Thursday, 27 November 2014

OpenVAS Installation (Debian 7 / LinuxMint 17)

(UPDATE 2016-01-20: you can find an updated version of this post for OpenVAS 8 here)

At last, a useful post on this blog ;)

For some time now, I have been using OpenVAS to check my clients' networks and infrastructure. OpenVAS is a libre fork of Nessus, a well-known vulnerability scanner. Like most powerful products, it can be a nightmare to install and configure properly. Many resources about this are available on the Internet, but none of them fully worked for my usage. So here is my OpenVAS install procedure. I hope it will be useful to others.

This procedure worked on Debian 7 and Linux Mint 17 (it should work on other distributions and versions of your favorite OS), with the following versions of the OpenVAS components, built from source code:

  1. openvas-libraries-7.0.6
  2. openvas-scanner-4.0.5
  3. openvas-manager-5.0.6
  4. greenbone-security-assistant-5.0.4
  5. openvas-cli-1.3.1
  6. And add some optional but useful stuff
  7. Enjoy!

1 - Build & Install OpenVAS Libraries

sudo apt-get install pkg-config libssh-dev libgnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libksba-dev

sudo apt-get install doxygen
sudo apt-get install xmltoman
sudo apt-get install sqlfairy
sudo apt-get install cmake
sudo apt-get install flex

tar xzf openvas-libraries-7.0.6.tar.gz
cd openvas-libraries-7.0.6

mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache

sudo ldconfig


2 - Build & Install OpenVAS Scanner

tar xzf openvas-scanner-4.0.5.tar.gz
cd openvas-scanner-4.0.5

mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache

sudo openvas-mkcert
sudo openvas-nvt-sync

# launch the scanner:
sudo openvassd


3 - Build & Install OpenVAS Manager

sudo apt-get install sqlite3 libsqlite3-dev xsltproc libgd-perl

tar xzf openvas-manager-5.0.6.tar.gz
cd openvas-manager-5.0.6

mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache

# Generate key/cert
sudo openvas-mkcert-client
# After you have answered the questions, the key and certificate are created in a directory under /tmp/, for instance: /tmp/openvas-mkcert-client.19926. cd into this directory and copy them (the target directories were created by "sudo make install", hence sudo):
sudo cp key_om.pem /usr/local/var/lib/openvas/private/CA/clientkey.pem
sudo cp cert_om.pem /usr/local/var/lib/openvas/CA/clientcert.pem

sudo openvas-scapdata-sync
sudo openvas-certdata-sync
sudo openvasmd --rebuild

# Create an administrator user for OpenVAS
sudo openvasmd --create-user=<yourlogin>
# A message like this should be shown: User created with password 'XXXX'.
# Store this passwd in a safe place.

# Import/Update IANA Services Names
wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
sudo openvas-portnames-update service-names-port-numbers.xml
rm service-names-port-numbers.xml


4 - Build & Install the Greenbone Web UI

tar xzf greenbone-security-assistant-5.0.4.tar.gz
cd greenbone-security-assistant-5.0.4

sudo apt-get install libxml2-dev libxslt1-dev libmicrohttpd-dev 

mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache

# Start the Web server
sudo gsad --listen=127.0.0.1 -p 9392
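
To confirm that gsad is bound only to the loopback address given above, this added example (not part of the original post) parses `ss -ltn` output and reports any watched port listening on a non-loopback address. Port 9392 comes from the command above; port 9390 for openvasmd, the function name and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag OpenVAS listeners reachable from outside the host.
# Reads `ss -ltn` output on stdin; arguments are the TCP ports to watch.
# Prints each offending "address:port"; exit status is 1 if any was found.
non_loopback_listeners() {
    awk -v ports="$*" '
        BEGIN {
            found = 0
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) watch[p[i]] = 1
        }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # strip IPv6 brackets
            if (!(port in watch)) next
            if (addr ~ /^127\./ || addr == "::1") next   # loopback is fine
            print $4
            found = 1
        }
        END { exit found }
    '
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
# 9392 = gsad as started above; 9390 = openvasmd (assumed default port).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9392     0.0.0.0:*
LISTEN 0      128    0.0.0.0:9390       0.0.0.0:*
LISTEN 0      128    [::1]:9391         [::]:*
LISTEN 0      128    [::]:22            [::]:*'

if printf '%s\n' "$SAMPLE_SS" | non_loopback_listeners 9392 9390; then
    echo "watched ports are loopback-only"
else
    echo "the listeners above are reachable from other hosts"
fi
```

On a live system, feed it real data with `ss -ltn | non_loopback_listeners 9392`.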


5 - Build & Install the OpenVAS CLI

tar xzf openvas-cli-1.3.1.tar.gz
cd openvas-cli-1.3.1

mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache

6 - Add some useful tools

OpenVAS is not an isolated product: it is more useful alongside some other tools. They need no particular configuration; they just have to be accessible in the standard PATH:

sudo apt-get install wapiti
sudo apt-get install nikto
sudo apt-get install nmap

# Download Arachni
cd /opt   # or wherever you want
tar xzf arachni-1.0.5-0.5.6-linux-x86_64.tar.gz
sudo ln -s /path/to/arachni-1.0.5-0.5.6/bin/* /usr/local/bin/

# Download DIRB
tar xzf dirb222.tar.gz
cd dirb222
sudo apt-get install libcurl4-gnutls-dev
./configure
make
sudo make install


7 - Enjoy!

Now, point your preferred browser to https://localhost:9392 (tell it to accept the "non-trusted" TLS certificate), follow the instructions & help in the Web UI, and kill your target servers, or the machine running OpenVAS, or most probably both ;)

Oh, to access the Web UI, you will need the login/passwd generated in step 3 (OpenVAS Manager install).

Comments welcome!



5 comments:

  1. Great Tutorial !
    Worked for me Linux Mint 17.1
    Thanks Bro' !

  2. I'm getting this...

    # tar xzf openvas-libraries-7.0.6.tar.gz
    tar (child): openvas-libraries-7.0.6.tar.gz: Cannot open: No such file or directory
    tar (child): Error is not recoverable: exiting now
    tar: Child returned status 2
    tar: Error is not recoverable: exiting now

    Replies
    1. The versions of the components on http://www.openvas.org/install-source.html were upgraded since I wrote the post. You will now have to download openvas-libraries-7.0.10.tar.gz and adapt the commands accordingly.

      I will soon write an update for OpenVAS 8.0, after having properly tested this new version.

  3. The link to DIRB should be http://sourceforge.net/projects/dirb/files/dirb/2.22/, rather than the DirBuster that is currently present.

    Thank you for the post. Useful for anyone who has tried to use their downloadable appliance, which doesn't have the option packages installed.
