At last, a useful post on this blog ;)
For some time now, I use OpenVAS to check my clients' network and infrastructure. OpenVAS is a libre fork of Nessus, a well known vulnerability scanner. Like most powerful products, it can be a nightmare to properly install and configure. Many resources are available about this on the Internet, but none of them worked fully for my usage. So here is my OpenVAS install procedure. I hope it may be useful for others.
This procedure worked on Debian 7 and Linux Mint 17 (it should work on other distro/versions of your favorite OS), with the following versions of OpenVAS components, built from source code:
- openvas-libraries-7.0.6
- openvas-scanner-4.0.5
- openvas-manager-5.0.6
- greenbone-security-assistant-5.0.4
- openvas-cli-1.3.1
- And add some optional but useful stuff
- Enjoy!
1 - Build & Install OpenVAS Libraries
sudo apt-get install pkg-config libssh-dev libgnutls-dev libglib2.0-dev libpcap-dev libgpgme11-dev uuid-dev bison libksba-dev
sudo apt-get install doxygen
sudo apt-get install xmltoman
sudo apt-get install sqlfairy
sudo apt-get install cmake
sudo apt-get install flex
tar xzf openvas-libraries-7.0.6.tar.gz
cd openvas-libraries-7.0.6
mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache
sudo ldconfig
2 - Build & Install OpenVAS Scanner
tar xzf openvas-scanner-4.0.5.tar.gz
cd openvas-scanner-4.0.5
mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache
sudo openvas-mkcert
sudo openvas-nvt-sync
# launch the scanner:
sudo openvassd
3 - Build & Install OpenVAS Manager
sudo apt-get install sqlite3 libsqlite3-dev xsltproc libgd-perl
tar xzf openvas-manager-5.0.6.tar.gz
cd openvas-manager-5.0.6
mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache
# Generate key/cert
sudo openvas-mkcert-client
# After having answered to the questions, the necessary stuff will be created in a /tmp/ directory, for instance: /tmp/openvas-mkcert-client.19926. cd in this directory and:
cp key_om.pem /usr/local/var/lib/openvas/private/CA/clientkey.pem
cp cert_om.pem /usr/local/var/lib/openvas/CA/clientcert.pem
sudo openvas-scapdata-sync
sudo openvas-certdata-sync
sudo openvasmd --rebuild
# Create an administrator user for OpenVAS
sudo openvasmd --create-user=<yourlogin>
# A message like this should be shown: User created with password 'XXXX'.
# Store this passwd in a safe place.
# Import/Update IANA Services Names
wget http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
sudo openvas-portnames-update service-names-port-numbers.xml
rm service-names-port-numbers.xml
4 - Build & Install the Greenbone Web UI
tar xzf greenbone-security-assistant-5.0.4.tar.gz
cd greenbone-security-assistant-5.0.4
sudo apt-get install libxml2-dev libxslt1-dev libmicrohttpd-dev
mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache
# Start the Web server
sudo gsad --listen=127.0.0.1 -p 9392
5 - Build & Install the OpenVAS CLI
tar xzf openvas-cli-1.3.1.tar.gz
cd openvas-cli-1.3.1
mkdir build
cd build
cmake ..
make
make doc
sudo make install
make rebuild_cache
6 - Add some useful tools
OpenVAS is not an isolated product, it's more useful with some other tools, without any necessary configuration, they just have to be accessible in the standard PATH:
apt-get install wapiti
apt-get install nikto
apt-get install nmap
# Download Arachni
cd /opt (or wherever you want)
tar arachni-1.0.5-0.5.6-linux-x86_64.tar.gz
ln -s /path/to/arachni-1.0.5-0.5.6/bin/* /usr/local/bin/
# Download DIRB
tar xzf dirb222.tar.gz
cd dirb222
sudo apt-get install libcurl4-gnutls-dev
./configure
make
sudo make install
6 - Enjoy!
Now, point you preferred browser to https://localhost:9392 (tell it to accept the "non-trusted" TLS certificate), follow the instruction & help in the Web UI, and kill your target servers, or the machine running OpenVAS, or most probably both ;)
Oh, to access the Web UI, you will need the login/passwd generated on step 3 (OpenVAS Manager install).
Comments welcome!
(UPDATE 2016-01-20: you can find an updated version of this post for OpenVAS 8 here)
Oh, to access the Web UI, you will need the login/passwd generated on step 3 (OpenVAS Manager install).
Comments welcome!
(UPDATE 2016-01-20: you can find an updated version of this post for OpenVAS 8 here)