OpenVAS installation, usage and secondary development

Preface: this article records my experience installing, using and building on top of OpenVAS; it contains a lot of material I collected and a lot of effort. If it helps you, please give it a like. Please credit the original link when reposting.

0X01 Installing OpenVAS

Installing openvas on CentOS: https://forums.atomicorp.com/viewtopic.php?f=31&t=8047

vim /etc/selinux/config

# Change the parameter:
SELINUX=disabled

# Update:
yum -y update

# Reboot:
reboot

# Install dependencies:
yum install -y wget bzip2 texlive net-tools alien gnutls-utils

# Add the repository:
wget -q -O - https://www.atomicorp.com/installers/atomic | sh

# Install:
yum install openvas -y

# Edit the file:
vim /etc/redis.conf
# Change the configuration:
unixsocket /tmp/redis.sock
unixsocketperm 700

# Restart redis:
systemctl enable redis && systemctl restart redis

# Run the initial openvas environment setup:
openvas-setup

# Open the port in the firewall:
firewall-cmd --permanent --add-port=9392/tcp
firewall-cmd --reload
firewall-cmd --list-ports

# Open the login page:
https://<host IP>:9392

# Verify that the installation is complete and runs correctly:
openvas-check-setup --v9

# Some users report failures at this point; a temporary workaround (I did not hit this myself):
# yum -y install texlive-changepage texlive-titlesec
# mkdir -p /usr/share/texlive/texmf-local/tex/latex/comment
# cd /usr/share/texlive/texmf-local/tex/latex/comment
# wget http://mirrors.ctan.org/macros/latex/contrib/comment/comment.sty
# chmod 644 comment.sty
# texhash

After installation there are three main services: gsad.service, gvmd.service and openvas-scanner.service.

You can check the status of the three services with systemctl.

gvmd is the OpenVAS manager, gsad provides the web interface, and the scanner is the scan engine, which receives commands and executes scan tasks.

Architecture diagram:

openvas-manager --> called openvasmd in older versions --> renamed gvmd in newer versions

Updating the feed is a command belonging to the OpenVAS-Scanner module:

greenbone-nvt-sync

Command for testing a single NASL script on its own: https://community.greenbone.net/t/understanding-testing-of-nasl-scripts/393

openvas-nasl -X -B -d -i /var/lib/openvas/plugins -t <target> nginx_detect.nasl

0X02 OpenVAS in Docker

A Docker container for OpenVAS: https://github.com/mikesplain/openvas-docker. This image does not use the latest OpenVAS: its openvas-manager accepts commands over a TCP connection, whereas newer versions use a Unix socket.

0X03 Related documentation

Community:

https://community.greenbone.net/

GVM-PYSHELL:

https://docs.greenbone.net/GSM-Manual/gos-4/en/omp.html#gvm-pyshell

PROTOCOL:

https://python-gvm.readthedocs.io/en/latest/api/protocols.html#module-gvm.protocols.gmpv7

Details: https://docs.greenbone.net/API/GMP/gmp-7.0.html#type_status

INSTALL:

https://python-gvm.readthedocs.io/en/latest/install.html#using-pip

API:

https://python-gvm.readthedocs.io/en/latest/usage.html

Scanning Windows target systems:

https://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#requirements-on-target-systems-with-windows

About filters:

https://docs.greenbone.net/GSM-Manual/gos-4/en/gui_introduction.html

About scan speed:

https://docs.greenbone.net/GSM-Manual/gos-4/en/performance.html#scan-performance


https://github.com/greenbone/gvm-tools

GVM Interactive Console. Type "help" to get information about functionality.
>>> nvts = gmp.get_nvts()
>>> nvts
<Element get_nvts_response at 0x7f918466bec8>
>>> resp_str = etree.tostring(nvts)
>>> len(resp_str)
6830849
>>> print(resp_str[:100])
b'<get_nvts_response status="200" status_text="OK"><nvt oid="1.3.6.1.4.1.25623.1.0.103307"><name>1024 '
>>> print(resp_str[6830800:])
b't>0</count></user_tags></nvt></get_nvts_response>'

0X04 Pitfalls

1. The python-gvm installed via pip has a bug: get_nvts calls the get_notes method. So install from the GitHub source instead:

https://github.com/greenbone/python-gvm

2. TLSConnection from python-gvm can be used to talk to openvas-manager, which usually listens on port 9390.


openvas_docker:

mikesplain/openvas          latest              889967897c49        6 weeks ago         6.39GB

version: '3'

services:

  openvas:
    image: 889967897c49
    container_name: zcs_openvas
    ports:
      - "442:443"
    volumes:
      - /home/docker_openvas/run/:/var/run/
    network_mode: 'bridge'

Path where the NASL scripts are stored: /usr/local/var/lib/openvas/plugins

Issues with using python-gvm:

Usage:

import json
import sys

import xmltodict
from gvm.connections import DebugConnection, UnixSocketConnection
from gvm.errors import GvmError
from gvm.protocols.latest import Gmp

# `config` is assumed to be loaded elsewhere (e.g. a configparser object with an
# [OPENVAS] section holding SOCK_PATH, USER and PASSWD).


class OpenVasHelper:
    """
    op = OpenVasHelper()
    result1 = op.exec_cmd('get_nvt', {'nvt_oid': '1.3.6.1.4.1.25623.1.0.10961'})
    result2 = op.exec_cmd('get_version')
    result3 = op.exec_cmd('get_nvts')
    print(result1)
    """

    def __init__(self):
        # One connection object shared by every call made through this instance
        self.conn = DebugConnection(UnixSocketConnection(path=config['OPENVAS']['SOCK_PATH']))
        self.username = config['OPENVAS']['USER']
        self.password = config['OPENVAS']['PASSWD']

    def exec_cmd(self, command, params=None):
        gmp = Gmp(connection=self.conn)
        try:
            with gmp:  # connects on enter, disconnects on exit
                gmp.authenticate(self.username, self.password)
                # Look up the Gmp method by name and call it with the given keyword arguments
                method = getattr(gmp, command)
                response = method(**params) if params else method()
                # Convert the GMP XML response into plain dicts and lists
                result = json.loads(json.dumps(xmltodict.parse(response)))
                # result = xmltodict.parse(response)
                return result
        except GvmError as e:
            print('An error occurred', e, file=sys.stderr)
            return 1

When instantiating it I created a single instance at the top level of views.py, so every view used that same instance and all commands had to queue up for the one OpenVAS socket; if the previous command had not yet returned successfully and the next one arrived right behind it, the returned data came back corrupted. So I moved the connection setup into the function and create a separate socket connection per call.

import sys

import xmltodict
from gvm.connections import DebugConnection, UnixSocketConnection
from gvm.protocols.latest import Gmp
from rest_framework.exceptions import APIException  # assumed: the views are Django REST framework views

# `config` is assumed to be loaded elsewhere (e.g. a configparser object with an [OPENVAS] section).


class OpenVasHelper:
    """
    op = OpenVasHelper()
    result1 = op.exec_cmd('get_nvt', {'nvt_oid': '1.3.6.1.4.1.25623.1.0.10961'})
    result2 = op.exec_cmd('get_version')
    result3 = op.exec_cmd('get_nvts')
    print(result1)
    """

    def exec_cmd(self, command, params=None):
        # A fresh socket connection per call, so concurrent views never share one socket
        conn = DebugConnection(UnixSocketConnection(path=config['OPENVAS']['SOCK_PATH']))
        username = config['OPENVAS']['USER']
        password = config['OPENVAS']['PASSWD']
        gmp = Gmp(connection=conn)
        try:
            with gmp:  # connects on enter, disconnects on exit
                gmp.authenticate(username, password)
                # Look up the Gmp method by name and call it with the given keyword arguments
                method = getattr(gmp, command)
                response = method(**params) if params else method()
                # logging.debug(response)
                # result = json.loads(json.dumps(xmltodict.parse(response, encoding='utf-8')))
                result = xmltodict.parse(response)
                return result
        except Exception as e:
            print('An error occurred', e, file=sys.stderr)
            raise APIException(str(e)) from e
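One check I would add in front of the getattr lookup in exec_cmd above, as an added example rather than the post's code: getattr(gmp, command) resolves any attribute of the Gmp object, so if command ever comes from request data instead of the literals in the docstring, it should be restricted to an allow-list first. DemoGmp is a constructed stand-in for python-gvm's Gmp so the block runs offline, and the set of allowed commands is an assumption for this example.

```python
from typing import Any, Mapping, Optional

# Allow-list of the GMP read commands this helper is meant to expose. The names are
# python-gvm Gmp method names; which ones belong here is an assumption for this example.
ALLOWED_COMMANDS = frozenset({"get_version", "get_nvt", "get_nvts", "get_tasks", "get_results"})


class CommandNotAllowed(Exception):
    """Raised when a caller asks for a name outside ALLOWED_COMMANDS."""


def is_allowed(command: str) -> bool:
    """True only for an exact, allow-listed GMP command name."""
    return command in ALLOWED_COMMANDS


def dispatch(gmp: Any, command: str, params: Optional[Mapping[str, Any]] = None) -> Any:
    """Call the allow-listed Gmp method `command` with keyword arguments `params`."""
    if not is_allowed(command):
        # Refused before getattr runs, so authenticate, disconnect, _connection,
        # dunder attributes and the like are never reachable through this path
        raise CommandNotAllowed(command)
    method = getattr(gmp, command)
    return method(**dict(params or {}))


class DemoGmp:
    """Constructed stand-in for python-gvm's Gmp so the dispatcher can run offline."""

    def get_version(self):
        return '<get_version_response status="200" status_text="OK"><version>7.0</version></get_version_response>'

    def get_nvt(self, nvt_oid):
        return f'<get_nvts_response status="200" status_text="OK"><nvt oid="{nvt_oid}"/></get_nvts_response>'

    def disconnect(self):
        raise AssertionError("not a GMP command; must never be reachable via dispatch()")
```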

0X05 Target ranges

metasploitable2 is a target range built on Ubuntu; just download the vmdk file and import it into VMware to run it.

metasploitable3 is a target range built on Windows 2008:

https://github.com/rapid7/metasploitable3
https://github.com/rapid7/metasploitable3/wiki/Vulnerabilities

0X06 Building and installing the OpenVAS modules from source

openvas-scanner: the scanner

gvmd: openvas-manager

gsa: the OpenVAS web management interface

gvm-tools: OpenVAS management tools

gvm-libs: the OpenVAS dependency libraries

python-gvm: Python API

Note: the master branch on GitHub is not the stable release; see https://community.greenbone.net/t/gvm-10-stable-initial-release-2019-04-05/208

CentOS 7 installation
1. Import the epel repo
2. Switch to a domestic (China) base mirror
    mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
    mv /etc/yum.repos.d/epel.repo /etc/yum.repos.d/epel.repo.backup
    wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    wget -O /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
    yum clean all
    yum makecache
3. yum install cmake3 gcc
4. Install gvm-libs:
    1) Upgrade zlib
        wget https://www.zlib.net/zlib-1.2.11.tar.gz
        tar -zxvf zlib-1.2.11.tar.gz
        cd zlib-1.2.11
        ./configure --libdir=/lib64/ --prefix=/usr/local/zlib
        make && make install
        rpm -qa | grep zlib  # find the old version's package
        rpm -e --nodeps pack_name  # remove the old version
        rm -f /lib64/libz.so.1.2.7  # remove the original library link
        ldconfig  # refresh the library cache
        ll /lib64/libz.*  # check the resulting links
    yum install libgnomeui-devel
    yum install gnutls

This ended in failure: the default target is Debian 9, and on CentOS 7 too many packages are incompatible and have to be installed by hand; the dependency relationships are far too complex.

Ubuntu 18.04 installation
https://sadsloth.net/post/install-gvm10beta2/

chgrp <group> <file> -R
chown <user> <file> -R
-R means recurse into all files under the directory

1. Switch to a domestic Ubuntu mirror, then apt update

Ubuntu lacks mysql_config, which makes pip's installation of mysqlclient fail:
apt-get install libmysqlclient-dev

~~~
# Install all dependency libraries:
apt install -y cmake pkg-config libglib2.0-dev libgpgme11-dev uuid-dev libssh-gcrypt-dev libhiredis-dev \
gcc libgnutls28-dev libpcap-dev libgpgme-dev bison libksba-dev libsnmp-dev libgcrypt20-dev redis-server \
libsqlite3-dev libical-dev gnutls-bin doxygen nmap libmicrohttpd-dev libxml2-dev apt-transport-https curl \
xmltoman xsltproc gcc-mingw-w64 perl-base heimdal-dev libpopt-dev graphviz nodejs rpm nsis wget sshpass socat snmp
~~~

2. Download the source files
cd /usr/local/src
sudo mkdir openvas
sudo chown $USER:$USER openvas
cd openvas
wget -O gvm-libs-1.0-beta2.tar.gz https://github.com/greenbone/gvm-libs/archive/v1.0+beta2.tar.gz ;\
wget -O openvas-scanner-6.0-beta2.tar.gz https://github.com/greenbone/openvas-scanner/archive/v6.0+beta2.tar.gz ;\
wget -O gvmd-8.0-beta2.tar.gz https://github.com/greenbone/gvmd/archive/v8.0+beta2.tar.gz ;\
wget -O gsa-8.0-beta2.tar.gz https://github.com/greenbone/gsa/archive/v8.0+beta2.tar.gz ;\
wget -O ospd-1.3.2.tar.gz https://github.com/greenbone/ospd/archive/v1.3.2.tar.gz ;\
wget -O openvas-smb-1.0.4.tar.gz https://github.com/greenbone/openvas-smb/archive/v1.0.4.tar.gz 
sudo su

3. Install gvm-libs
    1) apt-get install cmake pkg-config libglib2.0-dev libgpgme11-dev \
libgnutls28-dev uuid-dev libssh-gcrypt-dev libhiredis-dev
    2) cd gvm-libs
    3) mkdir build && cd build
    4) cmake ..
    5) make
    6) make install
#  usermod -a -G root zcs  # add the regular user to the root group

4. Install openvas-scanner
    1) apt-get install gcc pkg-config libssh-gcrypt-dev libgnutls28-dev libglib2.0-dev \
libpcap-dev libgpgme-dev bison libksba-dev libsnmp-dev libgcrypt20-dev nmap
    2) apt-get install redis  # upstream ships example config files for redis 3.2 and 4.0
    3) Redis:
    cd /etc/redis/
    cp /usr/local/src/openvas/openvas-scanner-6.0.0/doc/redis_config_examples/redis_4_0.conf.in ./
    mv redis.conf redis.conf.bak
    mv redis_4_0.conf.in redis.conf
    sed -i 's|/usr/local/var/run/openvas-redis.pid|/var/run/redis/redis-server.pid|g' /etc/redis/redis.conf ;\
    sed -i 's|/tmp/redis.sock|/var/run/redis/redis-server.sock|g' /etc/redis/redis.conf ;\
    sed -i 's|dir ./|dir /var/lib/redis|g' /etc/redis/redis.conf
    sysctl -w net.core.somaxconn=1024
    sysctl -w vm.overcommit_memory=1
    echo "net.core.somaxconn=1024" >> /etc/sysctl.conf
    echo "vm.overcommit_memory=1" >> /etc/sysctl.conf
    systemctl daemon-reload
    systemctl restart redis
    greenbone-nvt-sync
    # Write the openvassd config file, pointing the scanner at the redis socket
    echo "db_address = /var/run/redis/redis-server.sock" > /usr/local/etc/openvas/openvassd.conf
    ldconfig  # refresh the dynamic linker cache
    openvassd

    4) systemctl:
    vim /lib/systemd/system/redis-server.service
    5) cd openvas_scanner
    6) mkdir build && cd build
    7) cmake ..
    8) make
    9) make install
    10) greenbone-nvt-sync  # download the initial NVTs
    11) ldconfig
    12) openvassd
The default install prefix is /usr/local/; config file: /usr/local/etc/openvas/openvassd.conf

Wait until “openvassd: Reloaded is done” and it switches to “Waiting for incoming…”.

5. Install openvas-manager
    Prerequisites:
        apt-get install sqlite3
        apt-get install libsqlite3-dev
        apt-get install libical-dev gnutls-bin
    tar -zxvf openvas-manager-v8.0.0.tar.gz
    cd gvmd-8.0.0
    mkdir build
    cd build
    cmake ..
    make
    make install

All TCP-based communication with the Greenbone Vulnerability Manager uses TLS to establish secure connections and to perform authentication and authorization. This requires a certificate infrastructure consisting of a certificate authority (CA) and CA-signed server and client certificates.
When connecting to a scanner over the OSP protocol, the Greenbone Vulnerability Manager uses a client certificate.
    gvm-manage-certs -a
    gvmd --create-user=myuser
    gvmd  # run the manager; the first run initializes the sqlite3 database

If you need to generate PDF reports:
    apt-get install texlive-latex-extra --no-install-recommends
    apt-get install texlive-fonts-recommended


6. Install gsa
    apt-get install libmicrohttpd-dev libxml2-dev
    apt-get install nodejs
    curl --silent --show-error https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
    echo "deb https://dl.yarnpkg.com/debian/ stable main" | sudo tee /etc/apt/sources.list.d/yarn.list
    apt-get update
    apt-get install yarn
    apt-get install libpopt-dev
    mkdir build
    cd build
    cmake ..
    make
    make install

0X07 Field explanations

1. QoD

2. Severity range classification

The classification scheme in use can be set in the GSA GUI. The default is:

7.0 - 10.0: High
4.0 - 6.9: Medium
0.0 - 3.9: Low

https://serverfault.com/questions/910380/critical-vulnerability-rating-on-openvas-9
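This added example (not code from the post or from python-gvm) handles a get_nvts_response the way the OpenVasHelper in 0X04 receives it, but checks the GMP status attribute before using the payload, and classifies each NVT's cvss_base with the default severity ranges listed above. The sample responses are constructed, shaped like the gvm-pyshell output earlier on the page; it assumes each NVT element carries a cvss_base child as in GMP 7, left empty for detection-only NVTs.

```python
import xml.etree.ElementTree as ET


class GmpResponseError(Exception):
    """Raised when gvmd answers with a non-200 GMP status or an unexpected element."""


def parse_gmp_response(xml_bytes):
    """Parse one GMP response; refuse the payload unless its status attribute is 200."""
    root = ET.fromstring(xml_bytes)
    status = root.get("status")
    if status != "200":
        raise GmpResponseError(f"{root.tag}: status={status} {root.get('status_text', '')}")
    return root


def severity_class(cvss_base):
    """Default GSA severity classes: 7.0-10.0 High, 4.0-6.9 Medium, 0.0-3.9 Low."""
    score = float(cvss_base)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base!r}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def summarize_nvts(xml_bytes):
    """One dict per <nvt> of a get_nvts_response; detection-only NVTs carry no score."""
    root = parse_gmp_response(xml_bytes)
    if root.tag != "get_nvts_response":
        raise GmpResponseError(f"expected get_nvts_response, got {root.tag}")
    summary = []
    for nvt in root.findall("nvt"):
        cvss = (nvt.findtext("cvss_base") or "").strip()  # "" for detection-only NVTs
        summary.append({"oid": nvt.get("oid"), "name": nvt.findtext("name", ""),
                        "cvss_base": cvss or None,
                        "severity": severity_class(cvss) if cvss else None})
    return summary


# Constructed sample responses shaped like the gvm-pyshell output earlier on the page
# (the first two OIDs appear on the page; names, scores and the third OID are made up).
SAMPLE_OK = (
    b'<get_nvts_response status="200" status_text="OK">'
    b'<nvt oid="1.3.6.1.4.1.25623.1.0.103307"><name>Constructed product detection</name><cvss_base/></nvt>'
    b'<nvt oid="1.3.6.1.4.1.25623.1.0.10961"><name>Constructed RCE check</name><cvss_base>9.3</cvss_base></nvt>'
    b'<nvt oid="1.3.6.1.4.1.25623.1.0.999999"><name>Constructed info leak</name><cvss_base>5.0</cvss_base></nvt>'
    b'</get_nvts_response>'
)
SAMPLE_DENIED = b'<get_nvts_response status="400" status_text="Constructed: permission denied"/>'
```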

0X08 Updating the rules manually

1. Download the NVT file (tar.bz2):

http://dl.greenbone.net/community-nvt-feed-current.tar.bz2

Extract: mkdir -p ./nvts && tar -jxvf ./community-nvt-feed-current.tar.bz2 -C ./nvts/

Overwrite the original directory: cp -r /home/nvts/. /usr/local/var/lib/openvas/plugins/

0X09 Dockerfile

Not a complete version; only part of the work is done.

FROM ubuntu:18.04

ARG ROOT_PATH=/usr/local/src
COPY openvas-manager-8.0.0.tar.gz \
     openvas-scanner-6.0.0.tar.gz \
     gvm-libs-10.0.0.tar.gz \
     gsa-8.0-beta2.tar.gz \
     community-nvt-feed-current.tar.bz2 \
     start.sh \
     sources.list.bak ${ROOT_PATH}/
ENV DEBIAN_FRONTEND noninteractive

RUN apt-get update \
 && apt-get -y install --reinstall ca-certificates \
 && rm -f /etc/apt/sources.list \
 && cp ${ROOT_PATH}/sources.list.bak /etc/apt/sources.list \
 && apt-get update \
 && cd ${ROOT_PATH} \
 && mkdir openvas \
 && cd openvas \
 && tar -zxvf ../gvm-libs-10.0.0.tar.gz \
 && tar -zxvf ../openvas-manager-8.0.0.tar.gz \
 && tar -zxvf ../openvas-scanner-6.0.0.tar.gz \
 && tar -zxvf ../gsa-8.0-beta2.tar.gz \
 && apt-get -y install cmake pkg-config libglib2.0-dev libgpgme11-dev libgnutls28-dev uuid-dev libssh-gcrypt-dev libhiredis-dev \
 && cd gvm-libs-10.0.0 \
 && mkdir build \
 && cd build \
 && cmake .. \
 && make \
 && make install

RUN apt-get -y install gcc pkg-config libssh-gcrypt-dev libgnutls28-dev libglib2.0-dev \
    libpcap-dev libgpgme-dev bison libksba-dev libsnmp-dev libgcrypt20-dev nmap redis rsync tar \
 && cd /etc/redis/ \
 && mkdir /var/run/redis \
 && cp ${ROOT_PATH}/openvas/openvas-scanner-6.0.0/doc/redis_config_examples/redis_4_0.conf.in ./ \
 && rm -f redis.conf \
 && mv redis_4_0.conf.in redis.conf \
 && sed -i 's|/tmp/redis.sock|/var/run/redis/redis-server.sock|g' /etc/redis/redis.conf \
 && sed -i 's|/usr/local/var/run/openvas-redis.pid|/var/run/redis/redis-server.pid|g' /etc/redis/redis.conf \
 && sed -i 's|dir ./|dir /var/lib/redis|g' /etc/redis/redis.conf \
 && cd ${ROOT_PATH}/openvas/openvas-scanner-6.0.0/ \
 && mkdir build \
 && cd build \
 && cmake .. \
 && make \
 && make install \
 && cd ${ROOT_PATH} \
 && tar -jxvf community-nvt-feed-current.tar.bz2 -C /usr/local/var/lib/openvas/plugins/ \
 && echo > /usr/local/etc/openvas/openvassd.conf \
 && echo db_address = /var/run/redis/redis-server.sock >> /usr/local/etc/openvas/openvassd.conf \
 && ldconfig
# && apt-get -y install sqlite3 libsqlite3-dev libical-dev gnutls-bin texlive-latex-extra texlive-fonts-recommended \
#    libmicrohttpd-dev libxml2-dev nodejs
# Problem hit when installing the manager: installing libical-dev requires manually choosing a region to
# configure the timezone; debconf can be used to preset the default and get a silent install.
CMD [ "bash", "/usr/local/src/start.sh"]
