Script install OpenVAS 8, DB Redis and Debian 8.1 (Jessie) x86_64

#!/bin/bash
#OpenVAS 8
#version 8.0.4
#Debian 8.1
#Script
#Mauro Risonho de Paula Assumpção aka firebits mauro.risonho@gmail.com
#11.12.2015 17:51:03

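# Build and runtime dependencies for OpenVAS 8 on Debian 8 (Jessie).
# The original one-liner listed several packages more than once
# (libglib2.0-dev, libgpgme11-dev, libpcre3-dev, libpth-dev, libpopt-dev);
# apt tolerates that, but the list is kept unique and wrapped here so it can
# be audited. Abort on failure: everything below needs these packages.
apt-get install -y \
  build-essential devscripts dpatch quilt cmake pkg-config autoconf bison \
  libassuan-dev libglib2.0-dev libgpgme11-dev libpcre3-dev libpth-dev \
  libwrap0-dev libgmp-dev libgmp3-dev libssh-dev libpcap-dev uuid-dev \
  libksba-dev doxygen sqlfairy xmltoman sqlite3 libsqlite3-dev wamerican \
  redis-server libhiredis-dev libsnmp-dev libmicrohttpd-dev libxml2-dev \
  libxslt1-dev xsltproc libssh2-1-dev libldap2-dev nmap libgnutls28-dev \
  libpopt-dev heimdal-dev heimdal-multidev mingw32 texlive-full rpm alien \
  nsis rsync python2.7 python-setuptools \
  || { printf 'apt-get install failed\n' >&2; exit 1; }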

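# Keep a pristine copy of the Redis config. Only on the first run: a re-run
# of the script would otherwise overwrite the backup with the edited file.
[[ -e /etc/redis/redis.orig ]] || cp /etc/redis/redis.conf /etc/redis/redis.orig

# openvassd talks to Redis over a Unix socket. Append the directive only when
# it is not there yet (the original appended it on every run) and use a
# straight-quoted printf: the typographic quotes in the original echo were
# written into the config file literally.
# NOTE: the socket is created in the world-writable /tmp; review the
# unixsocketperm setting in redis.conf so that only the scanner can reach it.
grep -q '^unixsocket /tmp/redis.sock' /etc/redis/redis.conf \
  || printf 'unixsocket /tmp/redis.sock\n' >> /etc/redis/redis.conf
service redis-server restart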

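# Create the working directory and fetch the OpenVAS 8 source tarballs.
# Fixes vs. the original: `–no-check-certificate` was written with an
# en-dash, so wget took it as an extra URL rather than as an option, and the
# downloads were plain http. The same host serves these files over https
# (the second script on this page uses it), so fetch them over TLS with
# certificate verification on; a failed `cd` aborts instead of extracting and
# building in whatever directory we happen to be in.
mkdir -p openvas8
cd openvas8/ || exit 1

tarballs=(
  https://wald.intevation.org/frs/download.php/2191/openvas-libraries-8.0.5.tar.gz
  https://wald.intevation.org/frs/download.php/2129/openvas-scanner-5.0.4.tar.gz
  https://wald.intevation.org/frs/download.php/2195/openvas-manager-6.0.6.tar.gz
  https://wald.intevation.org/frs/download.php/2200/greenbone-security-assistant-6.0.6.tar.gz
  https://wald.intevation.org/frs/download.php/2209/openvas-cli-1.4.3.tar.gz
  https://wald.intevation.org/frs/download.php/1975/openvas-smb-1.0.1.tar.gz
  https://wald.intevation.org/frs/download.php/2177/ospd-1.0.2.tar.gz
  https://wald.intevation.org/frs/download.php/2005/ospd-ancor-1.0.0.tar.gz
  https://wald.intevation.org/frs/download.php/2097/ospd-debsecan-1.0.0.tar.gz
  https://wald.intevation.org/frs/download.php/2003/ospd-ovaldi-1.0.0.tar.gz
  https://wald.intevation.org/frs/download.php/2149/ospd-paloalto-1.0b1.tar.gz
  https://wald.intevation.org/frs/download.php/2004/ospd-w3af-1.0.0.tar.gz
  https://wald.intevation.org/frs/download.php/2181/ospd-acunetix-1.0b1.tar.gz
  https://wald.intevation.org/frs/download.php/2185/ospd-ikescan-1.0b1.tar.gz
  https://wald.intevation.org/frs/download.php/2204/ospd-ikeprobe-1.0b1.tar.gz
  https://wald.intevation.org/frs/download.php/2213/ospd-ssh-keyscan-1.0b1.tar.gz
  https://wald.intevation.org/frs/download.php/2219/ospd-netstat-1.0b1.tar.gz
)
for url in "${tarballs[@]}"; do
  wget -- "$url" || exit 1
done

# Unpack what was downloaded. A glob replaces the original
# `find | grep ".tar.gz$" | xargs -i tar ...`, whose unescaped "." and
# typographic quotes were fragile. No checksums or signatures are published
# with these links; if the project provides them, verify every archive here
# before it is unpacked as root (placeholder: sha256sum -c <CHECKSUM_FILE>).
for archive in ./*.tar.gz; do
  [[ -e "$archive" ]] || { printf 'no tarballs found in %s\n' "$PWD" >&2; exit 1; }
  tar zxvfp "$archive" || exit 1
done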

###############################################

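#######################################
# Configure, build, document and install one cmake-based OpenVAS component.
# Arguments: $1 - glob matching the unpacked source directory (the caller
#                 quotes it; it is expanded here, directories only)
# Outputs:   build output on stdout, diagnostics on stderr
# Returns:   does not return on a configure/build/install failure (exit 1);
#            a failing `make doc-full` only warns, as the original flow
#            continued past it too
#######################################
build_cmake_pkg() {
  local pattern=$1 srcdir='' candidate
  # The pattern also matches the downloaded tarball (openvas-libraries-*
  # matches openvas-libraries-8.0.5.tar.gz), so take the first match that
  # is a directory; the original `cd pattern*` only worked because the
  # directory happens to sort first.
  # shellcheck disable=SC2086 -- $pattern is expanded as a glob on purpose
  for candidate in $pattern; do
    if [[ -d "$candidate" ]]; then
      srcdir=$candidate
      break
    fi
  done
  if [[ -z "$srcdir" ]]; then
    printf 'no source directory matches %s\n' "$pattern" >&2
    exit 1
  fi
  mkdir -p -- "$srcdir/build"
  # Subshell: the caller's working directory is restored whatever happens
  # (the original's trailing `cd ../../` assumed every earlier cd succeeded).
  (
    cd "$srcdir/build" || exit 1
    cmake .. || exit 1
    make || exit 1
    make doc-full \
      || printf 'warning: make doc-full failed in %s, continuing\n' "$srcdir" >&2
    make install || exit 1
  ) || {
    printf 'build failed in %s\n' "$srcdir" >&2
    exit 1
  }
}

# Build order matters: each component links against the previous ones.
build_cmake_pkg 'openvas-smb*'
build_cmake_pkg 'openvas-libraries-*'
build_cmake_pkg 'openvas-scanner-*'
build_cmake_pkg 'openvas-manager-*'
build_cmake_pkg 'openvas-cli-*'
# The original ran
#   cat ../src/xslt_i18n.h | sed 's///' > test; cat test > ../src/xslt_i18n.h
# before configuring GSA. The sed expression has an empty pattern (whatever
# was between the slashes was lost when the script was published), so sed
# fails with "no previous regular expression" and the header is overwritten
# with an empty file. No edit is applied here; if your toolchain needs a
# change to greenbone-security-assistant-*/src/xslt_i18n.h, make it before
# this call.
build_cmake_pkg 'greenbone-security-assistant-*'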

###

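#######################################
# Install one OSPd Python module into /usr/local with distutils.
# Arguments: $1 - glob matching the unpacked source directory
# Returns:   does not return on failure (exit 1)
#######################################
install_ospd_pkg() {
  local pattern=$1 srcdir='' candidate
  # The pattern also matches the tarball; take the first directory only.
  # shellcheck disable=SC2086 -- $pattern is expanded as a glob on purpose
  for candidate in $pattern; do
    if [[ -d "$candidate" ]]; then
      srcdir=$candidate
      break
    fi
  done
  if [[ -z "$srcdir" ]]; then
    printf 'no source directory matches %s\n' "$pattern" >&2
    exit 1
  fi
  # Subshell keeps the caller's working directory.
  ( cd "$srcdir" && python setup.py install --prefix=/usr/local ) || {
    printf 'python setup.py install failed in %s\n' "$srcdir" >&2
    exit 1
  }
}

# ospd itself goes first: every scanner wrapper below imports it.
# Typo fixed from the original: `cd ospd-netstat-&` backgrounded a cd into a
# non-existent directory, so setup.py ran in openvas8/ (no setup.py there)
# and the following `cd ../` left the script one level above openvas8/.
ospd_pkgs=(
  'ospd-1*'
  'ospd-ancor-*'
  'ospd-debsecan-*'
  'ospd-ovaldi-*'
  'ospd-paloalto-*'
  'ospd-w3af-*'
  'ospd-acunetix-*'
  'ospd-ikescan-*'
  'ospd-ikeprobe-*'
  'ospd-ssh-keyscan-*'
  'ospd-netstat-*'
)
for pkg in "${ospd_pkgs[@]}"; do
  install_ospd_pkg "$pkg"
done

# Refresh the shared-library cache so the daemons find the libraries just
# installed under /usr/local/lib.
ldconfig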

###############################################

#create cert
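# Server certificate, then the client certificate the manager uses to talk
# to the scanner (-n: non-interactive, -i: install).
openvas-mkcert || exit 1
openvas-mkcert-client -n -i || exit 1

# Create the admin user. openvasmd prints a generated password for the new
# user (that is the password the original comment says to write down); the
# original then immediately replaced it with the fixed value "admin". Keep
# the generated password unless OPENVAS_ADMIN_PASSWORD is set in the
# environment. (--new-password puts the secret on the command line, where
# `ps` can see it; that is openvasmd's interface, so use it only when a fixed
# password is really required.)
openvasmd --create-user=admin --role=Admin || exit 1
if [[ -n "${OPENVAS_ADMIN_PASSWORD:-}" ]]; then
  openvasmd --user=admin --new-password="$OPENVAS_ADMIN_PASSWORD"
fi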
#(write down the password)

####

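# Helper scripts in /usr/local/sbin. Heredocs with a quoted delimiter write
# the text literally; the original used echo with typographic quotes
# (‘ ’ “ ”) and en-dashes, which ended up verbatim in the generated files,
# so e.g. `openvasmd –rebuild` would not have been a valid option.

# openvas-update: refresh the NVT, SCAP and CERT feeds.
cat > /usr/local/sbin/openvas-update <<'EOF'
#!/bin/bash
/usr/local/sbin/openvas-nvt-sync
/usr/local/sbin/openvas-scapdata-sync
/usr/local/sbin/openvas-certdata-sync
EOF
chmod 0755 /usr/local/sbin/openvas-update

# openvas-start: order matters — rebuild the NVT cache, then manager,
# scanner and the web interface.
cat > /usr/local/sbin/openvas-start <<'EOF'
#!/bin/bash
/usr/local/sbin/openvasmd --rebuild
/usr/local/sbin/openvasmd
/usr/local/sbin/openvassd
/usr/local/sbin/gsad
EOF
chmod 0755 /usr/local/sbin/openvas-start

# openvas-kill: the original `ps aux | egrep "(openvas.d|gsad)" | awk | xargs kill`
# matched any process whose command line contained those strings, including
# its own egrep. pkill -x matches the process name exactly; "nothing to
# kill" is not an error for this script.
cat > /usr/local/sbin/openvas-kill <<'EOF'
#!/bin/bash
pkill -x openvasmd
pkill -x openvassd
pkill -x gsad
exit 0
EOF
chmod 0755 /usr/local/sbin/openvas-kill

# Re-write /etc/rc.local: keep whatever is there except the closing "exit 0"
# and any earlier openvas lines (so re-running the installer stays
# idempotent), then append the boot hook. A temp file replaces the original
# read-modify-write through a shell variable, which dropped trailing
# newlines. The file is copied back with cat so rc.local keeps its owner and
# mode, and made executable because rc-local.service only runs it then.
rc_tmp=$(mktemp) || exit 1
grep -v 'exit 0' /etc/rc.local | grep -v 'openvas' > "$rc_tmp"
cat >> "$rc_tmp" <<'EOF'
date >> /var/log/openvas_init
echo 'openvas init started' >> /var/log/openvas_init
/usr/local/sbin/openvas-kill >> /var/log/openvas_init || /bin/true
/usr/local/sbin/openvas-start >> /var/log/openvas_init || /bin/true
echo 'openvas init finished' >> /var/log/openvas_init
exit 0
EOF
cat "$rc_tmp" > /etc/rc.local
rm -f -- "$rc_tmp"
chmod 0755 /etc/rc.local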

####

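# Exercise the helper scripts once: stop anything running, sync the feeds
# (slow on the first run), then start the daemons.
/usr/local/sbin/openvas-kill
/usr/local/sbin/openvas-update
/usr/local/sbin/openvas-start

# Check the installation. The check script is fetched over https and then
# executed as root, so certificate verification must stay on. The original
# passed `–no-check-certificate` with an en-dash, which wget treated as a
# second URL rather than as an option, so verification was in fact never
# disabled; that is kept deliberately. If the server's CA is not trusted,
# install the CA certificate instead of turning verification off.
wget -O openvas-check-setup \
  https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup \
  || exit 1
chmod 0755 openvas-check-setup
./openvas-check-setup --v8 --server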

April 2nd, 2015 – OpenVAS-8 released: Charts, Quality of Detection and PostgreSQL-Support –

http://www.openvas.org/news_archive.html

Following the annual release cycle, the new generation of OpenVAS [1] has been released. The new version of the open framework for vulnerability scanning and management, OpenVAS-8, introduces a comprehensively extended and improved feature set. Advances and improvements were achieved in virtually all areas.

Highlights of this new release are the chart module for a variety of graphical representations, the Quality of Detection (QoD) concept and the optional support of PostgreSQL as database backend. Major advances were also achieved for the access control management: more roles, group admins and super-admin to name just a few. Notable as well is the introduction of the optional multi-scanner support via the new protocol OSP (OpenVAS Scanner Protocol), for which a growing number of servers is expected in the future. Last but not least, the OpenVAS Scanner now requires fewer resources and uses redis[2] for the inter-process communication.

All in all OpenVAS-8 ships 28 new and improved features, accompanied with countless smaller changes. The systematic improvements and reliable release of one major update every twelve months once again underlines the position of OpenVAS as the most advanced Open Source solution for vulnerability management. The new version can be downloaded free and is available as Free Software under the GNU GPL license.

The company Greenbone Networks [3] develops and uses OpenVAS as a base for its appliance product family for vulnerability scanning and management. Together with the company SecPod [4] and the growing community, new vulnerability tests and feature improvements are developed on a daily basis. The German Federal Office for Information Security (BSI) [5] supports and utilizes OpenVAS, together with many other federal agencies, as part of their IT security framework.

Vulnerability Management:

Access Control:
The access control features were comprehensively extended.
Roles can now be dynamically configured.
New default roles “Monitor”, “Guest” and “Super Admin”.
New Permissions “Super” that allows for example to define an administrator for a group.
Results are now an explicit part of the scan management.
The new section “Results” under menu “Scan Management” offers an object management for all of the scan results in the database a user has permission for. In other words, searching and filtering for results is now possible independent of a scan report.
Solution Type:
NVTs are now associated with a solution type like for example “VendorFix”. This allows to group or identify NVTs or results where for example a simple solution exists or no solution is currently available.
The Feed content is updated over time to add a solution type for all of the NVTs. At the time of writing, 3.6% of the NVTs own a Solution Type.
Quality of Detection (QoD):
The QoD is a value between 0% and 100% describing the reliability of the executed vulnerability detection or product detection.
One of the main reasons to introduce this concept was to handle the challenge of potential vulnerabilities properly. The goal was to keep such in the results database but only visible on demand.
While the QoD range allows to express the quality pretty refined, in fact most of the test routines use a standard methodology. Therefore the QoD Types were introduced of which each is associated with a QoD value.
The Feed content is updated over time to add a QoD for all NVTs. Any NVT not explicitly assigned will apply 75% and is therefore visible by default, in order to not change the default behavior compared to OpenVAS-7. However, any NVT that formerly required the “paranoid” setting in the scan configuration now always reports, but its results stay invisible in the database until the user decides to view results with a lower quality of detection.
At the time of writing, 2.7% of the NVTs own a QoD Type.
New SecInfo object type “CERT-Bund” introduced: These are advisories published by the German federal CERT.
Vulnerability Scanning:

Credentials:
The public key of SSH credentials is not required anymore because it is extracted from the private key.
Credentials for ESXi target systems can now be configured directly with the Target object instead of in the Scan Configuration object.
When a task is requested to stop, the scanner will now be advised to switch immediately into the final phase of scanning. With OpenVAS-7 the scanner immediately stopped activity and did not return the host details collected so far. With OpenVAS-8 these are now transferred to the database.
Dropped support for pausing of tasks entirely (was removed from GUI before, now removed from OMP level).
OpenVAS Scanning Protocol (OSP):
This new protocol allows to control a vulnerability scanner. The main elements are to set parameters, start a scan and retrieve results. OSP is designed in the same way as OMP, therefore it is a non-permanent request-response connection based on XML.
It is possible to configure and control OSP-compliant Scanner via the user interface.
OpenVAS-8 offers some pilot OSP scanners in order to provide examples for this technology. Users and developers are encouraged to wrap more vulnerability scanner with OSP and provide feedback on missing features in the OSP protocol.
The OpenVAS Scanner itself is still OTP-based and the integration with OpenVAS Manager works like before with the slight difference that it is now possible to define more than one OpenVAS Scanner to be controlled by OpenVAS Manager.
This new concept introduces various changes in the user interface, but defaults are set to keep the same behavior as in OpenVAS-7 if the user decides not to deal with OSP. In other words: OSP is entirely optional.
Graphical User Interface:

Dynamic charts are introduced, using the Javascript library “d3”. The first chart types (bar, donut, bubbles, line) are used for the SecInfo section in order to demonstrate some of the capabilities.
The chart objects allow to download the data as CSV table or SVG graphics. Also, a HTML table can be opened and some of the charts are interactive.
The underlying data aggregation technology is generically integrated into the protocol OMP. This allows to add more charts during the lifecycle of the OpenVAS release because no API changes are required.
For the SecInfo Management, a first dashboard is integrated which assembles four of the charts and can be configured individually.
The charting feature is entirely optional: Without enabling Javascript support in the browser no core functionality is lost. Also, the chart view can be collapsed so that only the traditional table view is shown.
Bulk actions are introduced. For example this allows to remove or download many objects within a single action.
The powerfilter was simplified to carry only the essential filter elements. The standard ones are displayed below and of course it is possible to apply any of them in the text entry field.
Timezones:
The configuration of timezones was changed so that now there is offered a drop down list of available timezones instead of a entry field for specifying the timezone in text form.
Users are now allowed to have multiple simultaneous sessions, as long as the sessions are on different browsers. Up-to OpenVAS-7, a second session always invalidated the previous one regardless of which browser is used.
For any web interface page, the duration of the backend operation will be shown at the bottom.
The filenames for downloads can now be configured via “My Settings”.
New wizard for modifying a task.
Protocols:

OMP now in version 6.0
The new OSP for controlling arbitrary scanners is at version 1.0.
The OTP protocol was further reduced. It is not recommended to use it to communicate with the OpenVAS Scanner because it will eventually be dropped in favor of OSP. For the time being OMP should be used to control a OpenVAS Scanner.
Architecture:

redis (mandatory):
The OpenVAS Scanner now uses a redis backend to share the knowledge base among the scanning processes.
PostgreSQL (optional):
OpenVAS Manager now allows to use PostgreSQL as an alternative for the file-based SQLite. Everything should work, but this new database backend has seen little testing so far.
The OpenVAS development team is prepared to fix any issues promptly as it is desired to make this database eventually the new default backend.
openvas-smb (optional):
The new module “openvas-smb” is used for WMI support. This is the former externally maintained wmi client library. Since it was actually not maintained anymore, the module was cut down to the essentials and furnished with a “cmake” build environment.
OSP (optional):
For the new OSP, a base module “OSPd” written in Python is made available. The actual wrappers for vulnerability scanners are collected as “osp-scanners” and the name of the modules is prefixed with “OSPd-“. “OSPd” is a mandatory requirement for each OSP scanner module.
All sample OSP scanners are written in Python. Currently the C-library API only supports OSP client functionality, not server functionality.
The memory consumption of the OpenVAS Scanner was reduced by about 50%.
References:

[1] OpenVAS: http://www.openvas.org/
[2] redis: http://redis.io/
[3] Greenbone: http://www.greenbone.net/
[4] SecPod: http://www.secpod.com/
[5] BSI: https://www.bsi.bund.de//

@firebitsbr

HowTo- Instalando OpenVAS8 + Debian 8 + Redis

Olá.

Segue mais um HowTo- Instalando OpenVAS8 + Debian 8 + Redis by @firebitsbr 😉

No caso é só fazer download de um debian 8 x64 bits – netinstall e depois criar um shell script (*.sh) após a instalação total do Debian (maquina fisica ou virtual) e executá-lo:

chmod 755 openvas8_debian.sh

Abaixo, o openvas8_debian.sh (completo):

#!/bin/bash
#OpenVAS 8 Installer Debian 8
#Mauro Risonho de Paula Assumpção aka firebits
#download do debian 8 x64 bits
#http://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-8.0.0-amd64-netinst.iso

# Passo 1 – pacotes requeridos para instalação
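# Step 1 – packages required for the build.
# The original one-liner listed several packages more than once
# (libglib2.0-dev, libgpgme11-dev, libpcre3-dev, libpth-dev, libpopt-dev);
# apt tolerates that, but the list is kept unique and wrapped here so it can
# be audited. Abort on failure: everything below needs these packages.
apt-get install -y \
  build-essential devscripts dpatch quilt cmake pkg-config autoconf bison \
  libassuan-dev libglib2.0-dev libgpgme11-dev libpcre3-dev libpth-dev \
  libwrap0-dev libgmp-dev libgmp3-dev libssh-dev libpcap-dev uuid-dev \
  libksba-dev doxygen sqlfairy xmltoman sqlite3 libsqlite3-dev wamerican \
  redis-server libhiredis-dev libsnmp-dev libmicrohttpd-dev libxml2-dev \
  libxslt1-dev xsltproc libssh2-1-dev libldap2-dev nmap libgnutls-dev \
  libpopt-dev heimdal-dev heimdal-multidev mingw32 texlive-full rpm alien \
  nsis \
  || { printf 'apt-get install failed\n' >&2; exit 1; }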

# Passo 2 – Copiar arquivo de config para backup, setar unixsocket e subir o database redis
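# Step 2 – back up the Redis config, enable the Unix socket, restart Redis.
# The backup is taken only on the first run so a re-run cannot overwrite it
# with the already-edited file.
[[ -e /etc/redis/redis.orig ]] || cp /etc/redis/redis.conf /etc/redis/redis.orig

# Append the directive only when it is not there yet, with straight quotes:
# the typographic quotes of the original echo were written into the config
# file literally.
# NOTE: the socket is created in the world-writable /tmp; review the
# unixsocketperm setting in redis.conf so that only the scanner can reach it.
grep -q '^unixsocket /tmp/redis.sock' /etc/redis/redis.conf \
  || printf 'unixsocket /tmp/redis.sock\n' >> /etc/redis/redis.conf
service redis-server restart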

# Passo 3 – Criar pasta openvas8 e download dos sources codes
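# Step 3 – create the openvas8 directory and download the sources.
# `–no-check-certificate` in the original was written with an en-dash, so
# wget took it as an extra URL rather than as an option; certificate
# verification therefore was, and deliberately stays, on. A failed `cd`
# aborts instead of extracting into the wrong directory.
mkdir -p openvas8
cd openvas8/ || exit 1

tarballs=(
  https://wald.intevation.org/frs/download.php/2015/openvas-libraries-8.0.1.tar.gz
  https://wald.intevation.org/frs/download.php/2016/openvas-scanner-5.0.1.tar.gz
  https://wald.intevation.org/frs/download.php/2017/openvas-manager-6.0.1.tar.gz
  https://wald.intevation.org/frs/download.php/2018/greenbone-security-assistant-6.0.1.tar.gz
  https://wald.intevation.org/frs/download.php/1987/openvas-cli-1.4.0.tar.gz
  https://wald.intevation.org/frs/download.php/1975/openvas-smb-1.0.1.tar.gz
  https://wald.intevation.org/frs/download.php/1999/ospd-1.0.0.tar.gz
  https://wald.intevation.org/frs/download.php/2005/ospd-ancor-1.0.0.tar.gz
  https://wald.intevation.org/frs/download.php/2003/ospd-ovaldi-1.0.0.tar.gz
  https://wald.intevation.org/frs/download.php/2004/ospd-w3af-1.0.0.tar.gz
)
for url in "${tarballs[@]}"; do
  wget -- "$url" || exit 1
done

# Step 4 – unpack all downloaded archives. A glob replaces the original
# `find | grep ".tar.gz$" | xargs -i tar ...`, whose unescaped "." and
# typographic quotes were fragile. No checksums or signatures are published
# with these links; if the project provides them, verify every archive here
# before it is unpacked as root (placeholder: sha256sum -c <CHECKSUM_FILE>).
for archive in ./*.tar.gz; do
  [[ -e "$archive" ]] || { printf 'no tarballs found in %s\n' "$PWD" >&2; exit 1; }
  tar zxvfp "$archive" || exit 1
done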

# Passo 5 – Compilação de cada pacote de source codes – OBS: Sempre nesta ordem ou haverá quebra de compilação.
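#######################################
# Configure, build, document and install one cmake-based OpenVAS component.
# Arguments: $1 - glob matching the unpacked source directory (the caller
#                 quotes it; it is expanded here, directories only)
# Outputs:   build output on stdout, diagnostics on stderr
# Returns:   does not return on a configure/build/install failure (exit 1);
#            a failing `make doc-full` only warns, as the original flow
#            continued past it too
#######################################
build_cmake_pkg() {
  local pattern=$1 srcdir='' candidate
  # The pattern also matches the downloaded tarball (openvas-libraries-*
  # matches openvas-libraries-8.0.1.tar.gz), so take the first match that
  # is a directory; the original `cd pattern*` only worked because the
  # directory happens to sort first.
  # shellcheck disable=SC2086 -- $pattern is expanded as a glob on purpose
  for candidate in $pattern; do
    if [[ -d "$candidate" ]]; then
      srcdir=$candidate
      break
    fi
  done
  if [[ -z "$srcdir" ]]; then
    printf 'no source directory matches %s\n' "$pattern" >&2
    exit 1
  fi
  mkdir -p -- "$srcdir/build"
  # Subshell: the caller's working directory is restored whatever happens
  # (the original's trailing `cd ../../` assumed every earlier cd succeeded).
  (
    cd "$srcdir/build" || exit 1
    cmake .. || exit 1
    make || exit 1
    make doc-full \
      || printf 'warning: make doc-full failed in %s, continuing\n' "$srcdir" >&2
    make install || exit 1
  ) || {
    printf 'build failed in %s\n' "$srcdir" >&2
    exit 1
  }
}

# Step 5 – build each component. Always in this order: each one links
# against the previous ones, so a different order breaks the build.
build_cmake_pkg 'openvas-smb*'
build_cmake_pkg 'openvas-libraries-*'
build_cmake_pkg 'openvas-scanner-*'
build_cmake_pkg 'openvas-manager-*'
build_cmake_pkg 'openvas-cli-*'
build_cmake_pkg 'greenbone-security-assistant-*'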

# Recarregar as bibliotecas
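# Refresh the shared-library cache so the daemons find the libraries just
# installed under /usr/local/lib.
ldconfig

# Server certificate, then the client certificate the manager uses to talk
# to the scanner (-n: non-interactive, -i: install).
openvas-mkcert || exit 1
openvas-mkcert-client -n -i || exit 1

# Create the admin user. openvasmd prints a generated password for the new
# user (that is the password the original comment says to note down); the
# original then immediately replaced it with the fixed value "1". Keep the
# generated password unless OPENVAS_ADMIN_PASSWORD is set in the
# environment. (--new-password puts the secret on the command line, where
# `ps` can see it; that is openvasmd's interface, so use it only when a fixed
# password is really required.)
openvasmd --create-user=admin --role=Admin || exit 1
if [[ -n "${OPENVAS_ADMIN_PASSWORD:-}" ]]; then
  openvasmd --user=admin --new-password="$OPENVAS_ADMIN_PASSWORD"
fi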

# Criar shell script para atualização de plugins, scap e informações do cert.
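# Helper scripts in /usr/local/sbin. Heredocs with a quoted delimiter write
# the text literally; the original used echo with typographic quotes
# (‘ ’ “ ”) and en-dashes, which ended up verbatim in the generated files,
# so e.g. `openvasmd –rebuild` would not have been a valid option.

# openvas-update: refresh the NVT, SCAP and CERT feeds.
cat > /usr/local/sbin/openvas-update <<'EOF'
#!/bin/bash
/usr/local/sbin/openvas-nvt-sync
/usr/local/sbin/openvas-scapdata-sync
/usr/local/sbin/openvas-certdata-sync
EOF
chmod 0755 /usr/local/sbin/openvas-update

# openvas-start: order matters — rebuild the NVT cache, then manager,
# scanner and the web interface; otherwise they do not come up correctly.
cat > /usr/local/sbin/openvas-start <<'EOF'
#!/bin/bash
/usr/local/sbin/openvasmd --rebuild
/usr/local/sbin/openvasmd
/usr/local/sbin/openvassd
/usr/local/sbin/gsad
EOF
chmod 0755 /usr/local/sbin/openvas-start

# openvas-kill: stop all daemons so they can be restarted cleanly. The
# original `ps aux | egrep "(openvas.d|gsad)" | awk | xargs kill` matched any
# process whose command line contained those strings, including its own
# egrep. pkill -x matches the process name exactly; "nothing to kill" is not
# an error for this script.
cat > /usr/local/sbin/openvas-kill <<'EOF'
#!/bin/bash
pkill -x openvasmd
pkill -x openvassd
pkill -x gsad
exit 0
EOF
chmod 0755 /usr/local/sbin/openvas-kill

# Boot hook via rc.local: keep whatever is there except the closing "exit 0"
# and any earlier openvas lines (so re-running the installer stays
# idempotent), then append the start-up sequence. A temp file replaces the
# original read-modify-write through a shell variable, which dropped
# trailing newlines. The file is copied back with cat so rc.local keeps its
# owner and mode, and made executable because rc-local.service only runs it
# then.
rc_tmp=$(mktemp) || exit 1
grep -v 'exit 0' /etc/rc.local | grep -v 'openvas' > "$rc_tmp"
cat >> "$rc_tmp" <<'EOF'
date >> /var/log/openvas_init
echo 'openvas init started' >> /var/log/openvas_init
/usr/local/sbin/openvas-kill >> /var/log/openvas_init || /bin/true
/usr/local/sbin/openvas-start >> /var/log/openvas_init || /bin/true
echo 'openvas init finished' >> /var/log/openvas_init
exit 0
EOF
cat "$rc_tmp" > /etc/rc.local
rm -f -- "$rc_tmp"
chmod 0755 /etc/rc.local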

# Scripts acima, ja no formato de shellscript sendo validados e carregados
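# Run the scripts created above once: stop anything running, sync the feeds
# (slow on the first run), then start the daemons.
/usr/local/sbin/openvas-kill
/usr/local/sbin/openvas-update
/usr/local/sbin/openvas-start

# Check that the OpenVAS 8 installation is complete. The check script is
# fetched over https and then executed as root, so certificate verification
# must stay on. The original passed `–no-check-certificate` with an en-dash,
# which wget treated as a second URL rather than as an option, so
# verification was in fact never disabled; that is kept deliberately. If the
# server's CA is not trusted, install the CA certificate instead of turning
# verification off.
wget -O openvas-check-setup \
  https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup \
  || exit 1
chmod 0755 openvas-check-setup
./openvas-check-setup --v8 --server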

Por enquanto, só testei em Debian 8 x64 bits, mas acho que pode funcionar em Ubuntu e derivados e com um pouco de adaptação em outros linux (Redhat, Fedora, Slackware e outros).

Ultimamente está bem corrido, meu dia-a-dia, mas poste nos comentários do meu blog, qualquer dúvida, se houver e com um pouco de tempo, eu retorno.

Espero ter ajudado!;)

@firebitsbr

Localizando Plugins no OpenVAS para criação

Estava desenvolvendo plugins para OpenVAS, quando reparei que em algumas situações que eu estava “reinventando a roda”.

Então comecei a analisar manualmente plugin a plugin nos exemplos que vem no Openvas através do OpenVAS NVT Feed, mas é cansativo fazer manualmente:

http://www.openvas.org/openvas-nvt-feed.html

Mais de 33k em plugins, até o momento deste artigo na época!

http://www.openvas.org/openvas-nvt-feed-current.tar.bz2

No caso é só extrair em uma pasta qualquer, descompactar e depois executar esse comando:

find <caminho dos plugins> | xargs grep -s -a -i <expressão de busca>

Como estava procurando plugins que faça menção a conexão à SSH fiz assim:

find /home/firebits/openvas-plugins/ | xargs grep -s -a -i ssh

Poderíamos canalizar para um artigo TXT para usarmos como referência depois:

find /home/firebits/openvas-plugins/ | xargs grep -s -a -i ssh >> txt-ssh-openvas.txt

Ou mover para outra pasta, mas como muitos plugins dependem uns dos outros para serem executados, não recomendo mover e sim copiar.

@firebitsbr

 

Desabilitar o RC4 do Chrome – Attack of the week: RC4 is kind of broken in TLS

Desabilitar o RC4 do Chrome

Saiu na CISSP.

http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html

http://cr.yp.to/talks/2013.03.12/slides.pdf

http://www.ietf.org/rfc/rfc2246.txt

Rafael Koike koike.rafael  @  gmail.com por  yahoogroups.com
10 de jul (2 dias atrás)

para cisspBR
Pessoal,

Depois das noticias da NSA e da sensação que de as conversas podem ser
monitoradas não só por tap nas fibras, mas quem sabe por falhas nos
protocolos de segurança implementados nos navegadores resolvi pesquisar um
pouco.
Com as divulgações de que o RC4 pode ser quebrado com TLS eu fiquei de cuca
quente e resolvi olhar qual criptografia estava usando nas paginas HTTPS e
eis que meu default de negociação com os sites que mais uso como GMAIL e
FACEBOOK eram RC4 com SHA!
Ai o próximo passo era ver como desabilitar o RC4 para negociar um
protocolo mais seguro.
Usando o Chrome e buscando no google não achei nada!
Eis que analisando o código fonte do google vi que os desenvolvedores
deixaram o seguinte parâmetro para remover cifras do
navegador: --cipher-suite-blacklist
O duro foi descobrir como este parâmetro funciona porque na internet e no
google não diz.
Depois de alguma horas olhando o codigo fonte do chrome descobri.

Para quem quiser desabilitar o RC4 do Chrome o parâmetro no atalho é:
--cipher-suite-blacklist=0x0005,0x0004
Sendo que:
0x0004 = TLS_RSA_WITH_RC4_128_MD5
0x0005 = TLS_RSA_WITH_RC4_128_SHA

Os codigos das cifras podem ser encontradas em:
http://www.ietf.org/rfc/rfc2246.txt

Infos do possivel ataque:
http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html

Vou tentar criar um plugin para OpenVAS que possa detectar se o Google Chrome está com TLS_RSA_WITH_RC4 ou não.
@firebitsbr

OpenVAS: RHEL 4 Update for Samba CVE-2010-0547 – DRAFT

###############################################################################
# OpenVAS Vulnerability Test
#
# RHEL 4 Update for Samba CVE-2010-0547 – DRAFT
# firebits_CVE_2010_0547_samba_RHEL4_all.nasl
#
#
# Authors:
# System Generated Check
# Mauro Risonho de Paula Assumpção aka firebits
# mauro.risonho@gmail.com
# firebitsbr@wald.intevation.org
#
# Copyright:
# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net
# Copyright (c) 2013 NONAMESEC Security Systems, http://www.nonamesec.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

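# Report text appended to the finding (see security_warning below). The
# published listing had typographic quotes (” and an HTML-escaped &#8221;)
# around this literal; NASL needs straight double quotes.
desc = "

Vulnerability Insight:

CVE-2010-0547 samba: mount.cifs improper device name and mountpoint
strings sanitization
The MITRE CVE dictionary describes this issue as:

client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier
does not verify that the (1) device name and (2) mountpoint strings are
composed of valid characters, which allows local users to cause a
denial of service (mtab corruption) via a crafted string.

Affected Software/OS:
cifs on Red Hat Enterprise Linux version 4 (samba)

Fix: Please Install the Updated Packages.

References:
https://access.redhat.com/security/cve/CVE-2010-0547
http://rpmfind.net/linux/rpm2html/search.php?query=samba";

# Registration phase: the scanner loads the script with `description` set
# and only the metadata below is evaluated.
if(description)
{
  script_id(880323);
  script_version("$Revision: 12798 $");
  script_tag(name:"check_type", value:"authenticated package test");
  script_tag(name:"last_modification", value:"$Date: 2013-07-11 18:03:54 GMT-03:00 0 Brazil, São Paulo (Thu, 11 Jul 2013) $");
  script_tag(name:"creation_date", value:"2009-02-27 08:31:09 +0100 (Fri, 27 Feb 2009)");
  # NOTE(review): the base score and the vector disagree (AV:N/AC:L/Au:N with
  # A:P evaluates to 5.0, not 2.6) and the advisory text above describes a
  # *local* denial of service; re-check both against the CVE entry before
  # this leaves DRAFT.
  script_tag(name:"cvss_base", value:"2.6");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_tag(name:"risk_factor", value:"Low");
  script_xref(name: "CVE", value: "2010-0547");
  script_cve_id("CVE-2010-0547");
  script_name( "Red Hat Enterprise Linux version 4 Update for samba CVE-2010-0547 RHEL4");

  script_description(desc);
  script_summary("Check for the Version of Samba");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2009 Greenbone Networks GmbH / Copyright (C) 2013 NoNameSEC Security Systems, Ltd");
  script_family("RHEL Local Security Checks");
  # Needs the package list gathered over SSH and an RPM-based Red Hat host.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("HostDetails/OS/cpe:/o:redhat:redhat", "login/SSH/success", "ssh/login/release");
  exit(0);
}
include("pkg-lib-rpm.inc");
include("revisions-lib.inc");

# Release string collected by gather-package-list.nasl; without it the check
# cannot run (no SSH login, or not an RPM host).
release = get_kb_item("ssh/login/release");
res = "";
if(release == NULL){
  exit(0);
}

# "Nahant" is the RHEL 4 release this test targets (see script_name).
if(release == "Nahant")
{
  # isrpmvuln (pkg-lib-rpm.inc) returns a report string when the installed
  # samba is older than the reference package, NULL otherwise.
  if ((res = isrpmvuln(pkg:"samba", rpm:"samba-3.0.33-3.36.el4", rls:"Nahant")) != NULL)
  {
    security_warning(data:res + '\n' + desc);
    exit(0);
  }

  if (__pkg_match) exit(99); # Not vulnerable.
  exit(0);
}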

Pedido de integração à equipe de desenvolvimento do OpenVAS

Puxa…estou emocionado!

Hoje aceitaram meu pedido oficial de integração à equipe de desenvolvimento do OpenVAS. Venho desde sei lá, 2001 eu acho ou 2003, brincando com código do Nessus e depois que fecharam o código-fonte (nem me lembro a data).
Em 2008 conheci o OpenVAS2 http://www.openvas.org/announcement-openvas-2.html e curti, na verdade eu achei bem melhor que o Nessus Community (GPL) na época.

Me lembro da época que eu palestrava sobre OpenVAS e o espreto falava sobre Metasploit, bem antes disso, já curtia Análise em vulnerabilidades e agora essa notícia maravilhosa!

OpenVAS

Agora, bora desenvolver!

Tem uns plugins aqui (quick and dirty) https://github.com/firebitsbr/OpenVAS-Plugins-hardening mais focado em Hardening (apenas scanning), mas já estou codando vários sobre WordPress, Drupal e Joomla que vou disponibilizar para comunidade.

Obrigado pelo apoio de todos!

@firebitsbr