What Is OpenVAS
From the OpenVAS website, “OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution. The framework is part of Greenbone Networks‘ commercial vulnerability management solution from which developments are contributed to the Open Source community since 2009.” I personally, want to utilize this tool for performing a vulnerability test of my personal network. As a software engineer, I have implemented a relatively extensive home network. Because these days security is paramount, I felt as though I needed verification my network is as secure as possible.
For testing my network , the idea is installing the OpenVAS vulnerability scanner on an external network and then testing my network by scanning a site hosted within. The first step is installing the scanner. This would be accomplished by installing it on a CentOS 7 virtual machine (VM) hosted within the Linode cloud. CentOS was the chosen flavor of Linux due to its closeness to Red Hat Enterprise Linux (RHEL). Since RHEL is used in many corporate environments, I wanted to install the scanner on a similar operating system.
Installation and Verification of OpenVAS
For the purposes of this test, the VM was not secured and only has a root account. A minimal installation of CentOS was performed by deploying the CentOS 7 image within Linode. Once the operating system was installed, the following steps were carried out installing the OpenVAS vulnerability scanner.
1) yum update -y 2) yum install wget -y 3) wget -q -O - http://www.atomicorp.com/installers/atomic |sh 4) wget http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-10.noarch.rpm 5) rpm -ivh epel-release-7-10.noarch.rpm 6) yum install xalan-c 7) yum install openvas 8) yum install bzip2 9) openvas-setup 10) Accept default rsync 11) Enter username and password 12) echo "unixsocket /tmp/redis.sock" >> /etc/redis.conf 13) sed -i 's/enforcing/disabled/g' /etc/selinux/config /etc/selinux/config 14) systemctl enable redis.service 15) shutdown -r now
Once the installation is complete and the VM has rebooted you can verify the installation by accessing the following URL:
https://<IP Address of VM>:9392
The certificate is not trusted so you will have to create an exception within your browser and you will log in with the username and password created during installation. The next step is verifying the installation against some known vulnerable website. The site, 15 Vulnerable Sites To (Legally) Practice Your Hacking Skills , contained various sites listed as having vulnerabilities which you could practice your hacking skills. I chose to use the site named, Hack This Site (www.hackthissite.org) as the scanning target. The task wizard was used for starting the scan using the fully qualified domain name (FQDN) as the scanning target.
Initially, I thought the scanner may have had some issues because the status seemed stuck at 1% and after performing some searches on the web this seemed to be a problem which people have asked about. However, I found that I just needed to give the scanner more time for it to increase the percent complete. The scan of the test site took 7 hours 51 minutes and 12 seconds to complete and a total of 43 vulnerabilities were identified.
Scanning A Personal Target
Now that I know the scanner is able to scan a target, I decided to point the scanner at a domain which I maintain. One of the software development tools I use is the Redmine issue tracker. My tracker is located at redmine.theparhams.net. So, again, I used the wizard and attempted a scan using the FQDN of my site. This time, the scan only took 21 seconds to complete. However, no vulnerabilities were reported and OpenVAS reported my site may be dead.
I performed some research about this finding where OpenVAS says the site may be dead and have found other users also reporting this. Because the site is being scanned from an outside network, I am going to assume the scanner couldn’t reach my site. Because of the techniques involved in scanning the target, my ISP may be blocking the scanning altogether. If so, this is a good thing because adversarial scanning would be getting blocked. For now, I am going to assume the site is relatively secure, but additional steps should be made to verify.
Additional Steps for Security and Sanity
Because the OpenVAS utility is new to me, I want to take additional steps ensuring accurate results are achieved. In my research on OpenVAS, I found other users reporting dead sites who said these problems were resolved with OpenVAS 9. It was not until I found these posts, that I realized I was using an older version of OpenVAS. I had installed OpenVAS 7 on my external network. That being said, the next steps will be performing a version 9 installation and verifying its functionality against the same two sites and comparing the results.
I hope you have enjoyed reading this post and I look forward to any comments you may provide. If you have had some of these same experiences please let me know. If you have found this content helpful, again, please let me know. I welcome any and all feedback!