DISCLAIMER - I'm not responsible if you break stuff. Read at your own risk.
I had a lot of "fun" the other day with OpenVAS.
If you're not aware, OpenVAS is a free, open source vulnerability scanning tool.
You may be familiar with commercial scanners (Qualys, Nessus, Retina, Nexpose...)
OpenVAS comes on Kali, and you can get the appliance and/or enterprise support from Greenbone. You can also install from the source code, or from packages for Linux flavors (Kali, Ubuntu, RHEL/Centos/Fedora).
I have also noticed that while the Greenbone appliance is very well documented, installing from the packages is not quite so. OpenVAS 9 was released earlier this year, so the documentation for Greenbone's 4.0 version of the appliance is still in "draft".
I needed LDAP support for centralized authentication & the community Greenbone appliance was not compiled with LDAP support (obviously, an enterprise would want that support, right? Which means pay for the enterprise appliance! I see what they did there).
Anyhoo.
I decided to install OpenVAS 9 on CentOS 7.
Hooking into LDAP and getting my domain certs in the appliance web application was a doozy. I mean, it took a couple days, but still. The appliance documentation makes it look easy, when the package installation is a bit different (did I mention it's like the wild west on the lack of documentation?).
Note: I'm using an Active Directory CA.
I followed this guide for my install. No problems.
1. Set up LDAP configuration in OpenVAS
Configure LDAP settings: Under administration, go to LDAP.
Under host, ensure you type the common name of your CA in the hostname. If it doesn't match Openvas won't communicate with LDAP!! When you view /var/log/openvas/openvasmd.log, it will NOT tell you this! You will see a bunch of "couldn't contact the LDAP server" errors. (which you can test that with openldap's ldapsearch, to determine this is literally just an openvas problem). Follow the Greenbone guides for the other fields... I used %s@domain for user accounts.
Pull the CA certificate (base 64) from your local domain https://adserver/certsrv
Upload the cert to the LDAP settings. It will register and you should see your info populate.
2. Create users
and make sure you click the checkbox for LDAP.
Now, for the SSL certs......... This is super simple with the appliance! but without it --- eeeee_eee. I couldn't find much on documentation at all. And that's why you get this lovely blog.
It comes with self-signed certs with the install, but I wanted a trusted cert for my domain.
1. Create your certs
openvas has a command called openvas-mkcert, which as it turns out is depreciated in v9.
openvas-manage-certs, is the new command. Buuut I figured it was easier to do it with openssl.
I used openssl, but in order to add subjectAltNames I had to modify openssl.cnf
nano /etc/pki/tls/openssl.cnf
under the [req] header,
uncomment
#req_extensions = v3_req
and then added the following on the line below the [v3_req] header
subjectAltName=IP:10.0.0.3,DNS:openvas.domain
You do not need to include the port, for openvas its like 9392 or something. but not necessary in the cert. (in case you were wondering).
Get private key:
openssl genrsa -out private.key
Once you have the private key, generate your CSR.
openssl req -new -key private.key -out server.csr
Copypasta the .csr (cat it) and then paste it into the create request field of your CA, and make sure you select web server cert!
Now download the base64 encoded certificate. It will be something like, yournewcert.cer
You can copypasta back to your putty window, scp, whatever.
Now you have your private AND public keys! yay! HTTPS might happen without Chrome bitching about it... eh not so fast.
I just took for granted that something like this would be running on an open source web platform, like nginx or httpd (apache). I was surprised to find out that it wasn't. I couldn't put my certs in those places. I did a little digging. I found out that the webserver is hardcoded in the openvas application (I creeped on some source code from greenbone's website). I noticed here that libmicrohttpd was listed as a "prerequisite". It was like verification that all my worst fears came to life.
LOL, maybe I'm exaggerating. Anyway, I went to check out this libicrohttpd to see more about how terrible this was going to be, and how to get HTTPS working with it. From what I read, you had to point the source code to the certificates. So, somewhere in openvas, the self signed certificates had a specific location and a specific name to be referenced by the code. For hints about the name, I recalled the greenbone instructions for certs, which state they use base64 encoded .pem files.
Since this is linux, I just did a find command to see where the .pem files lived on this machine.
find / -name *pem
which turned up with:
/var/lib/openvas/CA/servercert.pem
/var/lib/openvas/private/CA/serverkey.pem
Then, I was like DUH. /var/lib/openvas. microhttpd is a library in C, which uses a hardcoded path to certs. it makes sense they put them here.
2. Move your Certs to the right places!
So, you want to move the current servercert.pem & serverkey.pem.
mv /var/lib/openvas/CA/servercert.pem /var/lib/openvas/CA/servercert.pem.old
mv /var/lib/openvas/private/CA/serverkey.pem /var/lib/openvas/private/CA/serverkey.pem.old
and then copy the newly created certs to the old location, with the SAME name as the ones that just moved. I copied them just to make sure I had the originals if I messed up typing somewhere. You can mv these, if you want. I just rm'd them after I verified everything was working.
cp /path/to/the/server.cer /var/lib/openvas/CA/servercert.pem
cp /path/to/the/private.key /var/lib/openvas/private/CA/serverkey.pem
3. Reboot!
shutdown -r
and then wait for it to come back up with your shiny new, trusted certs. (:
Something you may also want to check is permissions on your directories with your keys. - Make sure they're not world-readable/writable.
annd that's it. Not so bad when you're not digging for answers. hahaha
-m.
Wednesday, November 15, 2017
Thursday, October 26, 2017
Hey Everyone,
This is turning into an annual blog, it seems. Sorry about that.
I started an LLC earlier this year with intentions to aim towards mobile app & web development and security consulting... I don't have the website up yet, unfortunately. Too busy with other things.
The LLC process is fairly painless in my state, about 52$ and 15 minutes later, I had an EIN & LLC. I then got a business bank account with checking and a credit card. If you've ever thought about it, just take the plunge and got for it. Tax write-offs for company related items (hardware, training, etc) will help you get everything you need together to start earning money.
I got my CISSP last week and I recently had the opportunity to attend the CompTIA workshop for their new certification, Pentester+. Look to those objectives being published within the next two weeks! The event was great, the staff was great, and the opportunity was once in a lifetime. If you get the chance to be one of their SME's definitely do it.
I am currently working on setting up my "laboratory" (for my LLC) in my office. I purchased two 34" curved monitors and a refurbished Dell R610. I'm going to need some more hard drives and RAM for it, eventually. I went through quite a bit of troubleshooting to enable a setting in the BIOS that allowed me to boot from the DVD drive (it was not blatantly obvious, like most things in IT). I'm going to get Ubuntu running on it with DevStack to have my own personal cloud (I really just need a Lakitu sticker for it now). With that there will be some solid lab setups for sharpening my offensive security as well as dev skills. (My initial attempt to install it, I forgot to configure the RAID controller, first derp... and I also have an ugly, long Cat5e ran across the length of my house to the router)
I'll blog about these adventures, someone might find them helpful... don't worry (:
I've also spent some time tinkering in AWS, so good so far. I've gotten some Udemy training for AWS from "A Cloud Guru" and it's one of the best online trainings I've ran into by far.
I've been spending a lot of time at the Midwest Cyber Center (a really, really amazing non-profit), as a technical mentor, helping them prepare students for the Cyber Patriot program. As well as I went to the Microsoft "Digi-Girls" event, which encourages middle and high school girls to get involved with STEM fields. I told a girl she could get paid to find security flaws in websites and programs, and she was SO excited. Made my day. I also talked to some who were going to the event to get out of class, and had no real interest in STEM careers. They asked me how much I paid for my half sleeve tattoo, and I told them it was probably around $1200. They flipped out, and I told them if they had a STEM job, they too could spend lots of money on tattoos. I think I got their attention. Job well done, it seems.
I also started writing a presentation on buffer overflows (stack & heap) with an accompanying lab... When I have time, I'll touch it up and post it here for everyone.
I also read about the recent Blueborne attack vector & Corresponding exploits. Armis Labs has created one of the most well-written white papers I have ever seen. They color coded lines of code and wrote easy to understand explanation and details. The TLDR version is that there was a lack of input validation on the header files in the C programming language, affecting the implementation of bluetooth across all devices that shared the library. The scariest part, was that this vulnerability occurred during the handshake process (before you paired your device), and allowed for a buffer overflow which was leveraged for remote code execution. They took the moral high ground and disclosed it to vendors, allowing them time to patch before it was publicized.
Aside from IT things, I'll be attending Ford's Adrenaline Academy for their Ford Focus RS rally school soon.
Sorry, the last two posts have been rants of little to no real technical value. Just busy.
This is turning into an annual blog, it seems. Sorry about that.
I started an LLC earlier this year with intentions to aim towards mobile app & web development and security consulting... I don't have the website up yet, unfortunately. Too busy with other things.
The LLC process is fairly painless in my state, about 52$ and 15 minutes later, I had an EIN & LLC. I then got a business bank account with checking and a credit card. If you've ever thought about it, just take the plunge and got for it. Tax write-offs for company related items (hardware, training, etc) will help you get everything you need together to start earning money.
I got my CISSP last week and I recently had the opportunity to attend the CompTIA workshop for their new certification, Pentester+. Look to those objectives being published within the next two weeks! The event was great, the staff was great, and the opportunity was once in a lifetime. If you get the chance to be one of their SME's definitely do it.
I am currently working on setting up my "laboratory" (for my LLC) in my office. I purchased two 34" curved monitors and a refurbished Dell R610. I'm going to need some more hard drives and RAM for it, eventually. I went through quite a bit of troubleshooting to enable a setting in the BIOS that allowed me to boot from the DVD drive (it was not blatantly obvious, like most things in IT). I'm going to get Ubuntu running on it with DevStack to have my own personal cloud (I really just need a Lakitu sticker for it now). With that there will be some solid lab setups for sharpening my offensive security as well as dev skills. (My initial attempt to install it, I forgot to configure the RAID controller, first derp... and I also have an ugly, long Cat5e ran across the length of my house to the router)
I'll blog about these adventures, someone might find them helpful... don't worry (:
I've also spent some time tinkering in AWS, so good so far. I've gotten some Udemy training for AWS from "A Cloud Guru" and it's one of the best online trainings I've ran into by far.
I've been spending a lot of time at the Midwest Cyber Center (a really, really amazing non-profit), as a technical mentor, helping them prepare students for the Cyber Patriot program. As well as I went to the Microsoft "Digi-Girls" event, which encourages middle and high school girls to get involved with STEM fields. I told a girl she could get paid to find security flaws in websites and programs, and she was SO excited. Made my day. I also talked to some who were going to the event to get out of class, and had no real interest in STEM careers. They asked me how much I paid for my half sleeve tattoo, and I told them it was probably around $1200. They flipped out, and I told them if they had a STEM job, they too could spend lots of money on tattoos. I think I got their attention. Job well done, it seems.
I also started writing a presentation on buffer overflows (stack & heap) with an accompanying lab... When I have time, I'll touch it up and post it here for everyone.
I also read about the recent Blueborne attack vector & Corresponding exploits. Armis Labs has created one of the most well-written white papers I have ever seen. They color coded lines of code and wrote easy to understand explanation and details. The TLDR version is that there was a lack of input validation on the header files in the C programming language, affecting the implementation of bluetooth across all devices that shared the library. The scariest part, was that this vulnerability occurred during the handshake process (before you paired your device), and allowed for a buffer overflow which was leveraged for remote code execution. They took the moral high ground and disclosed it to vendors, allowing them time to patch before it was publicized.
Aside from IT things, I'll be attending Ford's Adrenaline Academy for their Ford Focus RS rally school soon.
Sorry, the last two posts have been rants of little to no real technical value. Just busy.
Subscribe to:
Comments (Atom)