LinuxCon #1 OpenVAS Open Vulnerability Scanning Free your vulnerabilities!




LinuxCon #1 OpenVAS Open Vulnerability Scanning Free your vulnerabilities!
Vlatko Košturjak, kost@linux.hr
LinuxCon #1, 2009-09-22, Portland, Oregon, USA

Agenda
- Nessus
- Free alternatives
- Free feed(s)
- OVAL interpreters, Nmap
- OpenVAS
- OpenVAS state && differences
- OpenVAS practical tips
- OpenVAS future
- Q&A
45 minutes in total

Nessus was free once... Nessus?

Gartner: 80% of software will be open source by the year 2012 http://linuxhow2.com/news/80_of_software_will_be_open_source.html

Nessus Free Feed

OVAL interpreters
- ovaldi: reference implementation
- OVAL: Open Vulnerability Assessment language, XML, http://oval.mitre.org
- Good for local checks, if you find the needed definitions

Nmap
- Version 5 released recently
- Has scripting support: NSE = Nmap Scripting Engine (yes, that Lua thingy)
- Basic misconfiguration checks
- Enumeration checks
- Basic vulnerability checks
- Missing reporting functions
- No severities / risk ratings

OpenVAS
- Nessus GPL fork, old name: Gnessus
- Continues open development of the vulnerability scanner
- But OpenVAS follows its own path!
- Both local and remote checks are supported!
- Reporting
- Risk rating...

What's different? Organizational part
- GPL (v2) license
- Open development
- Software in Public Interest (SPI)
- Change requests
- Democratic voting
- Open in every sense
- Your new idea? OpenVAS DevCon, IRC

What's different? Technical part
- Take advantage of organization decisions/license
- Tools integration
- Practice what you preach! Flawfinder,...
- Enforce security options in compiler
- Versions:
  - 1.x = Nessus compatible (NTP protocol)
  - 2.x = Nessus incompatible (OTP protocol)
- IANA

OpenVAS 2.0
Released 17th of December, 2008
What's new?
- Initial OVAL support
- NTP => OTP
- script_id => script_oid
- 64 bit support
- GUI client improved
- Bugfixes
- Code audit...
OpenVAS got from Nessus: nmap, hydra, nikto...
OpenVAS additionally integrates with: ike-scan, portbunny, strobe, pnscan...

Ohloh summary

OpenVAS quick facts
- It's not Debian local checks only
- You have checks for popular BSD OSes and Linux distros
- Windows as well
- Solaris (experimental?)
- You miss SMB*inc checks
- SMB functions are rewritten, not compatible with old ones
- Only a few are left that need to be rewritten using free SMB libraries
- Help us to rewrite them

Look

LSC credentials manager

Severity Override

OpenVAS vulnerability checks/tests
- It's not a single language any more
- NVT = Network Vulnerability Test
- Plugins == NVTs
- "Languages":
  - NASL (got from Nessus)
  - OVAL (implemented in 2.x)
  - NSE (planned)

NASL
- Nessus Attack Scripting Language (NASL)
- Inherited from Nessus
- Language still the same
- Removed plugin localization
- A few functions were added
- Same syntax:
    if (description) { }
    # script code
- script_id => script_oid

OVAL
- Implemented in 2.x
- Using ovaldi
- OVAL checks appear in Plugins and reporting
- Local checks

NSE
- Nmap Scripting Engine (NSE)
- Lua
- Phase: planning
- Choose the .nse you like from OpenVAS
- Options
- nmap => libnmap
- Not system/execve
- Current / memory problem

[Figure: Number of NVTs over time; x-axis dates from 09/09/08 to 10/14/09, y-axis 0 to 14000]

OpenVAS tips
- Use local checks (if possible)
- Use SSH keys for better security
- Harden security of the scanning box
- Port scans
  - Nmap: do the port scan with nmap first, then feed it to OpenVAS (grepable results)
  - Portbunny: kernel level port scanner, not bad for internal scans
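The "port scan with nmap first, feed the grepable results to OpenVAS" tip, as an added example (not from the slides or the OpenVAS project): a parser for nmap grepable (-oG) output that keeps only open TCP ports per host and collapses them into a compact port range. The sample scan lines are constructed, and how the result is handed to OpenVAS depends on the client in use.

```python
import re

# Constructed sample of nmap grepable (-oG) output; addresses come from the
# RFC 5737 documentation range and the host name is made up.
SAMPLE_GNMAP = """\
# Nmap 5.00 scan initiated as: nmap -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.1 (gw.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 81/open/tcp//http-alt///, 443/closed/tcp//https///\tIgnored State: filtered (996)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 53/open/udp//domain///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
"""

HOST_RE = re.compile(r"^Host: (\S+) ")

def open_tcp_ports(gnmap_text):
    """Return {host: sorted list of open TCP ports} from grepable output."""
    hosts = {}
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m or "\tPorts: " not in line:
            continue  # comments, status-only lines, malformed input
        field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        ports = hosts.setdefault(m.group(1), set())
        for entry in field.split(","):
            parts = entry.strip().split("/")
            # entry layout: port/state/protocol/owner/service/rpc/version/
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                if parts[0].isdigit() and 0 < int(parts[0]) <= 65535:
                    ports.add(int(parts[0]))
    return {h: sorted(p) for h, p in hosts.items()}

def port_range(ports):
    """Collapse a sorted port list into a range string, e.g. '22,80-81'."""
    spans, start, prev = [], None, None
    for p in ports:
        if start is None:
            start = prev = p
        elif p == prev + 1:
            prev = p
        else:
            spans.append((start, prev))
            start = prev = p
    if start is not None:
        spans.append((start, prev))
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)

if __name__ == "__main__":
    for host, ports in open_tcp_ports(SAMPLE_GNMAP).items():
        print(host, port_range(ports))
```

Closed ports, UDP entries and status-only lines are dropped, so the scanner is pointed only at TCP ports that nmap actually found open.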

OpenVAS control tips
- Full audit
  - 1-65535 ports
  - Thorough tests
  - Report verbosity
  - Report paranoia
- Knowledgebase (kb)
  - Something like --verbose
  - Save to disk
  - Analyze findings at deep tech level

OpenVAS future
- Take a look at current change requests
- Virtual hosts support
- Windows local checks
  - Drop existing NASL implementation
  - Using WMI
- Linux/Unix local checks
  - Drop existing NASL implementation
  - Using SSH library

OpenVAS Design current future

OpenVAS pkgs
- OpenVAS virtual appliances: VMware, VirtualBox,...
- OpenVAS in BackTrack: http://www.openvas.org/openvas-bt.html
- BackTrack 3
  - Not included by default
  - Check URL above for remastered ISO image
- BackTrack 4
  - Beta version doesn't ship with OpenVAS
  - Prefinal version comes with OpenVAS

Integration
- Autonessus
  - Diff between two scans
  - Supports OpenVAS and Nessus
  - Time for name change? :)
- Metasploit
  - Some initial development done
  - OpenVAS as client: HD Moore "weekend hack"
  - Better: Metasploit as OpenVAS client

OpenVAS + Metasploit integration

Commercial?
- Ecosystem around OpenVAS
  - Trainings
  - Commercial support
  - Commercial NVT feeds
- OIDs
  - Enable vendors to have a different address space each, i.e. 1.2.3.4.x.x

Come and help!
- Extending scanning engine
- Extending vulnerability coverage
- Writing vulnerability tests (NVTs)
- Write your PoC/test for OpenVAS!
- Translating
- Documentation writing (compendium)
- Administration (web, irc,...)
http://www.openvas.org

I'm a developer... is there any $$$ for me?

OpenVAS contest

Initial offering: 300 EUR

Raised to 500 EUR

Raised to 600 EUR

Bug solved, money paid

Summary
- Open, open and open
- Multiple vulnerability tests
  - Open Vulnerability Assessment language (OVAL)
  - Nessus Attack Scripting Language (NASL)
  - Nmap Scripting Engine (NSE): early dev
- Integrated tools
  - Port scanning: portbunny, strobe, pnscan...
  - Enumeration: ike-scan, snmpwalk,...
  - SLAD: john, chkrootkit, clamav, lsof, tripwire,...

OpenVAS contacts
- http://www.openvas.org
- http://www.ohloh.net/p/openvas
- http://www.twitter.com/openvas
- http://www.identi.ca/openvas
- Mailing lists: openvas-announce, openvas-discuss, openvas-devel
- IRC: irc.oftc.net #openvas