OpenVAS – Open Vulnerability Scanning: Free your vulnerabilities! (PowerPoint presentation)



SLIDE 1

OpenVAS – Open Vulnerability Scanning

Free your vulnerabilities!

Vlatko Košturjak | kost@linux.hr
LinuxCon #1, 2009-09-22, Portland, Oregon, USA

SLIDE 2

Agenda

• Nessus
• Free alternatives
  • Free feed(s)
  • OVAL interpreters, Nmap
  • OpenVAS
• OpenVAS state && differences
• OpenVAS practical tips
• OpenVAS future
• Q&A

45 minutes in total

SLIDE 3

Nessus?

Nessus was free once...

SLIDE 4

Gartner: 80% of software will be open source by the year 2012

http://linuxhow2.com/News/80_of_Software_Will_Be_Open_source.html

SLIDE 5

Nessus Free Feed

SLIDE 6

OVAL interpreters

• OVAL interpreters
  • ovaldi
    • Reference implementation
• OVAL
  • Open Vulnerability Assessment language
  • XML
  • http://oval.mitre.org
• Good for local checks if you find the needed definitions

SLIDE 7

Nmap

• Version 5 released recently
• Has scripting support
  • NSE = Nmap Scripting Engine
  • Yes, that Lua thingy
  • Basic misconfiguration checks
  • Enumeration checks
  • Basic vulnerability checks
• Missing reporting functions
• No severities / risk ratings

SLIDE 8

OpenVAS

• Nessus GPL fork, old name: Gnessus
• Continues open development of the vulnerability scanner
• But OpenVAS follows its own path!
• Both local and remote checks are supported!
• Reporting
• Risk rating
• ...

SLIDE 9

What's different? Organizational part

• GPL (v2) license
• Open development
• Software in the Public Interest (SPI)
• Change requests
• Democratic voting
• Open in every sense
  • Your new idea?
  • OpenVAS DevCon
  • IRC

SLIDE 10

What's different? Technical part

• Take advantage of organization decisions/license
• Tools integration
• Practice what you preach!
  • Flawfinder, ...
  • Enforce security options in compiler
• Versions:
  • 1.x = Nessus compatible (NTP protocol)
  • 2.x = Nessus incompatible (OTP protocol)
• IANA

SLIDE 11

OpenVAS 2.0

• Released 17th of December, 2008
• What's new?
  • Initial OVAL support
  • NTP => OTP
  • script_id => script_oid
  • 64 bit support
  • GUI client improved
  • Bugfixes
  • Code audit
  • ...

OpenVAS got from Nessus:

  • nmap
  • hydra
  • nikto
  • ...

OpenVAS additionally integrates with:

  • ike-scan
  • portbunny
  • strobe
  • pnscan
  • ...

SLIDE 12

Ohloh summary

SLIDE 13

OpenVAS quick facts

• It's not Debian local checks only
  • You have checks for popular BSD OSes and Linux distros
  • Windows as well
  • Solaris (experimental?)
• You miss SMB*inc checks
  • SMB functions are rewritten
    • not compatible with old ones
  • There are only a few left which need to be rewritten using free SMB libraries
  • Help us to rewrite it

SLIDE 14

Look

SLIDE 15

LSC credentials manager

SLIDE 16

Severity Override

SLIDE 17

OpenVAS vulnerability checks/tests

• It's not a single language any more
• NVT = Network Vulnerability Test
• Plugins == NVTs
• "Languages"
  • NASL (got from Nessus)
  • OVAL (implemented in 2.x)
  • NSE (planned)

SLIDE 18

NASL

• Nessus Attack Script Language (NASL)
• Inherited from Nessus
• Language still the same
  • Removed plugin localization
  • A few functions were added
  • Same syntax

if (description) { } # script code

• script_id => script_oid
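To make the two-phase layout on this slide concrete, here is a complete minimal NVT in NASL, written for this page as an added example; it is not code from the talk or from the OpenVAS project. It shows the `if (description) { ... }` registration block with the 2.x `script_oid()` call in place of `script_id()`, followed by the scan-phase code that runs against a target. The OID `1.2.3.4.1.1` is a constructed placeholder in the spirit of the `1.2.3.4.x.x` vendor address space mentioned later in the talk, not a registered OpenVAS OID; the check itself only records the `Server:` banner of a web server as a low-severity finding.

```nasl
# Added example NVT (not from the talk or the OpenVAS project).
# The OID is a constructed placeholder; real feeds use their own registered OID space.

if (description)
{
  # Registration phase: the scanner loads each plugin with description=1
  # and runs only this block, so it must register metadata and exit.
  script_oid("1.2.3.4.1.1");                 # placeholder; OpenVAS 2.x replaces script_id()
  script_version("1.0");
  script_name("HTTP Server header disclosure (example)");
  script_summary("Reports the Server: header returned by a web server");
  script_description("The web server reveals its product name and version in the
Server: response header, which makes it easy to match it against known
vulnerabilities.

Solution: configure the server to send a generic Server: header.");
  script_category(ACT_GATHER_INFO);          # information gathering, no intrusive action
  script_family("General");
  script_copyright("Example, no copyright claimed");
  script_dependencies("find_service.nasl");  # fills Services/www in the knowledge base (kb)
  script_require_ports("Services/www", 80);  # skip the host if no web port is open
  exit(0);
}

# Scan phase: runs once per target host.
port = get_kb_item("Services/www");          # port found by find_service.nasl
if (!port) port = 80;
if (!get_port_state(port)) exit(0);          # port scanner said it is closed

soc = open_sock_tcp(port);
if (!soc) exit(0);

# string() interprets the \r\n escapes; plain "..." literals in NASL do not.
send(socket:soc, data:string("HEAD / HTTP/1.0\r\n\r\n"));
res = recv(socket:soc, length:4096);
close(soc);
if (!res) exit(0);

# egrep() returns the lines of the response that match the pattern.
banner = egrep(pattern:"^Server:", string:res);
if (banner)
{
  report = string("The remote web server returned the header:\n", banner);
  security_note(port:port, data:report);     # low-severity finding, shows up in the report
}
```

The registration block must stay free of side effects, because the scanner executes it for every plugin on every load; everything that touches the network belongs below it. The `script_dependencies`/`script_require_ports` pair is what lets the scanner skip this NVT entirely on hosts with no web service, which is the main lever for keeping a full 1-65535 audit affordable.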

SLIDE 19

OVAL

• Implemented in 2.x
• Using ovaldi
• OVAL checks appear in Plugins and reporting
• Local checks

SLIDE 20

NSE

• Nmap Scripting Engine (NSE)
• Lua
• Phase: planning
• Choose the .nse scripts you like from OpenVAS
• Options
  • nmap => libnmap
  • Not system/execve
• Current / memory problem

SLIDE 21

Number of NVTs

[Chart: number of NVTs over time; x-axis dates from 09/09/08 to 10/14/09, y-axis from 2000 to 14000]

SLIDE 22

OpenVAS tips

• Use local checks (if possible)
  • Use SSH keys for better security
  • Harden the security of the scanning box
• Port scans
  • Nmap
    • Do the port scan with nmap first
    • Feed it to OpenVAS (grepable results)
  • Portbunny
    • Kernel-level port scanner
    • Not bad for internal scans

SLIDE 23

OpenVAS control tips

• Full audit
  • 1-65535 ports
  • Thorough tests
  • Report verbosity
  • Report paranoia
• Knowledgebase (kb)
  • Something like --verbose
  • Save to disk
  • Analyze findings at a deep technical level

SLIDE 24

OpenVAS future

• Take a look at current change requests
• Virtual hosts support
• Windows local checks
  • Drop existing NASL implementation
  • Using WMI
• Linux/Unix local checks
  • Drop existing NASL implementation
  • Using SSH library

SLIDE 25

OpenVAS Design

[Diagram: current vs. future design]

SLIDE 26

OpenVAS pkgs

• OpenVAS virtual appliances
  • VMware, VirtualBox, ...
• OpenVAS in BackTrack
  • http://www.openvas.org/openvas-bt.html
  • BackTrack 3
    • Not included by default
    • Check URL above for remastered ISO image
  • BackTrack 4
    • Beta version doesn't ship with OpenVAS
    • Prefinal version comes with OpenVAS

SLIDE 27

Integration

• Autonessus
  • Diff between two scans
  • Supports OpenVAS and Nessus
  • Time for a name change? :)
• Metasploit
  • Some initial development done
  • OpenVAS as client
    • HD Moore "weekend hack"
  • Better: Metasploit as OpenVAS client

SLIDE 28

OpenVAS + Metasploit integration

SLIDE 29

Commercial?

• Ecosystem around OpenVAS
  • Trainings
  • Commercial support
  • Commercial NVT feeds
• OIDs
  • Enable each vendor to have its own address space
  • i.e. 1.2.3.4.x.x

SLIDE 30

Come and help!

• Extending the scanning engine
• Extending vulnerability coverage
• Writing vulnerability tests (NVTs)
  • Write your PoC/test for OpenVAS!
• Translating
• Documentation writing (compendium)
• Administration (web, irc, ...)
• http://www.openvas.org

SLIDE 31

I'm a developer...

...is there any $$$ for me?

SLIDE 32

OpenVAS contest

SLIDE 33

Initial offering: 300 EUR

SLIDE 34

Raised to 500 EUR

SLIDE 35

Raised to 600 EUR

SLIDE 36

Bug solved, money paid

SLIDE 37

Summary

• Open, open and open
• Multiple vulnerability tests
  • Open Vulnerability Assessment language (OVAL)
  • Nessus Attack Scripting Language (NASL)
  • Nmap Scripting Engine (NSE) – early dev
• Integrated tools
  • Port scanning: portbunny, strobe, pnscan, ...
  • Enumeration: ike-scan, snmpwalk, ...
  • SLAD: john, chkrootkit, clamav, lsof, tripwire, ...

SLIDE 38

OpenVAS contacts

• http://www.openvas.org
• http://www.ohloh.net/p/openvas
• http://www.twitter.com/openvas
• http://www.identi.ca/openvas
• openvas-announce
• openvas-discuss
• openvas-devel
• irc.oftc.net #openvas