¶ Lab 3 - Vulnerability Scan
- [previously] “ Lab 1 - Introduction to the Internet and the OSI-model ” Addressing, Addresses,
- [previously] “ Lab 2 - Reconnaissance Phase"
- [now] “ Lab 3 - Vulnerability Scan ”- Use OpenVAS and Nessus to scan for vulnerabilities in the networks found in Lab 2.
¶ Read in the book
- Read “VULNERABILITY ASSESSMENT TOOLS. ” and “OS Fingerprinting” in chapter 11.3 in the book Paul C. van Oorschot, Computer Security and the Internet: Tools and Jewels from Malware to Bitcoin
- Read “… Categorizing Malware” in chapter 7.8
¶ Already prepared for campus students
- Task 0: Abroad students only !
* This requires a PC with at least 16 GB of RAM
* Not for campus-students: Buy a USB memory stick, at least 16GB big
* Not for campus-students: Download Torrent software like https://www.qbittorrent.org/download required
* Not for campus-students: Download ISO of Live Kali-USB Everything ( ~12gig, a very big file) .
* Not for campus-students: Download ISO to USB burning software - Example GOOD: https://etcher.balena.io/ BAD: https://rufus.ie/en/
* Not for campus-students: Burn the ISO to USB and reBOOT
¶ Using free OpenVAS (gvm) Vulnerability Scanner
Task 1: Using OpenVAS
1a/ Scan different networks and find the most interesting one
1b/ Submit a PDF-report (auto-generated) of the most "interesting" (one net only) with many CVE's and Vulnerabilities to Canvas
Start a command shell in Kali/Linux
-
sudo chmod 777 /home/kali -
sudo gvm-setup
< downloading stuff takes a loooooooooong time >
< Notus file: 10 minutes, NASL files: 10 minutes, SCAP files: 20mins *-data: 20 mins > -
MAKE A COPY OF THE PASSWORD !!!
Meanwhile you MUST update your photo on mittkonto.hv.se -
sudo gvm-check-setup
<output omitted for clarity>
It seems like your GVM-22.5.0 installation is OK. -
sudo gvm-start
. If you get errors from "task" saving inside the web-browser, fix it with:
sudo chmod -R 777 /var/lib/gvm -
If you get "Failed to find config ‘daba56c8-73ec-11df-a475-002264764cea’" when creating a new Scan, fix it with
sudo greenbone-feed-sync -
https://127.0.0.1:9392 ← Use Firefix App, remember the port-number
Scan full NETWORKS with OpenVAS, that is /24's etc HOSTS (/32's) are for NESSUS due to license restrictions -
Create a target under Configuration->Target menu. Use "Square with star" icon to create a new one.
-
Create a new Task under Scans->Tasks menu. Use "Square with star" icon to create a new one.
'
Question 1 What chapters in the book from P.C. von Oorschot does the vulnerabilities found, fall under? Make a list of chapter titles!
Question 2 Make a list of vulnerability types and map two or three of the discovered vulnerabilities to these classes?
Question 3 2a/ What is CVE? 2b/ What is CVSS? 2c/ Explain what it has to do with vulnerabilites found by OpenVAS!
¶ Using NESSUS, demo version of commercial software
(this is probably more easy in Windows, not Kali-Linux)
Only scan HOSTS (/32's), not networks, since NESSUS demo
have license restrictions
Task 2: Using Nessus Professional
A. Using the information from the previous LAN-scans :
Scan three different interesting hosts and generate one PDF-report (auto-generated)
B. Submit the PDF-report (auto-generated) of the most "interesting" (one host only) with many CVE's and Vulnerabilities to Canvas
Some hints:
- https://www.tenable.com/tenable-for-education/nessus-essentials Free version for students, untested
- https://www.tenable.com/downloads/nessus?utm_source=nessus-trial-thank-you-update&loginAttempted=true
- I guess that the "Nessus Professional" is the version that we want (Trial)
- Activation Code: 6EH8-NKTE-JEH8-LCXL ( This is my personal code /RA )
- If it asks for “Upgrade …” close the window with X (top right corner)
- Wait for “Compiling Plugin” before scanning – look for the rotating arrows, hoover over them to see percentage
Scan only HOSTS (full IP address) with NESSUS *NOT* NETWORKS due to license restrictions
Question 4 Why does the findings from Nessus differ from OpenVAS?
Question 5 From what sources does OpenVAS download "signatures"? Where does Nessus get its "feeds"?
Question 6 Why can you feed OpenVAS and Nessus with login credentials?? What is the use of that?
Question 7 Mitigation: 7a/ How does Nessus help you to fix vulnerabilities? 7b/ Can this be automated, so problems can be fixed automatically? if so, how??
¶ Send in reports
Upload 2 different PDF-reports, and one document
- One generated from OpenVAS (most interesting network i.e. one with many servers)
- One generated from Nessus (most interesting host i.e. a very bad server or network device)
- Another report/document; This document contains your answers to the 7 Question above
¶ Random screenshots
sdf
After Scan
asd
