Automation of Vulnerability Assessments with OpenVAS

To scan a host using OpenVAS, you will have to go through a configuration phase that can be done in two different ways, depending on your specific need:

  • Using the Greenbone web interface
  • Using the OpenVAS Management Protocol (OMP)

OMP for automation

Once you have to handle a large number of machines and scans, a graphical interface is no longer sufficient. The best way to automate the configuration process is to use OMP.

OMP is also useful if you don’t have access to a graphical environment. Another benefit of using OMP instead of the Greenbone interface is that the latter has a bug in version 5.0.3 (fixed in version 5.0.4) which prevents the creation of a target with SSH credentials: http://seclists.org/openvas/2012/q4/167

How to use OMP?

In order to be able to use the omp binary, you will need to install the OpenVAS Command-Line Interface (openvas-cli) package.

The omp binary provides shortcut arguments for some of the most common tasks, but the best way to exploit the full capabilities of the XML-based OpenVAS Management Protocol (http://www.openvas.org/protocol-doc.html) is to use its --xml switch and feed it XML requests.

For instance, if the user “username” with password “password” wants to interact with the OpenVAS Manager listening on port 9390 on localhost (127.0.0.1), they will need to use a command such as:
omp -u username -w password -h 127.0.0.1 -p 9390 --xml='<help/>'

Note that using the -i switch will prettify the output.

How to scan a host using OMP?

1. Choose which tests to perform

To scan a host, we need to choose a scan config, which will tell OpenVAS which plugins and options to use. OpenVAS comes with 4 different configurations as we can see using the command:
omp -g

or, using XML to get much more information about the configuration:
omp --xml='<get_configs/>'

We will do a scan with the configuration named “Full and very deep ultimate”. We will need to remember its ID: 74db13d6-7489-11df-91b9-002264764cea

2. Provide information to identify the target host

The second thing we will have to do is set up the target host on which we will perform the scan. By default, only Localhost is available, as we can see using either command:
omp -T
omp --xml='<get_targets/>'

Adding a target is very straightforward. We only need a name and the IP of the host to scan:

omp --xml='
<create_target>
<name>Target Name</name>
<hosts>172.16.83.130</hosts>
</create_target>'

If we want to run more intrusive tests, we will need to provide SSH credentials to log into the target and perform scans from the inside.

a. The SSH credentials are created using the following command:

omp --xml='
<create_lsc_credential>
<name>Admin SSH key</name>
<login>username</login>
<key>
<private>Base64 encoded string</private>
<public>Plain text string</public>
</key>
</create_lsc_credential>'

b. Then, we need to retrieve the ID of the credentials we created, using:

omp -w admin -iX "<get_lsc_credentials/>"

c. Finally, we need to provide these credentials during the target’s creation:

omp -w admin --xml='
<create_target>
<name>Target with SSH</name>
<hosts>50.19.25.99</hosts>
<ssh_lsc_credential id="1d2b4d39-1041-4953-819e-0de8d93c654c">
<port>22</port>
</ssh_lsc_credential>
</create_target>'

3. Create a task linking the target to the scan config

We now have a set of tests to run and a host on which to run them. The only thing left before launching the scan is to bind both in a “task” that can then be run as many times as we want in order, for instance, to follow the evolution of the host’s level of security over time.

We only need the ID of the config and the ID of the target, retrieved as explained previously.

omp --xml='
<create_task>
<name>Daily scan</name>
<comment>Deep scan on Server 3</comment>
<config id="74db13d6-7489-11df-91b9-002264764cea"/>
<target id="637416ea-1007-464b-8869-efa571a7b52a"/>
</create_task>'

4. Start the scanning process

Finally, we can start the scan:
omp --xml='<start_task task_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>'

Note: this task can also be paused and stopped before it is finished:
omp --xml='<stop_task task_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>'
omp --xml='<pause_task task_id="267a3405-e84a-47da-97b2-5fa0d2e8995e"/>'

The status of the different tasks can be seen using the command:
omp -G

5. Get the reports for a task

a. Get the report’s ID

After each scan, a report is generated. We can retrieve the IDs of those reports using the command:
omp -iX '<get_tasks details="1"/>'

To get the IDs of the different reports generated for a given task, knowing the task’s ID, and avoid listing all the tasks, we can specify the “task_id” option:
omp -iX '<get_tasks task_id="77ba3c2e-ff61-44b7-86ed-f10d213008ee" details="1"/>'

b. Get the report’s format

The second thing you will need to know is the ID of the format in which you want to get the report. The formats available at the moment are text, XML, PDF and NBE.

To know the IDs of those formats, the following command will do the trick:
omp -iX '<get_report_formats/>'

Once you have both the report ID and the format ID, retrieve the report with:
omp -iX '<get_reports report_id="68d3bf25-591e-4be6-97af-1e66fd8924ab" format_id="c402cc3e-b531-11e1-9163-406186ea4fc5"/>'

Return status codes

Now, we just need to do proper error handling. As explained on this page (http://www.openvas.org/openvas-cr-28.html) in the section “Numerical response codes”, OMP uses return codes very similar to the HTTP response codes 200, 201, 202, 400, 401, 403, 404, 409, 500 and 503:

2xx = command successful (received, understood and accepted)
    200 : Ok
    201 : Ok, resource created
    202 : Ok, request submitted
4xx = command could not be executed due to an error made by the client
    400 : Syntax error
    401 : Authenticate first
    403 : Access to resource forbidden
    404 : Resource missing
    409 : Resource busy
5xx = command failed due to an error in the manager
    500 : Internal error
    503 : Service unavailable / Service temporarily down
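
The sketch below is an added example, not code from the original post: it chains steps 2 to 4 through the omp binary and stops at the first response whose status is not 2xx. It assumes each response's root element carries the status, status_text and id attributes; the names OMP_BASE, OMPError, check_response, build_request, run_omp and scan are introduced here for illustration.

```python
import subprocess
import xml.etree.ElementTree as ET

# Connection arguments as used in the article; replace with your own values.
OMP_BASE = ["omp", "-u", "username", "-w", "password", "-h", "127.0.0.1", "-p", "9390"]

class OMPError(Exception):
    """The manager answered with a non-2xx status."""
    def __init__(self, status, text):
        super().__init__(f"OMP {status}: {text}")
        self.status = status
        # 4xx: the request is wrong, retrying is pointless; 5xx: manager-side failure.
        self.client_fault = 400 <= status < 500

def check_response(xml_text):
    """Parse one OMP response; return its root element or raise OMPError."""
    root = ET.fromstring(xml_text)
    status = int(root.get("status", "500"))  # assumption: a missing status counts as a failure
    if not 200 <= status < 300:
        raise OMPError(status, root.get("status_text", ""))
    return root

def build_request(command, attrs=None, **children):
    """Build the request with ElementTree so that names and hosts are XML-escaped."""
    req = ET.Element(command, attrs or {})
    for tag, value in children.items():
        if isinstance(value, dict):          # {"id": ...} becomes <tag id="..."/>
            ET.SubElement(req, tag, value)
        else:
            ET.SubElement(req, tag).text = value
    return ET.tostring(req, encoding="unicode")

def run_omp(request):
    """Send one request through the omp binary and return its raw output."""
    return subprocess.run(OMP_BASE + ["--xml=" + request],
                          capture_output=True, text=True).stdout

def scan(host, config_id, send=run_omp):
    """Steps 2 to 4: create the target, create the task, start it; return the task ID."""
    target = check_response(send(build_request(
        "create_target", name="Target " + host, hosts=host)))
    task = check_response(send(build_request(
        "create_task", name="Scan " + host,
        config={"id": config_id}, target={"id": target.get("id")})))
    check_response(send(build_request("start_task", {"task_id": task.get("id")})))
    return task.get("id")
```

Calling scan("172.16.83.130", "74db13d6-7489-11df-91b9-002264764cea") returns the ID of the started task; an empty or non-XML output from omp surfaces as a ParseError from check_response.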

Conclusion

We’ve shown how to use OMP to automate vulnerability assessments on your servers. Now you can run scans more frequently, and do not forget to analyze the results!

Comments are always welcome! Thanks!

François

7 thoughts on “Automation of Vulnerability Assessments with OpenVAS”

  1. I was excited to uncover this site. I wanted to thank you for one’s time for this fantastic read!! I definitely really liked every bit of it and I also have you book-marked to check out new information on your website.

  2. Question from a new user.
    How do you supply a confirmation from the client in a script?

    I am trying to delete an agent in my script, the OpenVAS documentation states that the client will be asked for confirmation, but does not explain how to supply this confirmation. I assume that is what is going wrong here:
    omp -u admin -w xxxx --xml="
    Failed to read response.
