
Cyber Security

Electrical A (Batch A)

PRACTICAL 9

Aim: Network vulnerability assessment using OpenVAS


The Open Vulnerability Assessment System (OpenVAS) is a framework of several services
and tools offering a comprehensive and powerful vulnerability scanning and vulnerability
management solution.
The actual security scanner is accompanied by a daily updated feed of Network
Vulnerability Tests (NVTs), over 35,000 in total (as of April 2014).
All OpenVAS products are Free Software. Most components are licensed under the GNU
General Public License (GNU GPL).

Architecture Overview
The Open Vulnerability Assessment System (OpenVAS) is a framework of several services
and tools. The core of this SSL-secured service-oriented architecture is the OpenVAS
Scanner. The scanner very efficiently executes the actual Network Vulnerability Tests
(NVTs) which are served with daily updates via the OpenVAS NVT Feed or via a commercial
feed service.

130950109008

75


The OpenVAS Manager is the central service that consolidates plain vulnerability scanning
into a full vulnerability management solution. The Manager controls the Scanner via OTP
(OpenVAS Transfer Protocol) and itself offers the XML-based, stateless OpenVAS
Management Protocol (OMP). All intelligence is implemented in the Manager so that it is
possible to implement various lean clients that will behave consistently e.g. with regard to
filtering or sorting scan results. The Manager also controls a SQL database (sqlite-based)
where all configuration and scan result data is centrally stored. Finally, the Manager also
handles user management including access control with groups and roles.

Different OMP clients are available: The Greenbone Security Assistant (GSA) is a lean web
service offering a user interface for web browsers. GSA uses an XSL transformation stylesheet
that converts OMP responses into HTML.
OpenVAS CLI contains the command line tool "omp", which allows batch processes to be
created to drive the OpenVAS Manager. Another tool of this package is a Nagios plugin.

Most of the tools listed above share functionality that is aggregated in the OpenVAS
Libraries.
The OpenVAS Scanner offers the communication protocol OTP (OpenVAS Transfer
Protocol), which allows the scan execution to be controlled. This protocol is expected to be
replaced eventually, so developing OTP clients is not recommended.

Feature overview

OpenVAS Scanner
o Many target hosts are scanned concurrently
o OpenVAS Transfer Protocol (OTP)
o SSL support for OTP (always)
o WMI support (optional)

OpenVAS Manager

o OpenVAS Management Protocol (OMP)


o SQL Database (sqlite) for configurations and scan results
o SSL support for OMP (always)
o Many concurrent scan tasks (many OpenVAS Scanners)
o Notes management for scan results
o False Positive management for scan results
o Scheduled scans
o Flexible escalators upon status of a scan task
o Stop, Pause and Resume of scan tasks
o Master-Slave Mode to control many instances from a central one
o Report Format Plugin Framework with various plugins for: XML, HTML,
LaTeX, etc.
o User Management
o Feed status view
o Feed synchronisation

Greenbone Security Assistant (GSA)


o Client for OMP and OAP
o HTTP and HTTPS
o Web server on its own (microhttpd), thus no extra web server required
o Integrated online-help system
o Multi-language support

OpenVAS CLI
o Client for OMP
o Runs on Windows, Linux, etc.
o Plugin for Nagios

About OpenVAS NVT Feed


The OpenVAS project maintains a public feed of Network Vulnerability Tests (NVTs). It
contains more than 35,000 NVTs (as of April 2014), growing on a daily basis. This feed is
configured as the default for OpenVAS.
For online synchronisation use the command openvas-nvt-sync to update your local NVTs
with the newest ones from the feed service. The command supports rsync, wget or curl as
the transfer method.
For offline-updates it is also possible to download the whole Feed content as a single archive
file (around 14 MByte). However, it is recommended to use the rsync-synchronisation routine
because it downloads only changes and therefore is tremendously faster after the very first
full download.

The feed is usually updated weekly. The files of the OpenVAS NVT Feed are signed by the
"OpenVAS: Transfer Integrity" certificate. The presence of this signature does not indicate
any judgement or quality control of the script itself. It is only intended to assist you in
verifying the integrity of the NVT files after transfer. Thus, a valid signature only means that
the script has not been modified on the way between the OpenVAS distribution point and
your OpenVAS installation. See the notes at the bottom of the overview on Trusted NVTs for
more information on this certificate.

INSTALLATION
Step 1 Download the Plugins for OpenVAS
Applications > Kali > Vulnerability Analysis
OpenVAS > OpenVAS Setup
OpenVAS will now download all the plugins required (a few minutes)

Step 2 Iceweasel Local Host Port 9392


Iceweasel
https://127.0.0.1:9392
or
https://localhost:9392

Confirm Security Exception

If you cannot connect to localhost, then go to

Edit > Preferences


Advanced Tab
View Certificates

Look for the OpenVAS self-signed certificate and delete it. Then go through adding the
exception for OpenVAS on port 9392.

Step 3 OpenVAS Login Box

Default username = admin


Password (whatever you entered during setup)
******
OpenVAS Security Assistant screen (Hermione Granger wizard appears)

Step 4 Update your Vulnerability Database Feeds


Administration > NVT Feed > Synchronise with Feed Now

This step is critical. If you do not update the vulnerability database feeds, it will
generate errors later on.
Administration > NVT Feed
Administration > SCAP Database Feed (these are xml files for the reports)

Administration > Cert Feed


Add Users
Administration > Users
Add Users

Step 5 Set Targets to Scan


Configuration > Targets
Localhost will be there by default.
Add your router as a target eg 192.168.1.1 or 192.168.1.254

Look for the blue box with a white star and click the star.
White star = New Target

Enter the IP of the router, and the port options (eg all TCP)


Create Target Button

Step 6 Create a Task


Scan Management > New Task

Home Router scan


Create Task Button
Scan Config = Full and Fast

NEW STATUS (Green)

Green Arrow to Run this new task

Step 7 To watch LIVE


Set No Refresh dropdown box to 30 seconds

Other Activities

Port List

Conclusion: After performing this experiment we learn about Network vulnerability
using OpenVAS.

PRACTICAL 10

Aim: Application Inspection Tool WebGoat
The WebGoat v5 application is designed to illustrate typical security flaws within web
applications. It is intended to teach a structured approach to testing for, and exploiting, such
vulnerabilities within the context of an Application Security Assessment.
A full Application Security Assessment testing methodology is being documented at
http://www.owasp.org/testing/ and this will provide a superset of the issues demonstrated
within WebGoat. It may include a formal design and code review, for example. The
WebGoat lessons aim to give practical training and examples relating to the Implementation
Review phase of the OWASP Web Application Security Testing Methodology.
The WebGoatv5 Application provides a testing platform for a typical application security
assessment. The assessor is given the same information and rights as a typical customer or
client of an on-line application.

o The application is web based
o The attack simulations are remote
  All of the described techniques may be performed from any connected location.
o The testing is black-box
  Source code is not supplied, but it can be viewed and downloaded.
o Credentials and operational information is provided

Of course, the teaching aspect of WebGoat means that certain information will be revealed
that would not typically be available. This makes it possible to guide the tester through an
assessment process.
Objectives
Having followed the testing techniques within WebGoat, a tester should be able to:

o Understand the high-level interaction processes within a web application
o Determine information within client-visible data which could be useful in an attack
o Identify and understand data and user interactions which may expose the application
to attack
o Perform tests against those interactions to expose flaws in their operation
o Execute attacks against the application to demonstrate and exploit vulnerabilities

HTTP Request/Response

o While browsing, every time an action is taken, an HTTP Request is created
o The HTTP Request goes from the browser to the web server
o The web server does some processing (e.g. verifies whether you are a registered user)
and sends back an HTTP Response

Installation
WebGoat is a platform-independent environment. It utilizes Apache Tomcat and the Java
development environment. Installers are provided for Microsoft Windows and UNIX
environments, together with notes for installation on other platforms.

Installing to Windows
Installing Java
o Install and deploy the appropriate version from http://java.sun.com/downloads/ (1.4.1
or later)
Installing Tomcat
o Install and deploy core Tomcat from http://tomcat.apache.org/download55.cgi
o Unzip the Windows_WebGoat-x.x.zip to your working environment
o To start Tomcat, browse to the WebGoat directory unzipped above and double click
"webgoat.bat"
o Start your browser and browse to: http://localhost/WebGoat/attack
  This link is case-sensitive. Make sure to use a capital W and G.
o Username: guest and Password: guest

Fig: Initial Login Screen

Tamper Data
Tamper Data is a tool allowing you to intercept and modify Requests/Responses from
your Mozilla Firefox browser.
If not yet installed, you can download it here:
https://addons.mozilla.org/enus/firefox/addon/tamper-data/
You have to click on Start Tamper to start intercepting Requests/Responses.
Note that this will intercept all your internet traffic and let you see every HTTP
request/response.

Fig: Tamper Data

HTTP Basics - Exercise

Goal: meet WebGoat and TamperData.


Exercise:
Go to the exercise General > HTTP Basics
Insert your name in the input field and start the tampering
Modify the parameter person in the HTTP request in such a way
as to get back the string webgoat as the response from the server

Change the value of person to taogbew


The server will reverse it and you will get webgoat as final response

When parameters are sent in the clear (i.e. not encrypted) they can easily be changed by
whoever is listening to your internet traffic. In this case it was only your name. But assume
you want to make a payment of 800 Euro to the account of your landlord and enter 12345 as
the account number. The attacker can change that number to 34566 (his own account
number). In this way he has managed to steal 800 Euro from you.

Sniffing
Goal: Steal the password of the user Jack
Go to Insecure Communication > Insecure Login
Press the button Submit and use Tamper Data to steal the password

Start tampering then press the Submit button


Get the value of the field clear_pass
The solution is sniffy

You performed your first sniffing attack. You intercepted the traffic of your victim and
stole his password. If this is the same password he uses for his internet banking (or
email account) you can now easily access it.
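
The lesson shows a password travelling in the clear. As an added example (not part of the WebGoat lesson or of Tamper Data), the following Python check parses a captured request the way a reviewer would and flags password-like form fields that did not travel over TLS; the request text, the field names clear_user/clear_pass and the hint list are constructed assumptions modelled on the Insecure Login form.

```python
"""Flag credentials posted in the clear, as a reviewer or defender would.
Added example (not WebGoat's or Tamper Data's code); the request below is
constructed to resemble the Insecure Login form, so its field names and
host are assumptions."""
from urllib.parse import parse_qs

# Substrings that usually mark a password field; extend for your own forms.
PASSWORD_FIELD_HINTS = ("pass", "pwd", "secret")

# Constructed sample: what Tamper Data would show for the lesson's login.
SAMPLE_REQUEST = (
    "POST /WebGoat/attack HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 47\r\n"
    "\r\n"
    "clear_user=jack&clear_pass=sniffy&SUBMIT=Submit"
)


def parse_http_request(raw):
    """Split a raw request into (method, path, headers, form fields)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        # keep_blank_values so an empty password field is still reported
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, headers, form


def cleartext_credential_fields(raw, over_tls):
    """Password-like form fields of a request that did not travel over TLS.
    over_tls must come from the capture (scheme/port): the request bytes
    alone cannot tell you whether the connection was encrypted."""
    if over_tls:
        return []
    _method, _path, _headers, form = parse_http_request(raw)
    return sorted(name for name in form
                  if any(hint in name.lower() for hint in PASSWORD_FIELD_HINTS))
```

For the lesson's login page (plain http://localhost) the check reports clear_pass; the same request over https would report nothing, which is the fix the lesson is pointing at.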

Parameter Tampering

Start Tampering Data then press the button Purchase


Change the parameter Price to the value 1.00$
If successful you will get a Congratulations message

You used your recently learned hacking skills to gain personal advantage.
You paid 1$ for a product worth 3000$.
Why is that possible?
The web server is not checking that you're paying the right amount of money.
A hacker who knows this vulnerability is able to exploit it.
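
The account-number example earlier and the price change to 1.00 fail for the same reason: the server trusts a value the client is free to edit. The following Python is an added example, not WebGoat's own code, showing the flawed checkout beside one that takes the price from a server-side catalogue and reports a mismatch instead of accepting it; the catalogue, the item name and the field names item/Price/QTY are assumptions chosen to mirror the lesson's purchase form.

```python
"""Why the price-tampering lesson works, and the server-side fix.
Added example, not WebGoat's own code: the catalogue, the item name and
the form field names (item, Price, QTY) are assumptions chosen to mirror
the lesson's purchase form."""
from decimal import Decimal, InvalidOperation

# The server's own price list: the only price a checkout should ever trust.
CATALOGUE = {"TV": Decimal("3000.00")}


def vulnerable_total(form):
    """The lesson's flaw: the total is whatever Price the client sent."""
    return Decimal(form["Price"]) * int(form["QTY"])


def hardened_total(form):
    """Compute the total from the server-side catalogue.

    Returns (total, warning). A client-supplied Price is never used; if it
    disagrees with the catalogue, a warning is returned so the request can
    be logged as a tampering attempt instead of failing silently.
    """
    item = form.get("item")
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    try:
        qty = int(form.get("QTY", ""))
    except ValueError:
        raise ValueError("quantity is not an integer")
    if not 1 <= qty <= 10:
        raise ValueError("quantity out of range")
    price = CATALOGUE[item]
    warning = None
    sent = form.get("Price")
    if sent is not None:
        try:
            matches = Decimal(sent) == price
        except InvalidOperation:
            matches = False
        if not matches:
            warning = f"price tamper attempt: item={item} sent={sent!r} expected={price}"
    return price * qty, warning
```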
Conclusion: After performing this practical we learn about Application Inspection Tool
Webgoat.
