVAS is a rather ... delicate program. Most often, the openvas-start script will not wait long enough between launching openvassd and openvasmd, causing openvasmd to error out. Re-running openvasmd often works, though an entire stop/start cycle seems to be slightly more reliable. Often, openvasmd will error out but launch anyway. Checking the web interface at https://127.0.0.1:9392 to make sure that you can log in is the best way to confirm that it has actually launched successfully.
    • Lost admin password: from a root command line, you can reset the web interface's admin password:

      openvasmd --create-user=admin
      openvasmd --user=admin --new-password=admin
      
    • openvasmd will never launch: in many fresh installs of OpenVAS 7, the OpenVAS self-signed CA certificate is created with an invalid date, which also causes openvasmd to error out. The check-setup script will recommend rebuilding the database, but /var/log/openvas/openvasmd.log may instead show certificate errors. If this is the case, try regenerating the certificates and rebuilding:

      rm /var/lib/openvas/CA/*
      rm /var/lib/openvas/private/CA/*
      openvas-mkcert
      openvas-mkcert-client -n -i
      openvas-check-setup
      openvas-start
      openvasmd --rebuild
      openvas-stop
      openvas-start
      

Recommendation

    The auditor will need to do research and compare against the organization's capacity and risks to give specific recommendations based on the vulnerabilities discovered in the process. Some common recommendations include the following: