Open Source Vulnerability Scanning Tips
Preamble :
I have more experience with Nessus & Qualys than OpenVAS; as a professional penetration tester you don't normally rely on OpenVAS much. However, after becoming a freelance consultant, I had to build my skills with open source vulnerability scanning tools, as Nessus licenses cost a lot.
So essentially the below may be basic for some, but it might help those who are new to it. This post has two items: the 1st one is mainly about accessing the OpenVAS web console remotely, and the 2nd is about ensuring the NMAP vulnerability scanning scripts (NSE) are downloaded.
Section 1: OpenVAS quick config (assume you've already installed OpenVAS on a VM)
#1: You may want to access OpenVAS remotely, or access an OpenVAS instance installed in a VM from the host machine.
sed -e 's/127.0.0.1/0.0.0.0/g' greenbone-security-assistant.service openvas-manager.service openvas-scanner.service -i
The above command (run in the folder /lib/systemd/system) replaces all occurrences of 127.0.0.1 with 0.0.0.0 in the three unit files, which is needed for the services to accept connections on any interface rather than only on localhost.
Further, gsad must accept the VM's external/public IP address in the HTTP Host header (in my case it's the VM's host-only interface IP address), which is what the --allow-header-host option on the ExecStart line does:
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host
Then restart the services:
systemctl daemon-reload
systemctl restart greenbone-security-assistant.service openvas-manager.service openvas-scanner.service
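The rebind step above, as an added example that is not part of the original post: instead of opening the listeners on 0.0.0.0, the script rewrites the unit file to one specific interface address and then verifies that no wildcard bind is left behind. The address 192.168.56.10 and the sample unit text are constructed for the demo; point rebind_unit at the real unit files under /lib/systemd/system to use it.

```bash
#!/bin/bash
# Added example: bind gsad to one interface address instead of 0.0.0.0 and verify it.
set -eu

# Replace every 127.0.0.1 in a unit file with the given address, in place.
# The dots are escaped: an unescaped '.' in sed matches any character.
# Usage: rebind_unit <unit-file> <listen-address>
rebind_unit() {
  local unit="$1" addr="$2"
  sed -i "s/127\.0\.0\.1/${addr}/g" "$unit"
}

# Print the value of --listen= on the ExecStart line (empty if absent).
listen_addr() {
  sed -n 's/^ExecStart=.*--listen=\([^ ]*\).*/\1/p' "$1"
}

# Succeed only if the unit does not bind the wildcard address 0.0.0.0.
check_not_wildcard() {
  ! grep -q -- '--listen=0\.0\.0\.0' "$1"
}

# Demo on a constructed unit file mirroring the ExecStart line in the post.
demo() {
  local tmp
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
[Service]
ExecStart=/usr/sbin/gsad --foreground --listen=127.0.0.1 --port=9392 --mlisten=127.0.0.1 --mport=9390
EOF
  rebind_unit "$tmp" 192.168.56.10   # hypothetical host-only interface address
  echo "gsad now listens on: $(listen_addr "$tmp")"
  if check_not_wildcard "$tmp"; then
    echo "OK: no wildcard bind"
  else
    echo "WARNING: gsad is bound to 0.0.0.0"
  fi
  rm -f "$tmp"
}

demo
```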
#2: You may want to update the vulnerability feeds (NVT, CERT and SCAP data) using a bash script; I've saved the sync commands in the bash script below:
#!/bin/bash
# Sync the NVT (plugin) feed, then the CERT and SCAP data feeds
/usr/sbin/greenbone-nvt-sync
/usr/sbin/greenbone-certdata-sync
/usr/sbin/greenbone-scapdata-sync
# Load the synced feed data into the manager database
/usr/sbin/openvasmd --update --verbose --progress
Once it's done, navigate to "SecInfo > All SecInfo" and you should see the latest list of vulnerabilities.
Section 2: There are two NSE scripts that are renowned for NMAP vulnerability scanning: "Nmap-Vulners" and "Vulscan". cd into the "/usr/share/nmap/scripts/" folder and clone them from their Git repos respectively:
git clone https://github.com/vulnersCom/nmap-vulners.git
git clone https://github.com/scipag/vulscan.git
Vulscan's databases need to be updated: from the same scripts folder, cd to "vulscan/utilities/updater/" and run "./updateFiles.sh".
Note: "Nmap-Vulners" connects to the remote vulners.com server (the vulners.com API) to check whether there are known vulns for the detected service version, so you need to pass the "-sV" option while running it. This script is therefore of limited use if you scan closed (air-gapped) networks, whereas Vulscan works from its local CSV databases.
So you could combine both scripts as follows (<target> is a placeholder for the host or network to scan):
nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p- <target>
....More to come.