Vulnerability Assessment without Vulnerability Scanner. This will be a practical confirmation of my thesis from “Vulnerability scanners: a view from the vendor and end user side“: the scanner for one operating system is easy to make. I also want to demonstrate that data collection and data analysis for Vulnerability Assessment may be successfully performed separately. There is no need to take the data directly from the vulnerable hosts, when it is already stored somewhere else, for example in IT monitoring systems.

Assessment without vulnerability scanner

The opacity of data collection and the need to have a privileged account on the remote host, traditionally causes conflicts between IS and IT departments and complicates implementation of VM process.

So, to detect vulnerabilities on our Linux host we need to know what version of the packages contain vulnerabilities, which versions of packages are installed on our hosts, and learn how to compare versions.

How do I know which versions of packages are vulnerable?

Vulnerable versions of packages are listed in official security bulletins:
RHEL – https://access.redhat.com/errata/RHSA-2016:0304
CentOS – https://lists.centos.org/pipermail/centos-announce/2015-April/021064.html
Debian – http://www.debian.org/security/2015/dsa-3197
Ubuntu – http://www.ubuntu.com/usn/usn-2537-1/

CESA bulletin example

Of course, you will need to parse them first. Or you can just download the same content already parsed and presented in JSON format with Vulners.
download CESA bulletins from Vulners
Continue reading →

Vulners – Google for hacker. How the best vulnerability search engine works and how to use it. Original article was published in Xakep Magazine #06/2016 (in Russian)

The common task. Уou need to find all information about some vulnerability: how critical the bug is, whether there is a public exploit, which vendors already released patches, which vulnerability scanner can detect this bug in the system. Previously, you had to search it all manually in dozens of sources (CVEDetails, SecurityFocus, Rapid7 DB, Exploit-DB, CVEs from MITRE / NIST, vendor newsletters, etc.) and analyze the collected data. Today, this routine can be (and should be!) automated with specialized services. One of these services – Vulners.com, the coolest search engine for bugs. And what is the most important – it’s free and has an open API. Let’s see how it can be useful for us.

What is it?

Vulners is a very large constantly updating database of Information Security content. This site lets you search for vulnerabilities, exploits, patches, bug bounty programs the same way a web search engine lets you search for websites. Vulners aggregates and presents in convenient form seven major types of data:

Popular vulnerability databases, containing general descriptions of vulnerabilities and links. For example, well-known NVD CVEs of MITRE US agency and NIST Institute. In addition to this, Vulners supports vulnerability descriptions from various research centers and response teams: Vulnerability Lab, XSSed, CERT, ICS, Zero Day Initiative, Positive Technologies, ERPScan.
Vendor’s security bulletins. This bug-reports are published by software vendors and contain information about vulnerabilities in their own products. At current moment Vulners supports various Linux distributions (Red Hat, CentOS, Oracle Linux, Arch Linux, Debian, Ubuntu, SUSE), FreeBSD, network devices (F5 Networks, Cisco, Huawei, Palo Alto Networks), popular and critical software (OpenSSL, Samba, nginx, Mozilla, Opera), including CMS (WordPress, Drupal).
Exploits from Exploit-DB, Metasploit and 0day.today. Exploits are parsed and stored in full-text form and you can read the sources in a convenient text editor.
Nessus plugins for vulnerability detection. It makes easy to find out whether a particular vulnerability can be detected using this popular network scanner. Why is it important? Read in my article “When a free scanning service detects vulnerabilities better“.
Bug disclousers for bug bounty programs. At current moment Vulners supports HackerOne and Open Bug Bounty.
Potential vulnerabilities of mobile applications and CMS. It is possible in cooperation with the static application security testing (SAST) vendors Hackapp and InfoWatch APPERCUT.
Posts from hacking resources. Vulners collects Threatpost and rdot.org publications, which often cover vulnerability related topics.

All this information is handled, cataloged, structured and is always available for the search.

Continue reading →

openvas_commander for OpenVAS installation and management. upd. 29.09.2018 Unfortunately, the script does not work after Greenbone moved the sources from their internal repository to GitHub. It’s necessary to edit the script. Stay tuned.

If you will search articles about OpenVAS most of them will be about installation: installation in Kali (in 3 lines) and various bash scripts for installing it from the sources.

OpenVAS commander

Pros of using installation the sources:

It is the the fastest way to obtain current stable and beta version OpenVAS for every day use and testing.
Security reasons. As soon as there are no official OpenVAS packages you need to rely on some individuals who provide packages for popular distributions and in some cases it is not the option.
Some scripting for updating OpenVAS database and managing OpenVAS services will be required anyway. Starting the OpenVAS is still a quest: you need to check the statuses of database, start the services in a right order.
This is the first step towards the full automation of OpenVAS scanning and testing.

Cons:

You will need to install lot’s of additional packages to build OpenVAS binaries. More than 2Gb of files should be downloaded. It may take hours to install configure all this packages on a slow machine (especially all those TeX packages).
Building all packages also takes time. It takes as much time as knowledge base update.

I wrote a small bash script to simplify OpenVAS installation and management of – openvas_commander.sh. Tested on Debian 8.5, should work on Ubuntu and Kali.

Upd 10.04.2017 Read how to use this script to install OpenVAS 9 on Debian in the post “Installing OpenVAS 9 from the sources“.

wget https://raw.githubusercontent.com/leonov-av/openvas-commander/master/openvas_commander.sh chmod +x openvas_commander.sh

What are its advantages over other similar scripts?

Continue reading →

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: Debian

Vulnerability Assessment without Vulnerability Scanner

Vulners – Google for hacker. How the best vulnerability search engine works and how to use it

What is it?

openvas_commander for OpenVAS installation and management