¶ Lab 3 - Vulnerability Scan
- [previously] “ Lab 1 - Introduction to the Internet and the OSI-model ” Addressing, Addresses,
- [previously] “ Lab 2 - Reconnaissance Phase" Find networks, that include hosts
- [now] “ Lab 3 - Vulnerability Scan ”- Use OpenVAS and Nessus to scan for vulnerabilities in the networks found in Lab 2.
¶ Read in the book
- Read “VULNERABILITY ASSESSMENT TOOLS. ” and “OS Fingerprinting” in chapter 11.3 in the book Paul C. van Oorschot, Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin
- *Read “… Categorizing Malware” in chapter 7.8
¶ Lab Setup
Two persons in each group.
Three computers from the same POD.
Only computers marked with green tape have 32GB RAM.
¶ Already prepared for campus students
- Task 0: Abroad students only !\* This requires a PC with at least 32 GB of RAM (due to large RAMdisk requirement)
\* Not for campus-students: Buy a USB memory stick, at least 16GB big
\* Not for campus-students: Download Torrent software like https://www.qbittorrent.org/download required
\* Not for campus-students: Download ISO of Live [Kali-USB **Everything**](https://www.kali.org/get-kali/#kali-live) ( ~13gig, a *very* big file) .
\* Not for campus-students: Download ISO to USB burning software - **Example** GOOD: https://etcher.balena.io/ BAD: https://rufus.ie/en/
\* Not for campus-students: Burn the ISO to USB and reBOOT :-)
¶ Boot Kali from USB
- grab one white USB-stuck per group
- Insert the USB-stick in a fast (blue) port and reboot
- Press F12 repeatedly to get into the boot menu
- If you see windows booting yo have failed. Go back to step 2 (reboot again)
- Select the "UEFI: <name of USB-stick>" from the boot menu and start Kali Linux according to instructions
¶ Using free OpenVAS (gvm) Vulnerability Scanner
Task 1: Using OpenVAS
1a/ Scan different networks and find the most interesting one
1b/ Question 0 Submit a PDF-report (auto-generated) of the most "interesting" (one network only) with many CVE's and Vulnerabilities to Canvas
Start a command shell in Kali/Linux
10. OpenVAS does not fit in current RAMdisk< change to 32G
df -h /
sudo mount -o remount,size=32G /run/live/overlay
df -h /
-
sudo chmod 777 /home/kali -
sudo gvm-setup
< downloading stuff takes a loooooooooong time >
< Notus file: 10 minutes, NASL files: 10 minutes, SCAP files: 20mins *-data: 20 mins > -
MAKE A COPY OF THE PASSWORD !!!
-
sudo gvm-check-setup
<output omitted for clarity>
It seems like your GVM-22.5.0 installation is OK. -
sudo gvm-start
. If you get errors from "task" saving inside the web-browser, fix it with:
sudo chmod -R 777 /var/lib/gvm -
https://127.0.0.1:9392 ← Use Firefox App, remember the port-number
-
Start a new CLI shell window, and run the command
tail -f /var/log/gvm/* -
Go back to GUI and select "Administration" -> "Feed Status"
watch both CLI & GUI simultaneously. Wait for "Status" to become "Current"
Meanwhile you MUST update your photo on mittkonto.hv.se
- AVOID: If updating stops for a very loong time AND you get "Failed to find config ‘daba56c8-73ec-11df-a475-002264764cea’" when creating a new Scan, you can manually fix it with
sudo greenbone-feed-sync(requires that gvm is stopped, remember start afterwards)
Inside the OpenVAS application (via web-browser)
Scan full NETWORKS with OpenVAS, that is /24's etc HOSTS (/32's) are for NESSUS due to license restrictions
- Create a Target under Configuration->Target menu. Use "Square with plus" icon to create a new one.
- Create a new Task under Scans->Tasks menu. Use "Square with plus" icon to create a new one.
Question 1 What chapters in the book from P.C. von Oorschot does the vulnerabilities found, fall under? Make a list of chapter titles!
Question 2 Make a list of vulnerability types and map two or three of the discovered vulnerabilities to these classes?
Question 3 2a/ What is CVE? 2b/ What is CVSS? 2c/ Explain what it has to do with vulnerabilites found by OpenVAS!
2d/ What is the current status of cve and cvss in europe and usa regarding Trump administration?
Question 4 Why is nmap not a tool for cybersecurity, only good for old network security, compared to OpenVAS & Nessus?
¶ Using NESSUS, demo version of commercial software
This is probably more easy in Windows, not Kali-Linux. Switch to the middle computer, PC-B)
Only scan HOSTS (/32's), not networks, since NESSUS demo
have license restrictions
Task 2: Using Nessus Professional
A. Using the information from the previous LAN-scans :
Scan three different interesting hosts and generate one PDF-report (auto-generated)
B. Submit the PDF-report (auto-generated) of the most "interesting" (one host only) with many CVE's and Vulnerabilities to Canvas
Some hints:
- https://www.tenable.com/tenable-for-education/nessus-essentials Free version for students, untested
- https://www.tenable.com/downloads/nessus?utm_source=nessus-trial-thank-you-update&loginAttempted=true
- I guess that the "Nessus Professional" is the version that we want (Trial)
- Activation Code: RZQK-NKWQ-XHNT-4XFD-HC95 ( This is my personal code 2025 /Robert )
- If it asks for “Upgrade …” close the window with X (top right corner)
- Wait for “Compiling Plugin” before scanning – look for the rotating arrows, hoover over them to see percentage
Scan only HOSTS (full IP address) with NESSUS *NOT* NETWORKS due to license restrictions
Question 5 Why does the findings from Nessus differ from OpenVAS?
Question 6 From what sources does OpenVAS download "signatures"? Where does Nessus get its "feeds"?
Question 7 Why can you feed OpenVAS and Nessus with login credentials?? What is the use of that?
Question 8 Mitigation: 8a/ How does Nessus help you to fix vulnerabilities? 8b/ Can this be automated, so problems can be fixed automatically? if so, how??
Task X eXtra: Try you luck with the scanner "Nikto" , or "Vuls", and scan the most interesting IP (one host), the same as you choose above. Does it give the same report? What differs??
¶ Send in reports
Upload 2 different PDF-reports, and one PDF-document with your answers (total: 3 PDFs)
- One generated from OpenVAS (most interesting network i.e. one with many servers)
- One generated from Nessus (most interesting host i.e. a very bad server or network device)
- Another report/document; This document contains your answers to all the Question above (total 8)
¶ Random screenshots
After Scan
