Tracking down weak points in your intranet

The developers of Kali Linux [1] deliver a considerable number of tools for the task of identifying weak points in your network. Among these, Nmap [2] and OpenVAS [3] are the most important.

Nmap

Nmap provides basic information about the network, and it can check connected systems for weak points with scripts that are implemented by its scripting engine. The software comes with scripts for a wide variety of many well-known shortcomings. Entering the name of the script starts a test of the system. You will find these ready-to-use test routines in the subdirectory /usr/share/nmap/scripts/ . More than a hundred such scripts are located here that are capable of checking the internals of all services imaginable. The basic command invocation is:

$ nmap --script=Name Target-IP

Nmap also includes Lua, a widely known, platform-independent programming language. This language gives even less experienced users a capability for writing new scripts. Because Nmap does not put the scripts into subfolders, you should take a look at the /usr/share/nmap/scripts/script.db file. This file lists all of the tests in plain text that are integrated into Nmap and assigns the tests to categories. Examples of the headings for these categories include auth , broadcast , brute , discovery , dos , malware , and vuln (Figure 1).

Figure 1: The Nmap database comes with hundreds of ready-to-use scripts for many different applications.

You will find one or more category assignments behind the name of each script. Some of the script names make it obvious which service or server the routine will test. The method for arranging and naming scripts also makes it possible to manually select the application you want to test. Nmap accepts a placeholder when a script is called, which allows you to call all of the scripts relevant to a particular server with just one call. For example, to start all tests relevant to a Microsoft SQL database server, enter the following invocation at the prompt:

$ nmap --script="ms-sql-*" Target-IP

The routine then runs all scripts belonging to this service and outputs the results in a list view (Figure 2). If you want to look at more than one computer with all the scripts in a particular category, you enter the following command:

$ nmap --script=category1,category2,... Target IP

Remember that the testing routines can precipitate a crash of the targeted system. This is especially true for running a large number of tests. Therefore, you should schedule more burdensome tests when there is a reduced load on the network. Additionally, and to be on the safe side, you should make a backup of a target production system before beginning the tests.

Figure 2: As the scan shows, the Microsoft web server IIS checks out as not vulnerable to the WebDAV bug.

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is among the most important of the tools that are used to find weak points in individual computer systems and complete networks. The software offers around 35,000 routines for analyzing vulnerabilities. A plugin interface makes it possible to permanently expand the tests, and a feed service keeps the system constantly up to date. OpenVAS consists of several components and typically requires more effort to install and configure. Luckily, however, the version of the tool offered in Kali Linux is largely preconfigured. Consequently, any additional configuration efforts should be minimal.

All of the preconfigured OpenVAS routines are found in the startup program under Applications | Kali Linux | Vulnerability analysis | OpenVAS . The first step is to set up the tool. This is done by entering the command openvas-setup on the console to start initialization. Alternatively, you can call up the menu option openvas initial setup , which will also start the tool.

The comprehensive initialization takes several minutes even on powerful and up-to-date systems. Various downloads from the Internet will queue up during the process, for example, the most up-to-date versions of plugins. Therefore, OpenVAS is suitable for live use only under certain conditions. (See the "Heads Up" box.) When the first setup concludes, the routine will start the three OpenVAS components: OpenVAS Scanner , OpenVAS Manager , and the Greenbone Security Assistant .

It is important to regularly update the test routines at scheduled intervals. Otherwise, there might be weak points that get overlooked because of obsolete and incomplete test routines. Routine updates are started by entering the openvas-feed-update at the prompt. OpenVAS then executes an update of all feeds, making all of the relevant areas, and the SCAP and CERT feeds, up to date. After restarting, the software with its new routines is ready for use.

In the graphical interface, the feeds are updated via the openvas feed update option in the OpenVAS menu. To start a test, select the openvas check setup from the same submenu or type openvas-check-setup in the terminal. The routine tests all of the components for their presence and correct installation. If problems are detected, the tool generates a corresponding message and outputs it in the terminal.

OpenVAS is one of the few, large software packages in the area of IT security which, in the form of Greenbone Security Assistant, also has a graphical interface. Because the assistant contains a procedure for logging in to OpenVAS, before starting the assistant, you should first set up another administrator with operating rights for the tools together with a password:

$ openvasmd --create-user=user --role=Admin
$ openvasmd --user=user --new-password=password

Then, you should restart OpenVAS by entering openvas-stop and openvas-start .

Using the profile you have created, you next log in to the Greenbone Security Assistant. To activate the graphical interface for OpenVAS, you should start the web browser Iceweasel in Kali Linux and enter https://localhost:9392 in the address line. Iceweasel will then complain about an insecure certificate, but you should accept this anyway so you can log into the system. The security assistant greets you with an uncluttered interface, which in spite of its appearance, takes a little getting used to because some of the symbols will probably not look familiar (Figure 3).

Figure 3: At first, the start window for OpenVAS looks like it will take some getting used to. After working your way into it, however, OpenVAS ought to be very practical.