upd. 29.09.2018 Unfortunately, the script does not work after Greenbone moved the sources from their internal repository to GitHub. It’s necessary to edit the script. Stay tuned.
If you will search articles about OpenVAS most of them will be about installation: installation in Kali (in 3 lines) and various bash scripts for installing it from the sources.
Pros of using installation the sources:
- It is the the fastest way to obtain current stable and beta version OpenVAS for every day use and testing.
- Security reasons. As soon as there are no official OpenVAS packages you need to rely on some individuals who provide packages for popular distributions and in some cases it is not the option.
- Some scripting for updating OpenVAS database and managing OpenVAS services will be required anyway. Starting the OpenVAS is still a quest: you need to check the statuses of database, start the services in a right order.
- This is the first step towards the full automation of OpenVAS scanning and testing.
Cons:
- You will need to install lot’s of additional packages to build OpenVAS binaries. More than 2Gb of files should be downloaded. It may take hours to install configure all this packages on a slow machine (especially all those TeX packages).
- Building all packages also takes time. It takes as much time as knowledge base update.
I wrote a small bash script to simplify OpenVAS installation and management of – openvas_commander.sh. Tested on Debian 8.5, should work on Ubuntu and Kali.
Upd 10.04.2017 Read how to use this script to install OpenVAS 9 on Debian in the post “Installing OpenVAS 9 from the sources“.
wget https://raw.githubusercontent.com/leonov-av/openvas-commander/master/openvas_commander.sh
chmod +x openvas_commander.sh
What are its advantages over other similar scripts?
1. openvas_commander gets the packages from http://openvas.org/install-source.html
So when Greenbones will release a new version of OpenVAS, it won’t be necessary to change anything in the script. Of course, if the page structure won’t change significantly (it remains the same for many years).
And yeah, I know that parsing html with regular expressions is a sin.
# ./openvas_commander.sh --show-releases OpenVAS-8 OpenVAS-9 BETA # ./openvas_commander.sh --show-sources "OpenVAS-8" http://wald.intevation.org/frs/download.php/2291/openvas-libraries-8.0.7.tar.gz http://wald.intevation.org/frs/download.php/2266/openvas-scanner-5.0.5.tar.gz http://wald.intevation.org/frs/download.php/2295/openvas-manager-6.0.8.tar.gz http://wald.intevation.org/frs/download.php/2299/greenbone-security-assistant-6.0.10.tar.gz http://wald.intevation.org/frs/download.php/2332/openvas-cli-1.4.4.tar.gz http://wald.intevation.org/frs/download.php/1975/openvas-smb-1.0.1.tar.gz http://wald.intevation.org/frs/download.php/2177/ospd-1.0.2.tar.gz http://wald.intevation.org/frs/download.php/2005/ospd-ancor-1.0.0.tar.gz http://wald.intevation.org/frs/download.php/2097/ospd-debsecan-1.0.0.tar.gz http://wald.intevation.org/frs/download.php/2003/ospd-ovaldi-1.0.0.tar.gz http://wald.intevation.org/frs/download.php/2149/ospd-paloalto-1.0b1.tar.gz http://wald.intevation.org/frs/download.php/2004/ospd-w3af-1.0.0.tar.gz http://wald.intevation.org/frs/download.php/2181/ospd-acunetix-1.0b1.tar.gz http://wald.intevation.org/frs/download.php/2185/ospd-ikescan-1.0b1.tar.gz http://wald.intevation.org/frs/download.php/2204/ospd-ikeprobe-1.0b1.tar.gz http://wald.intevation.org/frs/download.php/2213/ospd-ssh-keyscan-1.0b1.tar.gz http://wald.intevation.org/frs/download.php/2219/ospd-netstat-1.0b1.tar.gz
2. Script uses “checkinstall”, not “make install”. It will create and install debian packages for openvas-smb, openvas-libraries, openvas-scanner, openvas-manager, openvas-cli and greenbone-security-assistant. These packages may be easily removed using “dpkg -r”.
# dpkg --list | egrep "(openvas|green)" ii greenbone-security-assistant 6.0.10-1 i386 Package created with checkinstall 1.6.2 ii openvas-cli 1.4.4-1 i386 Package created with checkinstall 1.6.2 ii openvas-libraries 8.0.7-1 i386 Package created with checkinstall 1.6.2 ii openvas-manager 6.0.8-1 i386 Package created with checkinstall 1.6.2 ii openvas-scanner 5.0.5-1 i386 Package created with checkinstall 1.6.2 ii openvas-smb 1.0.1-1 i386 Package created with checkinstall 1.6.2
The whole installation and configuration process (run as root):
./openvas_commander.sh --install-dependencies ./openvas_commander.sh --show-releases OpenVAS-8 OpenVAS-9 BETA ./openvas_commander.sh --download-sources "OpenVAS-8" ./openvas_commander.sh --create-folders ./openvas_commander.sh --install-all ./openvas_commander.sh --configure-all ./openvas_commander.sh --update-content ./openvas_commander.sh --rebuild-content ./openvas_commander.sh --start-all
Then go to https://<ip>/login/login.html
If something goes wrong “–check-status” (openvas-check-setup) will show the errors:
# ./openvas_commander.sh --check-status openvas-check-setup 2.3.3 Test completeness and readiness of OpenVAS-8 (add '--v6' or '--v7' or '--v9' if you want to check for another OpenVAS version) Please report us any non-detected problems and help us to improve this check routine: http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the problem. Step 1: Checking OpenVAS Scanner ... OK: OpenVAS Scanner is present in version 5.0.5. OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem. [...]
It’s also useful to check the process. openvassd need time to reload all the plugins (NVTs). BTW, I don’t know why gsad runs two processes.
# ./openvas_commander.sh --check-proc root 1570 2.3 9.2 135008 71228 pts/0 SL 12:41 0:01 openvasmd root 1572 91.9 2.2 41848 17160 ? Rs 12:41 1:02 openvassd: Reloaded 29950 of 47766 NVTs (62% / ETA: 00:39) root 1573 0.0 0.1 31716 1344 ? S 12:41 0:00 openvassd (Loading Handler) root 1575 0.1 0.7 28372 5816 pts/0 Sl 12:41 0:00 /usr/local/sbin/gsad root 1576 0.0 0.4 28372 3356 pts/0 Sl 12:41 0:00 /usr/local/sbin/gsad root 1618 0.0 0.2 4528 1696 pts/0 S+ 12:42 0:00 grep -E (openvas.d|gsad)
If you want to restart OpenVAS use “–kill-all”, than “–start-all”
Unfortunately, OSPd components are out pf scope now. But it is planned.
Couple of words about VirtualBox testing stand I used.
40 GB hard disk.
Two network interfaces: Nat and Host Only Adapter.
Host only network configuration:
File -> Preferences -> Netowork -> Host only network->new
vboxnet0 -> DHCP Server:
Standard Debian install from Debian 8.5 ISO.
Choose primary interface eth0 (NAT) cause I need to download packages
Software to install
After installation is complete you may need to add this lines to /etc/network/interfaces file:
allow-hotplug eth1 iface eth1 inet dhcp
And make
# service networking restart
Otherwise, Debian will not see Host Only Adapter.
Results:
$ ssh vmuser@192.168.56.101 The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established. ECDSA key fingerprint is SHA256:TtMghC06KxQfiPVlkZHkZ9Ca5rZKK2/tGpOwt8NqrtQ. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts. vmuser@192.168.56.101's password: The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Sat Jun 25 12:25:37 2016 vmuser@openvas:~$
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Pingback: Tenable Nessus: registration, installation, scanning and reporting | Alexander V. Leonov
Pingback: OpenVAS plugins in Vulners.com | Alexander V. Leonov
HI, many thanks for your comprehensive article.
Do you have any ideas on using this approach to provision networked OpenVAS
servers that share a common database for example ?
Hello! Thank you for kind words, Maineffort!
Actually, I don’t see how it may be useful. If you want to use several servers to scan there is already a master-slave mechanism available http://docs.greenbone.net/GSM-Manual/gos-3.1/en/master_slave.html. Or you can manage several scanners directly and independently via API. What’s the point for scanners to use the same base?
Pingback: Nessus Manager and Agents | Alexander V. Leonov
Pingback: Seccubus installation and GUI overview | Alexander V. Leonov
Pingback: Who wants to be a PCI ASV? | Alexander V. Leonov
Pingback: Installing OpenVAS 9 from the sources | Alexander V. Leonov
Pingback: Vulnerability Management for Network Perimeter | Alexander V. Leonov
Alexander,
I get this error in Ubuntu 16.04:
root@openvas:/tmp# ./openvas_commander.sh –install-dependencies
Reading package lists… Done
Building dependency tree
Reading state information… Done
Note, selecting ‘libsql-translator-perl’ instead of ‘sqlfairy’
E: Unable to locate package mingw32