To scan a host with OpenVAS, you first have to go through a configuration phase, which can be done in two different ways depending on your needs:
- Using the Greenbone web interface
- Using the OpenVAS Management Protocol (OMP)
OMP for automation
As soon as you have to handle a large number of machines and scans, a graphical interface becomes insufficient. The best way to automate the configuration process is to use OMP.
OMP is also useful when you have no access to a graphical environment. Another benefit of OMP over the Greenbone interface is that the latter has a bug in version 5.0.3 (fixed in version 5.0.4) which prevents the creation of a target with SSH credentials: http://seclists.org/openvas/2012/q4/167
How to use OMP?
In order to be able to use the omp binary, you will need to install the OpenVAS Command-Line Interface (openvas-cli) package.
The omp binary provides shortcut arguments for some of the most common tasks, but the best way to use the full capabilities of the XML-based OpenVAS Management Protocol (http://www.openvas.org/protocol-doc.html) is its --xml (or -X) switch, which sends whatever OMP request you feed it and prints the Manager's XML response.
For instance, if the user "username" with password "password" wants to interact with the OpenVAS Manager listening on port 9390 on localhost (127.0.0.1), the command is:
omp -u username -w password -h 127.0.0.1 -p 9390 --xml='<help/>'
Note that the -i switch prettifies the output. Note also that a password passed with -w is visible to other local users in the process list and ends up in the shell history; for unattended scripts, the connection settings (host, port, username, password) can be kept in the ~/.omp configuration file instead, which should be readable only by the user running the scans.
How to scan a host using OMP?
1. Choose which tests to perform
To scan a host, we need to choose a scan config, which tells OpenVAS which plugins and options to use. OpenVAS ships with four predefined configurations (Full and fast, Full and fast ultimate, Full and very deep, Full and very deep ultimate). They can be listed, with their IDs, using the omp shortcut for listing configs (see omp --help), or with a get_configs request in XML, which returns much more information about each configuration.
We will scan with the configuration named "Full and very deep ultimate" and will need to remember its ID: 74db13d6-7489-11df-91b9-002264764cea. Keep in mind that the "ultimate" configurations enable plugins that can disrupt or crash services on the target, so run them only against hosts where that is acceptable.
2. Provide information to identify the target host
The second thing we have to do is define the target host on which the scan will be performed. By default, only Localhost exists, as listing the targets shows (either with the omp shortcut for listing targets or with a get_targets request in XML).
Adding a target with a create_target request is straightforward: it only needs a name and the IP address of the host to scan.
If we also want OpenVAS to run local security checks, i.e. to log into the target over SSH and inspect it from the inside (installed packages, local configuration) rather than only probing its network services, we need to provide SSH credentials. Use a dedicated, least-privilege account for this: the credentials are stored by the OpenVAS Manager and reused on every authenticated scan.
a. The SSH credentials are created with a create_lsc_credential request, which carries (among other elements, such as the login name) the credential's name and the key pair, the private key being base64-encoded:
<name>Admin SSH key</name>
<private>Base64 encoded string</private>
<public>Plain text string</public>
b. The create_lsc_credential response already carries the new credential's ID in its id attribute. If it was not saved, it can be retrieved later by listing the credentials:
omp -w admin -iX "<get_lsc_credentials/>"
c. Finally, we reference these credentials, by ID, in the ssh_lsc_credential element of the create_target request when creating the target:
omp -w admin --xml='
<name>Target with SSH</name>
3. Create a task linking the target to the scan config
We now have a set of tests to run and a host to run them on. The only thing left before launching the scan is to bind both in a "task", which can then be run as many times as we want, for instance to follow how the host's security posture evolves over time.
A create_task request only needs a name, the ID of the config and the ID of the target, retrieved as explained previously, plus an optional comment:
<comment>Deep scan on Server 3</comment>
4. Start the scanning process
Finally, we can start the scan:
omp --xml='<start_task task_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>'
Note: the task can also be stopped or paused before it finishes:
omp --xml='<stop_task task_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>'
omp --xml='<pause_task task_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>'
The status of every task (Requested, Running, Done, Stopped, ...) is returned by the get_tasks request, which is also what a script should poll until the task is Done before fetching its report.
5. Get the reports for a task
a. Get the report’s ID
After each scan, a report is generated. We can retrieve the IDs of those reports using the command:
omp -iX '<get_tasks details="1"/>'
To get only the reports of a given task, knowing the task's ID, and avoid listing every task, we can add the task_id attribute:
omp -iX '<get_tasks task_id="77ba3c2e-ff61-44b7-86ed-f10d213008ee" details="1"/>'
b. Get the report’s format
The second thing you need to know is the ID of the format in which you want the report. The formats available in this version are text, XML, PDF and NBE.
The IDs of those formats are listed by the following command:
omp -iX '<get_report_formats/>'
The report is then fetched with get_reports, giving the report ID and the format ID. The response embeds the report in the report element, base64-encoded for every format other than XML, so decode it before saving it to a file:
omp -iX '<get_reports report_id="68d3bf25-591e-4be6-97af-1e66fd8924ab" format_id="c402cc3e-b531-11e1-9163-406186ea4fc5"/>'
Return status codes
Now, we just need proper error handling. As explained on this page (http://www.openvas.org/openvas-cr-28.html) in the section "Numerical response codes", every OMP response element carries a status attribute (with a human-readable status_text next to it) whose values mirror the HTTP response codes 200, 201, 202, 400, 401, 403, 404, 409, 500 and 503:
2xx = command successful (received, understood and accepted)
200 : Ok
201 : Ok, resource created
202 : Ok, request submitted
4xx = command could not be executed due to an error made by the client
400 : Syntax error
401 : Authenticate first
403 : Access to resource forbidden
404 : Resource missing
409 : Resource busy
5xx = command failed due to an error in the manager
500 : Internal error
503 : Service unavailable / Service temporarily down
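The whole procedure above (steps 2 to 5) chained into one script, with the status codes just listed checked after every request, as an added example; it is not code from the original post nor from the OpenVAS project. It assumes the omp client is installed, a Manager on 127.0.0.1:9390 with the admin/admin account (overridable through the OMP_* variables), the text report format ID quoted earlier, and that non-XML reports come back base64-encoded inside the report element. The target name "Server 3", the address 192.0.2.10, the omp-scan.sh file name and the OMP_RUN guard are illustrative. Creating the SSH credential is left to the create_lsc_credential request of step 2; pass the resulting credential ID as the fourth argument to get an authenticated scan.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 2 to 5 of the walkthrough
# chained into one script that drives OpenVAS through 'omp --xml' and checks
# the numeric status of every response before using it.
# Assumptions: the omp client (openvas-cli) is installed; the Manager listens
# on 127.0.0.1:9390 with user admin / password admin (override with OMP_*);
# TXT_FORMAT_ID is the text report format ID quoted in the post.
set -eu

OMP_HOST=${OMP_HOST:-127.0.0.1}
OMP_PORT=${OMP_PORT:-9390}
OMP_USER=${OMP_USER:-admin}
OMP_PASS=${OMP_PASS:-admin}
TXT_FORMAT_ID=${TXT_FORMAT_ID:-c402cc3e-b531-11e1-9163-406186ea4fc5}

# Send one OMP request to the Manager and print the raw XML response.
omp_xml() {
    omp -u "$OMP_USER" -w "$OMP_PASS" -h "$OMP_HOST" -p "$OMP_PORT" --xml="$1"
}

# Numeric status of a response: every *_response element carries status="NNN".
resp_status() {
    printf '%s' "$1" | grep -o 'status="[0-9]\{3\}"' | head -n 1 | tr -dc '0-9'
}

# Human-readable status_text of a response, for error messages.
resp_text() {
    printf '%s' "$1" | grep -o 'status_text="[^"]*"' | head -n 1 | cut -d'"' -f2
}

# id="..." of a create_*_response: the UUID of the resource just created.
resp_id() {
    printf '%s' "$1" | grep -o ' id="[^"]*"' | head -n 1 | cut -d'"' -f2
}

# <status> of the task in a get_tasks response (Requested, Running, Done, Stopped, ...).
task_status() {
    printf '%s' "$1" | grep -o '<status>[^<]*</status>' | head -n 1 | sed 's/<[^>]*>//g'
}

# Report IDs in a get_tasks ... details="1" response; last_report repeats one, hence sort -u.
report_ids() {
    printf '%s' "$1" | grep -o '<report id="[^"]*"' | cut -d'"' -f2 | sort -u
}

# 0 on a 2xx status; otherwise print the Manager's explanation and return 1 so that,
# under set -e, a failed step aborts the script instead of feeding garbage to the next.
check_ok() {
    code=$(resp_status "$1")
    case "$code" in
        2??) return 0 ;;
        *)   printf 'OMP error %s: %s\n' "${code:-none}" "$(resp_text "$1")" >&2
             return 1 ;;
    esac
}

# Create the target and the task, start it, wait for completion, save the TXT report.
# Arguments: target name, host to scan, scan config ID, optional SSH credential ID
# (from create_lsc_credential / get_lsc_credentials) for an authenticated scan.
# Name and host are inserted verbatim, so keep XML metacharacters (<, &) out of them.
run_scan() {
    target_name=$1; host=$2; config_id=$3; cred_id=${4:-}
    cred_xml=
    if [ -n "$cred_id" ]; then cred_xml="<ssh_lsc_credential id=\"$cred_id\"/>"; fi

    resp=$(omp_xml "<create_target><name>$target_name</name><hosts>$host</hosts>$cred_xml</create_target>")
    check_ok "$resp"; target_id=$(resp_id "$resp")

    resp=$(omp_xml "<create_task><name>Scan of $target_name</name><config id=\"$config_id\"/><target id=\"$target_id\"/></create_task>")
    check_ok "$resp"; task_id=$(resp_id "$resp")

    check_ok "$(omp_xml "<start_task task_id=\"$task_id\"/>")"
    while :; do
        resp=$(omp_xml "<get_tasks task_id=\"$task_id\" details=\"1\"/>"); check_ok "$resp"
        state=$(task_status "$resp")
        case "$state" in
            Done) break ;;
            Stopped|'Internal Error') echo "task $task_id ended in state $state" >&2; return 1 ;;
        esac
        sleep 30
    done

    report_id=$(report_ids "$resp" | tail -n 1)
    resp=$(omp_xml "<get_reports report_id=\"$report_id\" format_id=\"$TXT_FORMAT_ID\"/>")
    check_ok "$resp"
    # Assumption: formats other than XML are returned base64-encoded as the text of
    # the <report> element, so strip the surrounding XML and decode before saving.
    printf '%s' "$resp" | tr -d '\n' | sed 's/.*<report\( [^>]*\)*>//; s/<\/report>.*//' \
        | base64 -d > "report-$report_id.txt"
    echo "report saved to report-$report_id.txt"
}

# Only talks to a Manager when explicitly asked, e.g.
#   OMP_RUN=1 ./omp-scan.sh "Server 3" 192.0.2.10 74db13d6-7489-11df-91b9-002264764cea
if [ "${OMP_RUN:-0}" = 1 ]; then
    run_scan "$@"
fi
```

The parsing relies only on the fixed attributes OMP puts on every response (status, status_text, id) and on the task's status element, so it works on the raw single-line responses without the -i pretty-printing, and none of the IDs ever has to be copied by hand. Any non-2xx answer stops the script at the failing step with the Manager's own status_text, which is the behaviour you want from a job that runs unattended on a schedule.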
We have shown how to use OMP to automate vulnerability assessment of your servers. Now that scans can be scripted, run them more frequently, and do not forget to analyze the results!
Comments are always welcome! Thanks!