mercredi 20 janvier 2016
OpenVAS 8 Build and Installation (Linux Debian 7+ and LinuxMint 17+)
As I try to keep my good 2016 resolution while still beeing (a bit) lazy, here is an update of my post about OpenVAS Installation (http://infosec.praud.com/2014/11/openvas-installation-debian-7-linuxmint.html ), for its version 8, including the gnutls patch which already seemed to crash OpenVAS 7.
So this post will explain how to build and install OpenVAS 8 from source:
openvas-libraries-8.0.6
openvas-scanner-5.0.5
openvas-manager-6.0.7
greenbone-security-assistant-6.0.8
openvas-cli-1.4.3
I didn't install the remaining stuff from http://www.openvas.org/install-source.html but I guess it's the same kind of procedure as the other items.
# 1 - Build & Install OpenVAS Libraries
# add /opt/openvas/lib in /etc/ld.so.conf
sudo apt-get install pkg-config libssh-dev libgnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libksba-dev
sudo apt-get install doxygen
sudo apt-get install xmltoman
sudo apt-get install sqlfairy
sudo apt-get install cmake
sudo apt-get install flex
sudo apt-get install libhiredis-dev
tar xzf openvas-libraries-8.0.6.tar.gz
cd openvas-libraries-8.0.6/
# Apply this patch if you upgrade to latest gnutls lib:
# More info on this here: http://comments.gmane.org/gmane.comp.security.openvas.users/9068
--- misc/openvas_server.c.orig  2016-01-12 14:19:44.580035097 +0100
+++ misc/openvas_server.c       2016-01-12 14:20:08.264040607 +0100
@@ -806,7 +806,7 @@
   */
 
   if ((err_gnutls = gnutls_priority_set_direct (*server_session,
-                                                priority? priority : "SECURE",
+                                                priority? priority : "NORMAL",
                                                 NULL)))
     {
       g_warning ("%s: failed to set tls priorities: %s\n", __FUNCTION__,
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
sudo ldconfig
cd ../..
export PKG_CONFIG_PATH=/opt/openvas/lib/pkgconfig:$PKG_CONFIG_PATH
export PATH=/opt/openvas/bin:/opt/openvas/sbin:$PATH
# 2 - Build & Install OpenVAS Scanner
tar xzf openvas-scanner-5.0.5.tar.gz
cd openvas-scanner-5.0.5/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
cd ../..
sudo openvas-mkcert
The following files were created:
. Certification authority:
   Certificate = /opt/openvas/var/lib/openvas/CA/cacert.pem
   Private key = /opt/openvas/var/lib/openvas/private/CA/cakey.pem
. OpenVAS Server : 
    Certificate = /opt/openvas/var/lib/openvas/CA/servercert.pem
    Private key = /opt/openvas/var/lib/openvas/private/CA/serverkey.pem
sudo openvas-nvt-sync
sudo openvassd
# check the init state:
ps ax | grep openvas
14475 ?        Rs     0:03 openvassd: Reloaded 1550 of 45313 NVTs (3% / ETA: 02:49)
14476 ?        S      0:00 openvassd (Loading Handler)
redis-server /opt/openvas/share/doc/openvas-scanner/example_redis_2_4.conf 
#   or
redis-server /opt/openvas/share/doc/openvas-scanner/example_redis_2_6.conf 
# 3 - Build & Install OpenVAS Manager
sudo apt-get install sqlite3 libsqlite3-dev xsltproc libgd-perl
tar xzf openvas-manager-6.0.7.tar.gz
cd openvas-manager-6.0.7/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
cd ../..
# Generate key/cert 
sudo openvas-mkcert-client
# After having answered to the questions, the necessary stuff will be created in a /tmp/ subdirectory, for instance: /tmp/openvas-mkcert-client.19926. cd in this directory and:
cp key_om.pem /opt/openvas/var/lib/openvas/private/CA/clientkey.pem
cp cert_om.pem /opt/openvas/var/lib/openvas/CA/clientcert.pem
sudo openvas-scapdata-sync
sudo openvas-certdata-sync
sudo openvasmd --rebuild
# Create an administrator user for OpenVAS
sudo openvasmd --create-user=
# A message like this should be shown: User created with password 'XXXX'.
# Store this p# Create an administrator user for OpenVAS
sudo openvasmd --create-user=
# A message like this should be shown: User created with password 'XXXX'.
# Store this passwd in a safe place.asswd in a safe place.
openvasmd --create-user=admin
User created with password 'XXXX'.
openvasmd --create-user=jc1
User created with password 'YYYY'.
# Import/Update IANA Services Names
wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
sudo openvas-portnames-update service-names-port-numbers.xml
rm service-names-port-numbers.xml
sudo openvasmd
# 4 - Build & Install the Greenbone Web UI
sudo apt-get install libxml2-dev libxslt1-dev libmicrohttpd-dev 
tar xzf greenbone-security-assistant-6.0.8.tar.gz 
cd greenbone-security-assistant-6.0.8/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
# Start the Web server
sudo gsad --listen=127.0.0.1 -p 9392
# Point your preferred browser to: https://localhost:9392
# 5 - Build & Install the OpenVAS CLI
tar xzf openvas-cli-1.4.3.tar.gz
cd openvas-cli-1.4.3/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
# 6 - Add some useful tools
OpenVAS is not an isolated product, it's more useful with some other tools, without any necessary configuration, they just have to be accessible in the standard PATH:
apt-get install wapiti
apt-get install nikto
apt-get install nmap
# Download Arachni 
cd /opt (or wherever you want)
tar arachni-1.0.5-0.5.6-linux-x86_64.tar.gz
ln -s /path/to/arachni-1.0.5-0.5.6/bin/* /usr/local/bin/
# Download DIRB 
tar xzf dirb222.tar.gz
cd dirb222
sudo apt-get install libcurl4-gnutls-dev
./configure
make
sudo make install
# 6 - Enjoy!
Now, point you preferred browser to https://localhost:9392 (tell it to accept the "non-trusted" TLS certificate), follow the instruction & help in the Web UI, and kill your target servers, or the machine running OpenVAS, or most probably both ;)
Oh, to access the Web UI, you will need the login/passwd generated on step 3 (OpenVAS Manager install).
Comments welcome!
  
More than year without a post on this blog...
Well, I have been a bit busy.
Considering the success of my previous post, I took the good resolution of writing more really useful stuff, here. ;)
While waiting I keep my promise (or not ;) ), you can take a look at the other useful things I work on: LockEmail.Com
Basically, it's an end-to-end encrypted email solution, easy to use, and cheap.
Feel free to drop me an email if you want to test it, it's a free beta for some weeks: contact@datashush.com
Happy 2016!
Considering the success of my previous post, I took the good resolution of writing more really useful stuff, here. ;)
While waiting I keep my promise (or not ;) ), you can take a look at the other useful things I work on: LockEmail.Com
Basically, it's an end-to-end encrypted email solution, easy to use, and cheap.
Feel free to drop me an email if you want to test it, it's a free beta for some weeks: contact@datashush.com
Happy 2016!
Inscription à :
Commentaires (Atom)
