So you want to build a Security Program? Part 1 - Vulnerability Scanning
-
In this day and age, vulnerability scans should be a part of every network, including SMB, especially when you consider the risks today. Is vulnerability scanning expensive? Well, it can be, but there are some open-source and low-cost options.
OpenVAS
OpenVAS is a fork of the open-source Nessus project. Nessus shut down their open-source program in 2005. After that, OpenVAS was born. I have seen OpenVAS packaged with other tools and sold, such as AlienVault. Even though the GUI looks different, the backend is OpenVAS.
Pros
- open-source (free)
- reliable updates and lots of forum style support
- Quick and easy to set up
Cons
- Slow. OpenVAS scans take longer to run and use more resources compared to paid solutions
- Weekly updates vs. daily updates (as with paid solutions)
- Resource intensive. Small networks (50 servers) may need a dedicated server with 8GB-16GB RAM
How to start your first scan
OK, so step one is to go to Configuration > Targets
Click the star (top left) to add a new target
Let's just use one target for now. Name it whatever you want and just type in the IP manually
Otherwise, I would use a text file
Then go to Configuration > Credentials
Add a credential and save it
Now go back to Configuration > Targets and edit the one you already made and go to SMB and select the credential you just made
Next go to Scan Management > Tasks
Then click the star to create a new task
Name it whatever you want and select the scan target you just created
Once you are finished with the task click the green play button to start the scan
-
Is OpenVAS intuitive to use and pick up? Does it have built-in scans and reporting that are easily assessed (read)?
-
What kinds of things are found with OpenVAS, and what are the things you generally chase once you've completed a scan?
-
@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
Is OpenVAS intuitive to use and pick up? Does it have built-in scans and reporting that are easily assessed (read)?
The GUI and reporting are not good. In fact the GUI is one of the ugliest GUIs I have ever seen, but you will get the same data as you would with paid solutions.
-
@IRJ So what good is the reporting, if it's no good?
How do you interpret the information you receive?
-
@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@IRJ So what good is the reporting, if it's no good?
How do you interpret the information you receive?
The reporting is fine for a technical person. It is not great for management. You can get CSV files of all the vulnerabilities found, with references and solutions for how to fix them. So for a technical person you have 100% of what you need.
-
@IRJ ok so then the reports are fine for someone who knows what they are reading.
All I needed to know.
-
With Nessus, I am able to pull reports for specific groups of assets. Like I can just say give me all web servers, Server 2008 R2, database servers, or Citrix. You can also create custom groups based on applications or whatever else, like location etc.
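As an added example (not from this thread or from the OpenVAS project), here is a small Python script that takes the CSV export mentioned above and rebuilds the Nessus-style asset-group view for management: findings are counted per group and severity, and remediation actions are ranked by how many findings they close. The CSV column names and the host-to-group mapping are assumptions; the sample rows are constructed, so check the header of a real export and adjust the keys.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample resembling an OpenVAS CSV export. Column names are an
# assumption: compare against the header of your own export before use.
SAMPLE_CSV = """IP,Hostname,Port,CVSS,Severity,NVT Name,Solution
10.0.0.5,web01,443/tcp,7.5,High,TLS 1.0 Enabled,Disable TLS 1.0
10.0.0.5,web01,80/tcp,5.0,Medium,HTTP TRACE Enabled,Disable TRACE
10.0.0.12,db01,1433/tcp,9.3,High,Missing Database Patch,Apply vendor patch
10.0.0.12,db01,445/tcp,5.0,Medium,SMB Signing Not Required,Enforce SMB signing
10.0.0.20,ctx01,445/tcp,5.0,Medium,SMB Signing Not Required,Enforce SMB signing
"""

# Hypothetical asset tagging, maintained by hand because the CSV export itself
# carries no asset-group concept; hosts not listed fall into "untagged".
ASSET_GROUPS = {
    "web01": "web servers",
    "db01": "database servers",
    "ctx01": "citrix",
}

def parse_report(text):
    """Parse CSV export text into a list of finding dicts with numeric CVSS."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["CVSS"] = float(row["CVSS"] or 0)
        rows.append(row)
    return rows

def summarize(findings, groups):
    """Count findings per asset group and severity (the management view)."""
    summary = defaultdict(Counter)
    for f in findings:
        summary[groups.get(f["Hostname"], "untagged")][f["Severity"]] += 1
    return {g: dict(c) for g, c in summary.items()}

def findings_for(findings, groups, group_name):
    """Filter to one asset group, e.g. 'give me all web servers'."""
    return [f for f in findings if groups.get(f["Hostname"], "untagged") == group_name]

def top_fixes(findings, min_cvss=5.0):
    """Rank remediation actions by how many findings at/above min_cvss they close."""
    return Counter(f["Solution"] for f in findings if f["CVSS"] >= min_cvss).most_common()

if __name__ == "__main__":
    findings = parse_report(SAMPLE_CSV)
    print(summarize(findings, ASSET_GROUPS))
    print(top_fixes(findings))
```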
-
But Nessus is a paid-for solution, correct?
-
@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
But Nessus is a paid-for solution, correct?
Correct.
-
I am just highlighting that the reporting in OpenVAS does not compare to Nessus. Let me grab an OpenVAS sample report for you @DustinB3403
-
I am also interested in this @IRJ, so I'll be following your topics with interest even if I don't have specific questions.
-
@Kelly said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
I am also interested in this @IRJ, so I'll be following your topics with interest even if I don't have specific questions.
@DustinB3403 and I are working on setting his up through chat. I will share details in this thread when we are done.
-
Key note: once installed and you're able to access the web console, you need to enable the root account, get to a shell, and run
openvasmd --update && openvasmd --rebuild
to download the NVTs and other SecInfo. This has taken about 5 minutes so far, but could take longer still.
-
I remember trying to get OpenVAS set up once.
(Shudders...)
-
@BRRABill So the setup itself so far hasn't seemed too difficult.
The GUI sucks though, and isn't intuitive. Adding targets is awkward, but once you've seen it, it's easy enough.
-
@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
@BRRABill So the setup itself so far hasn't seemed too difficult.
The GUI sucks though, and isn't intuitive. Adding targets is awkward, but once you've seen it, it's easy enough.
Yeah, I guess installing wasn't a big deal. I ended up just using one of their preconfigured ones. (This was back in my pre-Linux days.)
I think getting it to work was more my thing. I'm sure if I stayed on it I would have figured it out. The GUI is definitely terrible.
-
Probably the worst GUI I've seen. It's so bad I had to download the VM again just to help @DustinB3403 because it's not intuitive at all.
-
So besides the bad interface, and the oddity of having to download the NVTs separately, the solution itself doesn't seem so bad.
A bit slow (VBox on my system), but once you start to use it it's actually kinda simple, and provides a nice insight into where things are vulnerable.
-
@DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:
So besides the bad interface, and the oddity of having to download the NVTs separately, the solution itself doesn't seem so bad.
A bit slow (VBox on my system), but once you start to use it it's actually kinda simple, and provides a nice insight into where things are vulnerable.
NVTs are downloaded on a schedule (weekly). You only have to do it once manually and it should update after that. You can always verify in the GUI by looking at the date of the latest NVTs.
The other option, which I've done for small companies who are low on resources is to just have the update command run at startup. There isn't a real reason to have this server up 24/7 so you can boot it up weekly or whatever if you want.