Thread: BT5R3 - OpenVAS incorrectly claims remote host dead when scanning from multi-homed VM

  1. #1
    Just burned their ISO | Join Date: Jan 2013 | Posts: 7

    BT5R3 - OpenVAS incorrectly claims remote host dead when scanning from multi-homed VM

    Background:-
    I've installed Back|Track 5R3 on a VM (in a VMware environment) to evaluate it, connected to a live network with a connection to the Internet, and updated it with the latest packages. It's also on 3 test networks simulating the live environment, with a Metasploitable VM target and clones of 2 live Windows servers that I'm using to test against, making it a total of 4 network interfaces on the VM. The Internet connection is on eth0, and seems to be the default address picked by most tools for the local endpoint (even when another one makes more sense).

    I'm going through the standard sequence for a pentest (well, more vulnerability assessment at this point), using the wiki as a guide as to how to set things up. I've run into a number of minor issues with the distro, but have managed to fix them so far.

    Issue:-
    I've set up OpenVAS in accordance with the instructions in the Wiki and, while it doesn't pass muster for version 5 according to "Openvas check setup" (OpenVAS Scanner being version 3.2.5 instead of 3.3), it is a valid OpenVAS v4 installation. There didn't seem to be an updated package for OpenVAS in the BT repositories, so I let that slide.

    However, I can't get openvassd to scan. It keeps failing with the following error:
    Code:
    [Tue Jan 15 09:20:50 2013][3844] user om starts a new scan. Target(s) : 192.168.77.1, with max_hosts = 20 and max_checks = 4 
    [Tue Jan 15 09:20:50 2013][3844] user om : testing 192.168.77.1 (::ffff:192.168.77.1) [3866] 
    [Tue Jan 15 09:20:51 2013][3866] user om : new KB will be saved as /usr/local/var/lib/openvas/users/om/kbs/192.168.77.1
    [Tue Jan 15 09:21:01 2013][3866] user om : The remote host (192.168.77.1) is dead 
    [Tue Jan 15 09:21:01 2013][3866] Finished testing 192.168.77.1. Time : 10.26 secs 
    [Tue Jan 15 09:21:01 2013][3844] user om : test complete
    [Tue Jan 15 09:21:01 2013][3844] Total time to scan all hosts : 11 seconds 
    [Tue Jan 15 09:21:01 2013][3844] user om : Kept alive connection
    [Tue Jan 15 09:21:01 2013][3844] Communication closed by client
    The test network I'm using here is 192.168.77.0/24, with BT on 192.168.77.250 and the target Metasploitable VM on 192.168.77.1. I can ping the Metasploitable VM before, during and after the scan failure, and I'm logged onto it as well, so I know it isn't dead and I know it's reachable via the network.

    I started to look into the configuration file (at "/usr/local/etc/openvas/openvassd.conf", according to Greenbone Security Assistant and the openvassd manual page) to see if I could enable the "log_whole_attack" setting to get more detail, and found that the configuration file didn't exist! I created this file, using an example I found on the Internet, and updated it to include all of the settings reportedly set according to GSA as follows:-
    Code:
    # Configuration file of the OpenVAS Security Scanner
    # Every line starting with a '#' is a comment
    
    [Misc]
    
    # Path to the security checks folder :
    plugins_folder = /usr/local/var/lib/openvas/plugins
    
    # Path to OpenVAS caching folder:
    cache_folder = /usr/local/var/cache/openvas
    
    # Path to OpenVAS include directories:
    # (multiple entries are separated with colon ':')
    include_folders = /usr/local/var/lib/openvas/plugins
    
    # Maximum number of simultaneous hosts tested :
    max_hosts = 30
    
    # Maximum number of simultaneous checks against each host tested :
    max_checks = 10
    
    # Niceness. If set to 'yes', openvassd will renice itself to 10.
    be_nice = no
    
    # Log file (or 'syslog') :
    logfile = /usr/local/var/log/openvas/openvassd.messages
    
    # Shall we log every details of the attack ? (disk intensive)
    log_whole_attack = yes
    
    # Log the name of the plugins that are loaded by the server ?
    log_plugins_name_at_load = yes
    
    
    # Dump file for debugging output, use `-' for stdout
    dumpfile = /usr/local/var/log/openvas/openvassd.dump
    
    
    # Rules file :
    rules = /usr/local/share/openvas/openvassd.rules
    
    
    # CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
    cgi_path = /cgi-bin:/scripts
    
    
    # Range of the ports the port scanners will scan :
    # 'default' means that OpenVAS will scan ports found in its
    # services file.
    port_range = default
    
    
    # Optimize the test (recommended) :
    optimize_test = yes
    
    
    # Optimization :
    # Read timeout for the sockets of the tests :
    checks_read_timeout = 5
    
    
    # Ports against which two plugins should not be run simultaneously :
    # non_simult_ports = Services/www, 139, Services/finger
    non_simult_ports = 139, 445
    
    
    # Maximum lifetime of a plugin (in seconds) :
    plugins_timeout = 320
    
    
    # Safe checks rely on banner grabbing :
    safe_checks = yes
    
    
    # Automatically activate the plugins that are depended on
    auto_enable_dependencies = yes
    
    
    # Do not echo data from plugins which have been automatically enabled
    silent_dependencies = no
    
    
    # Designate hosts by MAC address, not IP address (useful for DHCP networks)
    use_mac_addr = no
    
    
    #--- Knowledge base saving (can be configured by the client) :
    # Save the knowledge base on disk :
    save_knowledge_base = no
    # Restore the KB for each test :
    kb_restore = no
    # Only test hosts whose KB we do not have :
    only_test_hosts_whose_kb_we_dont_have = no
    # Only test hosts whose KB we already have :
    only_test_hosts_whose_kb_we_have = no
    # KB test replay :
    kb_dont_replay_scanners = no
    kb_dont_replay_info_gathering = no
    kb_dont_replay_attacks = no
    kb_dont_replay_denials = no
    kb_max_age = 864000
    #--- end of the KB section
    
    
    
    # If this option is set, OpenVAS will not scan a network incrementally
    # (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
    # slice the workload throughout the whole network (ie: it will scan
    # 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
    slice_network_addresses = no
    
    # Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
    nasl_no_signature_check = yes
    
    # Others
    drop_privileges = no
    unscanned_closed = yes
    vhosts = 
    vhosts_ip = 
    config_file=/usr/local/etc/openvas/openvassd.conf
    
    #end.
    #
    # Added by openvas-mkcert
    #
    # If you decide to protect your private key with a password,
    # uncomment and change next line
    # pem_password=password
    # If you want to force the use of a client certificate, uncomment next line
    # force_pubkey_auth = yes
    #
    # Added by openvas-mkcert
    #
    cert_file=/usr/local/var/lib/openvas/CA/servercert.pem
    key_file=/usr/local/var/lib/openvas/private/CA/serverkey.pem
    ca_file=/usr/local/var/lib/openvas/CA/cacert.pem
    # If you decide to protect your private key with a password,
    # uncomment and change next line
    # pem_password=password
    # If you want to force the use of a client certificate, uncomment next line
    # force_pubkey_auth = yes
    Running it again, I saw no improvement in the amount of detail being logged.
    Code:
    [Tue Jan 15 16:17:50 2013][3844] user om starts a new scan. Target(s) : 192.168.77.1, with max_hosts = 20 and max_checks = 4 
    [Tue Jan 15 16:17:50 2013][3844] user om : testing 192.168.77.1 (::ffff:192.168.77.1) [3866] 
    [Tue Jan 15 16:17:50 2013][3866] user om : new KB will be saved as /usr/local/var/lib/openvas/users/om/kbs/192.168.77.1
    [Tue Jan 15 16:18:00 2013][3866] user om : The remote host (192.168.77.1) is dead 
    [Tue Jan 15 16:18:00 2013][3866] Finished testing 192.168.77.1. Time : 10.26 secs 
    [Tue Jan 15 16:18:00 2013][3844] user om : test complete
    [Tue Jan 15 16:18:00 2013][3844] Total time to scan all hosts : 11 seconds 
    [Tue Jan 15 16:18:00 2013][3844] user om : Kept alive connection
    [Tue Jan 15 16:18:00 2013][3844] Communication closed by client
    The discrepancy between the reported "max_hosts" and "max_checks" values in the log with respect to the configuration file indicates that openvassd is actually reading some other configuration file somewhere, and possibly binding to the wrong local IP address to start with (the Internet one which seems to be the default for most tools?).

    Does anyone have any ideas as to how I might resolve this? I would normally look at the source code for the tool and tweak it if necessary, but as it's an executable, I'm not sure how easily I can tweak it, nor in this case, where I would get the customised source code.

  2. #2
    Just burned their ISO | Join Date: Jan 2013 | Posts: 7

    Re: BT5R3 - OpenVAS incorrectly claims remote host dead when scanning from multi-home

    Right, I've found the problem. It seems that you have to tell openvassd to ensure its source IP addresses match the local IP addresses used on the networks it's scanning; otherwise it uses the default (wrong) IP address. The command I ended up running was:-
    Code:
    openvassd -S 172.16.2.250,192.168.77.250,192.168.244.250
    I've changed the corresponding "Start OpenVAS Scanner" menu command (and changed a few other things), and will be keeping an eye out for similar issues in the future. Perhaps someone (me?) ought to write up a How-To for configuring a multi-homed BT configuration.

    However, it is still ignoring the configuration file, even if I specify it explicitly via a -c parameter, as it still claims to be running with max_hosts = 20 and max_checks = 4, and doesn't log the list of plugins it runs against the remote host. Any ideas how I can resolve that?
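    The diagnosis in the post above (a "dead" verdict for a reachable host on a directly attached test network, and a log that echoes limits the configuration file does not set) can be automated. The script below is an added example written for this thread, not code from the original post or from the OpenVAS project: it parses the openvassd.messages lines quoted in the first post (constructed copy), checks each "dead" host against a constructed interface table for the multi-homed scanner VM, and builds the address list for the `-S` option. The three test-network addresses are the ones in the `openvassd -S` command above; the eth0 address, the interface names and all prefix lengths are assumptions, as is the expectation that the log should echo the `max_hosts = 30` and `max_checks = 10` values from the posted openvassd.conf.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed interface table for the multi-homed scanner VM described in the thread.
# The three test-network addresses are those passed to "openvassd -S" in post #2;
# the eth0 address, interface names and every prefix length are assumptions.
INTERFACES: Dict[str, str] = {
    "eth0": "10.0.0.5/24",            # Internet-facing default route (assumed address)
    "eth1": "172.16.2.250/24",
    "eth2": "192.168.77.250/24",
    "eth3": "192.168.244.250/24",
}

# Constructed copy of the openvassd.messages lines quoted in the first post.
SAMPLE_LOG = """\
[Tue Jan 15 09:20:50 2013][3844] user om starts a new scan. Target(s) : 192.168.77.1, with max_hosts = 20 and max_checks = 4
[Tue Jan 15 09:20:50 2013][3844] user om : testing 192.168.77.1 (::ffff:192.168.77.1) [3866]
[Tue Jan 15 09:21:01 2013][3866] user om : The remote host (192.168.77.1) is dead
[Tue Jan 15 09:21:01 2013][3844] user om : test complete
"""

# Limits set in the posted openvassd.conf; the log should echo them if the file is read.
EXPECTED_LIMITS = {"max_hosts": 30, "max_checks": 10}

SCAN_RE = re.compile(
    r"Target\(s\) : (?P<targets>.+?), with max_hosts = (?P<mh>\d+) and max_checks = (?P<mc>\d+)"
)
DEAD_RE = re.compile(r"The remote host \((?P<ip>[0-9A-Fa-f.:]+)\) is dead")


def parse_log(text: str) -> Tuple[List[str], List[str], Dict[str, int]]:
    """Extract scan targets, hosts reported dead, and the limits openvassd says it is using."""
    targets: List[str] = []
    dead: List[str] = []
    limits: Dict[str, int] = {}
    for line in text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            targets.extend(t.strip() for t in m.group("targets").split(","))
            limits = {"max_hosts": int(m.group("mh")), "max_checks": int(m.group("mc"))}
        m = DEAD_RE.search(line)
        if m:
            dead.append(m.group("ip"))
    return targets, dead, limits


def local_address_for(target: str, interfaces: Dict[str, str]) -> Optional[str]:
    """Address of the scanner interface directly attached to the target's subnet, if any."""
    ip = ipaddress.ip_address(target)
    for cidr in interfaces.values():
        iface = ipaddress.ip_interface(cidr)
        if ip.version == iface.version and ip in iface.network:
            return str(iface.ip)
    return None


def source_addresses(targets: List[str], interfaces: Dict[str, str]) -> str:
    """Comma-separated value for "openvassd -S": one local address per target subnet."""
    chosen: List[str] = []
    for t in targets:
        addr = local_address_for(t, interfaces)
        if addr and addr not in chosen:
            chosen.append(addr)
    return ",".join(chosen)


def diagnose(text: str, interfaces: Dict[str, str], expected: Dict[str, int]) -> List[str]:
    """Turn one scan's log into findings the scanner operator can act on."""
    _targets, dead, limits = parse_log(text)
    findings: List[str] = []
    for host in dead:
        local = local_address_for(host, interfaces)
        if local:
            # A directly attached interface exists, so a wrong source address is the
            # first thing to rule out, as the thread found.
            findings.append(
                f"{host} reported dead but {local} is on its subnet: "
                f"check the scanner's source address (-S)"
            )
        else:
            findings.append(f"{host} reported dead; no directly attached interface, routed via default")
    if limits and limits != expected:
        findings.append(
            f"effective limits {limits} differ from openvassd.conf {expected}: config not applied"
        )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, INTERFACES, EXPECTED_LIMITS):
        print(finding)
    print("openvassd -S " + source_addresses(["192.168.77.1", "172.16.2.9", "192.168.244.3"], INTERFACES))
```

Run against a real openvassd.messages file, the first finding is the cue to restart the scanner with `-S` listing the address on each scanned network; the second reproduces the configuration-file discrepancy the post describes but does not resolve it.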

  3. #3
    Just burned their ISO | Join Date: Dec 2012 | Location: Russia | Posts: 4

    Re: BT5R3 - OpenVAS incorrectly claims remote host dead when scanning from multi-home

    Absolutely with you it agree. In it something is also to me it seems it is very good idea. Completely with you I will agree.

  4. #4
    Just burned their ISO | Join Date: Jan 2013 | Location: Russia | Posts: 3

    Re: BT5R3 - OpenVAS incorrectly claims remote host dead when scanning from multi-home

    Now all became clear to me, I thank for the necessary information.
