5.1.2.7 Lab – Use OpenVAS for Vulnerability Assessment Answers

5.1.2.7 Lab – Use OpenVAS for Vulnerability Assessment (Instructor Version)

Addressing Table

Device           IP Address     Subnet Mask
Kali             203.0.113.1    255.255.255.0
Metasploitable   203.0.113.5    255.255.255.0

Objectives

  • Part 1: Exploring OpenVAS
  • Part 2: Configuring a Vulnerability Scan
  • Part 3: Reviewing the Results

Background / Scenario

Open Vulnerability Assessment System (OpenVAS) is a framework that provides services and tools for vulnerability scanning and management. OpenVAS uses Network Vulnerability Tests (NVTs) to check for existing security issues. NVTs are developed based on Common Vulnerabilities and Exposures (CVE).

CVE is a catalog of known security threats. The threats are divided into two categories: vulnerabilities and exposures. The entries provide an identification number, a description, and public references regarding the cybersecurity vulnerabilities. The goal of CVE is to make it easier to share data across different vulnerability tools, repositories, and services. A CVE is associated with a Common Vulnerability Scoring System (CVSS).

The CVSS provides an open and standardized way of scoring vulnerabilities. The scoring system allows an organization to prioritize which vulnerabilities to fix and assess the impact of the vulnerabilities on their systems.

In this lab, you will use OpenVAS to perform a vulnerability scan on the Metasploitable VM and review the vulnerability assessment report from the scan.

Required Resources

  • Host computer with at least 4 GB of RAM and 15 GB of free disk space
  • Oracle VirtualBox
  • IoT Security Kali and Metasploitable VMs

Part 1: Exploring OpenVAS

a. Start Metasploitable and Kali VMs.

b. Log into Metasploitable VM.

username: msfadmin
password: msfadmin

c. Enter the command ifconfig at the prompt to determine the IP address of Metasploitable VM.

What is the IP address? ________________________________
203.0.113.5

d. Log into IoTSec Kali VM.

e. Open a terminal in IoTSec Kali VM and ping Metasploitable VM to verify connectivity. If it is not successful, verify that both the Metasploitable and Kali VMs are using the same VM network.

f. In a terminal, enter the command openvas-start to start OpenVAS service.

root@kali:~# openvas-start
[*] Please wait for the OpenVAS services to start.
[*]
[*] You might need to refresh your browser once it opens.
[*]
[*] Web UI (Greenbone Security Assistant): https://127.0.0.1:9392
<some output omitted.>

g. In a terminal, enter the command more lab_support_files/openvas_info to view the contents of the file openvas_info, which holds the username and password used to access OpenVAS in the web browser.

root@kali:~# more lab_support_files/openvas_info
User: admin
Pass: b0b22778-f1d5-459f-8320-4c47bad49942

Greenbone Web Interface:
https://127.0.0.1:9392
or
https://localhost:9392

h. After you have logged into OpenVAS, notice that the Dashboard provides information about the tasks, CVEs, host topology, and NVTs at a glance.

How many total CVEs are loaded into OpenVAS? _______________________________
107824

How many total NVTs are loaded into OpenVAS? _______________________________
45368

You can also click the different parts of the graphs to review the CVE or NVT details.

Now you are ready to start a vulnerability scan.

Part 2: Configuring a Vulnerability Scan

Step 1: Create the target.

In this step, you will configure Metasploitable VM as the target of your vulnerability scan.

a. Click Configuration -> Targets.

b. Click the white star in the blue box icon in the upper left-hand corner below the Dashboard menu.

c. When the New Target dialog box appears, enter the following information:

Name: Metasploitable VM
Manual: 203.0.113.5
Alive Test: Consider Alive.

d. Click Create.

Step 2: Create a task.

In this step, you will configure a task to perform a vulnerability scan on Metasploitable VM.

a. Click Scans -> Tasks.

b. You will see a welcome page if this is the first visit to the Tasks page.

c. Click the white star in the blue box icon in the upper left-hand corner below the Dashboard menu. Select New Task.

d. Name it Metasploitable. Verify Metasploitable VM is selected in the Scan Targets field. Click Create to create a new task. Leave the other settings as is.

e. The new Metasploitable task is listed in the Tasks list. Click the Start button under the Actions menu associated with Task1.

f. The status for Metasploitable has been changed to Requested.

g. In the dropdown menu in the green banner at the top of the page, verify that the web page will be refreshed automatically. Choose the desired refresh rate in the dropdown menu.

Part 3: Reviewing the Results

While the scan of the Metasploitable VM continues, you can review reports that have been previously generated. The entire scan of the Metasploitable VM will take about 40 minutes to finish.

a. Click Scans > Results to review previously generated reports.

b. Locate the Filter field in the upper right of the results page. Click the blue wrench icon next to the Filter field. OpenVAS can return many results. Filtering helps make scan results easier to read. This box allows you to specify how many results you want to see, the vulnerability severity, and the number of results per page. In addition, columns can be sorted by clicking the column heading.

c. Review the list of vulnerabilities. They are rated by severity as Log, Low, Medium, and High. Explore information about the discovered vulnerabilities for the different levels of severity. To start, locate a vulnerability at the Log level of severity. Find one that makes sense to you and answer the questions below. Repeat the process for the other levels of severity.

Severity: Log

What is the vulnerability and its impact?
__________________________________________________________
Answers will vary. Example: TCP timestamps allow a user to determine the uptime of a computer.

What is the provided solution?
__________________________________________________________
Answers will vary. The TCP timestamps can be disabled.
Linux: add the line ‘net.ipv4.tcp_timestamps = 0’ to /etc/sysctl.conf. Execute ‘sysctl -p’ to apply the settings at runtime.
Windows (excluding Server 2008 and Vista): execute ‘netsh int tcp set global timestamps=disabled’

Severity: Low

What is the IP address and port number on the host? ________________________Answers will vary.

What is the vulnerability and its impact?
____________________________________________________________
Answers will vary.

What is the provided solution?
____________________________________________________________
Answers will vary.

Severity: Medium

What is the IP address and port number on the host? ________________________Answers will vary.

What is the vulnerability and its impact?
_____________________________________________________________
Answers will vary.

What is the provided solution?
_____________________________________________________________
Answers will vary.

Severity: High

What is the IP address and port number on the host? ________________________Answers will vary.

What is the vulnerability and its impact?
____________________________________________________________
Answers will vary.

What is the provided solution?
____________________________________________________________
Answers will vary.

Part 4: The Metasploitable Scan Results

In this part of the lab, you will return to the Metasploitable scan task and review the results.

a. Go to the Scans menu at the top of OpenVAS page and select Tasks.

b. Verify that the status of the Metasploitable task is Done. If it is not done, continue investigating the OpenVAS tool and vulnerabilities until the scan has completed.

c. Click the Done button in the Status column of the tasks table for the Metasploitable task that you created. This will display the report for the Metasploitable scan task.

How many vulnerabilities did OpenVAS find?
__________________________________________________
Answers may vary. The result should be approximately 260.

d. OpenVAS filters the results of a scan to vulnerabilities that have a QoD of 70% or higher. QoD is a measure of the reliability of the scan result.

Click the Severity column header in the report to sort the results based on Severity.

e. Locate the OS End of Life Detection vulnerability. Investigate this vulnerability by clicking it and exploring the explanation. What is this vulnerability and why is it a security vulnerability?
____________________________________________________
The OS running on Metasploitable is Ubuntu 8.04. This OS went end of life in May of 2013. This means that security patches for the OS are not being created and distributed. This means that vulnerabilities for this version that have been discovered since it went EOL could be exploited by hackers.

f. Investigate the vulnerability called phpinfo() output accessible. Open the Metasploitable phpinfo page in your Kali browser. What kind of information contained on that page could be used by hackers?
___________________________________________________
A large amount of information about PHP is displayed on this page including PHP and module versions, configuration information, internal IP addresses, etc. This is information that shouldn’t be available to users on the open web.

g. Investigate the vulnerability called /doc directory browsable. Open the /doc directory in your browser.
How could a hacker use this access to attack a system?
_____________________________________________________
They could find out what software and software versions are running on the server.
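
Added example, not part of the original lab: the QoD filter and severity sort from step d of Part 4, together with the result filtering described in Part 3, applied offline to an exported report so findings can be triaged outside the web interface. The XML is a constructed, simplified sample; its element names and every severity and QoD value are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: a simplified stand-in for an XML report export. The element
# names and every severity/QoD value here are assumptions made for this example.
SAMPLE_REPORT = """<report><results>
<result><name>TCP timestamps</name><host>203.0.113.5</host><port>general/tcp</port>
  <threat>Log</threat><severity>0.0</severity><qod><value>80</value></qod></result>
<result><name>/doc directory browsable</name><host>203.0.113.5</host><port>80/tcp</port>
  <threat>Medium</threat><severity>5.0</severity><qod><value>80</value></qod></result>
<result><name>OS End of Life Detection</name><host>203.0.113.5</host><port>general/tcp</port>
  <threat>High</threat><severity>10.0</severity><qod><value>80</value></qod></result>
<result><name>Constructed low-confidence finding</name><host>203.0.113.5</host><port>22/tcp</port>
  <threat>Medium</threat><severity>4.3</severity><qod><value>30</value></qod></result>
<result><name>phpinfo() output accessible</name><host>203.0.113.5</host><port>80/tcp</port>
  <threat>High</threat><severity>7.5</severity><qod><value>80</value></qod></result>
<result><name>Constructed finding without QoD</name><host>203.0.113.5</host><port>21/tcp</port>
  <threat>High</threat><severity>9.0</severity></result>
</results></report>"""

def _num(elem, path):
    """Return a numeric field, or 0.0 when it is missing or not a number."""
    try:
        return float(elem.findtext(path, default="0"))
    except ValueError:
        return 0.0

def load_results(xml_text):
    """Parse every <result> into a dict. Use defusedxml for untrusted reports."""
    fields = ("name", "host", "port", "threat")
    return [
        {**{f: r.findtext(f, default="").strip() for f in fields},
         "severity": _num(r, "severity"), "qod": _num(r, "qod/value")}
        for r in ET.fromstring(xml_text).iter("result")
    ]

def triage(results, min_qod=70):
    """Keep results at or above the QoD threshold, highest severity first."""
    kept = (r for r in results if r["qod"] >= min_qod)
    return sorted(kept, key=lambda r: r["severity"], reverse=True)

def count_by_threat(results):
    """Number of results per severity class (Log, Low, Medium, High)."""
    return Counter(r["threat"] for r in results)

if __name__ == "__main__":
    shown = triage(load_results(SAMPLE_REPORT))
    for r in shown:
        print(f'{r["severity"]:>4} {r["threat"]:<6} {r["host"]}:{r["port"]:<11} {r["name"]}')
    print(dict(count_by_threat(shown)))
```

A result with no QoD value is treated as QoD 0 and dropped by the default filter, so lowering min_qod is what brings such findings back into view for manual review.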
