If you search for articles about OpenVAS, most of them will be about installation: installation in Kali (in 3 lines) and various bash scripts for installing it from the sources.
Pros of installing from the sources:
- It is the fastest way to obtain the current stable and beta versions of OpenVAS for everyday use and testing.
- Security reasons. Since there are no official OpenVAS packages, you need to rely on individuals who provide packages for popular distributions, and in some cases that is not an option.
- Some scripting for updating the OpenVAS database and managing OpenVAS services will be required anyway. Starting OpenVAS is still a quest: you need to check the status of the database and start the services in the right order.
- This is the first step towards the full automation of OpenVAS scanning and testing.
Cons:
- You will need to install lots of additional packages to build the OpenVAS binaries. More than 2Gb of files should be downloaded. It may take hours to install and configure all these packages on a slow machine (especially all those TeX packages).
- Building all the packages also takes time. It takes as much time as a knowledge base update.
I wrote a small bash script to simplify OpenVAS installation and management: openvas_commander.sh. Tested on Debian 8.5; it should work on Ubuntu and Kali.
    chmod +x openvas_commander.sh
What are its advantages over other similar scripts?
1. openvas_commander gets the packages from http://openvas.org/install-source.html
So when Greenbone releases a new version of OpenVAS, it won’t be necessary to change anything in the script, provided the page structure doesn’t change significantly (it has remained the same for many years).
And yeah, I know that parsing html with regular expressions is a sin.
    # ./openvas_commander.sh --show-releases
    OpenVAS-8
    OpenVAS-9 BETA
    # ./openvas_commander.sh --show-sources "OpenVAS-8"
    http://wald.intevation.org/frs/download.php/2291/openvas-libraries-8.0.7.tar.gz
    http://wald.intevation.org/frs/download.php/2266/openvas-scanner-5.0.5.tar.gz
    http://wald.intevation.org/frs/download.php/2295/openvas-manager-6.0.8.tar.gz
    http://wald.intevation.org/frs/download.php/2299/greenbone-security-assistant-6.0.10.tar.gz
    http://wald.intevation.org/frs/download.php/2332/openvas-cli-1.4.4.tar.gz
    http://wald.intevation.org/frs/download.php/1975/openvas-smb-1.0.1.tar.gz
    http://wald.intevation.org/frs/download.php/2177/ospd-1.0.2.tar.gz
    http://wald.intevation.org/frs/download.php/2005/ospd-ancor-1.0.0.tar.gz
    http://wald.intevation.org/frs/download.php/2097/ospd-debsecan-1.0.0.tar.gz
    http://wald.intevation.org/frs/download.php/2003/ospd-ovaldi-1.0.0.tar.gz
    http://wald.intevation.org/frs/download.php/2149/ospd-paloalto-1.0b1.tar.gz
    http://wald.intevation.org/frs/download.php/2004/ospd-w3af-1.0.0.tar.gz
    http://wald.intevation.org/frs/download.php/2181/ospd-acunetix-1.0b1.tar.gz
    http://wald.intevation.org/frs/download.php/2185/ospd-ikescan-1.0b1.tar.gz
    http://wald.intevation.org/frs/download.php/2204/ospd-ikeprobe-1.0b1.tar.gz
    http://wald.intevation.org/frs/download.php/2213/ospd-ssh-keyscan-1.0b1.tar.gz
    http://wald.intevation.org/frs/download.php/2219/ospd-netstat-1.0b1.tar.gz
2. The script uses “checkinstall”, not “make install”. It creates and installs Debian packages for openvas-smb, openvas-libraries, openvas-scanner, openvas-manager, openvas-cli and greenbone-security-assistant. These packages can be easily removed using “dpkg -r”.
    # dpkg --list | egrep "(openvas|green)"
    ii  greenbone-security-assistant  6.0.10-1  i386  Package created with checkinstall 1.6.2
    ii  openvas-cli                   1.4.4-1   i386  Package created with checkinstall 1.6.2
    ii  openvas-libraries             8.0.7-1   i386  Package created with checkinstall 1.6.2
    ii  openvas-manager               6.0.8-1   i386  Package created with checkinstall 1.6.2
    ii  openvas-scanner               5.0.5-1   i386  Package created with checkinstall 1.6.2
    ii  openvas-smb                   1.0.1-1   i386  Package created with checkinstall 1.6.2
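For point 1 above, a sketch of the URL-extraction step with two guards that an installer run as root benefits from: links scraped from the page are kept only if they match the expected host and path shape, and a downloaded tarball is compared with a pinned SHA-256 before it is built. This is an added example, not code from openvas_commander.sh; the sample HTML, the function names and the self-maintained checksum manifest are assumptions.

```shell
#!/bin/sh
# Added example, not part of openvas_commander.sh.
# Constructed sample of a saved install page: the first two links are from the
# output above, the last two are invented to show what gets rejected.
SAMPLE_HTML='<h3>OpenVAS-8</h3>
<a href="http://wald.intevation.org/frs/download.php/2291/openvas-libraries-8.0.7.tar.gz">libraries</a>
<a href="http://wald.intevation.org/frs/download.php/2266/openvas-scanner-5.0.5.tar.gz">scanner</a>
<a href="http://mirror.example.invalid/frs/download.php/1/openvas-scanner-5.0.5.tar.gz">other host</a>
<a href="http://wald.intevation.org/frs/download.php/2291/../../x.tar.gz">odd path</a>'

# Only this host and this URL shape are allowed to reach the build step.
ALLOWED_RE='^https?://wald\.intevation\.org/frs/download\.php/[0-9]+/[A-Za-z0-9._-]+\.tar\.gz$'

extract_source_urls() {
    # stdin: HTML. stdout: accepted URLs. stderr: every href that was rejected.
    grep -oE 'href="[^"]+"' | sed -e 's/^href="//' -e 's/"$//' |
    while IFS= read -r url; do
        if printf '%s\n' "$url" | grep -qE "$ALLOWED_RE"; then
            printf '%s\n' "$url"
        else
            printf 'rejected: %s\n' "$url" >&2
        fi
    done
}

verify_tarball() {
    # $1 = downloaded file, $2 = SHA-256 pinned in a manifest you maintain
    # (hypothetical: the page does not mention published checksums).
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Demo on the constructed page: two URLs pass, two are reported on stderr.
printf '%s\n' "$SAMPLE_HTML" | extract_source_urls
```

Because the links are plain HTTP, the allowlist only guards against a changed page layout or a stray link; the pinned hash is what detects a tarball that differs from the one you reviewed.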
The whole installation and configuration process (run as root):
    ./openvas_commander.sh --install-dependencies
    ./openvas_commander.sh --show-releases
    OpenVAS-8
    OpenVAS-9 BETA
    ./openvas_commander.sh --download-sources "OpenVAS-8"
    ./openvas_commander.sh --create-folders
    ./openvas_commander.sh --install-all
    ./openvas_commander.sh --configure-all
    ./openvas_commander.sh --update-content
    ./openvas_commander.sh --rebuild-content
    ./openvas_commander.sh --start-all
Then go to https://<ip>/login/login.html
If something goes wrong, “--check-status” (openvas-check-setup) will show the errors:
    # ./openvas_commander.sh --check-status
    openvas-check-setup 2.3.3
    Test completeness and readiness of OpenVAS-8
    (add '--v6' or '--v7' or '--v9' if you want to check for another OpenVAS version)
    Please report us any non-detected problems and help us to improve this check routine:
    http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
    Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem.
    Step 1: Checking OpenVAS Scanner ...
    OK: OpenVAS Scanner is present in version 5.0.5.
    OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
    [...]
It’s also useful to check the processes. openvassd needs time to reload all the plugins (NVTs). BTW, I don’t know why gsad runs two processes.
    # ./openvas_commander.sh --check-proc
    root 1570  2.3 9.2 135008 71228 pts/0 SL 12:41 0:01 openvasmd
    root 1572 91.9 2.2  41848 17160 ?     Rs 12:41 1:02 openvassd: Reloaded 29950 of 47766 NVTs (62% / ETA: 00:39)
    root 1573  0.0 0.1  31716  1344 ?     S  12:41 0:00 openvassd (Loading Handler)
    root 1575  0.1 0.7  28372  5816 pts/0 Sl 12:41 0:00 /usr/local/sbin/gsad
    root 1576  0.0 0.4  28372  3356 pts/0 Sl 12:41 0:00 /usr/local/sbin/gsad
    root 1618  0.0 0.2   4528  1696 pts/0 S+ 12:42 0:00 grep -E (openvas.d|gsad)
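The process check above can be turned into a readiness gate for automated scanning, so that nothing is started while openvassd is still reloading NVTs. The following added example (not code from openvas_commander.sh) parses the openvassd process title; the function names and the rule that a running openvassd without a "Reloaded" title has finished loading are assumptions.

```shell
#!/bin/sh
# Added example, not part of openvas_commander.sh.
# Constructed input: process lines copied from the --check-proc output above.
SAMPLE_PS='root 1570 2.3 9.2 135008 71228 pts/0 SL 12:41 0:01 openvasmd
root 1572 91.9 2.2 41848 17160 ? Rs 12:41 1:02 openvassd: Reloaded 29950 of 47766 NVTs (62% / ETA: 00:39)
root 1573 0.0 0.1 31716 1344 ? S 12:41 0:00 openvassd (Loading Handler)
root 1575 0.1 0.7 28372 5816 pts/0 Sl 12:41 0:00 /usr/local/sbin/gsad'

scanner_state() {
    # stdin: ps output. stdout: "loading <percent>", "up" or "absent".
    ps_text=$(cat)
    counts=$(printf '%s\n' "$ps_text" |
        sed -nE 's/.*openvassd: Reloaded ([0-9]+) of ([0-9]+) NVTs.*/\1 \2/p' |
        head -n 1)
    if [ -n "$counts" ]; then
        loaded=${counts% *}
        total=${counts#* }
        [ "$total" -gt 0 ] || total=1      # avoid division by zero
        echo "loading $(( $loaded * 100 / $total ))"
    elif printf '%s\n' "$ps_text" | grep -q 'openvassd'; then
        # Assumption: a running openvassd without a "Reloaded" title is done.
        echo "up"
    else
        echo "absent"
    fi
}

wait_for_scanner() {
    # $1 = timeout in seconds. Polls the live process table every 10 seconds.
    # Returns 0 when loaded, 1 on timeout, 2 if openvassd is not running.
    deadline=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        case $(ps -eo args | scanner_state) in
            up) return 0 ;;
            absent) return 2 ;;
        esac
        sleep 10
    done
    return 1
}

printf '%s\n' "$SAMPLE_PS" | scanner_state   # demo on the constructed input
```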
If you want to restart OpenVAS, use “--kill-all”, then “--start-all”.
Unfortunately, OSPd components are out of scope for now. But it is planned.
A couple of words about the VirtualBox test stand I used.
40 GB hard disk.
Two network interfaces: NAT and Host Only Adapter.
Host only network configuration:
File -> Preferences -> Network -> Host only network -> new
vboxnet0 -> DHCP Server:
Standard Debian install from Debian 8.5 ISO.
Choose eth0 (NAT) as the primary interface, because I need to download packages.
Software to install
After installation is complete you may need to add these lines to the /etc/network/interfaces file:
    allow-hotplug eth1
    iface eth1 inet dhcp

    # service networking restart
Otherwise, Debian will not see Host Only Adapter.
    $ ssh email@example.com
    The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
    ECDSA key fingerprint is SHA256:TtMghC06KxQfiPVlkZHkZ9Ca5rZKK2/tGpOwt8NqrtQ.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
    firstname.lastname@example.org's password:
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    Last login: Sat Jun 25 12:25:37 2016
    vmuser@openvas:~$