
OpenVAS Open Vulnerability Scanning: Free your vulnerabilities!



  1. OpenVAS – Open Vulnerability Scanning
     Free your vulnerabilities!
     Vlatko Košturjak | kost@linux.hr
     LinuxCon #1, 2009-09-22, Portland, Oregon, USA

  2. Agenda
     - Nessus
     - Free alternatives
     - Free feed(s)
     - OVAL interpreters, Nmap
     - OpenVAS
     - OpenVAS state && differences
     - OpenVAS practical tips
     - OpenVAS future
     - (45 minutes in total)
     - Q&A

  3. Nessus? Nessus was free once...

  4. Gartner: 80% of software will be open source by the year 2012 http://linuxhow2.com/News/80_of_Software_Will_Be_Open_source.html

  5. Nessus Free Feed

  6. OVAL interpreters
     - OVAL interpreters
       - ovaldi
       - Reference implementation
     - OVAL
       - Open Vulnerability Assessment Language
       - XML
       - http://oval.mitre.org
     - Good for local checks if you find needed definitions

  7. Nmap
     - Version 5 released recently
     - Has scripting support
       - NSE = Nmap Scripting Engine
       - Yes, that Lua thingy
       - Basic misconfiguration checks
       - Enumeration checks
       - Basic vulnerability checks
     - Missing reporting functions
     - No severities / risk ratings

  8. OpenVAS
     - Nessus GPL fork, old name: Gnessus
     - Continues open development of vulnerability scanner
     - But OpenVAS follows its own path!
     - Both local and remote checks are supported!
     - Reporting
     - Risk rating
     - ...

  9. What's different? Organizational part
     - GPL (v2) license
     - Open development
     - Software in Public Interest (SPI)
     - Change requests
     - Democratic voting
     - Open in every sense
     - Your new idea?
     - OpenVAS DevCon
     - IRC

  10. What's different? Technical part
     - Take advantage of organization decisions/license
     - Tools integration
     - Practice what you preach!
       - Flawfinder, ...
       - Enforce security options in compiler
     - Versions:
       - 1.x = Nessus compatible (NTP protocol)
       - 2.x = Nessus incompatible (OTP protocol)
       - IANA

  11. OpenVAS 2.0
     - Released 17th of December, 2008
     - What's new?
       - Initial OVAL support
       - NTP => OTP
       - script_id => script_oid
       - 64 bit support
       - GUI client improved
       - Bugfixes
       - Code audit
       - ...
     - OpenVAS got from Nessus:
       - nmap
       - hydra
       - nikto
       - ...
     - OpenVAS additionally integrates with:
       - ike-scan
       - portbunny
       - strobe
       - pnscan
       - ...

  12. Ohloh summary

  13. OpenVAS quick facts
     - It's not Debian local checks only
       - You have checks for popular BSD OSes and Linux distros
       - Windows as well
       - Solaris (experimental?)
     - You miss SMB*inc checks
       - SMB functions are rewritten
       - Not compatible with old ones
       - Only a few are left which need to be rewritten using free SMB libraries
       - Help us rewrite them

  14. Look

  15. LSC credentials manager

  16. Severity Override

  17. OpenVAS vulnerability checks/tests
     - It's not a single language any more
     - NVT = Network Vulnerability Test
     - Plugins == NVTs
     - "Languages"
       - NASL (got from Nessus)
       - OVAL (implemented in 2.x)
       - NSE (planned)

  18. NASL
     - Nessus Attack Script Language (NASL)
     - Inherited from Nessus
     - Language still the same
       - Removed plugin localization
       - A few functions were added
     - Same syntax: if (description) { } # script code
     - script_id => script_oid

  19. OVAL
     - Implemented in 2.x
     - Using ovaldi
     - OVAL checks appear in Plugins and reporting
     - Local checks

  20. NSE
     - Nmap Scripting Engine (NSE)
     - Lua
     - Phase: planning
     - Choose .nse you like from OpenVAS
     - Options
       - nmap => libnmap
       - Not system/execve
       - Current / memory problem

  21. Number of NVTs [chart: NVT count, axis 0 to 14000, over time from 09/09/08 to 10/14/09]

  22. OpenVAS tips
     - Use local checks (if possible)
       - Use SSH keys for better security
       - Harden security of scanning box
     - Port scans
       - Nmap
         - Do port scan with nmap first
         - Feed it to OpenVAS (grepable results)
       - Portbunny
         - Kernel level port scanner
         - Not bad for internal scans

  23. OpenVAS control tips
     - Full audit
       - 1-65535 ports
       - Thorough tests
       - Report verbosity
       - Report paranoia
     - Knowledgebase (kb)
       - Something like --verbose
       - Save to disk
       - Analyze findings at deep tech level

  24. OpenVAS future
     - Take a look at current change requests
     - Virtual hosts support
     - Windows local checks
       - Drop existing NASL implementation
       - Using WMI
     - Linux/Unix local checks
       - Drop existing NASL implementation
       - Using SSH library

  25. OpenVAS Design future current

  26. OpenVAS pkgs
     - OpenVAS virtual appliances
       - VMware, VirtualBox, ...
     - OpenVAS in BackTrack
       - http://www.openvas.org/openvas-bt.html
       - BackTrack 3
         - Not included by default
         - Check URL above for remastered ISO image
       - BackTrack 4
         - Beta version doesn't ship with OpenVAS
         - Prefinal version comes with OpenVAS

  27. Integration
     - Autonessus
       - Diff between two scans
       - Supports OpenVAS and Nessus
       - Time for name change? :)
     - Metasploit
       - Some initial development done
       - OpenVAS as client
       - HD Moore "weekend hack"
       - Better: Metasploit as OpenVAS client

  28. OpenVAS + Metasploit integration

  29. Commercial?
     - Ecosystem around OpenVAS
       - Trainings
       - Commercial support
       - Commercial NVT feeds
     - OIDs
       - Enables vendors to have different address space each
       - i.e. 1.2.3.4.x.x

  30. Come and help!
     - Extending scanning engine
     - Extending vulnerability coverage
     - Writing Vulnerability tests (NVTs)
     - Write your PoC/test for OpenVAS!
     - Translating
     - Documentation writing (compendium)
     - Administration (web, irc, ...)
     - http://www.openvas.org

  31. I'm developer... ...is there any $$$ for me?

  32. OpenVAS contest

  33. Initial offering: 300 EUR

  34. Raised to 500 EUR

  35. Raised to 600 EUR

  36. Bug solved, money paid

  37. Summary
     - Open, open and open
     - Multiple vulnerability tests
       - Open Vulnerability Assessment Language (OVAL)
       - Nessus Attack Scripting Language (NASL)
       - Nmap Scripting Engine (NSE) – early dev
     - Integrated tools
       - Port scanning: portbunny, strobe, pnscan...
       - Enumeration: ike-scan, snmpwalk, ...
       - SLAD: john, chkrootkit, clamav, lsof, tripwire, ...

  38. OpenVAS contacts
     - http://www.openvas.org
     - http://www.ohloh.net/p/openvas
     - http://www.twitter.com/openvas
     - http://www.identi.ca/openvas
     - openvas-announce
     - openvas-discuss
     - openvas-devel
     - irc.oftc.net #openvas
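
Slide 22 suggests doing the port scan with nmap first and feeding the grepable results to OpenVAS. As an added example (not from the slides or the OpenVAS project), this parser reads nmap -oG output, keeps only ports in state open, and collapses the TCP ports into one range string. The sample scan output and its addresses are constructed; how the range is then entered into the scanner is left out.

```python
import re
from collections import defaultdict

# Constructed sample of `nmap -oG` output (documentation addresses, not real scan data).
SAMPLE_GNMAP = """\
# Nmap 5.00 scan initiated as: nmap -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tStatus: Up
Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.5 ()\tPorts: 53/open/udp//domain///, 445/open/tcp//microsoft-ds///, 3389/open|filtered/tcp//ms-term-serv///, 5900/open/tcp//vnc///, 5901/open/tcp//vnc-1///
# Nmap done: 8 IP addresses (2 hosts up)
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)")

def open_ports(gnmap_text):
    """Return {host: {"tcp": [ports], "udp": [ports]}} for ports in state 'open'."""
    result = defaultdict(lambda: {"tcp": set(), "udp": set()})
    for line in gnmap_text.splitlines():
        host = HOST_RE.match(line)
        if not host:
            continue  # comment lines and blank lines
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue  # Status: and Ignored State: fields
            for entry in field[len("Ports:"):].split(","):
                # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 3 or not parts[0].isdigit():
                    continue  # malformed entry, skip rather than guess
                port, state, proto = int(parts[0]), parts[1], parts[2]
                if state == "open" and proto in ("tcp", "udp"):
                    result[host.group(1)][proto].add(port)
    return {h: {p: sorted(s) for p, s in protos.items()} for h, protos in result.items()}

def port_range(hosts):
    """Collapse all open TCP ports across hosts into one compact 'a-b,c' string."""
    ports = sorted({p for protos in hosts.values() for p in protos["tcp"]})
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p  # extend the current consecutive run
        else:
            runs.append([p, p])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)

if __name__ == "__main__":
    found = open_ports(SAMPLE_GNMAP)
    print(found, port_range(found))
```

Ports reported as closed or open|filtered are dropped on purpose, so the later scan is scoped only to services nmap confirmed as open.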
