Accessing and Installing GSM Community Edition – OpenVAS
Version: 4.2.17 (includes OpenVAS-9)
Download: https://dl.greenbone.net/download/VM/gsm_ce_4.2.17.iso (350 MByte)
sha256sum: a4490e1c1d5b93c52b67eb533da8aa0ebe435551f89c8cea1619e6a772733a97
Compatibility: VirtualBox, ESXi, Hyper-V
Minimum requirements: 2 CPU Cores, 2 GByte RAM
The GSM Community Edition is a derivative of the GSM ONE and offers a quick and easy way to trial the solution on Windows, Linux or Mac. No particular know-how is needed.
Unlike the commercial solution, it uses the Greenbone Community Feed instead of the Greenbone Security Feed. Some management functions, such as those for TLS certificates, are also not included. Feed updates happen on a regular basis, but the system itself cannot be updated. The commercial version can be updated seamlessly and also includes access to Greenbone Support.
The Community Edition, like the GSM ONE, is designed for use on a laptop. The full feature set for a vulnerability management process (schedules, alarms, sensors) is only available with the larger GSM models (see here for an overview), which can be obtained from Greenbone as an evaluation unit.
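Before installing, verify the downloaded ISO against the published checksum. The following is an added example (not Greenbone's code) that hashes the file in chunks and compares it with the sha256sum listed above; the digest comes from this page, the local file name is an assumption.

```python
import hashlib
import hmac

# Published checksum for gsm_ce_4.2.17.iso, copied from the page above.
GSM_CE_ISO_SHA256 = "a4490e1c1d5b93c52b67eb533da8aa0ebe435551f89c8cea1619e6a772733a97"


def parse_sha256sum_line(line: str) -> str:
    """Accept either a bare 64-hex-digit digest or a `sha256sum` output line
    ("<digest>  <filename>") and return the digest in lowercase."""
    digest = line.strip().split()[0].lower()
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("not a SHA-256 digest: %r" % line)
    return digest


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a large file (the ISO is about 350 MB) without loading it into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected: str) -> bool:
    """True only if the file's SHA-256 equals the published value.
    compare_digest is a habit: it never short-circuits on the first differing byte."""
    return hmac.compare_digest(sha256_of_file(path), parse_sha256sum_line(expected))


if __name__ == "__main__":
    import sys
    # Assumed local file name; pass another path as the first argument.
    iso = sys.argv[1] if len(sys.argv) > 1 else "gsm_ce_4.2.17.iso"
    ok = verify_download(iso, GSM_CE_ISO_SHA256)
    print("OK" if ok else "MISMATCH: do not install this image")
    sys.exit(0 if ok else 1)
```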
Startup Community Edition:
Create a virtual image:
VirtualBox by hand via “New”:
Type: Linux
Version: Other Linux (64bit)
Memory: 2048M
Harddisk: 9G
CPUs: 2
Create a new hard disk for the virtual machine.
Take care that the network connection works in both directions (outside-in and inside-out):
The system needs access to the internet for the setup.
To use the system's web interface, you need to reach the system from the machine where your web browser runs.
Audio, USB and Floppy should be disabled.
Now choose the downloaded ISO image as the medium for the CD drive and start the virtual machine.
Hyper-V by hand via “New – Virtual Computer”:
Generation: Generation 1
Startup memory: 2048MB
Use Dynamic Memory: deactivate
Network: Select a connection that has access to the Internet. The system needs internet access for the setup, and to use the system's web interface you need to reach the system from the machine where your web browser runs.
Virtual hard disk: create a new one with a minimum of 9 GB.
Installation Options: Now choose the downloaded ISO image as the medium.
After saving, change the number of processors to 2.
ESXi / VMWare:
Basically follow the hints as in “VirtualBox by hand”.
In the menu choose the option “Setup” and confirm that the hard disk can be overwritten.
The installation process will now run for a while. You will be asked for a username and password for the administrative account. Note this account carefully, because there will be no other way to administer the system.
Follow the instructions up to the reboot. The system will automatically reboot a second time.
As soon as the login prompt “Welcome to Greenbone OS” appears, log in with the previously created administration account.
You now enter the setup wizard which guides you through the final steps:
Web-User: Creation of an administration account for the web interface. There, you can later create more accounts as needed.
Greenbone Subscription Key: If you have received an evaluation key from Greenbone, you can upload it now. If you don't have one, the system will use the Greenbone Community Feed instead of the Greenbone Security Feed. You can upload an evaluation key at any later time and switch the feed.
Download Feed: Without a feed you cannot run any scans and the SecInfo section remains empty, so the download is highly recommended; it requires internet access.
The feed update now runs in the background and you are on the main menu of the administration interface. Via "About" you can view the key properties of your setup, especially the address of the web interface and whether the feed update is still running as a system operation.
Log in to the web interface with the web administrator account. During the installation a self-signed TLS certificate was created; your browser will regard it as insecure and you will need to accept it as an exception.
Only after the feed update has completed will all information be available in the SecInfo area and the first scans be possible. This can take half an hour or longer.
Documentation and guides are available at the Greenbone TechDoc Portal. However, the user interface is self-explanatory; just give it a go. The wizard will help you create and run your first scan task.
Please note: Shutting down the virtual machine should only be done via the menu Maintenance->Power to ensure that important system processes like the Feed update are not interrupted.
Copyright, licenses and sources:
The Feed and Greenbone OS consist of various components with various copyrights and (open source) licenses. In essence the product can be used for any purpose, but for redistribution the conditions of the licenses have to be considered. Details are summarized in the License Information, where you will also find the offer of source code access according to the GNU GPL.
Reset the admin password in OpenVAS
Try this (note the two plain hyphens before each option; the page originally showed them as a single dash, which the shell will not accept):
openvasmd --user=admin --new-password=new_password
Or you can create a new administrative account with:
openvasad -c add_user -u your_new_login_here -r Admin
Then use this account to change the default admin's password. (openvasad belongs to older OpenVAS releases; on OpenVAS-9 the equivalent is openvasmd --create-user=your_new_login_here --role=Admin.)
5 pen testing rules of engagement: What to consider while performing Penetration testing
Penetration testing and ethical hacking are proactive ways of testing web applications by performing attacks that are similar to a real attack that could occur on any given day. They are executed in a controlled way with the objective of finding as many security flaws as possible and to provide feedback on how to mitigate the risks posed by such flaws.
Security-conscious corporations have implemented integrated penetration testing, vulnerability assessments, and source code reviews in their software development cycle. Thus, when they release a new application, it has already been through various stages of testing and remediation.
When planning to execute a penetration testing project, be it for a client as a professional penetration tester or as part of a company’s internal security team, there are aspects that always need to be considered before starting the engagement.
Rules of Engagement for Pen testing
Rules of Engagement (RoE) is a document that deals with the manner in which the penetration test is to be conducted. Some of the directives that should be clearly spelled out in RoE before you start the penetration test are as follows:
- The type and scope of testing
- Client contact details
- Client IT team notifications
- Sensitive data handling
- Status meeting and reports
Type and scope of Penetration testing
The type of testing can be black box, white box, or an intermediate gray box, depending on how the engagement is performed and the amount of information shared with the testing team.
There are things that can and cannot be done in each type of testing. With black box testing, the testing team works from the view of an attacker who is external to the organization, as the penetration tester starts from scratch and tries to identify the network map, the defense mechanisms implemented, the internet-facing websites and services, and so on.
Even though this approach may be more realistic in simulating an external attacker, you need to consider that such information may be easily gathered from public sources or that the attacker may be a disgruntled employee or ex-employee who already possess it. Thus, it may be a waste of time and money to take a black box approach if, for example, the target is an internal application meant to be used by employees only.
White box testing is where the testing team is provided with all of the available information about the targets, sometimes even including the source code of the applications, so that little or no time is spent on reconnaissance and scanning. A gray box test then would be when partial information, such as URLs of applications, user-level documentation, and/or user accounts are provided to the testing team.
Gray box testing is especially useful when testing web applications, as the main objective is to find vulnerabilities within the application itself, not in the hosting server or network. Penetration testers can work with user accounts to adopt the point of view of a malicious user or an attacker that gained access through social engineering.
Client contact details
We can agree that even when we take all of the necessary precautions when conducting tests, at times the testing can go wrong because it involves making computers do nasty stuff. Having the right contact information on the client side really helps. It is not unusual for a penetration test to turn into a Denial-of-Service (DoS) attack. The technical team on the client side should be available 24/7 in case a computer goes down and a hard reset is needed to bring it back online.
Client IT team notifications
Penetration tests are also used as a means to check the readiness of the support staff in responding to incidents and intrusion attempts. You should discuss with the client whether it is an announced or unannounced test. If it's an announced test, make sure that you inform the client of the time and date, as well as the source IP addresses from where the testing (attack) will be done, in order to avoid any real intrusion attempts being missed by their IT security team. If it's an unannounced test, discuss with the client what will happen if the test is blocked by an automated system or network administrator. Does the test end there, or do you continue testing? It all depends on the aim of the test, whether it's conducted to test the security of the infrastructure or to check the response of the network security and incident handling team. Even if you are conducting an unannounced test, make sure that someone in the escalation matrix knows about the time and date of the test. Web application penetration tests are usually announced.
Sensitive data handling
During test preparation and execution, the testing team will be provided with and may also find sensitive information about the company, the system, and/or its users. Sensitive data handling needs special attention in the RoE and proper storage and communication measures should be taken (for example, full disk encryption on the testers’ computers, encrypting reports if they are sent by email, and so on). If your client is covered under the various regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), or the European data privacy laws, only authorized personnel should be able to view personal user data.
Status meeting and reports
Communication is key for a successful penetration test. Regular meetings should be scheduled between the testing team and the client organization and routine status reports issued by the testing team. The testing team should present how far they have reached and what vulnerabilities have been found up to that point. The client organization should also confirm whether their detection systems have triggered any alerts resulting from the penetration attempt. If a web server is being tested and a WAF was deployed, it should have logged and blocked attack attempts. As a best practice, the testing team should also document the time when the test was conducted. This will help the security team in correlating the logs with the penetration tests.
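As an added example of the log correlation described above (not part of the original article), the following Python triages WAF block events against the announced test window and the testers' source range: anything from another address or outside the window is flagged for the client's security team. The log format, IP range and times are constructed for the demo.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed engagement details as they would appear in the RoE: tester
# source range and the agreed time window (UTC). All values are made up.
ENGAGEMENT = {
    "sources": [ipaddress.ip_network("203.0.113.0/28")],
    "start": datetime(2018, 7, 5, 9, 0, tzinfo=timezone.utc),
    "end": datetime(2018, 7, 5, 17, 0, tzinfo=timezone.utc),
}

# Constructed WAF log: "<ISO time> <client ip> <action> <rule> <path>".
WAF_LOG = """\
2018-07-05T09:15:02Z 203.0.113.7 BLOCK sqli /login
2018-07-05T10:40:11Z 203.0.113.9 BLOCK xss /search
2018-07-05T12:03:44Z 198.51.100.23 BLOCK sqli /login
2018-07-05T21:30:05Z 203.0.113.7 BLOCK rfi /upload
2018-07-05T11:00:00Z 203.0.113.12 ALLOW - /index
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (BLOCK|ALLOW) (\S+) (\S+)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": ts, "ip": ipaddress.ip_address(m.group(2)),
            "action": m.group(3), "rule": m.group(4), "path": m.group(5)}


def classify(event, engagement=ENGAGEMENT):
    """'pentest' if explained by the announced test, else 'investigate'
    (unannounced source address or outside the agreed window)."""
    from_tester = any(event["ip"] in net for net in engagement["sources"])
    in_window = engagement["start"] <= event["time"] <= engagement["end"]
    return "pentest" if from_tester and in_window else "investigate"


def triage(log_text, engagement=ENGAGEMENT):
    """Split BLOCK events into {'pentest': [...], 'investigate': [...]}."""
    out = {"pentest": [], "investigate": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["action"] != "BLOCK":
            continue
        out[classify(ev, engagement)].append(ev)
    return out


if __name__ == "__main__":
    for ev in triage(WAF_LOG)["investigate"]:
        print("INVESTIGATE", ev["time"].isoformat(), ev["ip"], ev["rule"], ev["path"])
```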
OWASP Top 10 Application Security Risks
A1:2017 Injection
Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
A2:2017 Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities (temporarily or permanently).
A3:2017 Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
A4:2017 XML External Entity (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal SMB file shares on unpatched Windows servers, internal port scanning, remote code execution, and denial of service attacks, such as the Billion Laughs attack.
A5:2017 Broken Access Control
Restrictions on what authenticated users are allowed to do are not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users’ accounts, view sensitive files, modify other users’ data, change access rights, etc.
A6:2017 Security Misconfiguration
Security misconfiguration is the most common issue in the OWASP data set, due in part to manual or ad hoc configuration (or no configuration at all), insecure default configurations, open S3 buckets, misconfigured HTTP headers, error messages containing sensitive information, and not patching or upgrading systems, frameworks, dependencies, and components in a timely fashion (or at all).
A7:2017 Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
A8:2017 Insecure Deserialization
Insecure deserialization flaws occur when an application receives hostile serialized objects. Insecure deserialization can lead to remote code execution. Even if deserialization flaws do not result in remote code execution, serialized objects can be replayed, tampered with or deleted to spoof users, conduct injection attacks, and elevate privileges.
A9:2017 Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
A10:2017 Insufficient Logging & Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
OpenVAS & Metasploit Integration – How to Use OpenVAS in Metasploit
Recently during an engagement, I was able to use OpenVAS in Metasploit to scan a host and conduct a test to see if the system was indeed exploitable. Here is how it was done below:
- To use the OpenVAS integration, load the OpenVAS plugin within msfconsole:
- load openvas
- Connect to the OpenVAS manager with openvas_connect (username, password, host, port):
- openvas_connect username password 127.0.0.1 9390
- Create a target to scan with openvas_target_create. If you want spaces in the name or comment, put quotation marks around them:
- openvas_target_create "Local Machine" 192.168.70.128 "My Local Machine"
- Create a task by specifying a target and a configuration. Use openvas_config_list to list the scan configurations and openvas_target_list to list the targets; the last two arguments are the config ID and the target ID:
- openvas_config_list
- openvas_task_create "Local Scan" "Scan My Local Machine" 0 1
- Start the task with openvas_task_start and watch the progress by running openvas_task_list repeatedly:
- openvas_task_start 0
- openvas_task_list
- Once the scan is finished, the progress shows -1; list the available reports with openvas_report_list:
- openvas_report_list
If this was helpful please let me know.
WordPress 4.9.7 Security and Maintenance Release
WordPress 4.9.7 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.
WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory.
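An added example (not WordPress code) of the containment check that prevents this class of bug: a deletion helper that refuses any name which resolves outside the uploads directory. Directory and file names are constructed for the demo.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    pass


def resolve_inside(base_dir, user_path):
    """Return the absolute path of `user_path` only if, after normalising `..`
    and following symlinks, it lies strictly inside `base_dir`.
    commonpath (rather than startswith) also rejects sibling directories
    such as `uploads2` that merely share the prefix."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if target == base or os.path.commonpath([base, target]) != base:
        raise UnsafePathError("path escapes %s: %r" % (base_dir, user_path))
    return target


def is_safe_upload_path(uploads_dir, relative_name):
    try:
        resolve_inside(uploads_dir, relative_name)
        return True
    except UnsafePathError:
        return False


def delete_upload(uploads_dir, relative_name):
    """Delete a file by relative name, but only if it lives under uploads_dir."""
    target = resolve_inside(uploads_dir, relative_name)
    os.remove(target)
    return target


if __name__ == "__main__":
    # Constructed demo: a temporary "uploads" tree next to a file it must not touch.
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    open(os.path.join(uploads, "photo.jpg"), "w").close()
    open(os.path.join(root, "wp-config.php"), "w").close()
    print(is_safe_upload_path(uploads, "photo.jpg"))          # True
    print(is_safe_upload_path(uploads, "../wp-config.php"))   # False
    print(is_safe_upload_path(uploads, "/etc/passwd"))        # False
    print(delete_upload(uploads, "photo.jpg"))
```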
Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues.
Seventeen other bugs were fixed in WordPress 4.9.7. Particularly of note were:
- Taxonomy: Improve cache handling for term queries.
- Posts, Post Types: Clear post password cookie when logging out.
- Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen.
- Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first.
- Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.
Download WordPress 4.9.7 or venture over to Dashboard → Updates and click “Update Now.” Sites that support automatic background updates are already beginning to update automatically.
The previously scheduled 4.9.7 is now referred to as 4.9.8, and will follow the release schedule posted yesterday.
Thank you to everyone who contributed to WordPress 4.9.7: