Official OpenVAS6 packages for Debian 7

All packages except gsd are now successfully built on OBS.
Here are the links to the repositories:
and
Here is a how-to for Debian 7.0 (wheezy):
Step 1: Configure OBS Repository
(as user root, only once)
apt-key add ./Release.key
sudo apt-get update
Step 2: Quick-Install OpenVAS
(as user root, only once)
apt-get -y install greenbone-security-assistant openvas-cli openvas-manager openvas-scanner openvas-administrator sqlite3 xsltproc rsync
To install support packages for report generation (downloads around 30 MB of additional packages):
apt-get -y install texlive-latex-base texlive-latex-extra texlive-latex-recommended htmldoc
To install support for autogenerated LSC credential packages:
apt-get -y install alien rpm nsis fakeroot
Step 3: Quick-Start OpenVAS
(copy and paste the whole block as user root; the first time through you will be asked to set a password for user “admin”)
test -e /var/lib/openvas/CA/cacert.pem  || openvas-mkcert -q
openvas-nvt-sync
test -e /var/lib/openvas/users/om || openvas-mkcert-client -n om -i
/etc/init.d/openvas-manager stop
/etc/init.d/openvas-scanner stop
openvassd
openvasmd --rebuild
openvas-scapdata-sync
openvas-certdata-sync
test -e /var/lib/openvas/users/admin || openvasad -c add_user -n admin -r Admin
killall openvassd
sleep 15
/etc/init.d/openvas-scanner start
/etc/init.d/openvas-manager start
/etc/init.d/openvas-administrator restart
/etc/init.d/greenbone-security-assistant restart
Step 4: Log into OpenVAS as “admin”

@openvas @gustavorobertux @firebitsbr

Compiling and Installing: OpenVAS6 packages + Debian 7

In this post I will show how to do an installation from scratch, not via svn but from the release packages.

First, however, you need to complete the Debian 7 installation with some packages required to compile and run OpenVAS 6.

$ sudo apt-get install nsis alien rpm texlive-latex-extra libqt4-dev g++ libmicrohttpd-dev libxml2-dev libxslt1-dev libsqlite3-dev doxygen sqlfairy xmltoman sqlite3 gcc make cmake pkg-config libssh-dev gnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libmicrohttpd5 -y

Next, we need to download the OpenVAS6 packages.

$ wget http://wald.intevation.org/frs/download.php/1159/openvas-libraries-5.0.3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1092/openvas-scanner-3.3.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1112/openvas-manager-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1140/openvas-administrator-1.2.1.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1116/greenbone-security-assistant-4.0+beta3.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1084/gsd-1.2.2.tar.gz
$ wget http://wald.intevation.org/frs/download.php/1131/openvas-cli-1.1.5.tar.gz

And then build them in this order:

1 openvas-libraries
2 openvas-scanner
3 openvas-manager
4 openvas-administrator
5 gsad (greenbone-security-assistant)
6 gsd (greenbone-security-desktop)
7 openvas-cli

1 openvas-libraries

# tar xzvf openvas-libraries-5.0.3.tar.gz
# cd openvas-libraries-5.0.3/
# cmake .
-- Configuring the Libraries...
-- Install prefix: /usr/local
-- checking for module 'wmiclient>=1.3.14'
-- package 'wmiclient>=1.3.14' not found
-- checking for module 'libssh>=0.4.5'
-- package 'libssh>=0.4.5' not found
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Looking for libldap...
-- No ldap library found - ldap support disabled
-- Did not find libssh via pkg-config, trying alternative approach ...
-- Found libssh 0.4.5.
-- Looking for uuid...
-- Looking for uuid... /usr/lib/libuuid.so
-- Found Doxygen: /usr/bin/doxygen
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-libraries-5.0.3

# make install
# cd ..

2 openvas-scanner

# tar xzvf openvas-scanner-3.3.1.tar.gz
# cd openvas-scanner-3.3.1/
# cmake .

-- Configuring the Scanner...
-- Install prefix: /usr/local
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Found Doxygen: /usr/bin/doxygen
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-scanner-3.3.1
# make
# make install
# cd ..

3 openvas-manager

# tar xzvf openvas-manager-4.0+beta3.tar.gz
# cd openvas-manager-4.0+beta3/
# cmake .
-- Configuring the Manager...
-- Install prefix: /usr/local
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Looking for SQLFairy...
-- Looking for SQLFairy... /usr/bin/sqlt-diagram, /usr/bin/sqlt
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-manager-4.0+beta3

# make
# make install
# cd ..

4 openvas-administrator

# tar xzvf openvas-administrator-1.2.1.tar.gz
# cd openvas-administrator-1.2.1/
# cmake .
-- Configuring the OpenVAS Administrator...
-- Install prefix: /usr/local
-- Looking for pcap...
-- Looking for pcap... /usr/lib/libpcap.so
-- Looking for gpgme...
-- Looking for gpgme... /usr/lib/libgpgme.so
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-administrator-1.2.1

# make
# make install
# cd ..

5 gsad (greenbone-security-assistant)

# tar xzvf greenbone-security-assistant-4.0+beta3.tar.gz
# cd greenbone-security-assistant-4.0+beta3/
# cmake .
-- Configuring greenbone-security-assistant...
-- Looking for pkg-config... /usr/bin/pkg-config
-- Install prefix: /usr/local
-- External XSL transformations, with xsltproc.
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/greenbone-security-assistant-4.0+beta3

# make
# make install
# cd ..

6 gsd (greenbone-security-desktop)

# tar xzvf gsd-1.2.2.tar.gz
# cd gsd-1.2.2
# cmake .
-- Configuring gsd ...
-- Install prefix: /usr/local
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/gsd-1.2.2
# make
# make install
# cd ..

7 openvas-cli

# tar xzvf openvas-cli-1.1.5.tar.gz
# cd openvas-cli-1.1.5
# cmake .
-- Configuring openvas-cli ...
-- Install prefix: /usr/local
-- Looking for xmltoman...
-- Looking for xmltoman... /usr/bin/xmltoman
-- Looking for xmlmantohtml... /usr/bin/xmlmantohtml
-- Configuring done
-- Generating done
-- Build files have been written to: /home/test/openvas/openvas-cli-1.1.5
# make
# make install
# cd ..

Once the installation is complete, let's configure OpenVAS 6, first updating the database with all the vulnerability tests and plugins (NVTs):

# openvas-nvt-sync

[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] The 'OpenVAS NVT Feed' is provided by 'The OpenVAS Project'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed.html'.
[i] NVT dir: /usr/local/var/lib/openvas/plugins
[i] Will use rsync
[i] Using rsync: /usr/bin/rsync
[i] Configured NVT rsync feed: rsync://feed.openvas.org:/nvt-feed
OpenVAS feed server - http://openvas.org/
This service is hosted by Intevation GmbH - http://intevation.de/
All transactions are logged.
Please report problems to admin@intevation.de
receiving incremental file list
[…]

Let's create a user with administrator privileges (for OpenVAS, not for the OS):

# openvasad -c 'add_user' -n admin --role=Admin
Enter password: <enter a strong password here>

Since OpenVAS protects the communication between the scanner and the client with SSL, you must generate the certificates using the openvas-mkcert script, which creates a certificate authority (if one is not already there) and the scanner-side certificate. In this case it will set up a CA from Germany, with information from the OpenVAS project and Greenbone (one of the companies that offers professional, paid services and also contributes source code and plugins to the open source community).

# openvas-mkcert
/usr/local/var/lib/openvas/private/CA created
/usr/local/var/lib/openvas/CA created

-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.

CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [DE]:
Your state or province name [none]:
Your location (e.g. town) [Berlin]:
Your organization [OpenVAS Users United]:

-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

Now let's generate the CA on the client side:

# openvas-mkcert-client -n om -i
Generating RSA private key, 1024 bit long modulus
................++++++
.......++++++
e is 65537 (0x10001)

[…]

Let's start the scanner; it may take a few minutes to load all the vulnerability plugins (NVTs).

# openvassd

Once the plugins have finished loading, we need to rebuild the database with openvas-manager; for that we use the following commands:

# touch /usr/local/var/lib/openvas/mgr/tasks.d
# openvasmd --backup
# openvasmd --rebuild

OpenVAS 6 uses nmap 5.51:

# wget http://nmap.org/dist/nmap-5.51.6.tgz
# tar xzvf nmap-5.51.6.tgz
# cd nmap-5.51.6
# ./configure
# make
# make install

We need to check that the NMAP version is the correct one:

# nmap -V
Nmap version 5.51.6 ( http://nmap.org )

Now let's start OpenVAS in Administrator mode:

# openvasad

And then start OpenVAS in Manager mode:

# openvasmd

We will also start GSA (greenbone-security-assistant) to administer our OpenVAS6 installation:

# gsad --http-only --listen=0.0.0.0 -p 9392

Check that it was installed correctly using this script:

# chmod 755 openvas-check-setup
# ./openvas-check-setup --v6

[…]
Step 1: Checking OpenVAS Scanner …
OK: OpenVAS Scanner is present in version 3.3.1.
OK: OpenVAS Scanner CA Certificate is present as /usr/local/var/lib/openvas/CA/cacert.pem.
OK: NVT collection in /usr/local/var/lib/openvas/plugins contains 28194 NVTs.
WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
SUGGEST: Enable signature checking (see http://www.openvas.org/trusted-nvts.html).
Step 2: Checking OpenVAS Manager …
OK: OpenVAS Manager is present in version 4.0+beta3.
OK: OpenVAS Manager client certificate is present as /usr/local/var/lib/openvas/CA/clientcert.pem.
OK: OpenVAS Manager database found in /usr/local/var/lib/openvas/mgr/tasks.db.
OK: Access rights for the OpenVAS Manager database are correct.
OK: sqlite3 found, extended checks of the OpenVAS Manager installation enabled.
OK: OpenVAS Manager database is at revision 58.
OK: OpenVAS Manager expects database at revision 58.
OK: Database schema is up to date.
OK: OpenVAS Manager database contains information about 28194 NVTs.
OK: xsltproc found.
Step 3: Checking OpenVAS Administrator …
OK: OpenVAS Administrator is present in version 1.2.1.
OK: At least one user exists.
OK: At least one admin user exists.
Step 4: Checking Greenbone Security Assistant (GSA) …
OK: Greenbone Security Assistant is present in version 4.0+beta3.
Step 5: Checking OpenVAS CLI …
OK: OpenVAS CLI version 1.1.5.
Step 6: Checking Greenbone Security Desktop (GSD) …
OK: Greenbone Security Desktop is present in Version 1.2.2.
Step 7: Checking if OpenVAS services are up and running …
OK: netstat found, extended checks of the OpenVAS services enabled.
OK: OpenVAS Scanner is running and listening on all interfaces.
OK: OpenVAS Scanner is listening on port 9391, which is the default port.
OK: OpenVAS Manager is running and listening on all interfaces.
OK: OpenVAS Manager is listening on port 9390, which is the default port.
OK: OpenVAS Administrator is running and listening on all interfaces.
OK: OpenVAS Administrator is listening on port 9393, which is the default port.
OK: Greenbone Security Assistant is running and listening on all interfaces.
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.
Step 8: Checking nmap installation …
OK: nmap is present in version 5.51.6.
Step 9: Checking presence of optional tools …
OK: pdflatex found.
OK: PDF generation successful. The PDF report format is likely to work.
OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is likely to work.
OK: rpm found, LSC credential package generation for RPM based targets is likely to work.
OK: alien found, LSC credential package generation for DEB based targets is likely to work.
OK: nsis found, LSC credential package generation for Microsoft Windows targets is likely to work.
[...]

Let's connect to port 9392 in the browser, at the URL http://localhost:9392:

OpenVAS6 + Debian 7

And finally, log in with the username and password created earlier in OpenVAS6.

OpenVAS6 - gsad


Disabling RC4 in Chrome - Attack of the week: RC4 is kind of broken in TLS


This came up on the CISSP list.

http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html

http://cr.yp.to/talks/2013.03.12/slides.pdf

http://www.ietf.org/rfc/rfc2246.txt

Rafael Koike koike.rafael @ gmail.com via yahoogroups.com
Jul 10 (2 days ago)

to cisspBR
Folks,

After the news about the NSA and the feeling that conversations can be
monitored not only by taps on the fibres but, who knows, through flaws in
the security protocols implemented in browsers, I decided to do a bit of
research.
With the disclosures that RC4 can be broken in TLS I got worried and
decided to look at which cipher I was using on HTTPS pages, and it turned
out that my default negotiation with the sites I use most, such as GMAIL
and FACEBOOK, was RC4 with SHA!
So the next step was to see how to disable RC4 in order to negotiate a
more secure protocol.
Using Chrome and searching on Google I found nothing!
Then, analysing Google's source code, I saw that the developers left the
following parameter for removing ciphers from the
browser: --cipher-suite-blacklist
The hard part was figuring out how this parameter works, because neither
the internet nor Google says.
After a few hours looking at the Chrome source code I figured it out.

For anyone who wants to disable RC4 in Chrome, the parameter in the shortcut is:
--cipher-suite-blacklist=0x0005,0x0004
Where:
0x0004 = TLS_RSA_WITH_RC4_128_MD5
0x0005 = TLS_RSA_WITH_RC4_128_SHA

The cipher codes can be found at:
http://www.ietf.org/rfc/rfc2246.txt

Info on the possible attack:
http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html

I will try to create a plugin for OpenVAS that can detect whether Google Chrome has TLS_RSA_WITH_RC4 enabled or not.
@firebitsbr
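As an added example (not part of Rafael Koike's message or of this blog), the following Python code parses the cipher-suite list out of a TLS ClientHello, reports which offered suites use RC4 by the codes quoted above (0x0004 and 0x0005, plus two ECDHE RC4 suites from the IANA registry that the message does not mention), and builds the matching --cipher-suite-blacklist argument. The ClientHello is constructed inline as test input; build_client_hello, parse_client_hello_suites, rc4_suites_offered and chrome_blacklist_arg are names chosen here.

```python
import struct

# RC4 suites named in the message (codes from RFC 2246); the two ECDHE entries are an
# addition from the IANA TLS cipher suite registry, not mentioned on the page.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def build_client_hello(suites):
    """Constructed test input: a minimal TLS 1.0 ClientHello handshake message."""
    body = b"\x03\x01" + bytes(32)                        # client_version + 32-byte random
    body += b"\x00"                                        # empty session_id
    body += struct.pack("!H", 2 * len(suites))             # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                    # compression_methods: null only
    return b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)

def parse_client_hello_suites(msg):
    """Return the cipher suite codes offered in a ClientHello handshake message."""
    if len(msg) < 4 or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    off = 2 + 32                                           # skip version and random
    off += 1 + body[off]                                   # skip session_id
    if off + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack_from("!H", body, off)
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]

def rc4_suites_offered(suites):
    """Names of the RC4 suites in an offered list, in offer order."""
    return [RC4_SUITES[s] for s in suites if s in RC4_SUITES]

def chrome_blacklist_arg(suites):
    """Build the Chrome flag from the message for the RC4 suites actually offered."""
    seen = []
    for s in suites:
        if s in RC4_SUITES and s not in seen:
            seen.append(s)
    if not seen:
        return ""
    return "--cipher-suite-blacklist=" + ",".join(f"0x{s:04x}" for s in seen)

if __name__ == "__main__":
    hello = build_client_hello([0x0005, 0x002F, 0x0004, 0x0035])
    offered = parse_client_hello_suites(hello)
    print(rc4_suites_offered(offered))
    print(chrome_blacklist_arg(offered))
```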

OpenVAS: RHEL 4 Update for Samba CVE-2010-0547 - DRAFT

###############################################################################
# OpenVAS Vulnerability Test
#
# RHEL 4 Update for Samba CVE-2010-0547 - DRAFT
# firebits_CVE_2010_0547_samba_RHEL4_all.nasl
#
#
# Authors:
# System Generated Check
# Mauro Risonho de Paula Assumpção aka firebits
# mauro.risonho@gmail.com
# firebitsbr@wald.intevation.org
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
# Copyright (c) 2013 NONAMESEC Security Systems, http://www.nonamesec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

desc = "

Vulnerability Insight:

CVE-2010-0547 samba: mount.cifs improper device name and mountpoint
strings sanitization
The MITRE CVE dictionary describes this issue as:

client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier
does not verify that the (1) device name and (2) mountpoint strings are
composed of valid characters, which allows local users to cause a
denial of service (mtab corruption) via a crafted string.

Affected Software/OS:
cifs on Red Hat Enterprise Linux version 4 (samba)

Fix: Please Install the Updated Packages.

References:
https://access.redhat.com/security/cve/CVE-2010-0547
http://rpmfind.net/linux/rpm2html/search.php?query=samba";

# Description phase: register the NVT's metadata with the scanner and stop.
if(description)
{
  script_id(880323);
  script_version("$Revision: 12798 $");
  script_tag(name:"check_type", value:"authenticated package test");
  script_tag(name:"last_modification", value:"$Date: 2013-07-11 18:03:54 GMT-03:00 0 Brazil, São Paulo (Thu, 11 Jul 2013) $");
  script_tag(name:"creation_date", value:"2009-02-27 08:31:09 +0100 (Fri, 27 Feb 2009)");
  script_tag(name:"cvss_base", value:"2.6");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"risk_factor", value:"Low");
  script_xref(name: "CVE", value: "2010-0547");
  script_cve_id("CVE-2010-0547");
  script_name("Red Hat Enterprise Linux version 4 Update for samba CVE-2010-0547 RHEL4");

  script_description(desc);
  script_summary("Check for the Version of Samba");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH / Copyright (C) 2013 NoNameSEC Security Systems, Ltd");
  script_family("RHEL Local Security Checks");
  # Needs the package list gathered over SSH by gather-package-list.nasl.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("HostDetails/OS/cpe:/o:redhat:redhat", "login/SSH/success", "ssh/login/release");
  exit(0);
}

include("pkg-lib-rpm.inc");
include("revisions-lib.inc");

# Test phase: only run on the release the package list was gathered for.
release = get_kb_item("ssh/login/release");
res = "";
if(release == NULL){
  exit(0);
}

if(release == "Nahant")
{
  # isrpmvuln() reports when the installed samba is older than the fixed build.
  if ((res = isrpmvuln(pkg:"samba", rpm:"samba-3.0.33-3.36.el4", rls:"Nahant")) != NULL)
  {
    security_warning(data:res + '\n' + desc);
    exit(0);
  }

  if (__pkg_match) exit(99); # Not vulnerable.
  exit(0);
}
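The plugin above leaves the version decision to isrpmvuln() from pkg-lib-rpm.inc. As an added example (not the plugin's or the OpenVAS project's own code), here is a Python reimplementation of RPM's version-ordering rules and the "installed sorts before fixed" test, applied to the samba-3.0.33-3.36.el4 package the plugin names; that isrpmvuln() compares epoch, version and release this way is an assumption, and rpmvercmp, split_nvr and is_vulnerable are names chosen here.

```python
import re

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version/release strings the way rpm's rpmvercmp() does.
    Returns -1 (a < b), 0 (equal) or 1 (a > b): segments compared in lockstep,
    numeric as integers, alphabetic lexically, numeric beats alphabetic,
    '~' sorts before anything (1.0~rc1 < 1.0), leftover segments win."""
    if a == b:
        return 0
    ta, tb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    i = 0
    while i < len(ta) or i < len(tb):
        x = ta[i] if i < len(ta) else None
        y = tb[i] if i < len(tb) else None
        if x == "~" or y == "~":            # pre-release marker sorts lowest
            if x != "~":
                return 1
            if y != "~":
                return -1
            i += 1
            continue
        if x is None or y is None:          # one side ran out of segments
            break
        if x.isdigit() != y.isdigit():      # numeric is always newer than alpha
            return 1 if x.isdigit() else -1
        if x.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x != y:
            return 1 if x > y else -1
        i += 1
    if i >= len(ta) and i >= len(tb):
        return 0
    return -1 if i >= len(ta) else 1

def split_nvr(nvr: str):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, epoch, version, release

def is_vulnerable(installed: str, fixed: str) -> bool:
    """True when the installed package sorts before the fixed one: the decision the
    plugin hands to isrpmvuln() (that it compares EVR this way is an assumption)."""
    n1, e1, v1, r1 = split_nvr(installed)
    n2, e2, v2, r2 = split_nvr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    for lhs, rhs in ((e1, e2), (v1, v2), (r1, r2)):
        rc = rpmvercmp(str(lhs), str(rhs))
        if rc:
            return rc < 0
    return False

if __name__ == "__main__":
    FIXED = "samba-3.0.33-3.36.el4"   # the fixed package named in the plugin above
    for pkg in ("samba-3.0.33-3.29.el4", FIXED, "samba-3.0.33-3.40.el4"):
        print(pkg, "vulnerable" if is_vulnerable(pkg, FIXED) else "not vulnerable")
```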

Problems Compiling IronWASP (C#.net - Windows) on Mono.net (Linux)

I am trying to port IronWASP to Linux and ran into problems compiling IronWASP (C#.net - Windows) on Mono.net (Linux), which is to be expected, since the project really was developed for Windows.
I want to try to port it so we have one more tool for web vulnerability analysis, and above all to be able to contribute to the project.

[Screenshots of the build]

One thing I found interesting is that this tool apparently already checks for these vulnerabilities:

SSRF - Server Side Request Forgery attacks

https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit?pli=1#

XXE - XML External Entity (XXE) Processing

https://www.owasp.org/index.php/Testing_for_XML_Injection_%28OWASP-DV-008%29

And other newer, more specific vulnerabilities.

In March 2013 I was studying and checking vulnerabilities in SAP/R3 for a job and found comments on the internet about these vulnerabilities.

Today I talked with Maximiliano Soller, a long-time (internet) friend, and he told me he will be giving a talk about this at http://www.valesecconf.com.br/ this year, 2013.

From the searches I have been doing, this kind of vulnerability can simply bypass some WAFs.

@firebitsbr

 

Request to join the OpenVAS development team

Wow... I'm thrilled!

Today my official request to join the OpenVAS development team was accepted. I have been playing with Nessus code since, I don't know, 2001 I think, or 2003, and then after they closed the source code (I don't even remember the date).
In 2008 I got to know OpenVAS2 http://www.openvas.org/announcement-openvas-2.html and liked it; in fact I found it much better than Nessus Community (GPL) at the time.

I remember the days when I gave talks about OpenVAS and espreto talked about Metasploit; well before that I was already into vulnerability analysis, and now this wonderful news!

OpenVAS

Now, let's develop!

There are some (quick and dirty) plugins here https://github.com/firebitsbr/OpenVAS-Plugins-hardening focused more on hardening (scanning only), but I am already coding several for WordPress, Drupal and Joomla that I will make available to the community.

Thanks for everyone's support!

@firebitsbr