Tracking down weak points in your intranet

The developers of Kali Linux [1] deliver a considerable number of tools for the task of identifying weak points in your network. Among these, Nmap [2] and OpenVAS [3] are the most important.

Nmap

Nmap provides basic information about the network, and it can check connected systems for weak points with scripts run by its scripting engine. The software comes with scripts for a wide variety of well-known shortcomings. Entering the name of a script starts a test of the system. You will find these ready-to-use test routines in the subdirectory /usr/share/nmap/scripts/. More than a hundred such scripts are located here, capable of checking the internals of all services imaginable. The basic command invocation is:

$ nmap --script=Name Target-IP

Nmap also includes Lua, a widely known, platform-independent programming language. This language gives even less experienced users a way to write new scripts. Because Nmap does not put the scripts into subfolders, you should take a look at the /usr/share/nmap/scripts/script.db file. This file lists, in plain text, all of the tests that are integrated into Nmap and assigns them to categories. Examples of the headings for these categories include auth, broadcast, brute, discovery, dos, malware, and vuln (Figure 1).

Figure 1: The Nmap database comes with hundreds of ready-to-use scripts for many different applications.

You will find one or more category assignments behind the name of each script. Some of the script names make it obvious which service or server the routine will test. The method for arranging and naming scripts also makes it possible to manually select the application you want to test. Nmap accepts a placeholder when a script is called, which allows you to call all of the scripts relevant to a particular server with just one call. For example, to start all tests relevant to a Microsoft SQL database server, enter the following invocation at the prompt:

$ nmap --script="ms-sql-*" Target-IP

The routine then runs all scripts belonging to this service and outputs the results in a list view (Figure 2). If you want to look at more than one computer with all the scripts in a particular category, you enter the following command:

$ nmap --script=category1,category2,... Target-IP

Remember that the testing routines can precipitate a crash of the targeted system. This is especially true for running a large number of tests. Therefore, you should schedule more burdensome tests when there is a reduced load on the network. Additionally, and to be on the safe side, you should make a backup of a target production system before beginning the tests.
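The following added example (not part of the original article) parses entries in the script.db format and resolves a --script selection such as "ms-sql-*" or a category list, then separates out the scripts worth scheduling for a low-load window. The sample entries are constructed, the set of categories treated as risky is an assumption, and the selection logic is a simplified model of Nmap's own (names, wildcards, and categories only).

```python
import fnmatch
import re

# Constructed sample in the format of /usr/share/nmap/scripts/script.db;
# the category assignments are illustrative, read your own file for real ones.
SAMPLE_DB = '''\
Entry { filename = "http-iis-webdav-vuln.nse", categories = { "intrusive", "vuln", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "ms-sql-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "ms-sql-info.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
'''

ENTRY_RE = re.compile(
    r'Entry\s*\{\s*filename\s*=\s*"([^"]+)\.nse"\s*,\s*categories\s*=\s*\{([^}]*)\}')

# Assumption: categories that warrant an off-peak window on production hosts.
RISKY = {"brute", "dos", "intrusive"}

def parse_script_db(text):
    """Return {script_name: set(categories)} parsed from script.db text."""
    scripts = {}
    for name, cats in ENTRY_RE.findall(text):
        scripts[name] = set(re.findall(r'"([^"]+)"', cats))
    return scripts

def select(scripts, spec):
    """Resolve a comma-separated list of script names, wildcards, or categories."""
    chosen = set()
    for term in (t.strip() for t in spec.split(",")):
        for name, cats in scripts.items():
            if term in cats or fnmatch.fnmatchcase(name, term):
                chosen.add(name)
    return sorted(chosen)

def plan(scripts, spec):
    """Split the selection into (run_now, schedule_for_low_load)."""
    picked = select(scripts, spec)
    later = [n for n in picked if scripts[n] & RISKY]
    return [n for n in picked if n not in later], later

if __name__ == "__main__":
    db = parse_script_db(SAMPLE_DB)
    for spec in ("ms-sql-*", "vuln,dos"):
        now, later = plan(db, spec)
        print(f"--script={spec!r}: run now {now}; off-peak {later}")
```

To use it against a real installation, pass the contents of /usr/share/nmap/scripts/script.db to parse_script_db() instead of SAMPLE_DB.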

Figure 2: As the scan shows, the Microsoft web server IIS checks out as not vulnerable to the WebDAV bug.

OpenVAS

The Open Vulnerability Assessment System (OpenVAS) is among the most important of the tools that are used to find weak points in individual computer systems and complete networks. The software offers around 35,000 routines for analyzing vulnerabilities. A plugin interface makes it possible to permanently expand the tests, and a feed service keeps the system constantly up to date. OpenVAS consists of several components and typically requires more effort to install and configure. Luckily, however, the version of the tool offered in Kali Linux is largely preconfigured. Consequently, any additional configuration efforts should be minimal.

All of the preconfigured OpenVAS routines are found in the startup program under Applications | Kali Linux | Vulnerability analysis | OpenVAS. The first step is to set up the tool. This is done by entering the command openvas-setup on the console to start initialization. Alternatively, you can call up the menu option openvas initial setup, which will also start the tool.

The comprehensive initialization takes several minutes even on powerful and up-to-date systems. Various downloads from the Internet will queue up during the process, for example, the most up-to-date versions of plugins. Therefore, OpenVAS is suitable for live use only under certain conditions. (See the "Heads Up" box.) When the first setup concludes, the routine will start the three OpenVAS components: OpenVAS Scanner, OpenVAS Manager, and the Greenbone Security Assistant.

Heads Up

When running, Kali Linux reserves half the available working memory as a virtual hard drive. If this space is less than 4GB, there will not be enough room for the OpenVAS download. This means the setup gets interrupted and the system, which has been filled to capacity, cannot be used until the next boot.

It is important to update the test routines regularly at scheduled intervals. Otherwise, weak points might be overlooked because of obsolete and incomplete test routines. Routine updates are started by entering openvas-feed-update at the prompt. OpenVAS then updates all feeds, bringing all of the relevant areas, as well as the SCAP and CERT feeds, up to date. After restarting, the software with its new routines is ready for use.

In the graphical interface, the feeds are updated via the openvas feed update option in the OpenVAS menu. To test the installation, select openvas check setup from the same submenu or type openvas-check-setup in the terminal. The routine tests all of the components for their presence and correct installation. If problems are detected, the tool generates a corresponding message and outputs it in the terminal.

OpenVAS is one of the few large software packages in the area of IT security that, in the form of Greenbone Security Assistant, also has a graphical interface. Because the assistant requires you to log in to OpenVAS, you should first set up another administrator with operating rights for the tools, together with a password, before starting the assistant:

$ openvasmd --create-user=user --role=Admin
$ openvasmd --user=user --new-password=password

Then, you should restart OpenVAS by entering openvas-stop and openvas-start.

Using the profile you have created, you next log in to the Greenbone Security Assistant. To activate the graphical interface for OpenVAS, you should start the web browser Iceweasel in Kali Linux and enter https://localhost:9392 in the address line. Iceweasel will then complain about an insecure certificate, but you should accept this anyway so you can log into the system. The security assistant greets you with an uncluttered interface, which, in spite of its appearance, takes a little getting used to because some of the symbols will probably not look familiar (Figure 3).

Figure 3: At first, the start window for OpenVAS looks like it will take some getting used to. After working your way into it, however, OpenVAS ought to be very practical.

Tasks and Targets

To use the software in a meaningful way, your first step should be to identify tasks and targets. A target can consist of a single computer system, or it can be made up of a complete LAN. If you don't make special requests for the security analysis, then you should simply enter the IP address of the target system or network address on the input line of the start window. The scan begins with a click on Start Scan.

To define separate tasks, you will need to designate target systems. This is done by selecting the entry Configuration | Targets in the menu line in the top part of the OpenVAS window. Some symbols will then appear in the center of the upper part of the window. One of these will be a blue star symbol, which when clicked, opens a dialog for you to enter detailed information about the target of your investigation. The software accepts both single IP and network addresses and also multiple IP addresses when these are entered into the Hosts field and separated by commas. In the Port List option, you should select which ports the software is supposed to scan. OpenVAS has all of the customary scenarios covered here. Additionally, you should enter the protocols in the Alive Test field that the tool should incorporate during a scan.

After completing the selection, you should save the target settings by clicking on the Create Target button at the lower right of the window. The next step is to define a task and the target where OpenVAS should carry out the task. Do this by opening the option dialog via Scan Management | Tasks and clicking again on the blue star. Next, you should set the intensity in the Scan Config field that OpenVAS should use to scan the target system. In the Scan Targets field, select one of the default or newly defined targets. A final click on Create Task saves the newly set up task (Figure 4).

Figure 4: You can generate a scan configuration tailored to your purposes with just a few mouse clicks.

To start a scan, go to the Actions column of the Scan Management | Tasks submenu. In the far right of the window, you will see that each line contains various symbols. One of these is an arrow set against a green background. Clicking on this arrow starts a scan. Clicking on Scan Management | Reports while the individual routines are running gives you first results. OpenVAS lists the results of the scan in a table arranged according to the corresponding routine. Weak points are tagged clearly with a colored bar in the Severity column (Figure 5). Note that this scan takes significant time for larger networks that require numerous scan routines. This places a definite load on the resources of the target systems. Therefore, you must avoid performing any work whatsoever on the relevant computer systems during a scan.

Figure 5: The highly informative Scan-Report in OpenVAS reveals some weak points in Microsoft Windows.

Fixing Weak Points

A yellow or red bar in the Severity column of single test routines indicates that there are significant weak points in the affected computer and that they need to be fixed. OpenVAS offers additional support here by both explaining the specific reason for a weak point it has identified and suggesting possible solutions.

To get the details of problematic configuration settings on the target system, go to the Scan Management | Reports menu and click on the list you want. A list window will open containing a Vulnerability column. This column contains scan results highlighted in red or yellow. Clicking on a scan result opens a detailed view that contains excellent information about the weak point identified and, in the Solution area, a detailed recommendation for a solution (Figure 6).

Figure 6: The software uncovers weak points and also directly recommends suitable solutions for fixing them.

Scheduled Dates and Reports

The configuration of particular systems within a larger network changes frequently. In these situations, it is a good idea to apply OpenVAS automatically at controlled intervals to quickly identify weak points. To set up automatic application, you will need to first set up a schedule in the Configuration | Schedules menu. This can be used to schedule regular and automatic scans, even for periods as long as several months. Then, you should link the schedule with a task by activating the corresponding schedule in the selection field Schedule (optional) for tasks. OpenVAS will then execute the next scan at the time you have designated. It is a very good idea to document security scans, especially when you are dealing with larger installations.

OpenVAS makes documentation easy by letting you save reports in a large number of formats. You will need to click on the selection field in the upper middle of the Report menu and select the desired file format. Then, you should click on the green arrow to the right of the selection field and save the document. The software saves a highly detailed version of the report in which all of the test routines and their results are individually presented. This means that one report for the scan of a single workstation can be almost 30 pages long when saved in PDF format (Figure 7).

Figure 7: Because of the high quality of information contained in OpenVAS reports, the analysis for the scan of a single computer can be nearly 30 pages long.

Conclusion

Especially because of OpenVAS, Kali Linux delivers an extremely powerful tool for finding and fixing weak points of all kinds in an intranet. The tool is well suited for the beginner, because it works automatically and is largely self-explanatory. The developers have succeeded in preconfiguring OpenVAS in such a way that very few manual steps are necessary. In short, this tool comes practically ready to use and significantly improves network security.