# OpenVAS and Nessus Tutorial ## Enviroment ### Attack Machine OS: NTUT-IFM-Kali-2021-custom IP: 10.99.154.46 AC: kali/kali ### Victim Machine OS: Metasploitable3 IP: 10.99.154.47 AC: vagrant/vagrant ## Prepare ### Install ``` sudo apt-get update sudo apt install docker.io sudo usermod -aG docker kali ``` > 可以用docker version 檢查，如果出現Cannot connect to the Docker daemo. Is the docker daemon running on this host? > 這是因為沒有把當下的使用者加入docker群組導致(確認第二個步驟有做到) ## OpenVAS OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test. > 三大弱點測試特徵檔案資料庫(NVT、Scap、Cert) ### Github https://github.com/grafana/openvas-docker ### Structure  #### Vulnerability/Information Feed (NVT, SCAP CERT, User Data, Community Feed) This section will contain all information and vulnerability tests that come from the Greenbone Community Feed that will be the main baseline for testing against systems. This can also include User Data provided by the user in place of Greenbone NVTs and SCAP CERTs. #### Back-End (OSP, OpenVAS, Targets) The back-end infrastructure is what will be actually conducting all of the vulnerability scanning and processing data and NVTS through OpenVAS and GVM. Greenbone Vulnerability Manager will be the middle man between the scanners and the front-end user interfaces. #### Front-End (GSA, Web Interfaces) This is what you interact with when you navigate to OpenVAS in your browser. The web interfaces are built off of the Greenbone Security Assistant and make life easier for an analyst or operator when working with OpenVAS or other forms of scanners through the GVM. ### Install <code>sudo docker run -d -p 80:80 --name openvas grafana/openvas</code> #### or create Volume ``` docker volume create openvas docker run -d -p 80:80 -v openvas:/var/lib/gvm --name openvas grafana/openvas ``` > --detach 在背景執行 > --publish 將容器的埠發佈到主機，把主機的8080通訊埠所有流量轉發到web這個Container的9392通訊埠 > --name Container名稱 > -v 參數，使得 Container 裡面的檔案路徑Mapping 到實體主機的檔案路徑 ### Update (Option) https://sectools.tw/openvas ``` sudo docker -it openvas bash ne-nvt-sync greenbone-certdata-sync greenbone-scapdata-sync systemctl start openvas-scanner systemctl start openvas-manager openvasmd –update –verbose –progress ``` ### How To Use 1. 先確認STATUS有Up <code>docker ps -al</code> 2. Firefox登入 127.0.0.1 (admin/admin) 3. Administration -> Feed Status -> 檢查特徵庫更新 4. SecInfo -> 確認NVT、CPE、CVE是否有資料 5. Scans -> Task Wizard (快速魔法棒) or New Task 6. New Task * Scan Targets * Hosts * Port List * All IANA assigned TCP (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml) * All IANA assigned TCP and UDP * ALL TCP and Nmap top 100 UDP * Alive Test * Scan Config Default * ICMP Ping * TCP-ACK Service Ping * TCP-SYN Service Ping * Min QoD 70% * Scanner * OpenVAS Default * CVE * Scan Config * Base * Discovery * Full and fast * Host Discovery * System Discovery 7. Actions -> Play 8. Click Reports 9. Download PDF or TXT ## Nessus Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. Tenable.io is a subscription-based service. ### Prepare 1. https://zh-tw.tenable.com/products/nessus/nessus-essentials 2. Get the Activation Code ### Install ``` docker run --name "container name" -d -p 8834:8834 -e ACTIVATION_CODE=<activation code> -e USERNAME=<username> -e PASSWORD=<password> tenableofficial/nessus ```  ### How To Use 1. Login https://127.0.0.1:8843 2. All Scans -> New Scan 3. Advance Scan 4. Setting * Basic * General * Name * Targets * Schedule * Notifcations * Discovery * Host Discovery * Port Scanning * Fragile Devices * Service Discovery * SSL/TLS * DTLS(資料包傳輸層協定) * Assessment * Report * Advanced 5. Check Report -> Report PDF  同步發文至 https://sectools.tw/openvas-and-nessus-tutorial/ ## 其他類似工具 * Qualys FreeScan (https://freescan.qualys.com) * Acunetix Web Vulnerability Scanner (https://www.acunetix.com) * Nexpose (https://www.rapid7.com) * Network Security Scanner (https://www.beyondtrust.com) * SAINT (https://www.saintcorporation.com) * Microsoft Baseline Security Analyzer (MBSA) (https://www.microsoft.com) * beSECURE (AVDS) (https://www.beyondsecurity.com) * Core Impact Pro (https://www.coresecurity.com) * N-Stalker Web Application Security Scanner (https://www.nstalker.com) * ManageEngine Vulnerability Manager Plus (https://www.manageengine.com) ## 練習題 ### openVAS Case 001: MS00-What? https://1drv.ms/u/s!Am8nri-_Ee13gyqM5Xo2iuce6tWD?e=w01qnQ In this scenario, you are assigned to a routine vulnerability management pipeline as a SOC analyst. Your automated pipeline has already pulled a scan on the server, it is up to you to analyze and identify risk in this report. 1. When did the scan start in Case 001? 2. When did the scan end in Case 001? 3. How many ports are open in Case 001? 4. How many total vulnerabilities were found in Case 001? 5. What is the highest severity vulnerability found? (MSxx-xxx) 6. What is the first affected OS to this vulnerability? 7. What is the recommended vulnerability detection method? ### Nessus 1. What is the name of the button which is used to launch a scan? 2. What side menu option allows us to create custom templates? 3. What menu allows us to change plugin properties such as hiding them or changing their severity? 4. In the 'Scan Templates' section after clicking on 'New Scan', what scan allows us to see simply what hosts are alive? 5. One of the most useful scan types, which is considered to be 'suitable for any host'? 6. What scan allows you to 'Authenticate to hosts and enumerate missing updates'? 7. What scan is specifically used for scanning Web Applications?