# 使用OpenVAS进行漏洞扫描

攻击机: Kali 192.168.205.128

靶机: Win2012 R2 192.168.205.130

注:Kali中安装OpenVAS可以参考:《Kali之——OpenVAS 8.0 Vulnerability Scanning (opens new window)

# 在Metasploit中加载OpenVAS插件

为了将OpenVAS整合到Metasploit中,首先需要在Metasploit中加载OpenVAS插件。

msfconsole
load
load openvas

msf > load 
load aggregator        load db_credcollect    load ips_filter        load msfd              load openvas           load sample            load sounds            load token_hunter      
load alias             load db_tracker        load komand            load msgrpc            load pcap_log          load session_notifier  load sqlmap            load wiki              
load auto_add_route    load event_tester      load lab               load nessus            load request           load session_tagger    load thread            load wmap              
load beholder          load ffautoregen       load libnotify         load nexpose           load rssfeed           load socket_logger     load token_adduser     
msf > load openvas 
[*] Welcome to OpenVAS integration by kost and averagesecurityguy.
[*] 
[*] OpenVAS integration requires a database connection. Once the 
[*] database is ready, connect to the OpenVAS server using openvas_connect.
[*] For additional commands use openvas_help.
[*] 
[*] Successfully loaded plugin: OpenVAS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

# 将Metasploit中的OpenVAS插件与OpenVAS软件本身连接

可以通过在命令openvas_connect后面添加用户凭证、服务器地址、端口号和SSL状态实现,如下命令所示:

openvas_connect admin admin localhost 9390 ok

msf > openvas_connect admin admin localhost 9390 ok
[*] Connecting to OpenVAS instance at localhost:9390 with username admin...
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS connection successful
1
2
3
4
5
6

# 创建工作区

# 查看帮助信息

workspace -h

msf > workspace -h
Usage:
    workspace                  List workspaces
    workspace -v               List workspaces verbosely
    workspace [name]           Switch workspace
    workspace -a [name] ...    Add workspace(s)
    workspace -d [name] ...    Delete workspace(s)
    workspace -D               Delete all workspaces
    workspace -r <old> <new>   Rename workspace
    workspace -h               Show this help information
1
2
3
4
5
6
7
8
9
10
11
12

# 创建一个名为NetScan的工作区

workspace -a NetScan

msf > workspace -a NetScan
[*] Added workspace: NetScan
1
2
3
4

# 切换到NetScan工作区

workspace NetScan

msf > workspace NetScan 
[*] Workspace: NetScan
1
2
3
4

# 创建目标

可以使用命令openvas_target_create来创建任意数量的目标。

openvas_target_create
openvas_target_create outer 192.168.205.130 Outer_Interface

msf > openvas_target_create 
[*] Usage: openvas_target_create <name> <hosts> <comment>
msf > 
msf > openvas_target_create outer 192.168.205.130 Outer_Interface
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] 275520c1-9a9e-4e49-865a-cd22ca4f3c6f
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name   Hosts            Max Hosts  In Use  Comment
--                                    ----   -----            ---------  ------  -------
275520c1-9a9e-4e49-865a-cd22ca4f3c6f  outer  192.168.205.130  1          0       Outer_Interface
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

这里,我们创建了IP地址为192.168.205.130的目标,名字为outer,备注为Outer-Interface,我们需要记住这个目标的ID:275520c1-9a9e-4e49-865a-cd22ca4f3c6f

# 定义策略

可以使用openvas_config_list命令列出示例策略。

openvas_config_list

msf > openvas_config_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of configs

ID                                    Name
--                                    ----
085569ce-73ed-11df-83c3-002264764cea  empty
2d3f051c-55ba-11e3-bf43-406186ea4fc5  Host Discovery
698f691e-7489-11df-9d8c-002264764cea  Full and fast ultimate
708f25c4-7489-11df-8094-002264764cea  Full and very deep
74db13d6-7489-11df-91b9-002264764cea  Full and very deep ultimate
8715c877-47a0-438d-98a3-27c7a6ab2196  Discovery
bbca7412-a950-11e3-9109-406186ea4fc5  System Discovery
daba56c8-73ec-11df-a475-002264764cea  Full and fast
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

这里,我们选择Full and fast策略,同样我们需要记住这个策略ID:daba56c8-73ec-11df-a475-002264764cea

# 创建扫描任务

这里我们使用的命令是openvas_task_create

首先,我们查看下目标列表

openvas_target_list

msf > openvas_target_list
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of targets

ID                                    Name   Hosts            Max Hosts  In Use  Comment
--                                    ----   -----            ---------  ------  -------
275520c1-9a9e-4e49-865a-cd22ca4f3c6f  outer  192.168.205.130  1          0       Outer_Interface
1
2
3
4
5
6
7
8
9

接着创建扫描任务

openvas_task_create
openvas_task_create Netscan ScanForVulns 策略id 目标id

msf > openvas_task_create 
[*] Usage: openvas_task_create <name> <comment> <config_id> <target_id>
msf > 
msf > openvas_task_create  Netscan ScanForVulns daba56c8-73ec-11df-a475-002264764cea 275520c1-9a9e-4e49-865a-cd22ca4f3c6f
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] f1311593-6ffb-4eef-817f-3c0f1df521b7
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name     Comment       Status  Progress
--                                    ----     -------       ------  --------
f1311593-6ffb-4eef-817f-3c0f1df521b7  Netscan  ScanForVulns  New     -1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

这里的目标id就是第4步中创建的目标id,策略id就是第5步中创建的策略id

这里,我们也需要记下这个任务id:f1311593-6ffb-4eef-817f-3c0f1df521b7

# 开始扫描

openvas_task_start
openvas_task_start 任务id

msf > openvas_task_start
[*] Usage: openvas_task_start <id>
msf > 
msf > openvas_task_start f1311593-6ffb-4eef-817f-3c0f1df521b7
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] <X><authenticate_response status='200' status_text='OK'><role>Admin</role><timezone>UTC</timezone><severity>nist</severity></authenticate_response><start_task_response status='202' status_text='OK, request submitted'><report_id>cdfbf3e8-cf79-4f5e-a34d-6076457bd16b</report_id></start_task_response></X>
1
2
3
4
5
6
7
8
9

这里的任务id就是第6步中得出的任务id

# 查看任务进度

openvas_task_list

msf > openvas_task_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name     Comment       Status   Progress
--                                    ----     -------       ------   --------
f1311593-6ffb-4eef-817f-3c0f1df521b7  Netscan  ScanForVulns  Running  94

msf > openvas_task_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of tasks

ID                                    Name     Comment       Status  Progress
--                                    ----     -------       ------  --------
f1311593-6ffb-4eef-817f-3c0f1df521b7  Netscan  ScanForVulns  Done    -1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

# 列出扫描报告

openvas_report_list

msf > openvas_report_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of reports

ID                                    Task Name  Start Time            Stop Time
--                                    ---------  ----------            ---------
cdfbf3e8-cf79-4f5e-a34d-6076457bd16b  Netscan    2019-01-20T09:39:11Z  2019-01-20T09:44:11Z
1
2
3
4
5
6
7
8
9
10

这些报告可以下载,如果需要导出报告,那么我们就要选择一个报告id

# 查看所有的格式ID

openvas_format_list

msf > openvas_format_list 
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[+] OpenVAS list of report formats

ID                                    Name           Extension  Summary
--                                    ----           ---------  -------
5057e5cc-b825-11e4-9d0e-28d24461215b  Anonymous XML  xml        Anonymous version of the raw XML report
50c9950a-f326-11e4-800c-28d24461215b  Verinice ITG   vna        Greenbone Verinice ITG Report, v1.0.1.
5ceff8ba-1f62-11e1-ab9f-406186ea4fc5  CPE            csv        Common Product Enumeration CSV table.
6c248850-1f62-11e1-b082-406186ea4fc5  HTML           html       Single page HTML report.
77bd6c4a-1f62-11e1-abf0-406186ea4fc5  ITG            csv        German "IT-Grundschutz-Kataloge" report.
9087b18c-626c-11e3-8892-406186ea4fc5  CSV Hosts      csv        CSV host summary.
910200ca-dc05-11e1-954f-406186ea4fc5  ARF            xml        Asset Reporting Format v1.0.0.
9ca6fe72-1f62-11e1-9e7c-406186ea4fc5  NBE            nbe        Legacy OpenVAS report.
9e5e5deb-879e-4ecc-8be6-a71cd0875cdd  Topology SVG   svg        Network topology SVG image.
a3810a62-1f62-11e1-9219-406186ea4fc5  TXT            txt        Plain text report.
a684c02c-b531-11e1-bdc2-406186ea4fc5  LaTeX          tex        LaTeX source file.
a994b278-1f62-11e1-96ac-406186ea4fc5  XML            xml        Raw XML report.
c15ad349-bd8d-457a-880a-c7056532ee15  Verinice ISM   vna        Greenbone Verinice ISM Report, v3.0.0.
c1645568-627a-11e3-a660-406186ea4fc5  CSV Results    csv        CSV result list.
c402cc3e-b531-11e1-9163-406186ea4fc5  PDF            pdf        Portable Document Format report.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

# 将报告导入数据库

这里使用openvas_report_import命令后面加上报告ID和格式ID导入到数据库中。

openvas_report_import 报告id 格式id

msf > openvas_report_import cdfbf3e8-cf79-4f5e-a34d-6076457bd16b a994b278-1f62-11e1-96ac-406186ea4fc5
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
/usr/share/metasploit-framework/vendor/bundle/ruby/2.5.0/gems/openvas-omp-0.0.4/lib/openvas-omp.rb:201: warning: Object#timeout is deprecated, use Timeout.timeout instead.
[*] Importing report to database.
1
2
3
4
5
6

# 查看MSF中的漏洞数据库

将报告成功导入数据库之后,就可以使用vulns命令查看MSF中的漏洞数据库,如下所示:

msf > vulns
[*] Time: 2019-01-20 09:48:02 UTC Vuln: host=192.168.205.130 name=ICMP Timestamp Detection refs=CVE-1999-0524 
1
2

# 通过浏览器访问

所有的漏洞都已经保存到了数据库中,我们还可以通过浏览器9392端口来登录Greenbone助手,对漏洞数量进行交替确认,并深入了解这些漏洞的细节。如下图所示:

img

# 写在最后

如果你觉得冰河写的还不错,请微信搜索并关注「 冰河技术 」微信公众号,跟冰河学习高并发、分布式、微服务、大数据、互联网和云原生技术,「 冰河技术 」微信公众号更新了大量技术专题,每一篇技术文章干货满满!不少读者已经通过阅读「 冰河技术 」微信公众号文章,吊打面试官,成功跳槽到大厂;也有不少读者实现了技术上的飞跃,成为公司的技术骨干!如果你也想像他们一样提升自己的能力,实现技术能力的飞跃,进大厂,升职加薪,那就关注「 冰河技术 」微信公众号吧,每天更新超硬核技术干货,让你对如何提升技术能力不再迷茫!