Wednesday, 20 January 2016

OpenVAS 8 Build and Installation (Linux Debian 7+ and LinuxMint 17+)

As I try to keep my good 2016 resolution while still being (a bit) lazy, here is an update of my post about OpenVAS installation (http://infosec.praud.com/2014/11/openvas-installation-debian-7-linuxmint.html), for version 8, including the gnutls patch which already seemed to crash OpenVAS 7.

So this post will explain how to build and install OpenVAS 8 from source:

openvas-libraries-8.0.6
openvas-scanner-5.0.5
openvas-manager-6.0.7
greenbone-security-assistant-6.0.8
openvas-cli-1.4.3

I didn't install the remaining stuff from http://www.openvas.org/install-source.html but I guess it's the same kind of procedure as the other items.

# 1 - Build & Install OpenVAS Libraries

# add /opt/openvas/lib in /etc/ld.so.conf

sudo apt-get install pkg-config libssh-dev libgnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libksba-dev

sudo apt-get install doxygen
sudo apt-get install xmltoman
sudo apt-get install sqlfairy
sudo apt-get install cmake
sudo apt-get install flex
sudo apt-get install libhiredis-dev

tar xzf openvas-libraries-8.0.6.tar.gz
cd openvas-libraries-8.0.6/

# Apply this patch if you upgrade to latest gnutls lib:
# More info on this here: http://comments.gmane.org/gmane.comp.security.openvas.users/9068

--- misc/openvas_server.c.orig 2016-01-12 14:19:44.580035097 +0100
+++ misc/openvas_server.c 2016-01-12 14:20:08.264040607 +0100
@@ -806,7 +806,7 @@
*/

if ((err_gnutls = gnutls_priority_set_direct (*server_session,
- priority? priority : "SECURE",
+ priority? priority : "NORMAL",
NULL)))
{
g_warning ("%s: failed to set tls priorities: %s\n", __FUNCTION__,
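
Review bot: the fallback on the changed line now passes "NORMAL" instead of "SECURE" to gnutls_priority_set_direct() for every session whose caller supplies no priority string, so the broader GnuTLS priority set becomes the default for all of them rather than for one affected caller. Consider keeping "SECURE" as the fallback and having the affected caller pass its priority explicitly, or make the default configurable, and add a comment beside the fallback recording why the value was changed.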



mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
sudo ldconfig
cd ../..

export PKG_CONFIG_PATH=/opt/openvas/lib/pkgconfig:$PKG_CONFIG_PATH
export PATH=/opt/openvas/bin:/opt/openvas/sbin:$PATH

# 2 - Build & Install OpenVAS Scanner

tar xzf openvas-scanner-5.0.5.tar.gz
cd openvas-scanner-5.0.5/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
cd ../..

sudo openvas-mkcert
The following files were created:

. Certification authority:
Certificate = /opt/openvas/var/lib/openvas/CA/cacert.pem
Private key = /opt/openvas/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /opt/openvas/var/lib/openvas/CA/servercert.pem
Private key = /opt/openvas/var/lib/openvas/private/CA/serverkey.pem

sudo openvas-nvt-sync

sudo openvassd

# check the init state:
ps ax | grep openvas
14475 ? Rs 0:03 openvassd: Reloaded 1550 of 45313 NVTs (3% / ETA: 02:49)
14476 ? S 0:00 openvassd (Loading Handler)

redis-server /opt/openvas/share/doc/openvas-scanner/example_redis_2_4.conf
# or
redis-server /opt/openvas/share/doc/openvas-scanner/example_redis_2_6.conf


# 3 - Build & Install OpenVAS Manager

sudo apt-get install sqlite3 libsqlite3-dev xsltproc libgd-perl

tar xzf openvas-manager-6.0.7.tar.gz
cd openvas-manager-6.0.7/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache
cd ../..

# Generate key/cert
sudo openvas-mkcert-client
# After you have answered the questions, the necessary files are created in a /tmp/ subdirectory, for instance /tmp/openvas-mkcert-client.19926. cd into this directory and:
cp key_om.pem /opt/openvas/var/lib/openvas/private/CA/clientkey.pem
cp cert_om.pem /opt/openvas/var/lib/openvas/CA/clientcert.pem

sudo openvas-scapdata-sync
sudo openvas-certdata-sync
sudo openvasmd --rebuild

# Create an administrator user for OpenVAS
sudo openvasmd --create-user=
# A message like this should be shown: User created with password 'XXXX'.
# Store this passwd in a safe place.
openvasmd --create-user=admin
User created with password 'XXXX'.
openvasmd --create-user=jc1
User created with password 'YYYY'.

# Import/Update IANA Services Names
wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
sudo openvas-portnames-update service-names-port-numbers.xml
rm service-names-port-numbers.xml

sudo openvasmd

# 4 - Build & Install the Greenbone Web UI

sudo apt-get install libxml2-dev libxslt1-dev libmicrohttpd-dev

tar xzf greenbone-security-assistant-6.0.8.tar.gz
cd greenbone-security-assistant-6.0.8/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache

# Start the Web server
sudo gsad --listen=127.0.0.1 -p 9392

# Point your preferred browser to: https://localhost:9392

# 5 - Build & Install the OpenVAS CLI

tar xzf openvas-cli-1.4.3.tar.gz
cd openvas-cli-1.4.3/
mkdir build
cd build
cmake -DCMAKE_INSTALL_PREFIX=/opt/openvas ..
make
make doc
sudo make install
make rebuild_cache

# 6 - Add some useful tools

OpenVAS is not an isolated product; it is more useful alongside some other tools. They need no particular configuration, they just have to be accessible in the standard PATH:

apt-get install wapiti
apt-get install nikto
apt-get install nmap

# Download Arachni
cd /opt   # or wherever you want
tar xzf arachni-1.0.5-0.5.6-linux-x86_64.tar.gz
ln -s /path/to/arachni-1.0.5-0.5.6/bin/* /usr/local/bin/

# Download DIRB
tar xzf dirb222.tar.gz
cd dirb222
sudo apt-get install libcurl4-gnutls-dev
./configure
make
sudo make install

# 7 - Enjoy!

Now, point your preferred browser to https://localhost:9392 (tell it to accept the "non-trusted" TLS certificate), follow the instructions & help in the Web UI, and kill your target servers, or the machine running OpenVAS, or most probably both ;)

Oh, to access the Web UI, you will need the login/passwd generated on step 3 (OpenVAS Manager install).
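
Two things are worth confirming after this procedure: that the private keys under /opt/openvas/var/lib/openvas/private/CA (including the clientkey.pem copied from /tmp) are not accessible to group or others, and that port 9392 is bound to loopback only, as the gsad --listen=127.0.0.1 line intends. The script below is an added example, not part of the original post or of OpenVAS; the function names are hypothetical and the listener sample is constructed.

```shell
#!/bin/sh
# Added example: post-install checks for the layout used in this post.
# Paths and port come from the post; function names are hypothetical.
KEY_DIR=/opt/openvas/var/lib/openvas/private/CA
GSAD_PORT=9392

# Print every *key.pem under DIR that group or others can read, write or execute.
loose_keys() {
    find "$1" -type f -name '*key.pem' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Read `ss -ltn`-style lines on stdin; print local addresses listening on
# PORT that are not loopback. Only 127.0.0.1 and [::1] count as loopback.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, part, ":")
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (part[n] == port && addr != "127.0.0.1" && addr != "[::1]")
                print addr
        }'
}

# Exit status 0 only when no loose key and no exposed listener is found.
audit() {   # usage: audit KEY_DIR PORT < listener-lines
    bad_keys=$(loose_keys "$1")
    bad_addr=$(exposed_listeners "$2")
    [ -n "$bad_keys" ] && echo "loose key permissions:" $bad_keys
    [ -n "$bad_addr" ] && echo "port $2 reachable on:" $bad_addr
    [ -z "$bad_keys" ] && [ -z "$bad_addr" ]
}

# Constructed sample of `ss -ltn` output from a misconfigured host (not a real capture).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:9392       0.0.0.0:*
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*'
printf '%s\n' "$SAMPLE_SS" | exposed_listeners "$GSAD_PORT"   # sample run

# Real run (as root, since the key directory is private).
if [ -d "$KEY_DIR" ] && command -v ss >/dev/null 2>&1; then
    ss -ltn | audit "$KEY_DIR" "$GSAD_PORT" && echo "audit: ok"
fi
```

If a key is flagged, chmod 600 on that file is the usual fix; if a non-loopback address is flagged, restart gsad with the --listen=127.0.0.1 option shown in step 4.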

Comments welcome!
