OpenVAS: installation, usage and secondary development

Preface: this article records my experience installing, using and building on top of OpenVAS. It collects a lot of material and effort; if it helps you, please give it a like. When reposting, please cite the original link.

0X01 Installing OpenVAS

Installing openvas on CentOS: https://forums.atomicorp.com/viewtopic.php?f=31&t=8047

vim /etc/selinux/config

# Change the parameter:
SELINUX=disabled

# Update:
yum -y update

# Reboot:
reboot

# Install dependencies:
yum install -y wget bzip2 texlive net-tools alien gnutls-utils

# Add the repository (the installer is piped straight into sh; downloading it to a file and reading it first is the safer habit):
wget -q -O - https://www.atomicorp.com/installers/atomic | sh

# Install:
yum install openvas -y

# Edit the file:
vim /etc/redis.conf
# Change the configuration:
unixsocket /tmp/redis.sock
unixsocketperm 700

# Restart redis:
systemctl enable redis && systemctl restart redis

# Start the initial OpenVAS environment setup:
openvas-setup

# Open the port in the firewall:
firewall-cmd --permanent --add-port=9392/tcp
firewall-cmd --reload
firewall-cmd --list-port

# Access and log in:
https://<local-IP>:9392

# Verify the integrity and operational readiness of the installation:
openvas-check-setup --v9

# Some users reported failures; this is the workaround, but I did not run into it myself:
# yum -y install texlive-changepage texlive-titlesec
# mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
# cd /usr/share/texlive/texmf-local/tex/latex/comment
# wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
# chmod 644 comment.sty
# texhash

After installation there are three main services: gsad.service, gvmd.service and openvas-scanner.service.

Their status can be checked with systemctl.

gvmd is the OpenVAS management daemon, gsad provides the web interface, and the scanner is the scan engine, which receives commands and executes scan tasks.

Architecture diagram: (image not reproduced in this text)

openvas-manager --> called openvasmd in older versions --> renamed gvmd in newer versions

Updating the feed is a command that belongs to the OpenVAS-Scanner module:

greenbone-nvt-sync

Command for testing a single NASL script on its own: https://community.greenbone.net/t/understanding-testing-of-nasl-scripts/393

openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t <target> nginx_detect.nasl

0X02 Docker version of OpenVAS

OpenVAS Docker container: https://github.com/mikesplain/openvas-docker. This image does not use the latest OpenVAS: its openvas-manager accepts commands over a TCP connection, whereas newer versions use a Unix socket.

0X03 Related documentation

Community:

https://community.greenbone.net/

GVM-PYSHELL:

https://docs.greenbone.net/GSM-Manual/gos-4/en/omp.html#gvm-pyshell

PROTOCOL:

https://python-gvm.readthedocs.io/en/latest/api/protocols.html#module-gvm.protocols.gmpv7

Details: https://docs.greenbone.net/API/GMP/gmp-7.0.html#type_status

INSTALL:

https://python-gvm.readthedocs.io/en/latest/install.html#using-pip

API:

https://python-gvm.readthedocs.io/en/latest/usage.html

Scanning Windows target systems:

https://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#requirements-on-target-systems-with-windows

About filters:

https://docs.greenbone.net/GSM-Manual/gos-4/en/gui_introduction.html

About scan speed:

https://docs.greenbone.net/GSM-Manual/gos-4/en/performance.html#scan-performance

gvm-tools (the gvm-pyshell session below comes from it):

https://github.com/greenbone/gvm-tools

GVM Interactive Console. Type "help" to get information about functionality.
>>> nvts = gmp.get_nvts()
>>> nvts
<Element get_nvts_response at 0x7f918466bec8>
>>> resp_str = etree.tostring(nvts)
>>> len(resp_str)
6830849
>>> print(resp_str[:100])
b'<get_nvts_response status="200" status_text="OK"><nvt oid="1.3.6.1.4.1.25623.1.0.103307"><name>1024 '
>>> print(resp_str[6830800:])
b't>0</count></user_tags></nvt></get_nvts_response>'

0X04 Pitfalls

1. The python-gvm installed via pip has a bug: get_nvts actually calls the get_notes method. So install it from the GitHub source instead:

https://github.com/greenbone/python-gvm

2. The TLSConnection in python-gvm can be used to talk to openvas-manager, which usually listens on port 9390.

OpenVAS docker image:

mikesplain/openvas          latest              889967897c49        6 weeks ago         6.39GB

version: '3'

services:

  openvas:
    image: 889967897c49
    container_name: zcs_openvas
    ports:
      - "442:443"
    volumes:
      - /home/docker_openvas/run/:/var/run/
    network_mode: 'bridge'

Path where the NASL scripts are stored: /usr/local/var/lib/openvas/plugins

Problems encountered when using python-gvm:

Usage:

~~~python
import configparser
import json
import sys

import xmltodict
from gvm.connections import DebugConnection, UnixSocketConnection
from gvm.errors import GvmError
from gvm.protocols.gmp import Gmp

# Assumed: an INI file with an [OPENVAS] section holding SOCK_PATH, USER and PASSWD
config = configparser.ConfigParser()
config.read('openvas.ini')


class OpenVasHelper:
    """
    op = OpenVasHelper()
    result1 = op.exec_cmd('get_nvt', {'nvt_oid': '1.3.6.1.4.1.25623.1.0.10961'})
    result2 = op.exec_cmd('get_version')
    result3 = op.exec_cmd('get_nvts')
    print(result1)
    """
    def __init__(self):
        # One connection object shared by every call (the problem described right after this block)
        self.conn = DebugConnection(UnixSocketConnection(path=config['OPENVAS']['SOCK_PATH']))
        self.username = config['OPENVAS']['USER']
        self.password = config['OPENVAS']['PASSWD']

    def exec_cmd(self, command, params=None):
        gmp = Gmp(connection=self.conn)
        try:
            with gmp:
                gmp.authenticate(self.username, self.password)
                # Look up the GMP method by name, e.g. 'get_nvts' -> gmp.get_nvts()
                response = getattr(gmp, command)(**(params or {}))
                # xmltodict yields OrderedDicts; the JSON round-trip turns them into plain dicts
                result = json.loads(json.dumps(xmltodict.parse(response)))
                return result
        except GvmError as e:
            print('An error occurred', e, file=sys.stderr)
            return 1
~~~

A single instance was created at the top level of views.py, so every view used that one instance and all commands had to queue up on the same socket to OpenVAS. If the previous command had not yet returned and the next one arrived right behind it, the returned data came back corrupted. The fix was to move the connection setup into the method, so that each call creates its own socket connection.

~~~python
import configparser
import sys

import xmltodict
from gvm.connections import DebugConnection, UnixSocketConnection
from gvm.protocols.gmp import Gmp
from rest_framework.exceptions import APIException  # assumed: Django REST framework, since the helper is called from views.py

# Assumed: an INI file with an [OPENVAS] section holding SOCK_PATH, USER and PASSWD
config = configparser.ConfigParser()
config.read('openvas.ini')


class OpenVasHelper:
    """
    op = OpenVasHelper()
    result1 = op.exec_cmd('get_nvt', {'nvt_oid': '1.3.6.1.4.1.25623.1.0.10961'})
    result2 = op.exec_cmd('get_version')
    result3 = op.exec_cmd('get_nvts')
    print(result1)
    """

    def exec_cmd(self, command, params=None):
        # A fresh socket per call, so concurrent requests never share a connection
        conn = DebugConnection(UnixSocketConnection(path=config['OPENVAS']['SOCK_PATH']))
        username = config['OPENVAS']['USER']
        password = config['OPENVAS']['PASSWD']
        gmp = Gmp(connection=conn)
        try:
            with gmp:
                gmp.authenticate(username, password)
                # Look up the GMP method by name, e.g. 'get_nvts' -> gmp.get_nvts()
                response = getattr(gmp, command)(**(params or {}))
                # logging.debug(response)
                result = xmltodict.parse(response)
                return result
        except Exception as e:
            print('An error occurred', e, file=sys.stderr)
            raise APIException(str(e))
~~~
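As an added example (not code from this page's helper or from python-gvm), here is a stdlib-only parser for raw GMP replies shaped like the get_nvts_response seen in the gvm-pyshell session above. It enforces the status attribute that the helper never checks, so a 4xx from gvmd cannot be mistaken for data; both sample responses are constructed.

```python
import xml.etree.ElementTree as ET


class GmpResponseError(Exception):
    """Raised when the manager answers with a status outside 2xx."""


# Constructed sample: two <nvt> entries, trimmed to the fields used below.
SAMPLE_OK = (
    '<get_nvts_response status="200" status_text="OK">'
    '<nvt oid="1.3.6.1.4.1.25623.1.0.103307"><name>Constructed NVT A</name>'
    '<family>Product detection</family></nvt>'
    '<nvt oid="1.3.6.1.4.1.25623.1.0.10961"><name>Constructed NVT B</name>'
    '<family>Web application abuses</family></nvt>'
    '</get_nvts_response>'
)
# Constructed error reply: GMP reports failures in the same two attributes,
# so without a status check it parses just as happily as a success.
SAMPLE_FAIL = '<get_nvts_response status="404" status_text="Failed to find nvt"/>'


def parse_gmp_response(xml_text):
    """Parse a raw GMP reply and refuse it unless status is 2xx."""
    root = ET.fromstring(xml_text)
    status = root.get("status", "")
    if not status.startswith("2"):
        raise GmpResponseError(
            f"{root.tag}: status {status} ({root.get('status_text', '')})"
        )
    return root


def nvt_summary(xml_text):
    """Return {oid: (name, family)} for every <nvt> in a get_nvts_response."""
    root = parse_gmp_response(xml_text)
    summary = {}
    for nvt in root.iter("nvt"):
        name = nvt.findtext("name", default="")
        family = nvt.findtext("family", default="")
        summary[nvt.get("oid")] = (name, family)
    return summary
```

The same check can be dropped into exec_cmd before xmltodict.parse, so a failed GMP call raises instead of returning an error document to the view.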

0X05 Target ranges

metasploitable2: a target range built on Ubuntu; download the vmdk file and import it into VMware to run it.

metasploitable3: a target range built on Windows 2008:

https://github.com/rapid7/metasploitable3
https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities

0X06 Compiling and installing the OpenVAS modules

openvas-scanner: the scanner

gvmd: openvas-manager

gsa: the OpenVAS web management interface

gvm-tools: OpenVAS management tools

gvm-libs: the OpenVAS dependency libraries

python-gvm: Python API

Note: the master branch on GitHub is not the stable version; see https://community.greenbone.net/t/gvm-10-stable-initial-release-2019-04-05/208

CentOS 7 installation
1. Import the EPEL repo
2. Switch to a domestic (China) base mirror
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
    wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
    yum clean all
    yum makecache
3. yum install cmake3 gcc
4. Install gvm-libs:
    1) Upgrade zlib
        wget https://www.zlib.net/zlib-1.2.11.tar.gz
        tar -zxvf zlib-1.2.11.tar.gz
        cd zlib-1.2.11
        ./configure --libdir=/lib64/ --prefix=/usr/local/zlib
        make && make install
        rpm -qa | grep zlib  # find the old package
        rpm -e --nodeps pack_name  # remove the old version (pack_name is the package found above)
        rm -f /lib64/libz.so.1.2.7  # remove the original library symlink
        ldconfig  # refresh the library cache
        ll /lib64/libz.*  # check the link result
    yum install libgnomeui-devel
    yum install gnutls

This ended in failure. The default target is Debian 9; installing on CentOS 7 runs into far too many incompatible packages that have to be installed by hand, and the dependency chains are too complex.

Ubuntu 18.04 installation
https://sadsloth.net/post/install-gvm10beta2/

chgrp <group> <file> -R
chown <user> <file> -R
-R means recurse through all files under the directory

1. Switch to a domestic Ubuntu mirror, then run apt update

Ubuntu lacks mysql_config, which makes pip install mysqlclient fail:
apt-get install libmysqlclient-dev

~~~
# Install all dependencies:
apt install -y cmake pkg-config libglib2.0-dev libgpgme11-dev uuid-dev libssh-gcrypt-dev libhiredis-dev \
gcc libgnutls28-dev libpcap-dev libgpgme-dev bison libksba-dev libsnmp-dev libgcrypt20-dev redis-server \
libsqlite3-dev libical-dev gnutls-bin doxygen nmap libmicrohttpd-dev libxml2-dev apt-transport-https curl \
xmltoman xsltproc gcc-mingw-w64 perl-base heimdal-dev libpopt-dev graphviz nodejs rpm nsis wget sshpass socat snmp
~~~

2. Download the source files
cd /usr/local/src
sudo mkdir openvas
sudo chown $USER:$USER openvas
cd openvas
wget -O gvm-libs-1.0-beta2.tar.gz https://github.com/greenbone/gvm-libs/archive/v1.0+beta2.tar.gz ;\
wget -O openvas-scanner-6.0-beta2.tar.gz https://github.com/greenbone/openvas-scanner/archive/v6.0+beta2.tar.gz ;\
wget -O gvmd-8.0-beta2.tar.gz https://github.com/greenbone/gvmd/archive/v8.0+beta2.tar.gz ;\
wget -O gsa-8.0-beta2.tar.gz https://github.com/greenbone/gsa/archive/v8.0+beta2.tar.gz ;\
wget -O ospd-1.3.2.tar.gz https://github.com/greenbone/ospd/archive/v1.3.2.tar.gz ;\
wget -O openvas-smb-1.0.4.tar.gz https://github.com/greenbone/openvas-smb/archive/v1.0.4.tar.gz
sudo su

3. Install gvm-libs
    1) apt-get install cmake pkg-config libglib2.0-dev libgpgme11-dev \
libgnutls28-dev uuid-dev libssh-gcrypt-dev libhiredis-dev
    2) cd gvm-libs
    3) mkdir build && cd build
    4) cmake ..
    5) make
    6) make install
#  usermod -a -G root zcs  adds an ordinary user to the root group

4. Install openvas-scanner
    1) apt-get install gcc pkg-config libssh-gcrypt-dev libgnutls28-dev libglib2.0-dev \
libpcap-dev libgpgme-dev bison libksba-dev libsnmp-dev libgcrypt20-dev nmap
    2) apt-get install redis  # upstream ships example config files for redis 3.2 and 4.0
    3) Redis:
    cd /etc/redis/
    cp /usr/local/src/openvas/openvas-scanner-6.0.0/doc/redis_config_examples/redis_4_0.conf.in ./
    mv redis.conf redis.conf.bak
    mv redis_4_0.conf.in redis.conf
    sed -i 's|/usr/local/var/run/openvas-redis.pid|/var/run/redis/redis-server.pid|g'     /etc/redis/redis.conf ;\
    sed -i 's|/tmp/redis.sock|/var/run/redis/redis-server.sock|g' /etc/redis/redis.conf ;\
    sed -i 's|dir ./|dir /var/lib/redis|g' /etc/redis/redis.conf
    sysctl -w net.core.somaxconn=1024
    sysctl vm.overcommit_memory=1
    echo "net.core.somaxconn=1024"  >> /etc/sysctl.conf
    echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
    systemctl daemon-reload
    systemctl restart redis
    greenbone-nvt-sync
    # Write the openvassd config file (the socket path must match unixsocket in redis.conf)
    echo "db_address = /var/run/redis/redis-server.sock" > /usr/local/etc/openvas/openvassd.conf
    ldconfig  # refresh the dynamic linker cache
    openvassd

    4) systemctl:
    vim /lib/systemd/system/redis-server.service
    5) cd openvas_scanner
    6) mkdir build && cd build
    7) cmake ..
    8) make
    9) make install
    10) greenbone-nvt-sync  # download the initial NVTs
    11) ldconfig
    12) openvassd
The default install prefix is /usr/local/; the config file is /usr/local/etc/openvas/openvassd.conf

Wait until "openvassd: Reloaded is done" appears and the log switches to "Waiting for incoming...".
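As an added check (not part of this page or of Greenbone's tooling): after the sed edits in step 3), the scanner only reaches Redis if db_address in openvassd.conf equals unixsocket in redis.conf, and the socket should stay owner-only (unixsocketperm 700, as set in 0X01). This Python function compares the two files; the file contents here are constructed samples.

```python
# Constructed stand-ins for /etc/redis/redis.conf and
# /usr/local/etc/openvas/openvassd.conf after the edits above.
REDIS_CONF = """\
# redis.conf derived from redis_4_0.conf.in
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 700
dir /var/lib/redis
"""
OPENVASSD_CONF = "db_address = /var/run/redis/redis-server.sock\n"


def parse_kv(text, sep=None):
    """Return {key: value} from non-comment lines.

    sep=None splits on the first space (redis.conf style);
    sep='=' handles 'key = value' lines (openvassd.conf style).
    """
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(sep if sep else " ")
        out[key.strip()] = value.strip()
    return out


def check_redis_wiring(redis_conf, openvassd_conf):
    """Return a list of problems; an empty list means scanner and Redis agree."""
    redis = parse_kv(redis_conf)
    ovs = parse_kv(openvassd_conf, sep="=")
    problems = []
    sock = redis.get("unixsocket")
    if not sock:
        problems.append("redis.conf: no unixsocket directive")
    if ovs.get("db_address") != sock:
        problems.append(f"db_address {ovs.get('db_address')!r} != unixsocket {sock!r}")
    perm = redis.get("unixsocketperm", "")
    # Any group/other bit lets other local users read and write the scanner's KB.
    try:
        wide = int(perm, 8) & 0o077
    except ValueError:
        wide = -1  # missing or unparsable value counts as a problem
    if wide:
        problems.append(f"unixsocketperm {perm!r} is not owner-only (700)")
    return problems
```

Point it at the real files with open(...).read() once the services are installed; a non-empty list explains an openvassd that starts but never leaves "Reloaded is done".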

5. Install openvas-manager
    Prerequisites:
        apt-get install sqlite3
        apt-get install libsqlite3-dev
        apt-get install libical-dev gnutls-bin
    tar -zxvf openvas-manager-v8.0.0.tar.gz
    cd gvmd-8.0.0
    mkdir build
    cd build
    cmake ..
    make
    make install

All TCP-based communication with the Greenbone Vulnerability Manager uses TLS to establish secure connections and to perform authentication and authorization. This requires a certificate infrastructure consisting of a certificate authority (CA) and CA-signed server and client certificates.
When connecting to a scanner over the OSP protocol, the Greenbone Vulnerability Manager uses a client certificate.
    gvm-manage-certs -a
    gvmd --create-user=myuser
    gvmd  # run the manager; the first run initializes the sqlite3 database

If PDF reports are needed:
    apt-get install texlive-latex-extra --no-install-recommends
    apt-get install texlive-fonts-recommended


6. Install gsa
    apt-get install libmicrohttpd-dev libxml2-dev
    apt-get install nodejs
    curl --silent --show-error https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
    echo  "deb https://dl.yarnpkg.com/debian/ stable main"  | sudo tee /etc/apt/sources.list.d/yarn.list
    apt-get update
    apt-get install yarn
    apt-get install libpopt-dev
    mkdir build
    cd build
    cmake ..
    make
    make install

0X07 Field explanations

1. QoD

2. Severity ranges

The classification scheme in use can be set in the GSA GUI. The default is:

7.0 - 10.0: High
4.0 - 6.9: Medium
0.0 - 3.9: Low

https://serverfault.com/questions/910380/critical-vulnerability-rating-on-openvas-9

0X08 Manually updating the rules

1. Download the NVT feed archive (tar.bz2):

http://dl.greenbone.net/community-nvt-feed-current.tar.bz2

Extract: tar -jxvf ./community-nvt-feed-current.tar.bz2 -C ./nvts/

Overwrite the original directory: cp -r /home/nvts/. /usr/local/var/lib/openvas/plugins/

0X09 Dockerfile

Not a complete version; only part of the work has been done

FROM ubuntu:18.04

ARG ROOT_PATH=/usr/local/src
COPY openvas-manager-8.0.0.tar.gz \
     openvas-scanner-6.0.0.tar.gz \
     gvm-libs-10.0.0.tar.gz \
     gsa-8.0-beta2.tar.gz \
     community-nvt-feed-current.tar.bz2 \
     start.sh \
     sources.list.bak ${ROOT_PATH}/
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update \
 && apt-get -y install --reinstall ca-certificates \
 && rm -f /etc/apt/sources.list \
 && cp ${ROOT_PATH}/sources.list.bak /etc/apt/sources.list \
 && apt-get update \
 && cd ${ROOT_PATH} \
 && mkdir openvas \
 && cd openvas \
 && tar -zxvf ../gvm-libs-10.0.0.tar.gz \
 && tar -zxvf ../openvas-manager-8.0.0.tar.gz \
 && tar -zxvf ../openvas-scanner-6.0.0.tar.gz \
 && tar -zxvf ../gsa-8.0-beta2.tar.gz \
 && apt-get -y install cmake pkg-config libglib2.0-dev libgpgme11-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libhiredis-dev \
 && cd gvm-libs-10.0.0 \
 && mkdir build \
 && cd build \
 && cmake .. \
 && make \
 && make install

RUN apt-get -y install gcc pkg-config libssh-gcrypt-dev libgnutls28-dev libglib2.0-dev \
    libpcap-dev libgpgme-dev bison libksba-dev libsnmp-dev libgcrypt20-dev nmap redis rsync tar \
 && cd /etc/redis/ \
 && mkdir /var/run/redis \
 && cp ${ROOT_PATH}/openvas/openvas-scanner-6.0.0/doc/redis_config_examples/redis_4_0.conf.in ./ \
 && rm -f redis.conf \
 && mv redis_4_0.conf.in redis.conf \
 && sed -i 's|/tmp/redis.sock|/var/run/redis/redis-server.sock|g' /etc/redis/redis.conf \
 && sed -i 's|/usr/local/var/run/openvas-redis.pid|/var/run/redis/redis-server.pid|g' /etc/redis/redis.conf \
 && sed -i 's|dir ./|dir /var/lib/redis|g' /etc/redis/redis.conf \
 && cd ${ROOT_PATH}/openvas/openvas-scanner-6.0.0/ \
 && mkdir build \
 && cd build \
 && cmake .. \
 && make \
 && make install \
 && cd ${ROOT_PATH} \
 && tar -jxvf community-nvt-feed-current.tar.bz2 -C /usr/local/var/lib/openvas/plugins/ \
 && echo > /usr/local/etc/openvas/openvassd.conf \
 && echo db_address = /var/run/redis/redis-server.sock >> /usr/local/etc/openvas/openvassd.conf \
 && ldconfig
# && apt-get -y install sqlite3 libsqlite3-dev libical-dev gnutls-bin texlive-latex-extra texlive-fonts-recommended \
#    libmicrohttpd-dev libxml2-dev nodejs
# Problem hit while installing the manager: installing libical-dev prompts for a region to configure the timezone;
# debconf can be used to preset the default values and get a silent install
CMD [ "bash", "/usr/local/src/start.sh"]