Lab 4 - Vulnerability Scanning

In this lab, you will use the OpenVAS and Nessus vulnerability scanners to probe the Metasploitable2 VM for potential weaknesses.

Tip 1: This lab has a good deal of "hurry up and wait", where you wait while the scanner is fetching the latest vulnerabilities, and wait while the scan runs. I suggest opening a second tab in your console and/or web browser so that you can start configuring the second scanner while waiting for the first to finish.

Tip 2: Your setup or scan work will complete faster if you increase your Kali resource allocation beyond two CPU cores and 2GB of RAM in your virtual machine monitor that it defaults to. Try for 3-4 CPU cores, and 4GB of RAM, assuming your host system has those resources available.

Warning: Does your computer have less than 8GB of RAM? You should carefully consider how much RAM you can afford to give to your Kali VM without going into swap. If memory is very tight, you may need to run only one scanner at a time, and ensure that the previous scanner is shut down before moving onto the next.

Activities

Part 1 - OpenVAS

OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing, various high level and low level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

The scanner is accompanied by a vulnerability tests feed with a long history and daily updates. This Greenbone Community Feed includes more than 64,000 vulnerability tests.

To install OpenVAS in your Kali VM, perform the following steps:

Update Kali:

$ sudo apt update
$ sudo apt -y upgrade

Install and configure OpenVAS. Note that, as of 2020, the commands are prefixed with GVM, short for Greenbone Vulnerability Management.

$ sudo apt install openvas
$ sudo gvm-setup

The gvm-setup command will take a long time to download all the vulnerabilty definitions. Why don't you open a new terminal tab and skip ahead to the Nessus setup while this runs in the background?

Update the signatures used in OpenVAS scanning:

$ sudo greenbone-feed-sync   # Will take a while to download / check if feed is current
$ sudo gvmd --rebuild    # Required, otherwise you'll just see vulnerability IDs 
                         # and not names in the GUI  #SadOutput

The gvmd --rebuild command will take a long time to build all the vulnerability definitions. The command will return immediately, but run in the background. You can continue and launch OpenVAS.

Start OpenVAS:

$ sudo gvm-start         # Start openvas

# At this point, the following services should be running:
#  greenbone-security-assistant
#  opsd-openvas
#  gvmd

The user "admin" was created with a random password at the end of the gvm-setup process. You can save that login if you prefer, or create a new login account with a new more memorable password by the CLI:

$ sudo runuser -u _gvm -- gvmd --create-user=admin
$ sudo runuser -u _gvm -- gvmd --user=admin --new-password="XXXXXXXXX"

Open your web browser and go to https://127.0.0.1:9392 (or it will be auto-opened for you). Accept the self-signed certificate and login with the user and the password you just created.

Do not configure or initiate a scan until you see CVEs and NVTs in the scanning tool dashboard. OpenVAS is processing the newly-downloaded signatures in the background, and the scanner will not be available until that work is finished.

If you want to monitor the system status, run the top program at the command line. While the signatures are being processed, you should see several OpenVAS related programs (ospd-openvas and gvmd) and several databases (postgres and redis-server) all actively consuming CPU resources. The top program will run forever, so press q when you are finished monitoring and want to quit.
Top

When the signatures are fully processed, the Administration->Feed Status page should show your feeds as "Current", and the main Dashboard should show graphs of CVEs and NVTs.
GVM Administration->Feed Status GVM Dashboard

Now that the scanner is ready, it's time to configure a scan! Go to Scans ->Tasks, click on the "magic wand" icon, and choose task wizard. Enter the IP of the Metasploitable2 VM and choose "Start Scan". The tasks page will refresh every 30 seconds with the results of the scan.

The detailed scan will take a while to finish....

You can browse, but wait for the scan to fully complete to 100% before answering the questions...

At the menu, go to Scans->Reports and view the results for the task you just completed. Ensure its status is reported as DONE, and not ERROR. If barely any results are reported, consider that scan a failure and re-run it. Once the scan has finished, answer the Deliverables questions.

When you're finished with the OpenVAS section of the lab, you can shut the program down.

$ sudo gvm-stop

Deliverables:

  • How many high, medium, and low severity items were found?
  • In OpenVAS, go to Scans -> Results. On the "Results by Severity Class" pie chart, restrict the list to vulnerabilities scoring as "High. Find the one labeled "TWiki XSS and Command Execution Vulnerabilities". Answer the following questions just for this specific vulnerability.
    • What installed version of TWiki is Metasploitable2 using? (Note that this version string won't necessarily be valid, indicating the limitations of version detection)
    • What is the oldest version of TWiki that contains a fix to this arbitrary code execution vulnerability?
    • What are the two CVE (Common Vulnerabilities and Exposures) numbers for these related TWiki vulnerabilities?
  • Submit the Report from OpenVAS for this scan in PDF format (Go to Scans->Reports, click on the date of the scan desired, and in the toolbar choose the "Download Filtered Report" button. Change the Report Format to PDF)

Deliverable (Essay):

Pick one of the vulnerabilities scoring as MEDIUM or HIGH on the rating scale, but avoid the "End of Life Detection" reports, as those are boring. Also avoid the TWiki vulnerability we just examined. Provide the title OpenVAS gives and then explain the vulnerability in your own words, as if you were explaining to another student. Copying and pasting text from the OpenVAS report is NOT a sufficient explanation here. You may need to follow the links OpenVAS provides and/or search for additional information on your own.

In your answer, explain:

  1. What is the vulnerability?
  2. How could it be exploited?
  3. How could it be fixed?

A 2 paragraph answer is a sufficient level of detail.

OpenVAS (GVM) Troubleshooting

To do a successful scan, the GVM dashboard must show CVEs and NVTs, the Configuration->Scanners page should show two scanners (CVE and OpenVAS Default), and the Administration->Feed Status page should show all feeds either "Current" or updated within the last month. They should not say "Rebuilding".

GVM Dashboard GVM Configuration->Scanners GVM Administration->Feed Status

To verify the installation and configuration of OpenVAS:

# How much RAM does Kali have allocated to it?  4GB is a reasonable amount.
$ free -m
# Look at the MEM row, under the TOTAL column
#                total        used        free      shared  buff/cache   available
# Mem:           3909        1224         407          60        2278        2342
# Swap:           975          52         923

# Is there space left on disk? (vuln definitions are large, cumulatively)
$ df -h /
# Filesystem      Size  Used Avail Use% Mounted on
# /dev/nvme0n1p2   33G   24G  7.3G  77% /
$ sudo apt autoremove   # Might free up some disk space - removes old updates

# Is your feed up to date?
$ sudo greenbone-feed-sync

# Have you rebuilt the db after updating your feed?
$ sudo gvmd --rebuild

# Is GVM running?
$ sudo gvm-start
# Should load greenboard-sercurity-assistant.service
# Should load gvmd.service
# Should load ospd-openvas.service

# Are there scanners configured and active?
$ sudo runuser -u _gvm -- gvmd --get-scanners
# 08b69003-5fc2-4037-a479-93b440211c73  OpenVAS  /var/run/ospd/ospd.sock  0  OpenVAS Default
# 6acd0832-df90-11e4-b9d5-28d24461215b  CVE    0  CVE

# Do you have a user account to log into the web panel with?
$ sudo runuser -u _gvm -- gvmd --get-users --verbose
# admin 69431492-e29e-486d-8646-20aa0b939aef
# shafer 010eb26d-49e1-4ba3-bd17-04ead05ad161

# Does the self-checkup find anything amiss?
$ sudo gvm-check-setup
# (Lots of output...)
# (Lots of output...)
# (Lots of output...)
# It seems like your GVM-23.11.0 installation is OK.

Part 2 - Nessus

Nessus is a commercial vulnerability assessment scanner. OpenVAS is based on the original open source version of Nessus back in ~2005, but they have diverged significantly since then.

First, register for a personal activation code at https://www.tenable.com/tenable-for-education

Second, download a copy of Nessus from https://www.tenable.com/downloads/nessus. The current version of Nessus as-of Feb 2024 is 10.7.0.

  • Intel/AMD users: Look for the platform Linux - Debian - amd64 (Kali is Debian-based)
  • Apple Silicon users: Look for platform Linux - Ubuntu - aarch64 (Closest platform with an ARM build)

Accept the license agreement, and the download will begin.

To install Nessus:

# First, change directory ('cd') to wherever the .deb installer is. 
$ cd ??????

# Then, run the installer you downloaded. Note that file is slightly different depending on your architecture type:
# For Intel/AMD users:
$ sudo apt install ./Nessus-10.7.0-debian10_amd64.deb 
# For Apple Silicon users:
$ sudo apt install ./Nessus-10.7.0-ubuntu1804-aarch64.deb

# Should see the following message at the end of installation
#  - You can start Nessus Scanner by typing /bin/systemctl start nessusd.service
#  - Then go to https://localhost:8834/ to configure your scanner

# Note: 2/1/2024 - Shafer got this error message, but it can be disregarded
# N: Download is performed unsandboxed as root as file 
# '/home/shafer/Downloads/Nessus-10.7.0-ubuntu1804_aarch64.deb' 
# couldn't be accessed by user '_apt'. - pkgAcquire::Run (13: Permission denied)

Register Nessus:

Register the program with the "Nessus Essentials" activation code that was emailed to you. After activation (and only after!) will Nessus download the current set of vulnerability plugins to scan for.

$ sudo /opt/nessus/sbin/nessuscli fetch --register xxx-xxx-xxxx

Add Nessus User:

$ sudo /opt/nessus/sbin/nessuscli adduser
# Pick your username
# Pick your password
# YES we want this user to be 'system administrator'
# Blank rule set
# YES to confirm

# Note: 2/1/12024 - Shafer got "An error occurred" but the account was succesfully created, so ... shrug?

Start Nessus:

$ sudo systemctl start nessusd
$ sudo systemctl status nessusd   # Verify it's running

Access the Nessus web GUI at https://localhost:8834

  • Accept the self-signed certificate.
  • Login with the user account you previously created
  • Wait (and wait, and wait) while Nessus compiles all the plugins. You will not be able to start a scan until it tells you that "Plugins are done compiling"

Nessus External Scan: Tell Nessus to do an "Advanced Scan" of your Metasploitable2 VM:

  • Go to Scans -> New Scan
  • On the Scan Templates page under Vulnerabilities, choose the "Advanced Scan" type
    • Provide a name for your scan configuration (e.g. "External Scan")
    • Provide the target IP address (in this case, the IP address of the Metasploitable2 VM)
    • Save the scan template
  • Press the "Play" button on the My Scans page to launch the scan you just created

Once the scan has finished, answer the Deliverables questions.

Deliverables (External Scan):

  • How many vulnerabilities scored as critical, high, and medium did Nessus discover?
  • Submit the Report from Nessus for this scan (PDF format, Report->Complete List of Vulnerabilities by Host)

Nessus Internal Scan: Tell Nessus to do an "Advanced Scan" of your Metasploitable2 VM. But this time, we will also give Nessus a login (credential, in their terminology) to the target system, allowing it to perform a greater number of tests. Nessus accepts a variety of credentials, not just to the operating system (i.e. SSH or Windows login), but also to application servers like databases, virtual machine managers, etc.

  • Go to Scans -> New Scan
  • On the Scan Templates page under Vulnerabilities, choose the "Advanced Scan" type
    • Provide a name for your scan (e.g. "Internal Scan")
    • Provide the target IP address (in this case, the IP address of the Metasploitable2 VM)
    • Under Credentials -> SSH, change the authentication method to password and enter the VMs login (msfadmin / msfadmin). This will allow Nessus to ALSO do a scan from inside the system (in addition to the default external scan)
    • Save the scan template
  • Press the "Play" button on the My Scans page to launch the scan you just created

Once the scan has finished, answer the Deliverables questions.

When you're finished with the Nessus section of the lab, you can shut the program down.

$ sudo systemctl stop nessusd

Deliverables (Internal Scan):

  • How many vulnerabilities scored as critical, high, and medium did Nessus discover?
  • Submit the Report from Nessus for this scan (PDF format, Report->Detailed Vulnerabilities by Host).
    Observe that there might be a slight difference in the length of the report, compared to the earlier report type.

Deliverable (Essay):

Pick one of the vulnerabilities scoring as "Critical" by Nessus. Provide the title Nessus gives and then explain the vulnerability in your own words, as if you were explaining to another student. Copying and pasting text from the Nessus report is NOT a sufficient explanation here. You may need to follow the links Nessus provides and/or search for additional information on your own.

In your answer, explain:

  1. What is the vulnerability?
  2. How could it be exploited?
  3. How could it be fixed?

A 2 paragraph answer is a sufficient level of detail.