1 of 11

Technical setup at Unit (now Sikt)

asbjorn.reglund.thorsen@sikt.no

Visual setup

Architecture

What are the common approaches?

  • Get the IPs or IP ranges
  • Make sure you are allowed to scan those IPs
  • Remember to tell operations, and give them the IP address the scan is performed from
  • Scan from the inside and from the outside separately
  • Begin with a port scan using masscan

What are the common approaches?

  • Masscan the IP ranges for all ports
    • Time consuming
    • Possible to turn down the rate limit
  • You need to make two files from the results
    • I use a simple script
    • List of IP addresses found by masscan goes into file1.txt
    • List of unique ports found by masscan goes into file2.txt
  • Use the results from masscan and import them into Greenbone
  • Import the file with the IP addresses
  • Import the file with the ports

Tools

Installation of Greenbone GVM/OpenVAS on Kali Linux

  • gvm/kali-rolling 21.4.2.0 all
  • remote network security auditor - metapackage and useful scripts

sudo apt install gvm # install GVM meta package

sudo gvm-setup # takes some time, sets up certificates, database and synchronizes NVT feed

Automation

Prepare a scan with masscan and use its results to pick interesting candidates as targets for OpenVAS. This is faster than scanning whole networks with OpenVAS. Additionally, OpenVAS has a limit of max. 4096 IP addresses per scan.

sudo masscan -p 1-1024,2222,3389,4343,5985,5986,8080,8443,9100,16992-16995 192.168.47.192/27 10.156.46.0/24 -oX trondheim.xml

  • python-libnmap (https://github.com/savon-noir/python-libnmap)
  • python-gvm (https://github.com/greenbone/python-gvm)
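The "simple script" step from the approach above (split the masscan results into file1.txt with the hosts and file2.txt with the unique ports, ready for import into Greenbone), as an added Python example that is not part of the original slides. It parses the masscan XML written by `-oX` with the standard library instead of python-libnmap; the embedded sample XML, its addresses and its ports are constructed, and the output file names are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample of the XML that `masscan ... -oX trondheim.xml` writes,
# trimmed to the elements read below. masscan emits one <host> element per
# (address, port) pair, so the same address appears many times.
SAMPLE_MASSCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1600000000" version="1.0-BETA" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1600000000"><address addr="192.168.47.200" addrtype="ipv4"/><ports><port protocol="tcp" portid="443"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1600000001"><address addr="192.168.47.200" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1600000002"><address addr="192.168.47.201" addrtype="ipv4"/><ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/></port></ports></host>
<host endtime="1600000003"><address addr="192.168.47.202" addrtype="ipv4"/><ports><port protocol="tcp" portid="3389"><state state="closed" reason="rst" reason_ttl="64"/></port></ports></host>
<runstats><finished time="1600000004" elapsed="4" /><hosts up="3" down="0" total="3" /></runstats>
</nmaprun>
"""


def parse_masscan(xml_text):
    """Return (hosts, ports) from masscan XML: hosts as a sorted list of
    addresses with at least one open port, ports as a sorted list of
    Greenbone port-list entries ("T:22" for TCP, "U:53" for UDP)."""
    hosts, ports = set(), set()
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # masscan can also record closed (RST) responses
            hosts.add(addr)
            proto = "U" if port.get("protocol") == "udp" else "T"
            ports.add((proto, int(port.get("portid"))))
    return (sorted(hosts, key=ipaddress.ip_address),
            [f"{p}:{n}" for p, n in sorted(ports)])


def write_greenbone_files(xml_text, hosts_file="file1.txt", ports_file="file2.txt"):
    """file1.txt: one address per line (Greenbone target host list).
    file2.txt: one comma-separated port range line (Greenbone port list)."""
    hosts, ports = parse_masscan(xml_text)
    Path(hosts_file).write_text("\n".join(hosts) + "\n")
    Path(ports_file).write_text(",".join(ports) + "\n")
    return hosts, ports


if __name__ == "__main__":
    # For a real run, replace the sample with Path("trondheim.xml").read_text().
    print(write_greenbone_files(SAMPLE_MASSCAN_XML))
```

Hosts that only answered with closed ports are dropped, so the Greenbone target stays limited to hosts that actually exposed a service.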

Experiences

  • Some false positives (misleading version banners on enterprise Linux distributions that backport fixes)
    • Check the Quality of Detection (QoD) value and review findings manually
  • Positive feedback from most admins
  • Announce scans and make the scanner's IP known so that administrators are not alarmed when they check their logs
    • Logs may grow considerably (esp. web server logs)
  • Many good findings: end-of-life operating systems, vulnerable web components (Apache, PHP), misconfigurations, default passwords
  • Simple scan configurations that search for only one vulnerability/CVE are possible.

Experiences

  • Earlier stability problems were solved by switching to the GSA packages provided by Kali Linux
  • The system becomes very slow after many scans; regular database cleanups are necessary.
  • Setup of AD/LDAP authentication not yet successful; no authorisation through AD roles possible.
  • Integration of additional web vulnerability tools (Arachni, nikto) is deprecated.
    • Web security assessment tools like Burp Suite or ZAP are still needed

info@eunis.org