LinuxCon #1 OpenVAS Open Vulnerability Scanning Free your vulnerabilities!

Transcription

1 LinuxCon #1 OpenVAS Open Vulnerability Scanning Free your vulnerabilities! Vlatko Košturjak LinuxCon #1, , Portland, Oregon, USA 1

2 Agenda Nessus Free alternatives Free feed(s) Oval interpreters, Nmap OpenVAS OpenVAS state && differencies OpenVAS practical tips OpenVAS future Q&A 45 minutes in total

3 Nessus was free once... Nessus?

4 Gartner: 80% sofware will be open source by the year

5 Nessus Free Feed

6 OVAL interpreters OVAL interpreters ovaldi Reference implementation OVAL Open Vulnerability Assessment language XML Good for local checks if you find needed definitions

7 Nmap Version 5 released recently Has scripting support NSE = Nmap Scripting Engine Yes, that Lua thingy Basic misconfiguration checks Enumeration checks Basic vulnerabilties check Missing reporting functions No severities / risk ratings

8 OpenVAS Nessus GPL fork, Old name: Gnessus Continues open development of vulnerability scanner But OpenVAS follows its own path! Both local and remote checks are supported! Reportings Risk rating...

9 What's different? Organizational part GPL (v2) license Open development Software in Public Interest (SPI) Change requests Democratic voting Open in every sense Your new idea? OpenVAS DevCon IRC

10 What's different Technical part Take advantage of organization decisions/license Tools integration Practice what you preach! Flawfinder,... Enforce security options in compiler Versions: 1.x = Nessus compatible (NTP protocol) 2.x = Nessus incompatible (OTP protocol) IANA

11 OpenVAS 2.0 Released 17 th of December, 2008 What's new? Initial OVAL support NTP => OTP script_id => script_oid 64 bit support GUI client improved Bugfixes Code audit... OpenVAS got from Nessus: nmap hydra nikto... OpenVAS additionaly integrates with: ike-scan portbunny strobe pnscan...

12 Ohloh summary

13 OpenVAS quick facts It's not Debian local checks only You have checks for popular BSD Oses and Linux distros Windows as well Solaris (experimental?) You miss SMB*inc checks Smb functions are rewritten not compatible with old ones There is only few left which needs to be rewritten using free smb libraries Help us to rewrite it

14 Look

15 LSC credentials manager

16 Severity Override

17 OpenVAS vulnerability checks/tests It's not single language any more NVT = Network Vulnerability Test Plugins == NVTs "Languages" NASL (got from Nessus) OVAL (implemented in 2.x) NSE (planned)

18 NASL Nessus Attack Script Language (NASL) Inherited from Nessus Language still the same Removed plugin localization There is few functions added Same syntax if (description) { } # script code script_id => script_oid

19 OVAL Implemented in 2.x Using ovaldi OVAL checks appear in Plugins and reporting Local checks

20 NSE Nmap scripting Engine (NSE) Lua Phase: planning Choose.nse you like from OpenVAS Options nmap=>libnmap Not system/execve Current / memory problem

21 Number of NVTs /09/08 10/29/08 12/18/08 02/06/09 03/28/09 05/17/09 07/06/09 08/25/09 10/14/09

22 OpenVAS tips Use local checks (if possible) Use SSH keys for better security Harden security of scanning box Port scans Nmap Do port scan with nmap first Feed it to OpenVAS (grepable results) Portbunny Kernel level port scanner Not bad for internal scans

23 OpenVAS control tips Full audit ports Thorough tests Report verbosity Report paranoia Knowledgebase (kb) Something like --verbose Save to disk Analyze findings at deep tech level

24 OpenVAS future Take a look at current change requests Virtual hosts support Windows local checks Drop existing NASL implementation Using WMI Linux/Unix local checks Drop existing NASL implementation Using SSH library

25 OpenVAS Design current future

26 OpenVAS pkgs OpenVAS virtual appliances Vmware, VirtualBox,... OpenVAS in backtrack Backtrack 3 Not included by default Check URL above for remastered ISO image Backtrack 4 Beta version doesn't ship with OpenVAS Prefinal version comes with OpenVAS

27 Integration Autonessus Diff between two scans Supports OpenVAS and Nessus Time for name change? :) Metasploit Some initial development done OpenVAS as client HD Moore "weekend hack" Better: metasploit as OpenVAS client

28 OpenVAS + Metasploit integration

29 Commercial? Ecosystem around OpenVAS Trainings Commercial support Commercial NVT feeds OIDs Enables vendors to have different address space each i.e x.x

30 Come and help! Extending scanning engine Extending vulnerability coverage Writting Vulnerability tests (NVTs) Write your PoC/test for OpenVAS! Translating Documentation writting (compendium) Administration (web, irc,...)

31 I'm developer......is there any $$$ for me?

32 OpenVAS contest

33 Initial offering: 300 EUR

34 Raised to 500 EUR

35 Raised to 600 EUR

36 Bug solved, money paid

37 Summary Open, open and open Multiple vulnerability tests Open Vulnerability Assessment language (OVAL) Nessus Attack Scripting Language (NASL) Nmap Scripting Engine (NSE) early dev Integrated tools Port scanning: portbunny, strobe, pnscan... Enumeration: ike-scan, snmpwalk,... SLAD: john, chkrootkit, clamav, lsof, tripwire,..

38 OpenVAS contacts openvas-announce Openvas-discuss Openvas-devel irc.oftc.net #openvas