使用OpenVAS进行漏洞扫描
攻击机: Kali 192.168.205.128
靶机: Win2012 R2 192.168.205.130
注:Kali中安装OpenVAS可以参考:《Kali之——OpenVAS 8.0 Vulnerability Scanning》
在Metasploit中加载OpenVAS插件
为了将OpenVAS整合到Metasploit中,首先需要在Metasploit中加载OpenVAS插件。
msfconsole
load
load openvas
msf > load
load aggregator load db_credcollect load ips_filter load msfd load openvas load sample load sounds load token_hunter
load alias load db_tracker load komand load msgrpc load pcap_log load session_notifier load sqlmap load wiki
load auto_add_route load event_tester load lab load nessus load request load session_tagger load thread load wmap
load beholder load ffautoregen load libnotify load nexpose load rssfeed load socket_logger load token_adduser
msf > load openvas
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*]
[*] OpenVAS integration requires a database connection. Once the
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*]
[*] Successfully loaded plugin: OpenVAS
将Metasploit中的OpenVAS插件与OpenVAS软件本身连接
可以通过在命令openvas_connect后面添加用户凭证、服务器地址、端口号和SSL状态实现,如下命令所示:
openvas_connect admin admin localhost 9390 ok
msf > openvas_connect admin admin localhost 9390 ok
[*] Connecting to OpenVAS instance at localhost:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
创建工作区
查看帮助信息
workspace -h
msf > workspace -h
Usage:
workspace List workspaces
workspace -v List workspaces verbosely
workspace [name] Switch workspace
workspace -a [name] ... Add workspace(s)
workspace -d [name] ... Delete workspace(s)
workspace -D Delete all workspaces
workspace -r <old> <new> Rename workspace
workspace -h Show this help information
创建一个名为NetScan的工作区
workspace -a NetScan
msf > workspace -a NetScan
[*] Added workspace: NetScan
切换到NetScan工作区
workspace NetScan
msf > workspace NetScan
[*] Workspace: NetScan
创建目标
可以使用命令openvas_target_create来创建任意数量的目标。
openvas_target_create
openvas_target_create outer 192.168.205.130 Outer_Interface
msf > openvas_target_create
[*] Usage: openvas_target_create <name> <hosts> <comment>
msf >
msf > openvas_target_create outer 192.168.205.130 Outer_Interface
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 275520c1-9a9e-4e49-865a-cd22ca4f3c6f
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
275520c1-9a9e-4e49-865a-cd22ca4f3c6f outer 192.168.205.130 1 0 Outer_Interface
这里,我们创建了IP地址为192.168.205.130的目标,名字为outer,备注为Outer-Interface,我们需要记住这个目标的ID:275520c1-9a9e-4e49-865a-cd22ca4f3c6f
定义策略
可以使用openvas_config_list命令列出示例策略。
openvas_config_list
msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs
ID Name
-- ----
085569ce-73ed-11df-83c3-002264764cea empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5 Host Discovery
698f691e-7489-11df-9d8c-002264764cea Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea Full and very deep
74db13d6-7489-11df-91b9-002264764cea Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196 Discovery
bbca7412-a950-11e3-9109-406186ea4fc5 System Discovery
daba56c8-73ec-11df-a475-002264764cea Full and fast
这里,我们选择Full and fast策略,同样我们需要记住这个策略ID:daba56c8-73ec-11df-a475-002264764cea
创建扫描任务
这里我们使用的命令是openvas_task_create
首先,我们查看下目标列表
openvas_target_list
msf > openvas_target_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
275520c1-9a9e-4e49-865a-cd22ca4f3c6f outer 192.168.205.130 1 0 Outer_Interface
接着创建扫描任务
openvas_task_create
openvas_task_create Netscan ScanForVulns 策略id 目标id
msf > openvas_task_create
[*] Usage: openvas_task_create <name> <comment> <config_id> <target_id>
msf >
msf > openvas_task_create Netscan ScanForVulns daba56c8-73ec-11df-a475-002264764cea 275520c1-9a9e-4e49-865a-cd22ca4f3c6f
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] f1311593-6ffb-4eef-817f-3c0f1df521b7
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
f1311593-6ffb-4eef-817f-3c0f1df521b7 Netscan ScanForVulns New -1
这里的目标id就是第4步中创建的目标id,策略id就是第5步中创建的策略id
这里,我们也需要记下这个任务id:f1311593-6ffb-4eef-817f-3c0f1df521b7
开始扫描
openvas_task_start
openvas_task_start 任务id
msf > openvas_task_start
[*] Usage: openvas_task_start <id>
msf >
msf > openvas_task_start f1311593-6ffb-4eef-817f-3c0f1df521b7
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>cdfbf3e8-cf79-4f5e-a34d-6076457bd16b</report_id></start_task_response></X>
这里的任务id就是第6步中得出的任务id
查看任务进度
openvas_task_list
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
f1311593-6ffb-4eef-817f-3c0f1df521b7 Netscan ScanForVulns Running 94
msf > openvas_task_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
f1311593-6ffb-4eef-817f-3c0f1df521b7 Netscan ScanForVulns Done -1
列出扫描报告
openvas_report_list
msf > openvas_report_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of reports
ID Task Name Start Time Stop Time
-- --------- ---------- ---------
cdfbf3e8-cf79-4f5e-a34d-6076457bd16b Netscan 2019-01-20T09:39:11Z 2019-01-20T09:44:11Z
这些报告可以下载,如果需要导出报告,那么我们就要选择一个报告id
查看所有的格式ID
openvas_format_list
msf > openvas_format_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats
ID Name Extension Summary
-- ---- --------- -------
5057e5cc-b825-11e4-9d0e-28d24461215b Anonymous XML xml Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b Verinice ITG vna Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5 CPE csv Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5 HTML html Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5 ITG csv German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5 CSV Hosts csv CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5 ARF xml Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5 NBE nbe Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd Topology SVG svg Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5 TXT txt Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5 LaTeX tex LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5 XML xml Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15 Verinice ISM vna Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5 CSV Results csv CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5 PDF pdf Portable Document Format report.
将报告导入数据库
这里使用openvas_report_import命令后面加上报告ID和格式ID导入到数据库中。
openvas_report_import 报告id 格式id
msf > openvas_report_import cdfbf3e8-cf79-4f5e-a34d-6076457bd16b a994b278-1f62-11e1-96ac-406186ea4fc5
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] Importing report to database.
查看MSF中的漏洞数据库
将报告成功导入数据库之后,就可以使用vulns命令查看MSF中的漏洞数据库,如下所示:
msf > vulns
[*] Time: 2019-01-20 09:48:02 UTC Vuln: host=192.168.205.130 name=ICMP Timestamp Detection refs=CVE-1999-0524
通过浏览器访问
所有的漏洞都已经保存到了数据库中,我们还可以通过浏览器9392端口来登录Greenbone助手,对漏洞数量进行交替确认,并深入了解这些漏洞的细节。如下图所示:
写在最后
如果你觉得冰河写的还不错,请微信搜索并关注「 冰河技术 」微信公众号,跟冰河学习高并发、分布式、微服务、大数据、互联网和云原生技术,「 冰河技术 」微信公众号更新了大量技术专题,每一篇技术文章干货满满!不少读者已经通过阅读「 冰河技术 」微信公众号文章,吊打面试官,成功跳槽到大厂;也有不少读者实现了技术上的飞跃,成为公司的技术骨干!如果你也想像他们一样提升自己的能力,实现技术能力的飞跃,进大厂,升职加薪,那就关注「 冰河技术 」微信公众号吧,每天更新超硬核技术干货,让你对如何提升技术能力不再迷茫!
