Analyzing Vulnerabilities with OpenVAS

OpenVAS is a network vulnerability scanner. It is very useful when we are performing a risk analysis, since a risk analysis has to include logical weaknesses.

Step 1: install OpenVAS

To install OpenVAS we can download the tar.gz directly from the official site, or use an official repository recognized by the site. In our case we will install it from a repository, since in my view packages should be managed in one single way. If no official repository exists, I recommend building our own RPM, which is not the goal of this guide.


Import the PGP key of the authorized site.

# rpm --import http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt

Install the repository files.


# lynx -source http://www.atomicorp.com/installers/atomic.sh | sh
============================
Atomic Archive installer, version 1.1
Configuring the [atomic] yum archive for this system

Installing the Atomic GPG key: OK
Downloading atomic-release-1.0-11.el5.art.noarch.rpm: OK

Would you like to add the Plesk yum repository to the system?

Enable Plesk repository? (y/n) [Default: n]: y

Plesk 8.6 and 9.2 repositories are available:
NOTE: Plesk 9 repos are only available for rhel/centos 4 and 5

Enable Plesk 8.6 or 9.2? (8/9) [Default: 8]: 9


The Atomic Rocket Turtle archive has now been installed and configured for your system
The following channels are available:
atomic - [ACTIVATED] - contains the stable tree of ART packages
atomic-testing - [DISABLED] - contains the testing tree of ART packages
atomic-bleeding - [DISABLED] - contains the development tree of ART packages
================================
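
The installer step above pipes a script fetched over plain HTTP straight into a root shell. As an added example (not part of the original post), this sketch saves the script first and runs it only if its SHA-256 matches a digest recorded after reviewing it; the function names and the local file name atomic.sh are assumptions.

```shell
#!/bin/sh
# Added example: run a downloaded installer only if it matches a pinned SHA-256.
# sha256_of and run_pinned_installer are hypothetical helper names.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# run_pinned_installer FILE EXPECTED_SHA256
# Returns the installer's status after running it, 2 on digest mismatch,
# 3 on bad arguments or a missing file.
run_pinned_installer() {
    file=$1
    expected=$2
    if [ -z "$file" ] || [ -z "$expected" ] || [ ! -f "$file" ]; then
        echo "usage: run_pinned_installer FILE EXPECTED_SHA256" >&2
        return 3
    fi
    actual=$(sha256_of "$file") || return 3
    # Compare case-insensitively: recorded digests are sometimes upper-case.
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "REFUSING to run $file: digest $actual does not match the pin" >&2
        return 2
    fi
    sh "$file"
}

# Typical use on the host (commented out so the block has no side effects):
#   lynx -source http://www.atomicorp.com/installers/atomic.sh > atomic.sh
#   less atomic.sh                 # read it before trusting it
#   sha256_of atomic.sh            # record this value as the pin
#   run_pinned_installer atomic.sh "<sha256 recorded after review>"
```

The pin only proves the file is the one that was reviewed; it says nothing about whether the reviewed script is safe.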

Install the packages OpenVAS needs.

# yum -y install openvas-libraries openvas-libnasl openvas-server openvas-plugins openvas-client openvas-scanner

When the installation finishes, run the following command.

# openvas-mkcert

===========================================
-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

This script will now ask you the relevant information to create the SSL certificate of OpenVAS.
Note that this information will *NOT* be sent to anybody (everything stays local), but anyone with the ability to connect to your OpenVAS daemon will be able to retrieve this information.


CA certificate life time in days [1460]:
Server certificate life time in days [365]:
Your country (two letter code) [DE]: mx
Your state or province name [none]: bc
Your location (e.g. town) [Berlin]: ens
Your organization [OpenVAS Users United]: na

-------------------------------------------------------------------------------
Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

/etc/openvas/openvassd.conf updated
The following files were created:

. Certification authority:
Certificate = /var/lib/openvas/CA/cacert.pem
Private key = /var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
Certificate = /var/lib/openvas/CA/servercert.pem
Private key = /var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

===========================================
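
openvas-mkcert reports where it wrote the CA and server private keys. As an added example (not part of the original post), this check flags any of those files that is missing, not owned by the expected UID, or accessible to group or others; the function name is an assumption and the paths in the usage comment are the ones printed above.

```shell
#!/bin/sh
# Added example: audit the private keys written by openvas-mkcert.
# audit_private_keys is a hypothetical helper name, not an OpenVAS tool.

# audit_private_keys EXPECTED_UID FILE...
# Prints one line per problem; returns 0 if every file is clean, 1 otherwise.
audit_private_keys() {
    want_uid=$1
    shift
    bad=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            bad=1
            continue
        fi
        uid=$(stat -c '%u' "$f")    # numeric owner (GNU stat)
        mode=$(stat -c '%a' "$f")   # octal permission bits, e.g. 600
        if [ "$uid" != "$want_uid" ]; then
            echo "OWNER $uid $f"
            bad=1
        fi
        # The last two octal digits are group and other; both must be 0.
        case $mode in
            0|*00) ;;
            *) echo "LOOSE $mode $f"; bad=1 ;;
        esac
    done
    return "$bad"
}

# On the scanner host, as root (paths as printed by openvas-mkcert):
#   audit_private_keys 0 /var/lib/openvas/private/CA/cakey.pem \
#                        /var/lib/openvas/private/CA/serverkey.pem
```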

Add a user for our scanner

# openvas-adduser

Note: to add rules to users we can read the manual with
# man openvas-adduser


=============================
Using /var/tmp as a temporary file holder.

Add a new openvassd user
---------------------------------


Login : enduser
Authentication (pass/cert) [pass] : pass
Login password :
Login password (again) :
Passwords do not match!
Login password :
Login password (again) :

User rules
---------------
openvassd has a rules system which allows you to restrict the hosts that enduser has the right to test.
For instance, you may want him to be able to scan his own host only.

Please see the openvas-adduser(8) man page for the rules syntax.

Enter the rules for this user, and hit ctrl-D once you are done:
(the user can have an empty rules set)
Login : enduser
Password : ***********

Rules :


Is that ok? (y/n) [y] y
user added.

===========================

The next step is to update the plugins. It will print a very long list, so be patient.

# openvas-nvt-sync
===========================
sent 514645 bytes received 66691961 bytes 327039.45 bytes/sec
total size is 64891003 speedup is 0.97
[i] Checking dir: ok
[i] Checking MD5 checksum: ok
===========================

With all the plugins updated, we start the OpenVAS server

# openvassd
All plugins loaded

This process can take a few seconds, depending on the capacity of the machine.

And the final step: run the client.

We log in to a VNC terminal, or we can use xterm to run remote sessions.

# OpenVAS-Client

And we start working.
