OpenVAS

I’m getting fed up with Nessus 4.2.2/4.4.0 and its HTTPS timeouts, crap SSH banner handling (the $PS1/last bug) and closed-source nature, meaning that we can’t use certain Linux distros any more; and the fact that it uses Flash 10 means we can’t use it over Citrix.

So I thought I’d give OpenVAS a try. Well all I can say is come back Nessus, all is forgiven!

For an opensource platform, OpenVAS really sucks as far as documentation and packaging goes.

Installation packages are all dealt with via odd openSUSE build servers that there are no instructions for – sorry but how do you install packages for Fedora from a SUSE build system?!

I eventually found a YUM repo file for Fedora 13, which despite being for v4 actually installed 3.2 code which didn’t work, the manager wouldn’t start and gsd required 777 permissions on /var/log/openvas/ for it to start.

On Debian 5 I found that you have to add this to your /etc/apt/sources.list, then you can install the packages, but openvas-manager won’t start and openvas-client/gsd won’t connect. After finding a post on an old mailing list archive, I found that you have to run:

apt-get install sqlite3          # openvas-manager keeps its database in SQLite
openvas-mkcert                   # server certificate for the scanner
openvas-mkcert-client -n om -i   # client certificate (named "om") that the manager uses to talk to the scanner
openvas-adduser                  # create a user to log in with
openvas-nvt-sync                 # fetch the NVT plugin feed

But that still doesn’t seem to work, so I next tried the stable v3 repository, that doesn’t seem to work either as the plugins are too new for it now!

OpenVAS bundles openvas-client, its rebuild of NessusClient from Nessus 4.0, which on Nessus 4.2 or later only works on a ProFeed and is no longer supported anyway. OpenVAS also bundles openvas-cli, which replaces nessus/nessuscmd; those are deprecated in Nessus 4.2+ too.

You can check out the latest code from the SVN server, but there are no build instructions, and the preferred build environment is Debian 5 apparently, not OpenSUSE 11 at all, and 4beta2 doesn’t seem to be in SVN anyway.

You can download a prebuilt Virtual Machine, which is openSUSE 11.2 with a half-arsed install of OpenVAS-3 without the desktop client, despite what it says about shipping with the desktop version.

Note that’s 3 different Linux distros and about 5 different OpenVAS versions I’ve tried now, and none work – well, the VM got the closest to it. Nice waste of 3 hours, thanks!

It does seem that their NASL support is current as of about Nessus 4.0; there are a few modifications needed to get NASL 4.2+ scripts working.

One nice thing about OpenVAS is that it uses rsync to do its plugin feed update, so in theory you could rsync from your local install to a remote server, and not have to worry about proprietary licensing. It only has half the plugins that Nessus does, at about 20,000 as opposed to 40,000.

There is some sort of commercial support from Greenbone but of course no pricing or SLA info.

I also updated the blog to WordPress 3.0.2

Password protecting files using GnuPG

I found a useful way of using GnuPG today when someone couldn’t decrypt a passworded zip file I sent them (probably using p7zip/infozip instead of “proper” unzip).

You can use symmetric encryption with GnuPG, i.e. just a password rather than a keypair+passphrase, and you don’t have to exchange keys or sign things etc:

gpg --symmetric myfile.pdf    # prompts for a passphrase and writes myfile.pdf.gpg

Then decrypt with simply “gpg myfile.pdf.gpg”, which prompts for the same passphrase and writes myfile.pdf back out.

I also fixed my NASL scripts with a bit of sed; this example replaces all the 50000 script_id()’s with 950000 ones:

# note: matches any script_id beginning with 5, so run it only in a directory of your own 5xxxx plugins
for nasl in *.nasl ; do sed 's/script_id(5/script_id(95/g' "$nasl" > "$nasl.new" ; done
for nasl in *.nasl ; do mv "$nasl.new" "$nasl" ; done

Then just re-sign them and re-install them into Nessus, as root:

/etc/init.d/nessusd stop
cd /opt/nessus/lib/nessus/plugins/
# sign each script and write it into the plugin directory under its own filename
for files in /git/nessus/*.nasl ; do /opt/nessus/bin/nasl -S "$files" > "$(basename "$files")" ; done
/opt/nessus/sbin/nessusd -R    # rebuild the plugin database
/etc/init.d/nessusd start

The only problem then is that the current Nessus 4.2.2 with webserver version 2.0.0 truncates the plugin ID in the lists, as the Flash needs updating to make the column wider; apparently this will be fixed in 4.4.

101 NASL’s

I’ve just finished writing some new Nessus plugins, taking my NASL count to over 100 now.

Just as I finished checking them into Git, Tenable decided to renumber the plugin ranges. Custom NASLs were always given a range around 50000-53000, but now Tenable are up to 50321 themselves, so they have decided on a new set of ranges:

Passive: 1 – 10,000
Active: 10,001 – 900,000
Custom: 900,001 – 999,999
Compliance: 1,000,000+

I’ve made some changes to my backup regime too, from now on I’m backing up my whole $HOME directory using BackInTime to an encrypted drive, rather than encrypting a tarball. This saves space as BIT uses rsync and hard links to create incremental backups. The old tar+gpg method would create a 3Gb file per backup, with BIT I’ve got 11 incremental backups totalling 9Gb.

Decrypting, decompressing and unpacking a 3.5Gb tarball to get to perhaps one file inside it is painfully slow, with BIT I can instantly restore (or just view or copy) a file at any date.

As it uses rsync as a backend it’s also simple to run from cron, which you can’t really do with GnuPG as you need to enter your passphrase.

I was thinking of using Deja Dup as it’s nicely integrated into Nautilus in Fedora/Ubuntu, but its GUI is pretty minimal – literally a button or menu item for backup/restore/revert – and I’m not keen on the backend or limited use of GnuPG (passwords not keys, and no password input checking).

Bypassing firewalls

I’ve been experimenting with bypassing firewalls today, based on results from this Nessus plugin.

Essentially it’s down to misconfiguring a firewall to allow access based only on the source port. This way packets sent from a chosen source port get through the firewall to any destination port.

I’ve managed to exploit it on Linux by setting up these weak iptables rules:

iptables -A INPUT -p tcp --sport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT

I also managed to exploit it on Cisco IOS using these weak ACL rules:

 permit udp any eq domain any range 1 65535
 permit tcp any eq domain any range 1 65535

You then just use nmap with a modified source port flag pointing to udp/53, in this case connecting to SNMP port udp/161 which is normally filtered on the firewall:

nmap -sU --reason -v -n -PN -p161 target.ip.address -g53
...
PORT    STATE SERVICE REASON
161/udp open  snmp    udp-response

The fix is to check the source port and limit the destination ports to the unprivileged ephemeral range that DNS replies actually arrive on (and vice versa for OUTPUT), and also limit the IPs that are allowed to connect; you could even disable DNS-over-TCP and still be able to make DNS lookups. Something like:

iptables -P INPUT DROP     # deny by default
iptables -P OUTPUT DROP
iptables -A INPUT -p udp -s dns.server.ip --sport 53 --dport 1024:65535 -j ACCEPT    # replies from our resolver only, to an ephemeral port
iptables -A OUTPUT -p udp -d dns.server.ip --dport 53 --sport 1024:65535 -j ACCEPT   # our queries to that resolver only

You could go further and limit the network interface, check that the source/destination IP matches your local IP, enable the state machine (connection tracking) and only allow new connections outbound, etc. In IOS the fix would be something like:

permit udp dns.server.ip eq 53 local.ip gt 1023
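To make the difference between the weak and fixed INPUT rules concrete, here is an added Python model of iptables first-match evaluation (my own example, not code from the post); it understands only the options used above, and the addresses are constructed TEST-NET values.

```python
import shlex

# Constructed sample addresses (TEST-NET ranges); none come from the post.
DNS_SERVER, LOCAL_IP, ATTACKER = "192.0.2.53", "198.51.100.10", "203.0.113.7"

WEAK_INPUT = ["iptables -A INPUT -p udp --sport 53 -j ACCEPT"]
FIXED_INPUT = [
    "iptables -P INPUT DROP",
    f"iptables -A INPUT -p udp -s {DNS_SERVER} --sport 53 --dport 1024:65535 -j ACCEPT",
]

def parse_rule(line):
    """Turn one iptables line (only the options used in the post) into a dict."""
    argv = iter(shlex.split(line)[1:])      # drop the leading 'iptables' word
    rule = {}
    for opt in argv:
        if opt == "-P":                      # '-P INPUT DROP' -> chain default policy
            next(argv); rule["policy"] = next(argv)
        elif opt in ("-A", "-p", "-s", "-d", "-j"):
            rule[opt] = next(argv)
        elif opt in ("--sport", "--dport"):  # single port or lo:hi range
            lo, _, hi = next(argv).partition(":")
            rule[opt] = (int(lo), int(hi or lo))
    return rule

def matches(rule, pkt):
    """iptables semantics: every option present must match; absent ones match anything."""
    src, sport, dst, dport, proto = pkt
    checks = [("-p", lambda v: v == proto),
              ("-s", lambda v: v == src),
              ("-d", lambda v: v == dst),
              ("--sport", lambda v: v[0] <= sport <= v[1]),
              ("--dport", lambda v: v[0] <= dport <= v[1])]
    return all(fn(rule[opt]) for opt, fn in checks if opt in rule)

def verdict(rule_lines, pkt):
    """First matching -A rule wins; otherwise the chain policy (ACCEPT unless -P changed it)."""
    policy = "ACCEPT"
    for rule in map(parse_rule, rule_lines):
        if "policy" in rule:
            policy = rule["policy"]
        elif "-A" in rule and matches(rule, pkt):
            return rule["-j"]
    return policy

# packets as (src, sport, dst, dport, proto)
DNS_REPLY  = (DNS_SERVER, 53, LOCAL_IP, 40123, "udp")  # legitimate answer to our own query
SNMP_PROBE = (ATTACKER, 53, LOCAL_IP, 161, "udp")      # the sport-53 probe to udp/161 from the post
SPOOF_53   = (ATTACKER, 53, LOCAL_IP, 40123, "udp")    # sport 53, but not from our resolver

if __name__ == "__main__":
    for name, pkt in [("DNS reply", DNS_REPLY), ("SNMP probe", SNMP_PROBE), ("spoof", SPOOF_53)]:
        print(f"{name:10} weak={verdict(WEAK_INPUT, pkt):6} fixed={verdict(FIXED_INPUT, pkt)}")
```

The weak rule accepts all three packets because it only looks at the source port; the fixed rule accepts only the reply from the configured resolver to an ephemeral port.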

In other news, my car has gone back to the dealership today to be repaired, I’ve currently got their C4 Grand Picasso, which is a manual and the 5-speed gearbox sounds like it needs another gear to go up to. Hopefully my car will be back by Wednesday.

My loft has been boarded out; it’s surprising how many struts are up there keeping the roof up. A lot of the storage space is hard to get to, so I’ve put stuff I wouldn’t need to get to very often there.

Gonna be Friday night drink and a movie tonight I think.

Bad Day

Bit of a bad day today overall. First off I had a mouse in my lounge; looks like the cat brought it in alive or it came as a free gift with my new sofas!

My cat Clio was completely useless and tried to run out the back door, ended up hiding on top of the cabinet the mouse ran under. My folks’ cat Bubbles was almost as useless as she just sat there looking at it.

Eventually Dad cornered it with a broom and I skewered it shish-kebab style with the fire poker! That reminds me, I must go mop up the mess.

Then my boss wants me to train the “last week we were radio hams” people who have been dumped on our team how to program. Why can’t companies hire staff qualified to do the job, or if they must recycle “waiting for retirement” staff, then at least send them on training courses?

Finally I’m having all sorts of hassles trying to get this dead hard disk refunded – the ebayer now is trying to get me to send it back directly to WDC, yeah great then I end up not getting my postage refunded and they end up keeping all of my money, plus WDC will send out a refurbished replacement instead of a refund. They can fuck right off!

On a positive note though, the Fedora 11->13 upgrade went well and the Nessus 4.2.2 F12 RPMs work on F13, as does the latest Skype.

Right I’m off for a drink and some chocolate.