Environment
Attack Machine
OS: NTUT-IFM-Kali-2021-custom
IP: 10.99.154.46
AC: kali/kali
Victim Machine
OS: Metasploitable3
IP: 10.99.154.47
AC: vagrant/vagrant
Prepare
Install
sudo apt install docker.io
sudo usermod -aG docker kali
You can check with docker version. If you get "Cannot connect to the Docker daemon. Is the docker daemon running on this host?",
this is because the current user has not been added to the docker group (confirm that the second step above was done).
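The "Cannot connect to the Docker daemon" error has more than one cause, so here is a small preflight script, added to these notes rather than taken from them, that tells the causes apart: docker not installed, the daemon not running, the user missing from the docker group, or the group already recorded in /etc/group but the current login session started before it was added (usermod -aG only takes effect on a new login or after newgrp docker). It assumes POSIX sh and the docker group created by the docker.io package; the user name defaults to the one running the script.

```shell
#!/bin/sh
# Added example (not from the original notes): preflight checks for the
# Docker installation steps above. Assumes POSIX sh and the "docker" group
# created by the docker.io package; the user defaults to the current one.

# in_group LIST NAME: succeed if NAME is one of the whitespace-separated
# group names in LIST (the output format of "id -nG").
in_group() {
    list="$1"
    wanted="$2"
    for g in $list; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# docker_preflight [USER]: print one diagnosis word and return 0 only
# when "docker version" is expected to succeed for USER.
#   not-installed  docker binary missing
#   not-in-group   "usermod -aG docker USER" has not been done (or was typo'd)
#   stale-session  group is recorded in /etc/group but this login session
#                  started before it was added: log out and in, or run "newgrp docker"
#   daemon-down    group is fine but /var/run/docker.sock does not answer
#   ok             everything works
docker_preflight() {
    user="${1:-$(id -un)}"
    if ! command -v docker >/dev/null 2>&1; then
        echo not-installed
        return 1
    fi
    # "id -nG USER" reads the group database; "id -nG" with no name reports
    # the supplementary groups of the *running* session, which is what
    # decides access to the Docker socket.
    recorded=$(id -nG "$user" 2>/dev/null) || recorded=""
    if ! in_group "$recorded" docker; then
        echo not-in-group
        return 1
    fi
    if [ "$user" = "$(id -un)" ] && ! in_group "$(id -nG)" docker; then
        echo stale-session
        return 1
    fi
    if ! docker version >/dev/null 2>&1; then
        echo daemon-down
        return 1
    fi
    echo ok
    return 0
}

# Usage when saved as preflight.sh (assumed file name): add the line
#   docker_preflight "${1:-kali}"
# at the end and run "sh preflight.sh kali".
```

Membership of the docker group is equivalent to root on the host, because the socket lets that account start containers with any mount or privilege, so add only the accounts that actually run scans.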
OpenVAS
OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.
Three vulnerability test signature databases (NVT, SCAP, CERT)
GitHub
https://github.com/grafana/openvas-docker
Install
sudo docker run -d -p 80:80 --name openvas grafana/openvas
or create a named volume first so the feed data survives container recreation
docker volume create openvas
docker run -d -p 80:80 -v openvas:/var/lib/gvm --name openvas grafana/openvas
--detach (-d): run the container in the background
--publish (-p): publish a container port on the host, e.g. forward all traffic on host port 8080 to port 9392 of the "web" container; the command above maps host port 80 to container port 80
--name: the container name
-v: map a file path inside the container to a path on the physical host (here the named volume openvas)
Update (Optional)
sudo docker exec -it openvas bash
greenbone-nvt-sync
greenbone-certdata-sync
greenbone-scapdata-sync
systemctl start openvas-scanner
systemctl start openvas-manager
openvasmd --update --verbose --progress
How To Use
- First confirm that STATUS shows Up
docker ps -al
- Log in with Firefox at 127.0.0.1 (admin/admin)
- Administration -> Feed Status -> check that the signature feeds are updated
- SecInfo -> confirm that NVT, CPE and CVE have data
- Scans -> Task Wizard (the quick wizard) or New Task
- New Task
  - Scan Targets
    - Hosts
    - Port List
      - All IANA assigned TCP (https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml)
      - All IANA assigned TCP and UDP
      - All TCP and Nmap top 100 UDP
    - Alive Test
      - Scan Config Default
      - ICMP Ping
      - TCP-ACK Service Ping
      - TCP-SYN Service Ping
    - Min QoD 70%
  - Scanner
    - OpenVAS Default
    - CVE
  - Scan Config
    - Base
    - Discovery
    - Full and fast
    - Host Discovery
    - System Discovery
  - Scan Targets
- Actions -> Play
- Click Reports
- Download PDF or TXT
Nessus
Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. Tenable.io is a subscription-based service.
Prepare
- https://zh-tw.tenable.com/products/nessus/nessus-essentials
- Get the Activation Code
Install
docker run --name "container name" -d -p 8834:8834 -e ACTIVATION_CODE=<activation code> -e USERNAME=<username> -e PASSWORD=<password> tenableofficial/nessus
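An added example, not part of these notes and not code from the grafana/openvas or tenableofficial/nessus projects, that starts either scanner container the same way the two docker run commands above do, with two changes a practitioner would want: the web UI is published on 127.0.0.1 only, so the default admin/admin OpenVAS login is not reachable from the rest of the lab network, and the script waits until the UI answers before you open the browser. It assumes POSIX sh, curl, and the environment variables NESSUS_ACTIVATION_CODE, NESSUS_USER and NESSUS_PASSWORD as placeholders for the values in the Nessus command.

```shell
#!/bin/sh
# Added example (not from the original notes): bring up the OpenVAS or Nessus
# container with the UI bound to loopback, then wait for it to be ready.
# Image names, ports and volume name are the ones used in the notes.

# publish_arg HOST_PORT CONTAINER_PORT [BIND_ADDR]: value for "docker run -p".
# Binding to 127.0.0.1 keeps the admin UI off the lab network; the plain
# "80:80" form in the notes publishes on every interface.
publish_arg() {
    host_port="$1"
    container_port="$2"
    bind="${3:-127.0.0.1}"
    printf '%s:%s:%s\n' "$bind" "$host_port" "$container_port"
}

# is_up STATUS: interpret a "docker ps --format '{{.Status}}'" string,
# e.g. "Up 3 minutes" -> 0, "Exited (1) 5 seconds ago" -> 1.
is_up() {
    case "$1" in
        Up*) return 0 ;;
        *) return 1 ;;
    esac
}

# status_of NAME: the Status column for exactly that container name.
status_of() {
    docker ps -a --filter "name=^$1\$" --format '{{.Status}}'
}

# wait_for_ui URL [TIMEOUT_SECONDS]: poll until the UI returns 200 or a
# redirect (both scanners redirect to their login page); -k accepts the
# self-signed certificate Nessus generates on first start.
wait_for_ui() {
    url="$1"
    timeout="${2:-300}"
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        code=$(curl -k -s -o /dev/null -w '%{http_code}' "$url" || true)
        case "$code" in
            200|30[0-9]) return 0 ;;
        esac
        sleep 5
        waited=$((waited + 5))
    done
    return 1
}

start_openvas() {
    docker volume create openvas >/dev/null    # idempotent if it already exists
    docker run -d -p "$(publish_arg 80 80)" -v openvas:/var/lib/gvm \
        --name openvas grafana/openvas
    wait_for_ui http://127.0.0.1/ 600
}

start_nessus() {
    # NESSUS_* are placeholders for the activation code and credentials
    # that the notes pass on the command line.
    docker run -d -p "$(publish_arg 8834 8834)" \
        -e ACTIVATION_CODE="${NESSUS_ACTIVATION_CODE:?set NESSUS_ACTIVATION_CODE}" \
        -e USERNAME="${NESSUS_USER:-admin}" \
        -e PASSWORD="${NESSUS_PASSWORD:?set NESSUS_PASSWORD}" \
        --name nessus tenableofficial/nessus
    wait_for_ui https://127.0.0.1:8834/ 600
}

# Usage, e.g.:  start_openvas && status_of openvas
#               NESSUS_ACTIVATION_CODE=... NESSUS_PASSWORD=... start_nessus
```

With the loopback binding the login URLs in the notes are unchanged (127.0.0.1 for OpenVAS, https://127.0.0.1:8834 for Nessus), only hosts other than the Kali machine can no longer reach them; pass a third argument to publish_arg if you deliberately want to expose a UI.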
How To Use
- Log in at https://127.0.0.1:8834
- All Scans -> New Scan
- Advanced Scan
  - Settings
    - Basic
      - General
        - Name
        - Targets
      - Schedule
      - Notifications
      - General
    - Discovery
      - Host Discovery
      - Port Scanning
      - Fragile Devices
      - Service Discovery
      - SSL/TLS
      - DTLS (datagram transport layer protocol)
    - Assessment
    - Report
    - Advanced
      - Basic
- Check Report -> Report PDF