Electrical A (Batch A)
PRACTICAL 9
Architecture Overview
The Open Vulnerability Assessment System (OpenVAS) is a framework of several services
and tools. The core of this SSL-secured service-oriented architecture is the OpenVAS
Scanner. The scanner very efficiently executes the actual Network Vulnerability Tests
(NVTs) which are served with daily updates via the OpenVAS NVT Feed or via a commercial
feed service.
130950109008
75
Cyber Security
The OpenVAS Manager is the central service that consolidates plain vulnerability scanning
into a full vulnerability management solution. The Manager controls the Scanner via OTP
(OpenVAS Transfer Protocol) and itself offers the XML-based, stateless OpenVAS
Management Protocol (OMP). All intelligence is implemented in the Manager, so that it is
possible to implement various lean clients that behave consistently, e.g. with regard to
filtering or sorting scan results. The Manager also controls an SQL database (sqlite-based)
where all configuration and scan result data is centrally stored. Finally, the Manager also handles
user management, including access control with groups and roles.
Different OMP clients are available: the Greenbone Security Assistant (GSA) is a lean web
service offering a user interface for web browsers. GSA uses an XSL transformation stylesheet
that converts OMP responses into HTML.
OpenVAS CLI contains the command line tool "omp", which allows batch processes to be created
to drive the OpenVAS Manager. Another tool of this package is a Nagios plugin.
Most of the tools listed above share functionality that is aggregated in the OpenVAS
Libraries.
The OpenVAS Scanner offers the communication protocol OTP (OpenVAS Transfer
Protocol), which allows the scan execution to be controlled. This protocol is expected to be
replaced eventually, and thus it is not recommended to develop OTP clients.
Feature overview
OpenVAS Scanner
o Many target hosts are scanned concurrently
o OpenVAS Transfer Protocol (OTP)
o SSL support for OTP (always)
o WMI support (optional)
OpenVAS Manager
OpenVAS CLI
o Client for OMP
o Runs on Windows, Linux, etc.
o Plugin for Nagios
The feed is usually updated weekly. The files of the OpenVAS NVT Feed are signed by the
"OpenVAS: Transfer Integrity" certificate. The presence of this signature does not indicate
any judgement or quality control of the script itself. It is only intended to assist you in
verifying the integrity of the NVT files after transfer. Thus, a valid signature only means that
the script has not been modified on the way between the OpenVAS distribution point and
your OpenVAS installation. See the notes at the bottom of the overview on Trusted NVTs for
more information on this certificate.
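As an added illustration (not OpenVAS code and not part of this practical) of what a transfer-integrity signature does and does not tell you: the check below verifies a signed manifest of NVT files and reports any file altered in transit. The real feed uses detached GnuPG signatures, which cannot be produced offline here, so a keyed HMAC over a SHA-256 manifest is assumed as a stand-in for the publisher's signature; the file names, contents and key are constructed for the example.

```python
"""Feed integrity check in the spirit of the signed OpenVAS NVT feed.

Added example, not OpenVAS code. The real feed carries detached GnuPG
signatures made with the "OpenVAS: Transfer Integrity" certificate; because
this example must run offline without gpg, a keyed HMAC over a SHA-256
manifest stands in for that signature. File names, contents and the key
are constructed for the demonstration.
"""
import hashlib
import hmac


def build_manifest(files):
    """Map each NVT file name to the SHA-256 of its bytes, one line per file, sorted by name."""
    return "\n".join(f"{hashlib.sha256(files[name]).hexdigest()}  {name}"
                     for name in sorted(files))


def sign_manifest(manifest, key):
    """Stand-in for the publisher's signature: HMAC-SHA256 over the manifest text."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_feed(files, manifest, signature, key):
    """Return (ok, problems).

    ok is True only when the signature matches and every file listed in the
    manifest hashes to the recorded value. A True result says the bytes
    arrived unmodified; it says nothing about whether the scripts themselves
    are correct or safe.
    """
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, ["manifest signature does not verify"]
    listed = {}
    for line in manifest.splitlines():
        digest, name = line.split("  ", 1)
        listed[name] = digest
    problems = []
    for name, digest in listed.items():
        if name not in files:
            problems.append(f"{name}: missing after transfer")
        elif hashlib.sha256(files[name]).hexdigest() != digest:
            problems.append(f"{name}: modified after transfer")
    for name in files:
        if name not in listed:
            problems.append(f"{name}: not covered by the manifest")
    return not problems, problems


# Constructed feed: two toy NVT files and a made-up publisher key.
PUBLISHER_KEY = b"constructed-demo-key"
ORIGINAL_FEED = {
    "example_check.nasl": b"# constructed NVT\nscript_name('example');\n",
    "other_check.nasl": b"# constructed NVT\nscript_name('other');\n",
}
MANIFEST = build_manifest(ORIGINAL_FEED)
SIGNATURE = sign_manifest(MANIFEST, PUBLISHER_KEY)


def demo():
    """Verify the intact feed, then a copy with one file changed in transit."""
    intact = verify_feed(ORIGINAL_FEED, MANIFEST, SIGNATURE, PUBLISHER_KEY)
    tampered = dict(ORIGINAL_FEED)
    tampered["example_check.nasl"] += b"exit(0); # changed in transit\n"
    altered = verify_feed(tampered, MANIFEST, SIGNATURE, PUBLISHER_KEY)
    return intact, altered


if __name__ == "__main__":
    print(demo())
```

A feed that verifies has merely arrived unmodified; a script that is signed but wrong verifies just as cleanly, which is exactly the limit the paragraph above describes.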
INSTALLATION
Step 1 Download the Plugins for OpenVAS
Applications > Kali > Vulnerability Analysis
OpenVAS > OpenVAS Setup
OpenVAS will now download all the plugins required (a few minutes)
Look for the OpenVAS self-signed certificate and delete it. Then go through adding the
browser exception for OpenVAS on port 9392.
This step is critical: if you do not update the vulnerability database feeds, it will
generate errors later on.
Administration > NVT Feed
Administration > SCAP Database Feed (these are xml files for the reports)
Look for the blue box with a white star and click the star (white star = New Target).
Other Activities
Port List
Of course, the teaching aspect of WebGoat means that certain information will be revealed
that would not typically be available. This makes it possible to guide the tester through an
assessment process.
Objectives
Having followed the testing techniques within WebGoat, a tester should be able to:
HTTP Request/Response
Installation
WebGoat is a platform independent environment. It utilizes Apache Tomcat and the Java
development environment. Installers are provided for Microsoft Windows and UNIX
environments, together with notes for installation on other platforms.
Installing to Windows
Installing Java
Install and deploy the appropriate version from http://java.sun.com/downloads/ (1.4.1
or later)
Installing Tomcat
Install and deploy core Tomcat from http://tomcat.apache.org/download55.cgi
Unzip the Windows_WebGoat-x.x.zip to your working environment
To start Tomcat, browse to the WebGoat directory unzipped above and double click
"webgoat.bat"
Start your browser and browse to: http://localhost/WebGoat/attack
Tamper Data
Tamper Data is a tool allowing you to intercept and modify Requests/Responses from
your Mozilla Firefox browser.
If not yet installed, you can download it here:
https://addons.mozilla.org/enus/firefox/addon/tamper-data/
You have to click on Start Tamper to start intercepting Requests/Responses.
Note that this will intercept all your internet traffic and let you see every HTTP
request/response.
Fig: Tamper Data
Exercise:
Go to the exercise General HTTP Basics.
Insert your name in the input field and start the tampering.
Modify the parameter person in the HTTP request in such a way
as to get back the string webgoat as the response from the server.
When parameters are sent in the clear (i.e. not encrypted) they can easily be changed by whoever is
listening to your internet traffic. In this case it was only your name, but assume you want to
make a payment of 800 Euro to the account of your landlord and insert 12345 as the account
number. The attacker can change that number to 34566 (his account number). In this way he
has managed to steal 800 Euro from you.
Sniffing
Goal: Steal the password of the user Jack
Go to Insecure Communication > Insecure Login
Press the button Submit and use Tamper Data to steal the password
You performed your first sniffing attack. You intercepted the traffic of your victim and
stole his password. If this is the same password he uses for his internet banking (or
email account) you can now easily access it.
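The defensive counterpart to the exercise above, as an added example that is neither WebGoat code nor part of the original practical: a small detector that parses raw HTTP requests the way an intercepting proxy sees them and reports when a password-like form field is submitted without TLS. It reports field names only, never values. The list of credential field names, the sample requests and the host are assumptions constructed for this example.

```python
"""Detect credentials submitted over cleartext HTTP.

Added example, not part of the original practical or of WebGoat. It parses
raw HTTP/1.x requests (as a proxy such as Tamper Data shows them) and
reports the names of password-like form fields, never their values. The
field-name list, the sample requests and the host are constructed.
"""
from urllib.parse import parse_qs

# Assumption: form field names that usually carry a secret.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "passphrase"}


def parse_http_request(raw):
    """Split a raw request into (method, path, headers, body); header names are lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def credential_fields(raw):
    """Names of credential-like fields in a form POST (empty list otherwise)."""
    method, _path, headers, body = parse_http_request(raw)
    if method.upper() != "POST":
        return []
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return []
    form = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in form if name.lower() in CREDENTIAL_FIELDS)


def finding(raw, over_tls):
    """Return a finding dict when a secret travelled in the clear, else None.

    over_tls is what the capturing proxy knows about the connection; a
    request that was readable on the wire without TLS is the risky case.
    """
    fields = credential_fields(raw)
    if over_tls or not fields:
        return None
    _method, path, headers, _body = parse_http_request(raw)
    return {
        "host": headers.get("host", "?"),
        "path": path,
        "fields": fields,
        "advice": "serve the login form and its POST target over HTTPS only",
    }


# Constructed capture modelled on the "Insecure Login" lesson (user Jack);
# the password value is a placeholder, not a real credential.
INSECURE_LOGIN = (
    "POST /WebGoat/attack HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "username=Jack&password=constructed-sample&SUBMIT=Submit"
)
# Constructed GET that carries no secret and must not be flagged.
PLAIN_GET = "GET /WebGoat/attack HTTP/1.1\r\nHost: localhost\r\n\r\n"

if __name__ == "__main__":
    print(finding(INSECURE_LOGIN, over_tls=False))
    print(finding(PLAIN_GET, over_tls=False))
```

The same logic applies to a web-server or proxy log review: the fix is on the server side (login form and its POST target served over HTTPS only), and the detector only tells you where that is currently not the case.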
Parameter Tampering
You used your recently learned hacking skills to gain personal advantages:
you paid 1$ for a product worth 3000$.
Why is that possible?
The web server is not checking that you're paying the right amount of money.
A hacker who knows this vulnerability is able to exploit it.
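To show why the server-side check matters, here is an added example (not WebGoat code and not part of the original practical) that places the trusting checkout handler beside a hardened one: the vulnerable version computes the total from the price the browser sent, the hardened version takes the price from its own catalogue, validates the quantity, and treats a disagreeing client price as a tampering indicator. Product ids, prices and form contents are constructed.

```python
"""Price tampering: the trusting handler beside its hardened form.

Added example, not code from WebGoat or the original practical. It models
the lesson's flaw (the server trusts the price the browser sends) and the
fix (the server derives the price from its own catalogue and validates the
quantity). Product ids, prices and form contents are constructed.
"""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue; "sku-3000" stands for the 3000$ product in the lesson.
CATALOG = {"sku-3000": Decimal("3000.00"), "sku-25": Decimal("25.00")}


class TamperingRejected(ValueError):
    """Raised when the submitted order cannot be trusted."""


def checkout_vulnerable(form):
    """The lesson's flaw: the total is computed from client-controlled fields only."""
    return Decimal(form["price"]) * int(form["quantity"])


def checkout_hardened(form, catalog=CATALOG, max_qty=100):
    """Return (total, tampered).

    The unit price comes only from the catalogue. A client-supplied 'price'
    that disagrees with it is never used; it is reported so the request can
    be logged as a tampering indicator.
    """
    sku = form.get("sku")
    if sku not in catalog:
        raise TamperingRejected("unknown product")
    try:
        qty = int(form.get("quantity", "1"))
    except ValueError:
        raise TamperingRejected("quantity is not an integer") from None
    if not 1 <= qty <= max_qty:
        raise TamperingRejected("quantity out of range")
    unit = catalog[sku]
    tampered = False
    if "price" in form:
        try:
            tampered = Decimal(form["price"]) != unit
        except InvalidOperation:
            tampered = True  # non-numeric price: certainly not what our form sent
    return unit * qty, tampered


# Constructed submissions: the honest order and the 1$ version from the lesson.
HONEST_ORDER = {"sku": "sku-3000", "quantity": "1", "price": "3000.00"}
TAMPERED_ORDER = {"sku": "sku-3000", "quantity": "1", "price": "1"}

if __name__ == "__main__":
    print("vulnerable charges:", checkout_vulnerable(TAMPERED_ORDER))
    print("hardened charges, tampered flag:", checkout_hardened(TAMPERED_ORDER))
```

The hardened handler rejects a negative or non-numeric quantity for the same reason it ignores the client price: every field in the request is attacker-controlled, so the server must recompute anything that affects money from data it owns.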
Conclusion: After performing this practical we learned about the application inspection tool
WebGoat.