Re: [Openvas-discuss] OpenVAS credentials download empty package empty (0 bytes)

[Christian Fischer]

Hi,

On 12.10.2018 21:13, MontrealPaul_Openvas-discuss wrote:
> I have no idea what to do with this information... Is there a
> program/add-in/module named "alien" required for this functionality?
> (and, in passing, if this is the case, why is it not specified in the
> requirements/documentation? (rhetorical question, probably beyond the
> scope of this mailing list...) )

there is indeed a package called "alien" required (besides a few more)
which needs to be installed via your package manager.

Each source repository is shipping an INSTALL file, the one of the
manager responsible for this credentials task has included this
documentation [1] since ages.

Furthermore the "openvas-check-setup" script [1] is also checking and
reporting such missing dependencies / recommendations. While this script
is now deprecated it still works for OpenVAS/GMV 9 and is AFAIK shipped
with the Kali packages.

Regards,

[1] https://github.com/greenbone/gvm/blob/v7.0.3/INSTALL#L481-L484
[2]
http://svn.wald.intevation.org/svn/openvas/branches/tools-attic/openvas-check-setup

On 12.10.2018 21:13, MontrealPaul_Openvas-discuss wrote:
> Two follow-ups:
> 
> First of all, I should have specified (though it should be obvious) that
> the issue I am having is in the "Credentials" section, under the
> "Configuration" menu.
> 
> Secondly, I find in openvasmd.log many lines (probably one per attempt)
> which say:
> 
> lsc_user_exe_recreate: Need "alien" to make EXEs
> 
> I have no idea what to do with this information... Is there a
> program/add-in/module named "alien" required for this functionality?
> (and, in passing, if this is the case, why is it not specified in the
> requirements/documentation? (rhetorical question, probably beyond the
> scope of this mailing list...) )
> 
> Bonus question: I see here and there in the documentation that a similar
> function is available for Debian, but I don't see this icon in my GUI;
> perhaps because I'm running under Kali Linux. Is there some way to
> generate a similar "credentials self-installer" for other Linux boxes
> (I'm especially interested in deploying to Ubuntu hosts.
> 
> Thanks in advance for any and all help or feedback!
> 
> Salutations,
>   -Paul
> 
> P.S.: My apologies to the administrator(s) for sending the previous copy
> of this message from the wrong (unregistered) address.
> 
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] openvas install installation not complete

[Christian Fischer]

Hi,

On 04.10.2018 03:03, Joe Cummings wrote:
> I'm new to openvas and just performed an install.  My redis-openvas
> directory appears to be missing, along with my redis-server.sock file.  So,
> I can not start my redis-server.

as this is an issue / setup problem with redis-server which is mostly
unrelated on OpenVAS/GVM and highly depends on your used Linux
distribution i would suggest to either get in touch with the redis
support community [1] or with a support forums related to your Linux
distribution on how to follow / configure the suggestions provided by
the openvas-check-setup script:


> ERROR: redis-server is not running or not listening on socket:
/var/run/redis-openvas/redis-server.sock
> FIX: You should start the redis-server or configure it to listen on
socket: /var/run/redis-openvas/redis-server.

[1] https://redis.io/community

> Thanks for any assistance.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS discuss

[Christian Fischer]

On 05.10.2018 16:45, Vanina Yordanova wrote:
> Hello,
> 
> I would like to get access to OpenVAS mailing list. I have a question and I
> am running out of options how to solve it.
> Bellow you can see it.
> Thank you in advance!

just as a reference / follow-up. This was discussed / answered in:

https://community.greenbone.net/t/openvas-returns-0-results-and-n-a-severity/442

> --
> 
> Dear All,
> 
> I am making my first steps in vulnerability testing. I installed OpenVAS9
> inside a docker container using maiksplain/openvas image. It is running on
> Ubuntu 18.04.
> 
> When I applied the setup check almost everything gives OK except the
> following warnings:
> tep 1: Checking OpenVAS Scanner …
> ERROR: OpenVAS Scanner too old or too new: 5.1.2
> FIX: Please install OpenVAS Scanner 5.0.
> HINT: Please see the --v6/7/8/9 command line options to check other major
> versions.
> 
> ERROR: Your OpenVAS-8 installation is not yet complete!
> 
> Please follow the instructions marked with FIX above and run this
> script again.
> 
> If you think this result is wrong, please report your observation
> and help us to improve this check routine:
> http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
> Please attach the log-file (/tmp/openvas-check-setup.log) to help us
> analyze the problem.
> 
> root@7bdea11a30cb:/# ./openvas-check-setup --v9
> openvas-check-setup 2.3.7
> Test completeness and readiness of OpenVAS-9
> 
> Please report us any non-detected problems and
> help us to improve this check routine:
> http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
> 
> Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the
> problem.
> 
> Use the parameter --server to skip checks for client tools
> like GSD and OpenVAS-CLI.
> 
> Step 1: Checking OpenVAS Scanner …
> OK: OpenVAS Scanner is present in version 5.1.2.
> OK: redis-server is present in version v=3.0.6.
> OK: scanner (kb_location setting) is configured properly using the
> redis-server socket: /var/run/redis/redis.sock
> OK: redis-server is running and listening on socket:
> /var/run/redis/redis.sock.
> OK: redis-server configuration is OK and redis-server is running.
> OK: NVT collection in /var/lib/openvas/plugins contains 46995 NVTs.
> WARNING: Signature checking of NVTs is not enabled in OpenVAS Scanner.
> SUGGEST: Enable signature checking (see
> http://www.openvas.org/trusted-nvts.html).
> WARNING: The initial NVT cache has not yet been generated.
> SUGGEST: Start OpenVAS Scanner for the first time to generate the cache.
> Step 2: Checking OpenVAS Manager …
> OK: OpenVAS Manager is present in version 7.0.3.
> OK: OpenVAS Manager database found in /var/lib/openvas/mgr/tasks.db.
> OK: Access rights for the OpenVAS Manager database are correct.
> OK: sqlite3 found, extended checks of the OpenVAS Manager installation
> enabled.
> OK: OpenVAS Manager database is at revision 184.
> OK: OpenVAS Manager expects database at revision 184.
> OK: Database schema is up to date.
> OK: OpenVAS Manager database contains information about 46995 NVTs.
> OK: At least one user exists.
> OK: OpenVAS SCAP database found in /var/lib/openvas/scap-data/scap.db.
> OK: OpenVAS CERT database found in /var/lib/openvas/cert-data/cert.db.
> OK: xsltproc found.
> Step 3: Checking user configuration …
> WARNING: Your password policy is empty.
> SUGGEST: Edit the /etc/openvas/pwpolicy.conf file to set a password policy.
> Step 4: Checking Greenbone Security Assistant (GSA) …
> OK: Greenbone Security Assistant is present in version 7.0.3.
> OK: Your OpenVAS certificate infrastructure passed validation.
> Step 5: Checking OpenVAS CLI …
> OK: OpenVAS CLI version 1.4.5.
> Step 6: Checking Greenbone Security Desktop (GSD) …
> SKIP: Skipping check for Greenbone Security Desktop.
> Step 7: Checking if OpenVAS services are up and running …
> OK: netstat found, extended checks of the OpenVAS services enabled.
> OK: OpenVAS Scanner is running and listening on a Unix domain socket.
> OK: OpenVAS Manager is running and listening on all interfaces.
> OK: Greenbone Security Assistant is running and listening on all interfaces.
> OK: Greenbone Security Assistant is listening on port 443, which is the
> default port.
> Step 8: Checking nmap installation …
> WARNING: Your version of nmap is not fully supported: 7.01
> SUGGEST: You should install nmap 5.51 if you plan to use the nmap NSE NVTs.
> Step 10: Checking presence of optional tools …
> OK: pdflatex found.
> OK: PDF generation successful. The PDF report format is likely to work.
> OK: ssh-keygen found, LSC credential generation for GNU/Linux targets is
> likely to work.
> OK: rpm found, LSC credential package generation for RPM based targets is
> likely to work.
> OK: alien found, LSC credential package generation for DEB based targets is
> likely to work.
> OK: nsis found, LSC credential package generation 

Re: [Openvas-discuss] SCAP and/or CERT database missing on OMP server

[Christian Fischer]

Hi,

On 21.09.2018 12:54, Luca Racca wrote:
> Hi everyone,
> I received this error on a fresh new install of gsm version 4.2.20.
> All secinfo database are missing. I've tried to sync cert end scap
> database from command line but openvas-certdata-sync and
> openvas-scapdata-sync commands are not found.

have you followed all steps outlined at [1], especially the following ones:

> Download Feed: Without a feed you can not do any scans and the SecInfo
> section remains empty. So the download is highly recommended, but
> requires internet access.

and

> The feed update now runs in the background and you are on the main
> menu of the administration. Via "About" you can have a look at the key
> properties of your setup, especially the address of the web interface
> and whether there still runs the Feed update as a system operation.

and

> Only after the feed update completed there will be all information in
> the SecInfo area and first scans possible. This could take half an
> hour or even longer.

As long as the feed updates are not finished / successful (please use
only the menu available via SSH and not the command line for this!) you
will get no SecInfo database like explained in the first quote.

[1] https://www.greenbone.net/en/install_use_gce/

> Thanks for the help.
> Luca
Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] task stop with SIGSEGV error

[Christian Fischer]

Hi,

On 17.09.2018 23:12, Alessandro Fiorenzi wrote:
> ==> openvassd.messages <==
> SIGSEGV occured !
> openvassd: Serving
/var/run/openvassd.sock(sighand_segv+0x81)[0x5561aa773e11]
> /lib/x86_64-linux-gnu/libc.so.6(+0x35fc0)[0x7f4940ef2fc0]
> /lib/x86_64-linux-gnu/libc.so.6(+0x3a850)[0x7f4940ef7850]
>
/usr/lib/x86_64-linux-gnu/libopenvas_base.so.9(nvticache_get_category+0x30)[0x7f494174f050]

this has been reported as a bug / issue at:

https://github.com/greenbone/openvas-scanner/issues/166

Regards,

On 17.09.2018 23:12, Alessandro Fiorenzi wrote:
> Hi,
> 
> after I update my kali to last distroupdate I Openvas Stop Work.
> 
> All daemons go up and seems ok but when I start a task of scanning... it 
> stops with a SIGSEGV  erro ras reported below:
> 
> ==> openvasmd.log <==
> event task:MESSAGE:2018-09-17 21h08.29 UTC:3556: Status of task Immediate 
> scan of IP 192.168.1.0/24 (fad05a3d-96cf-4f34-b7be-caa2fc8d39d4) has changed 
> to Requested
> event task:MESSAGE:2018-09-17 21h08.29 UTC:3556: Task Immediate scan of IP 
> 192.168.1.0/24 (fad05a3d-96cf-4f34-b7be-caa2fc8d39d4) has been requested to 
> start by admin
> event task:MESSAGE:2018-09-17 21h08.38 UTC:3559: Status of task Immediate 
> scan of IP 192.168.1.0/24 (fad05a3d-96cf-4f34-b7be-caa2fc8d39d4) has changed 
> to Running
> 
> ==> openvassd.messages <==
> SIGSEGV occured !
> openvassd: Serving /var/run/openvassd.sock(sighand_segv+0x81)[0x5561aa773e11]
> /lib/x86_64-linux-gnu/libc.so.6(+0x35fc0)[0x7f4940ef2fc0]
> /lib/x86_64-linux-gnu/libc.so.6(+0x3a850)[0x7f4940ef7850]
> /usr/lib/x86_64-linux-gnu/libopenvas_base.so.9(nvticache_get_category+0x30)[0x7f494174f050]
> openvassd: Serving 
> /var/run/openvassd.sock(plugins_scheduler_init+0x68)[0x5561aa772a28]
> openvassd: Serving 
> /var/run/openvassd.sock(attack_network+0x239)[0x5561aa76d499]
> openvassd: Serving /var/run/openvassd.sock(+0xb4cc)[0x5561aa7704cc]
> openvassd: Serving 
> /var/run/openvassd.sock(create_process+0xb7)[0x5561aa773be7]
> openvassd: Serving /var/run/openvassd.sock(+0xbf80)[0x5561aa770f80]
> openvassd: Serving /var/run/openvassd.sock(main+0x37f)[0x5561aa76c0cf]
> 
> ==> openvasmd.log <==
> md   main:WARNING:2018-09-17 21h08.42 UTC:3559: openvas_scanner_read: Failed 
> to read from scanner: Connection reset by peer
> event task:MESSAGE:2018-09-17 21h08.42 UTC:3559: Status of task Immediate 
> scan of IP 192.168.1.0/24 (fad05a3d-96cf-4f34-b7be-caa2fc8d39d4) has changed 
> to Stopped
> 
> I have try to uninstall and reinstall buti s the same
> 
> Anyone have had the same problem?
> 
> Thanks
> 
> Alessandro

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] use openvas to scan web applications that requires authentication

[Christian Fischer]

Hi,

On 14.09.2018 13:44, Dan Bar-Or wrote:
> but I could not find a way to define that these are for a web
> application. Is there a  way to scan a web application that requires
> basic authentication with OpenVas?

have a look at the following settings / script preferences:

HTTP account :
HTTP password (sent in clear) :

of the following NVT:

Name: Login configurations
OID: 1.3.6.1.4.1.25623.1.0.10870
Family: Settings

within your scan config where you can configure a basic authentication
which will be used by the scanner.

Note: You need to clone e.g. the "Full and Fast" scan config to be able
to change this setting.

Regards,

On 14.09.2018 13:44, Dan Bar-Or wrote:
> Hello,
> 
> I am new to OpenVas. I installed it in order to run penetration tests our
> web application. I created a task with a target web application. I created
> credentials but I could not find a way to define that these are for a web
> application. Is there a  way to scan a web application that requires basic
> authentication with OpenVas?
> 
> Thanks,
>   Dan

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Best os and method to install openvas?

[Christian Fischer]

Hi *

On 17.09.2018 21:10, Eero Volotinen wrote:
> centos 7 + atomic repo works for me.

keep in mind that the atomic repos currently might provide older
versions of the OpenVAS components like discussed here:

https://github.com/Atomicorp/openvas/issues/2

which are not matching whats available as a source release:

https://community.greenbone.net/t/gvm-9-stable-initial-release-2017-03-07/211

> ma 17. syysk. 2018 klo 22.07 Erdian Spaho 
> kirjoitti:
> 
>> Dear all,
>>
>> Can anyone who had experience wich is the best os and method of installing
>> openvas, as i have seen many methods and repos about this.
>>
>> Regards

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Unable to run (some) custom NVT's via GUI

[Christian Fischer]

Hi,

On 21.08.2018 17:21, Hodei Lopez Castrillejo wrote:
> Hi all,
> 
> I’ve been battling OpenVAS’ Greenbone Security Assistant (GSA) for about
> a week now. I’ve developed some NVT’s, and I’m perfectly able to run
> them using openvas-nasl. They show all of their output correctly, and I
> can monitor that the traffic OpenVAS is sending is what I’m looking for
> (using WireShark).
>
> Four of my NVT’s run without issues once ran through GSA. But the other
> three are having no effect. Meaning, they not only don’t show any log or
> security_message, they have no traffic at all on WireShark! Only traffic
> is a ping, and that’s it.
>
> I’m just going INSANE. Any ideas of what should I follow with? I’m stumped.

without seeing / showing the code it will be hard to tell why you're
stuck here. Some common pitfalls with own NVTs are:

1. One single OID (script_oid) assigned to multiple scripts (each NVT
needs to have its own unique OID).
2. No rebuild of scanner and manager databases done (SIGHUP to
openvasssd and a openvasmd --rebuild afterwards).
3. The script isn't included in your used scan config
4. Any of the script_required_keys, script_required_ports,
script_required_udp_ports, script_mandatory_keys or script_exclude_keys
isn't matching what was detected at the target.

Generally you can set the log_whole_attack scanner option to "yes" and
watch the openvassd.messages during the scan if your scripts where
started at all. This openvassd.messages is also including the info if
e.g. a target was marked "Dead" and not scanned at all.

> Regards,

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] All hosts are seens as dead while network is OK

[Christian Fischer]

Hi,

On 22.08.2018 16:33, Thomas Lionel SMETS - Prof wrote:
> I run an GSM installed from the iso image on VMWare.
> 
> When I run a scan of websites, the scan lasts for a few seconds and
> reports NOTHING.
> 
> Content of /val/log/openvas/openvasd.message indicates that all the
> hosts are DEAD.

Most likely the chosen "Alive Test" [1] of your target definition
doesn't match the requirements of your network / the scanned hosts to
detect them as "Alive".

[1]
https://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#creating-a-target

> Running a wget against one of the active hosts, retrieves the index.html
> page ... which tend to prove the network is not the culprit !
> 
> \T,

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS HTTP test OPTIONS requests

[Christian Fischer]

Hi,

On 22.08.2018 18:48, Xinhuan Zheng wrote:
> Hi Christian,
> 
> For some reason, our target host returns content as if they were getting
> GET requests, not returning Allow: header. I thought it may be redirect
> can cause that. I have to figure out how to change target host
> configuration to disabling OPTIONS requests.
> Thanks,
> 
> - xinhuan

OPTIONS requests are mainly used to catch/enumerate the supported HTTP
methods by the remote target like GET, POST, PUT and so on. If you see
additional requests i guess most of these might be related to the
following NVT:

Name: Apache HTTP Server OPTIONS Memory Leak Vulnerability (Optionsbleed)
OID: 1.3.6.1.4.1.25623.1.0.112048

but there is also an arbitrary amount of other NVTs which might send
OPTIONS requests as well.

Regards,

> On 8/22/18, 12:43 PM, "Christian Fischer"
>  wrote:
> 
>> Hi,
>>
>> On 17.08.2018 18:08, Xinhuan Zheng wrote:
>>> Hello,
>>>
>>> In our recent OpenVAS scan, our host has HTTP service running so the
>>> scanning software tests a lot of URLs. However, in the target host
>>> access
>>> log, we saw tons of OPTIONS requests being issued by scanning software.
>>> Per some research, OPTIONS is a type of HTTP request that is pre-flight
>>> in
>>> Cross-origin resource. The normal GET request would return a document
>>> with
>>> bunch of objects, like json, images, etc. Can I limit OpenVAS not
>>> issuing
>>> OPTIONS requests?
>>> Thank you,
>>
>> there is no such possibility included in OpenVAS besides excluding the
>> NVT(s) doing those OPTIONS requests from your scan configuration.
>>
>> Could you elaborate why you want to limit OpenVAS not issuing OPTIONS
>> requests?
>>
>> Regards,
>>
>> --
>>
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>> Greenbone Networks GmbH | https://www.greenbone.net
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS HTTP test OPTIONS requests

[Christian Fischer]

Hi,

On 17.08.2018 18:08, Xinhuan Zheng wrote:
> Hello,
> 
> In our recent OpenVAS scan, our host has HTTP service running so the
> scanning software tests a lot of URLs. However, in the target host access
> log, we saw tons of OPTIONS requests being issued by scanning software.
> Per some research, OPTIONS is a type of HTTP request that is pre-flight in
> Cross-origin resource. The normal GET request would return a document with
> bunch of objects, like json, images, etc. Can I limit OpenVAS not issuing
> OPTIONS requests?
> Thank you,

there is no such possibility included in OpenVAS besides excluding the
NVT(s) doing those OPTIONS requests from your scan configuration.

Could you elaborate why you want to limit OpenVAS not issuing OPTIONS
requests?

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

[Openvas-discuss] Call for info: Unknown OS and Service Banner Reporting

[Christian Fischer]

Hi *,

as you might know the feed (and its Detection and Vulnerability-NVTs) is
heavily relying on the banner of services running / exposed on a remote
host.

In the last month we did some improvements to our unknown banner
reporting to consolidate this info into a single NVT. If you're
stumbling over the output of the following NVT within a report:

> Name: Unknown OS and Service Banner Reporting
> OID: 1.3.6.1.4.1.25623.1.0.108441
> Family: Service detection

it would be great if you could either post the information as a reply to
this mail or (if it contains sensitive info) privately to me via a
direct message.

This helps us to improve the feed and to detect a wider range of
different Operating Systems and Services.

Thank you for your contribution.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Openvas SSH BruteForce Attempt

[Christian Fischer]

Hi,

On 16.07.2018 11:26, Berkcan GEYİKCİ wrote:
> Hello sir
> 
> I am using Openvas 9 in my Ubuntu virtual machine for educational purposes.
> 
> When i scan my other virtual machines with given(username+password)
> credentials of  my local machines and try to listen ssh logs,
> 
> i realize that Openvas is trying to connect from ssh with different
> credentials(not my credential) and in the terminal it looks like this;
> 
> 
> -Failed password for invalid user netscreen from 192.168.45.1
> 
> -Failed password for invalid user super  from 192.168.45.1 port 12269 ssh2
> 
> -Received disconnected from 192.168.45.1 port 12269:11: Bye Bye 
> 
> -Failed password for invalid user chip from 192.168.45.1 port 12274 ssh2
> 
> -Received disconnected from 192.168.45.1 port 12274:11: Bye Bye 
> 
> -Failed password for root from 192.168.45.1 port 12271 ssh2
> 
> -Received disconnected from 192.168.45.1 port 12271:11: Bye Bye 
> 
> -İnvalid User admin from 192.168.45.1
> 
> -Input_userauth_request: invalid user admin
> 
> ...
> 
> 
> and bunch of stuff like that  
> 
> Why Openvas does that? 

Because OpenVAS is a vulnerability scanner and default/standard accounts
are vulnerabilities which needs to be tested as well.

> Even when i disable brute_force_attack and default_accounts from scan
> config it still tries to brute force my ssh.

Those are two new scan configuration settings which is not yet used by
all related NVTs so this is expected.

> How can i prevent this? 

You can clone the "full and fast" scan configuration and exclude the
"Default Accounts" family. This should disable most of the related NVTs
doing such brute force or default account checks.

> Thanks

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] NVT: Oracle MySQL Security Updates-06

[Christian Fischer]

Hi,

On 20.07.2018 15:28, Robert Fitzpatrick wrote:
> My question is why would OpenVAS detect on one
> server and not the other when the exact same versions?

with the currently provided info i'm guessing that the following two
things could be responsible for this:

1. There are different filters used for report generating where one
filter includes NVTs with a QoD of < 70 % and the another one is using
the defaults where the vulnerability isn't shown.

2. One system gets detected as Windows, the other as an Unixoide system
and thus different results are shown based on the QoD type of the
vulnerability.

You can read more about the QoD and filter topics here:

http://docs.greenbone.net/GSM-Manual/gos-4/en/gui_introduction.html#powerfilter

http://docs.greenbone.net/GSM-Manual/gos-4/en/glossary.html#quality-of-detection-qod

Regards,

> I recently ran a scan on our development server and this vulnerability
> was not detected. The server is running the exact same version of MySQL
> as the production server, both on FreeBSD 11.1 and packages are reported
> as up to date:
> 
> root@dev:~ # pkg info | grep mysql
> mysql57-client-5.7.22_1    Multithreaded SQL database (client)
> mysql57-server-5.7.22_2    Multithreaded SQL database (server)
> 
> After first detected, the production server was running
> mysql57-server-5.7.22_1, so I upgraded to same as the dev server, hoping
> the patch was applied in the '_2' version, and restarted the MySQL
> server. Re-scanned and still detected.
> 
> Looks like a new NVT since I scanned the dev server, so I re-scanned and
> it still does not detect. My question is why would OpenVAS detect on one
> server and not the other when the exact same versions?
> 
> Looking at the detection log, it appears the method of detection is
> simply the version in the banner of the MySQL banner.
> 
> Concluded from version/product identification result:
> 5.7.22-log
> 
> I've looked at both servers, they both show exactly the same info in the
> banner:
> 
> Server version: 5.7.22-log Source distribution
> 
> I am new to OpenVAS, perhaps there is an issue I'm not aware of with
> detection on the dev server. Would OpenVAS report such a problem when
> trying to run an NVT?
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] When I run sudo systemctl start openvas-scanner - the system times out

[Christian Fischer]

Hi,

> What does the redis config look like?
> sudo grep -vE '^.*#|^;|^$'  /etc/redis.conf
*snip*
> save 900 1
> save 300 10
> save 60 1

which effectively means that those are not commented out or removed as
initial assumed:

> I do not have items 1 or 2 in my configuration.
> > "most likely the known issue where redis is blocking any access
by the
> scanner due to unknown reasons. This should do the trick:
>
> 1. Delete dump.rdb (somewhere in /var/run/redis or similar)
> 2. Comment out/remove all "save xy z" (e.g. save 900 1) from your
redis.conf

Regards,
On 06.07.2018 15:58, Lance M. Caven wrote:
> Lance,
> 
> What does the status say?
> sudo systemctl -l status openvas-scanner.service
> 
> openvas-scanner.service - LSB: remote network security auditor - scanner
>    Loaded: loaded (/etc/init.d/openvas-scanner; generated)
>    Active: failed (Result: timeout) since Fri 2018-07-06 08:28:05 CDT;
> 19min ago
>      Docs: man:systemd-sysv-generator(8)
>   Process: 2241 ExecStart=/etc/init.d/openvas-scanner start
> (code=killed, signal=TERM)
>     Tasks: 1 (limit: 19660)
>    CGroup: /system.slice/openvas-scanner.service
>            └─2279 /usr/sbin/openvassd
> 
> Jul 06 08:23:05 lance-desktop systemd[1]: Starting LSB: remote network
> security auditor - scanner...
> Jul 06 08:28:05 lance-desktop systemd[1]: openvas-scanner.service: Start
> operation timed out. Terminating.
> Jul 06 08:28:05 lance-desktop systemd[1]: openvas-scanner.service:
> Failed with result 'timeout'.
> Jul 06 08:28:05 lance-desktop systemd[1]: Failed to start LSB: remote
> network security auditor - scanner.
> 
> How about for the redis service as well?
> sudo systemctl -l status redis.service
> 
> ● redis-server.service - Advanced key-value store
>Loaded: loaded (/lib/systemd/system/redis-server.service; enabled; vendor 
> preset: enabled)
>Active: active (running) since Fri 2018-07-06 08:22:58 CDT; 34min ago
>  Docs: http://redis.io/documentation,
>man:redis-server(1)
>   Process: 1746 ExecStart=/usr/bin/redis-server /etc/redis/redis.conf 
> (code=exited, status=0/SUCCESS)
>  Main PID: 1812 (redis-server)
> Tasks: 4 (limit: 19660)
>CGroup: /system.slice/redis-server.service
>└─1812 /usr/bin/redis-server 127.0.0.1:0 
> 
> Jul 06 08:22:58 lance-desktop systemd[1]: Starting Advanced key-value store...
> Jul 06 08:22:58 lance-desktop systemd[1]: redis-server.service: Can't open 
> PID file /var/run/redis/redis-serve
> Jul 06 08:22:58 lance-desktop systemd[1]: Started Advanced key-value store.
> 
> What does the redis config look like?
> sudo grep -vE '^.*#|^;|^$'  /etc/redis.conf
> 
> sudo grep -vE '^.*#|^;|^$' /etc/redis/redis.conf bind 127.0.0.1 ::1
> protected-mode yes port 0 tcp-backlog 511 timeout 0 tcp-keepalive 300
> daemonize yes supervised no pidfile /var/run/redis/redis-server.pid
> loglevel notice logfile /var/log/redis/redis-server.log databases 16
> always-show-logo yes save 900 1 save 300 10 save 60 1
> stop-writes-on-bgsave-error yes rdbcompression yes rdbchecksum yes
> dbfilename dump.rdb dir /var/lib/redis slave-serve-stale-data yes
> slave-read-only yes repl-diskless-sync no repl-diskless-sync-delay 5
> repl-disable-tcp-nodelay no slave-priority 100 lazyfree-lazy-eviction no
> lazyfree-lazy-expire no lazyfree-lazy-server-del no slave-lazy-flush no
> appendonly no appendfilename "appendonly.aof" appendfsync everysec
> no-appendfsync-on-rewrite no auto-aof-rewrite-percentage 100
> auto-aof-rewrite-min-size 64mb aof-load-truncated yes
> aof-use-rdb-preamble no lua-time-limit 5000 slowlog-log-slower-than
> 1 slowlog-max-len 128 latency-monitor-threshold 0
> notify-keyspace-events "" hash-max-ziplist-entries 512
> hash-max-ziplist-value 64 list-max-ziplist-size -2 list-compress-depth 0
> set-max-intset-entries 512 zset-max-ziplist-entries 128
> zset-max-ziplist-value 64 hll-sparse-max-bytes 3000 activerehashing yes
> client-output-buffer-limit normal 0 0 0 client-output-buffer-limit slave
> 256mb 64mb 60 client-output-buffer-limit pubsub 32mb 8mb 60 hz 10
> aof-rewrite-incremental-fsync yes unixsocket /var/run/redis/redis.sock
> unixsocketperm 755 timeout 0
> 
> 
> 
> 
> On Thu, Jul 5, 2018 at 1:34 PM Lance M. Caven  > wrote:
> 
> When I run sudo systemctl start openvas-scanner - the system times out
> Job for openvas-scanner.service failed because a timeout was exceeded.
> See "systemctl status openvas-scanner.service" and "journalctl -xe"
> for details.
> 
> The system worked on Ubuntu 18.04 on two days ago when I installed
> it.  I rebooted the computer and did run an apt update and upgrade
> on the instance.  Since that time I have not been able to get the
> Openvas-scanner to start.  
> 
> I found and attempted to follow this advice from Christian Fische -
> I do not have items 1 or 2 in my configuration.  
> 
> "most likely the known issue where redis is blocking any 

Re: [Openvas-discuss] BUG? all hosts given same asset id

[Christian Fischer]

Hi,

On 28.06.2018 16:04, Trent Townsend wrote:
> On a related note, what is the best way to report a bug like this?
> I'll be glad to follow a better procedure.

if you're sure it is a bug the best place probably would be the issue
tracker of the affected module. In this specific case
https://github.com/greenbone/gvm/issues could have fit.

Regards,

> Thanks, Christian.  I've seen it happen occasionally since then but its hit 
> or miss.  Reading your link, it would appear that it only happens when a new 
> host appeared which would explain the strangeness.
> 
> I appreciate the response.  On a related note, what is the best way to report 
> a bug like this?  I'll be glad to follow a better procedure.
> 
> Trent
> 
> 
> -Original Message-
> From: Openvas-discuss [mailto:openvas-discuss-boun...@wald.intevation.org] On 
> Behalf Of Christian Fischer
> Sent: Thursday, June 28, 2018 5:37 AM
> To: openvas-discuss@wald.intevation.org
> Subject: Re: [Openvas-discuss] BUG? all hosts given same asset id
> 
> Hi,
> 
> On 08.05.2018 16:37, Trent Townsend wrote:
>> Good day to all.  It would seem that this isn’t a widespread problem. 
>> Can anyone at least point me in the direction of how to officially 
>> report a bug to Greenbone?  I can’t even view the host details in the 
>> GSA because they all take me to the same, single host.
> 
> from what i can see it could be possible that this was fixed with the 
> following PRs to master:
> 
> https://github.com/greenbone/gvm/pull/124
> 
> and the OpenVAS 9 branch:
> 
> https://github.com/greenbone/gvm/pull/125
> 
>> Thanks,
>>
>>   Trent
> 
> Regards,
> 
>>
>> *From:* Trent Townsend
>> *Sent:* Tuesday, May 1, 2018 5:38 AM
>> *To:* 'openvas-discuss@wald.intevation.org'
>> 
>> *Subject:* RE: BUG? all hosts given same asset id
>>
>>  
>>
>> Just resending this.  It happened again yesterday.  On the Results 
>> page in GSA, I can click on any IP address in the Host column and 
>> every link takes me to the same Host (which is obviously the wrong one 
>> most of the time).  The XML report has the same problem although the 
>> HTML report does not.  This is a pretty big bug (it must be a problem in 
>> gsad).
>>
>>  
>>
>> I’m using the following versions on CentOS 7.4:
>>
>>  
>>
>> greenbone-security-assistant-7.0.2-2738.el7.art.x86_64
>>
>> openvas-libraries-9.0.1-2735.el7.art.x86_64
>>
>> openvas-scanner-5.1.1-2736.el7.art.x86_64
>>
>> openvas-9.0.0-2796.el7.art.noarch
>>
>> openvas-smb-1.0.2-1980.el7.art.x86_64
>>
>> openvas-manager-7.0.2-2737.el7.art.x86_64
>>
>> openvas-cli-1.4.5-2739.el7.art.x86_64
>>
>>  
>>
>> Has anyone else ever seen this problem?
>>
>>  
>>
>> TIA,
>>
>>   Trent
>>
>>  
>>
>>  
>>
>> *From:* Trent Townsend
>> *Sent:* Tuesday, April 24, 2018 10:09 AM
>> *To:* openvas-discuss@wald.intevation.org
>> <mailto:openvas-discuss@wald.intevation.org>
>> *Subject:* BUG? all hosts given same asset id
>>
>>  
>>
>> Has anyone see this before?  I’ve got a report with 25 hosts.  
>> However, when viewing the XML report and also the Hosts report in the 
>> GUI, I get the same asset_id for every system.
>>
>>  
>>
>> When I hover over IP #1, I get this link:
>>
>> /omp?cmd=get_asset=host_id=02155a5f-a34f-479b-8e80-c7c3c372
>> 31ae=a3b331f2-a76d-4d7c-9a7a-e481c8d2eb6b
>>
>>  
>>
>> When I hover over IP #1, I get this link:
>>
>> /omp?cmd=get_asset=host_id=02155a5f-a34f-479b-8e80-c7c3c372
>> 31ae=a3b331f2-a76d-4d7c-9a7a-e481c8d2eb6b
>>
>>  
>>
>> All 25 hosts have the same link and take me to the same wrong host page.
>>
>>  
>>
>> Same thing in the XML.  I get a different host IP every time but the 
>> asset_id is always the same.
>>
>>  
>>
>> 
>> > ee-b50f-c87d33144082-1.xml>10.x.x.x> asset_id="*02155a5f-a34f-479b-8e80-c7c3c37231ae*"/>
>>
>>  
>>
>> This would appear to be a bug in Openvas.  I haven’t changed the 
>> settings on the scanner for a month or more and this has happened 
>> several times but sometimes it works properly.
>>
>>  
>>
>> Any ideas?
>>
>>  
>>
>> Trent
>>
>>  
>>
>> --
>>
>> Trent Townsend, CISSP, CCNA
>>
>> CEO, Next Step Innovation
>>
>> 703 Hwy 80 W
>>
>> Clinton, MS 39056
>>
>> 601-708-4500 x1201
>>
>> trent_towns...@nextstepinnovation.com
>> <mailto:trent_towns...@nextstepinnovation.com>
>>
>> www.nextstepinnovation.com <http://www.nextstepinnovation.com>
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] BUG? all hosts given same asset id

[Christian Fischer]

Hi,

On 08.05.2018 16:37, Trent Townsend wrote:
> Good day to all.  It would seem that this isn’t a widespread problem. 
> Can anyone at least point me in the direction of how to officially
> report a bug to Greenbone?  I can’t even view the host details in the
> GSA because they all take me to the same, single host.

from what i can see it could be possible that this was fixed with the
following PRs to master:

https://github.com/greenbone/gvm/pull/124

and the OpenVAS 9 branch:

https://github.com/greenbone/gvm/pull/125

> Thanks,
> 
>   Trent

Regards,

> 
> *From:* Trent Townsend
> *Sent:* Tuesday, May 1, 2018 5:38 AM
> *To:* 'openvas-discuss@wald.intevation.org'
> 
> *Subject:* RE: BUG? all hosts given same asset id
> 
>  
> 
> Just resending this.  It happened again yesterday.  On the Results page
> in GSA, I can click on any IP address in the Host column and every link
> takes me to the same Host (which is obviously the wrong one most of the
> time).  The XML report has the same problem although the HTML report
> does not.  This is a pretty big bug (it must be a problem in gsad). 
> 
>  
> 
> I’m using the following versions on CentOS 7.4:
> 
>  
> 
> greenbone-security-assistant-7.0.2-2738.el7.art.x86_64
> 
> openvas-libraries-9.0.1-2735.el7.art.x86_64
> 
> openvas-scanner-5.1.1-2736.el7.art.x86_64
> 
> openvas-9.0.0-2796.el7.art.noarch
> 
> openvas-smb-1.0.2-1980.el7.art.x86_64
> 
> openvas-manager-7.0.2-2737.el7.art.x86_64
> 
> openvas-cli-1.4.5-2739.el7.art.x86_64
> 
>  
> 
> Has anyone else ever seen this problem?
> 
>  
> 
> TIA,
> 
>   Trent
> 
>  
> 
>  
> 
> *From:* Trent Townsend
> *Sent:* Tuesday, April 24, 2018 10:09 AM
> *To:* openvas-discuss@wald.intevation.org
> 
> *Subject:* BUG? all hosts given same asset id
> 
>  
> 
> Has anyone see this before?  I’ve got a report with 25 hosts.  However,
> when viewing the XML report and also the Hosts report in the GUI, I get
> the same asset_id for every system. 
> 
>  
> 
> When I hover over IP #1, I get this link:
> 
> /omp?cmd=get_asset=host_id=02155a5f-a34f-479b-8e80-c7c3c37231ae=a3b331f2-a76d-4d7c-9a7a-e481c8d2eb6b
> 
>  
> 
> When I hover over IP #1, I get this link:
> 
> /omp?cmd=get_asset=host_id=02155a5f-a34f-479b-8e80-c7c3c37231ae=a3b331f2-a76d-4d7c-9a7a-e481c8d2eb6b
> 
>  
> 
> All 25 hosts have the same link and take me to the same wrong host page.
> 
>  
> 
> Same thing in the XML.  I get a different host IP every time but the
> asset_id is always the same.
> 
>  
> 
> 
> 10.x.x.x asset_id="*02155a5f-a34f-479b-8e80-c7c3c37231ae*"/>
> 
>  
> 
> This would appear to be a bug in Openvas.  I haven’t changed the
> settings on the scanner for a month or more and this has happened
> several times but sometimes it works properly. 
> 
>  
> 
> Any ideas?
> 
>  
> 
> Trent
> 
>  
> 
> --
> 
> Trent Townsend, CISSP, CCNA
> 
> CEO, Next Step Innovation
> 
> 703 Hwy 80 W
> 
> Clinton, MS 39056
> 
> 601-708-4500 x1201
> 
> trent_towns...@nextstepinnovation.com
> 
> 
> www.nextstepinnovation.com 
> 
>  
> 
> 
> *
> 
> This email is confidential and intended solely for the use of the
> individual to whom it is addressed. Any views or opinions presented are
> solely those of the author, and do not necessarily represent those of
> Next Step Innovation. If you are not the intended recipient, be advised
> that you have received this email in error, and that any use,
> dissemination, forwarding, printing or copying of this email is strictly
> prohibited. If you have received this email in error, please contact the
> sender.
> 
> *
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Fwd: Openvas Kali Dependency Cycle Issues

[Christian Fischer]

usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
> ‘__builtin___snprintf_chk’ output between 16 and 50 bytes into a
> destination of size 16
>    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
>   ^~~~
>     __bos (__s), __fmt, __va_arg_pack ());
>     ~
> /root/gvm-libs-9.0.2/nasl/nasl_isotime.c: In function
> ‘nasl_isotime_add’:
> /root/gvm-libs-9.0.2/nasl/nasl_isotime.c:522:52: error: ‘%02d’
> directive output may be truncated writing between 2 and 5 bytes into
> a region of size between 0 and 5 [-Werror=format-truncation=]
>    snprintf (atime, ISOTIME_SIZE, "%04d%02d%02dT%02d%02d%02d",
>     ^~~~
> /root/gvm-libs-9.0.2/nasl/nasl_isotime.c:522:34: note: directive
> argument in the range [-1936, 869]
>    snprintf (atime, ISOTIME_SIZE, "%04d%02d%02dT%02d%02d%02d",
>   ^~~
> /root/gvm-libs-9.0.2/nasl/nasl_isotime.c:522:34: note: directive
> argument in the range [-1936, 869]
> In file included from /usr/include/stdio.h:862:0,
>  from /root/gvm-libs-9.0.2/nasl/nasl_isotime.c:54:
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
> ‘__builtin___snprintf_chk’ output between 16 and 50 bytes into a
> destination of size 16
>    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
>   ^~~~
>     __bos (__s), __fmt, __va_arg_pack ());
>     ~
> /root/gvm-libs-9.0.2/nasl/nasl_isotime.c:483:56: error: ‘%02d’
> directive output may be truncated writing between 2 and 3 bytes into
> a region of size between 0 and 3 [-Werror=format-truncation=]
>    snprintf (atime, ISOTIME_SIZE, "%04d%02d%02dT%02d%02d%02d",
>     ^~~~
> /root/gvm-libs-9.0.2/nasl/nasl_isotime.c:483:34: note: directive
> argument in the range [-59, 59]
>    snprintf (atime, ISOTIME_SIZE, "%04d%02d%02dT%02d%02d%02d",
>   ^~~
> In file included from /usr/include/stdio.h:862:0,
>  from /root/gvm-libs-9.0.2/nasl/nasl_isotime.c:54:
> /usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: note:
> ‘__builtin___snprintf_chk’ output between 16 and 44 bytes into a
> destination of size 16
>    return __builtin___snprintf_chk (__s, __n, __USE_FORTIFY_LEVEL - 1,
>   ^~~~~~~~
>     __bos (__s), __fmt, __va_arg_pack ());
>     ~
> cc1: all warnings being treated as errors
> nasl/CMakeFiles/openvas_nasl_shared.dir/build.make:1056: recipe for
> target 'nasl/CMakeFiles/openvas_nasl_shared.dir/nasl_isotime.c.o' failed
> make[2]: ***
> [nasl/CMakeFiles/openvas_nasl_shared.dir/nasl_isotime.c.o] Error 1
> CMakeFiles/Makefile2:344: recipe for target
> 'nasl/CMakeFiles/openvas_nasl_shared.dir/all' failed
> make[1]: *** [nasl/CMakeFiles/openvas_nasl_shared.dir/all] Error 2
> Makefile:162: recipe for target 'all' failed
> make: *** [all] Error 2
> 
> 
> On Sat, May 26, 2018 at 7:11 AM, Christian Fischer
>  <mailto:christian.fisc...@greenbone.net>> wrote:
> 
> Hi,
> 
> On 25.05.2018 18:26, Aaron Brown wrote:
> > Thanks and I apologize.  I thought I was sending to the wrong list
> > because the reply I got was that I was not on the mailing list.  
> Now I
> > use the discuss email address and it works.
> > 
> > As regards the issue, I guess I need to install Openvas 9 peice by 
> peice
> > from openvas site instead of using apt-get.
> 
> from what i know the packages of Kali Linux are pulled from
> Debian so
> you could also create an update request for the new packages
> (http://www.openvas.org/install-source.html
> <http://www.openvas.org/install-source.html>) at the Debian tracker:
> 
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=openvas-scanner 
> <https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=openvas-scanner>
> https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=openvas-manager 
> <https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=openvas-manager>
> https://bugs.debian.org/cgi-bin/pk

Re: [Openvas-discuss] NMAP timing template configuration

[Christian Fischer]

Hi,

On 07.06.2018 15:06, Alexandre Brasseur wrote:
> I checked every parameters you mentioned and I confirm those are not set
> (empty string) in my current scan config:

this currently works as expected with the recent OpenVAS releases listed
at http://www.openvas.org/install-source.html.

When changing e.g. the "Timing policy: " of Nmap (NASL wrapper) from the
Default of "Normal" to "Aggressive" the following can be seen via "ps
auxwww|grep [n]map":

root 14596  0.0  0.1  62396 15152 ?S16:53   0:00 nmap -n
-Pn -oG /tmp/nmap-192.168.0.2-236747157 -sT -sU -p
T:1-65535,U:7,9,17,19,49,53,67-69,80,88,111,120,123,135-139,158,161-162,177,427,443,445,497,500,514-515,518,520,593,623,626,631,996-999,1022-1023,1025-1030,1433-1434,1645-1646,1701,1718-1719,1812-1813,1900,2000,2048-2049,-2223,3283,3456,3703,,4500,5000,5060,5353,5632,9200,1,17185,20031,30718,31337,32768-32769,32771,32815,33281,49152-49154,49156,49181-49182,49185-49186,49188,49190-49194,49200-49201
-T4 192.168.0.2

(Note the -T4 for the "Aggressive" timing policy of nmap).

Regards,

>  * Nmap (NASL wrapper)
>      Do not randomize the order in which ports are scanned = "no"
>      Do not scan targets not in the file = "no"
>      Fragment IP packets (bypasses firewalls) = "no"
>      Log nmap output = "no"
>      RPC port scan = "no"
>      Run dangerous port scans even if safe checks are set = "no"
>      Service scan = "no"
>      Data length = ""
>      Host Timeout (ms) = ""
>      Initial RTT timeout (ms) = ""
>      Max RTT Timeout (ms) = ""
>      Max Retries = ""
>      Maximum wait between probes (ms) = ""
>      Min RTT Timeout (ms) = ""
>      Minimum wait between probes (ms) = ""
>      Ports scanned in parallel (max) = ""
>      Ports scanned in parallel (min) = ""
>      Source port = ""
>      File containing grepable results = ""
>      TCP scanning technique = connect()
>      Timing policy = Polite
> 
> And the same goes for:
> * Launch Nmap for Network Scanning
>      Aggressive OS detection = "no"
>      Disable DNS resolution = "no"
>      Fragment IP packets (bypasses firewalls) = "no"
>      Identify the remote OS = "no"
>      RPC port scan = "no"
>      Service scan = "no"
>      Trace hop path to each host = "no"
>      Treat all hosts as online = "no"
>      Exclude hosts = ""
>      Host Timeout (ms) = ""
>      Hosts scanned in parallel (max) = ""
>      Hosts scanned in parallel (min) = ""
>      Initial RTT timeout (ms) = ""
>      Max RTT Timeout (ms) = ""
>      Min RTT Timeout (ms) = ""
>      Minimum wait between probes (ms) = ""
>      Ports scanned in parallel (max) = ""
>      Ports scanned in parallel (min) = ""
>      Source port = ""
>      File containing XML results = ""
>      TCP scanning technique = connect()
>      Timing policy = Polite
> 
> Am I supposed to see an additionnal argument in the NMAP command lines
> like I expect?
> Any other idea why the "timing policy" is not taken into account?
> 
> Regards,
> 
> 
> On Thu, Jun 7, 2018 at 12:20 PM, Christian Fischer
>  <mailto:christian.fisc...@greenbone.net>> wrote:
> 
> Hi,
> 
> could you make sure that you havn't changed any of the following
> settings of the "nmap.nasl" preferences from the default / empty string:
> 
> Max Retries :
> Host Timeout (ms) :
> Min RTT Timeout (ms) :
> Max RTT Timeout (ms) :
> Initial RTT Timeout (ms) :
> Ports scanned in parallel (min)
> Ports scanned in parallel (max)
> Minimum wait between probes (ms)
> Maximum wait between probes (ms)
> 
> As soon as one or more of the above preferences has any data set the
> "Timing policy :" doesn't apply anymore.
> 
> Regards,
> 
> On 07.06.2018 08:53, Alexandre Brasseur wrote:
> >  Hi everyone,
> >
> > I am mostly performing scans on networks were bandwidth consumption is
> > critical and should therefore be as low as possible.
> > From my first observations, the most bandwidth-intensive part of
> the scan
> > is the beginning, were lots of NMAP processes are being triggered,
> like so:
> > ---openvassd: testing AAA.BBB.CCC.DDD
> (/var/lib/openvas/plugins/nmap.nasl)
> > ---n

Re: [Openvas-discuss] NMAP timing template configuration

[Christian Fischer]

Hi,

could you make sure that you havn't changed any of the following
settings of the "nmap.nasl" preferences from the default / empty string:

Max Retries :
Host Timeout (ms) :
Min RTT Timeout (ms) :
Max RTT Timeout (ms) :
Initial RTT Timeout (ms) :
Ports scanned in parallel (min)
Ports scanned in parallel (max)
Minimum wait between probes (ms)
Maximum wait between probes (ms)

As soon as one or more of the above preferences has any data set the
"Timing policy :" doesn't apply anymore.

Regards,

On 07.06.2018 08:53, Alexandre Brasseur wrote:
>  Hi everyone,
> 
> I am mostly performing scans on networks were bandwidth consumption is
> critical and should therefore be as low as possible.
> From my first observations, the most bandwidth-intensive part of the scan
> is the beginning, were lots of NMAP processes are being triggered, like so:
> ---openvassd: testing AAA.BBB.CCC.DDD (/var/lib/openvas/plugins/nmap.nasl)
> ---nmap -n -Pn -oG /tmp/nmap-AAA.BBB.CCC.DDD -sT -sU -p T:1-65535,U: ...
> 
> As a consequence, I am looking for a way to lower the "aggressiveness" of
> those NMAP processes (see "timing template" of NMAP MANPAGE)
> After looking in "/var/lib/openvas/plugins/nmap.nasl" and
> "/var/cache/openvas/nmap.nasl.nvti", such a configuration seems possible by
> modifying the "Scans Configs" using the "Greenbone" web interface.
> But even after switching from "Normal" to "Polite", the command line
> arguments remained the same, while I was expecting the option "-T<0-5>" to
> appear in those.
> 
> Here is my current working config under Debian Stretch 9.3 (Kernel
> 4.9.0-5-amd64):
> ii  greenbone-security-assistant6.0.11+dfsg.1-2
> amd64remote network security auditor - web interface
> ii  greenbone-security-assistant-common 6.0.11+dfsg.1-2all
> architecture independent files for greenbone-security-assistant
> ii  libopenvas8 8.0.8-2
> amd64remote network security auditor - shared libraries
> ii  openvas 6.0.9-2
> amd64remote network security auditor - metapackage
> ii  openvas-cli 1.4.5-1
> amd64Command Line Tools for OpenVAS
> ii  openvas-manager 6.0.9-2
> amd64Manager Module of OpenVAS
> ii  openvas-manager-common  6.0.9-2all
> architecture independent files for openvas-manager
> ii  openvas-scanner 5.0.7-3
> amd64remote network security auditor - scanner
> 
> Thanks in advance for your help,
> 
> Regards.
> 
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Fwd: Openvas Kali Dependency Cycle Issues

[Christian Fischer]

Hi,

On 25.05.2018 18:26, Aaron Brown wrote:
> Thanks and I apologize.  I thought I was sending to the wrong list
> because the reply I got was that I was not on the mailing list.  Now I
> use the discuss email address and it works.
> 
> As regards the issue, I guess I need to install Openvas 9 peice by peice
> from openvas site instead of using apt-get.

from what i know the packages of Kali Linux are pulled from Debian so
you could also create an update request for the new packages
(http://www.openvas.org/install-source.html) at the Debian tracker:

https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=openvas-scanner
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=openvas-manager
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=openvas-libraries
https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=greenbone-security-assistant

And if the packages got updated they should end up in Kali Linux as well.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

> On Fri, May 25, 2018 at 11:02 AM, Christian Fischer
> <christian.fisc...@greenbone.net
> <mailto:christian.fisc...@greenbone.net>> wrote:
> 
> Hi,
> On 25.05.2018 03:45, Aaron Brown wrote:
> > I have downloaded  openvas from "apt-get" and installed on Kali Linux.  
>  I
> > am reviewing the logs (openvassd.messages)and noticed alot of "Possible
> > Dependency Cycle" things detected.  I have grepped them out and listed 
> them
> > below that were identified in one scan of my home network.   Is this
> > normal?
> > 
> > [Sun Apr 29 20:02:19 2018][23551] Starts a new scan. Target(s) : 
> x.x.x.x/24
> > <http://10.0.0.0/24>, with max_hosts = 30 and max_checks = 10
> > [Sun Apr 29 20:02:19 2018][23551] exclude_hosts: Skipped 0 host(s).
> > Sun Apr 29 20:02:39 2018][23952] Possible dependency cycle detected
> > 1.3.6.1.4.1.25623.1.0.10330
> 
> i'm not sure if you're not registered to the mailinglist but you already
> got an answer to this question twice:
> 
> 
> http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-May/001381.html
> 
> <http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-May/001381.html>
> 
> 
> http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-May/001395.html
> 
> <http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-May/001395.html>
> 
> So yes, this is normal as you get outdated versions of the OpenVAS
> components from Kali containing a bug causing those messages.
> 
> Regards,
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Fwd: Openvas Kali Dependency Cycle Issues

[Christian Fischer]

Hi,
On 25.05.2018 03:45, Aaron Brown wrote:
> I have downloaded  openvas from "apt-get" and installed on Kali Linux.   I
> am reviewing the logs (openvassd.messages)and noticed alot of "Possible
> Dependency Cycle" things detected.  I have grepped them out and listed them
> below that were identified in one scan of my home network.   Is this
> normal?
> 
> [Sun Apr 29 20:02:19 2018][23551] Starts a new scan. Target(s) : x.x.x.x/24
> <http://10.0.0.0/24>, with max_hosts = 30 and max_checks = 10
> [Sun Apr 29 20:02:19 2018][23551] exclude_hosts: Skipped 0 host(s).
> Sun Apr 29 20:02:39 2018][23952] Possible dependency cycle detected
> 1.3.6.1.4.1.25623.1.0.10330

i'm not sure if you're not registered to the mailinglist but you already
got an answer to this question twice:

http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-May/001381.html

http://lists.wald.intevation.org/pipermail/openvas-plugins/2018-May/001395.html

So yes, this is normal as you get outdated versions of the OpenVAS
components from Kali containing a bug causing those messages.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | https://www.greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Forcing a deep scan

[Christian Fischer]

Hi,

On 15.05.2018 12:42, Corti Matteo (ID BD) wrote:
> I have a target configured with a "Full and fast ultimate” config. We now 
> installed a lot of new stuff on the targeted machines but I am not able to 
> tell OpenVAS to *temporarily* ignore the last scans and perform a “very deep” 
> scan.

this is a common misunderstanding of the "very deep" scan configs:

Generally no data between two independent scans of OpenVAS are shared in
a way that the first scan would influence the results of a second scan
done at some later point in time.

One except of the description above is the special "CVE Scanner" which
relies on the collected data within the asset database. To keep this
data up2date it is recommended to regularly run repeated scans,
especially if a infrastructure got changed.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] change global variable settings

[Christian Fischer]

Hi,

On 10.05.2018 16:24, Stelios Barberakis wrote:
> Thank you for your help. I managed to resolve the issue back then,
> cloning and modifying the scan config template.
> Unfortunately after Monday update, I haven't been able to reproduce the
> "printer detection" situation (default scan configs obviously). The
> issue seems to have been resolved for me.

mhhh thats quite strange but the mis-identification could be caused by
the following:

> I am probably *getting off topic* here, but in case this helps in some way:
> 
> Since then, the issue is that the scans take ages to complete(~20 hours
> for default: full and very deep), while sometimes it remains at 1%
> forever. High cpu usage (over 70% for every core during the scan ~ when
> it passes over 1%).
> 
> I was thinking that I may be getting blocked by host provider's firewall
> and I tried with:
> /Maximum concurrently executed NVTs per host: 1
> Maximum concurrently scanned hosts: 1
> /which didn't change anything, as far as I can tell.
> 
> My server is a debian Managed VPS at a2hosting.
> 
> I set log_whole_attack=yes,  but it didn't give me any usefull info,
> besides what I am attaching.

this sounds to me like outdated components of the OpenVAS framework. The
current releases of the OpenVAS 9 components available at:

http://www.openvas.org/install-source.html

have a fix included for exactly such an issue you're describing.

Regards,

> On 7 May 2018 at 17:17, Christian Fischer
> <christian.fisc...@greenbone.net
> <mailto:christian.fisc...@greenbone.net>> wrote:
> 
> Hi,
> 
> did you had a chance to re-scan your server with the updated feed to see
> the extended output?
> 
> Regards,
> 
> On 30.04.2018 15:33, Stelios Barberakis wrote:
> > thanks Christian
> >
> > On 28 April 2018 at 16:04, Christian Fischer <
> > christian.fisc...@greenbone.net
> <mailto:christian.fisc...@greenbone.net>> wrote:
> >
> >> Hi,
> >>
> >> On 28.04.2018 01:30, Stelios Barberakis wrote:
> >>> I apologise if this is a double post, but I think the previous
> one was
> >>> not delivered.
> >>
> >> you can check the delivering status on your own if you browse the
> >> mailing list archives available at:
> >>
> >> http://lists.wald.intevation.org/pipermail/openvas-discuss/
> <http://lists.wald.intevation.org/pipermail/openvas-discuss/>
> >>
> >> where you can see that your previous mail was delivered as well:
> >>
> >> http://lists.wald.intevation.org/pipermail/openvas-discuss/
> <http://lists.wald.intevation.org/pipermail/openvas-discuss/>
> >> 2018-April/012012.html
> >>
> >>> Using the web UI, I can see the settings, including 'Exclude
> printers
> >>> from scan' (screenshot attached in the link).
> >>>
> >>> but I can't find out *how to change it*. The configuration files
> doesn't
> >>> include any such option:
> >>
> >> The openvassd.conf is the wrong place you're looking at. You
> would need
> >> to clone the "Full and Fast" scan configuration to be able to change
> >> this setting.
> >>
> >> But instead of changing the scan configuration i'm quite
> interested in
> >> why your server is detected as a printer. Starting with the next feed
> >> update (around Monday next week) the following NVTs will print
> out the
> >> reason why your system was detected as a printer:
> >>
> >> Do not scan printers
> >> OID: 1.3.6.1.4.1.25623.1.0.11933
> >>
> >> Do not print on AppSocket and socketAPI printers
> >> OID: 1.3.6.1.4.1.25623.1.0.12241
> >>
> >> It would be great if you could share the output of the NVTs either
> >> privately or here at the mailing list.
> >>
> >> Thanks,
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] change global variable settings

[Christian Fischer]

Hi,

did you had a chance to re-scan your server with the updated feed to see
the extended output?

Regards,

On 30.04.2018 15:33, Stelios Barberakis wrote:
> thanks Christian
> 
> On 28 April 2018 at 16:04, Christian Fischer <
> christian.fisc...@greenbone.net> wrote:
> 
>> Hi,
>>
>> On 28.04.2018 01:30, Stelios Barberakis wrote:
>>> I apologise if this is a double post, but I think the previous one was
>>> not delivered.
>>
>> you can check the delivering status on your own if you browse the
>> mailing list archives available at:
>>
>> http://lists.wald.intevation.org/pipermail/openvas-discuss/
>>
>> where you can see that your previous mail was delivered as well:
>>
>> http://lists.wald.intevation.org/pipermail/openvas-discuss/
>> 2018-April/012012.html
>>
>>> Using the web UI, I can see the settings, including 'Exclude printers
>>> from scan' (screenshot attached in the link).
>>>
>>> but I can't find out *how to change it*. The configuration files doesn't
>>> include any such option:
>>
>> The openvassd.conf is the wrong place you're looking at. You would need
>> to clone the "Full and Fast" scan configuration to be able to change
>> this setting.
>>
>> But instead of changing the scan configuration i'm quite interested in
>> why your server is detected as a printer. Starting with the next feed
>> update (around Monday next week) the following NVTs will print out the
>> reason why your system was detected as a printer:
>>
>> Do not scan printers
>> OID: 1.3.6.1.4.1.25623.1.0.11933
>>
>> Do not print on AppSocket and socketAPI printers
>> OID: 1.3.6.1.4.1.25623.1.0.12241
>>
>> It would be great if you could share the output of the NVTs either
>> privately or here at the mailing list.
>>
>> Thanks,
>>
>>
>> --
>>
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>> Greenbone Networks GmbH | http://greenbone.net
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>>
> 
> 
> 

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVas Command Line Scan Plugin Options

[Christian Fischer]

Hi,

just to note that you have written your last two mails only as a private
mail directly to me.

If you're writing responses to a mailing list posting please keep at
least the mailing list address in CC (or even better only in the To:
without private / direct mail).

Regards,

On 04.05.2018 09:32, Tom Parker wrote:
> Hi Folks,
> 
> Any comments on command line selection of plugins and if that is possible?
> 
> On Sat, Apr 28, 2018 at 5:01 PM, Tom Parker <tomparker...@gmail.com> wrote:
> 
>> Thanks for the response Christian.
>>
>> Do you know if there is a way to select plugins from the command line if I
>> wanted to avoid the UI?
>>
>>
>>
>> On Sat, Apr 28, 2018 at 2:18 PM, Christian Fischer <
>> christian.fisc...@greenbone.net> wrote:
>>
>>> Hi,
>>>
>>> On 27.04.2018 22:07, Tom Parker wrote:
>>>> I don't want to fire the kitchen sink at the target. If it is a Windows
>>>> box then I don't want to fire Linux plugins at it. This will also help
>>>> cut down the scan time.
>>>
>>> this doesn't make much sense these days. Most plugins are optimized in a
>>> way that a Linux-NVT isn't launched at all against a detected Windows
>>> system.
>>>
>>> Regards,
>>>
>>> --
>>>
>>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>>> Greenbone Networks GmbH | http://greenbone.net
>>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>>> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>>> ___
>>> Openvas-discuss mailing list
>>> Openvas-discuss@wald.intevation.org
>>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/o
>>> penvas-discuss
>>
>>
>>
> 

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVas Command Line Scan Plugin Options

[Christian Fischer]

Hi,

On 27.04.2018 22:07, Tom Parker wrote:
> I don't want to fire the kitchen sink at the target. If it is a Windows
> box then I don't want to fire Linux plugins at it. This will also help
> cut down the scan time.

this doesn't make much sense these days. Most plugins are optimized in a
way that a Linux-NVT isn't launched at all against a detected Windows
system.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] change global variable settings

[Christian Fischer]

Hi,

On 28.04.2018 01:30, Stelios Barberakis wrote:
> I apologise if this is a double post, but I think the previous one was
> not delivered.

you can check the delivering status on your own if you browse the
mailing list archives available at:

http://lists.wald.intevation.org/pipermail/openvas-discuss/

where you can see that your previous mail was delivered as well:

http://lists.wald.intevation.org/pipermail/openvas-discuss/2018-April/012012.html

> Using the web UI, I can see the settings, including 'Exclude printers
> from scan' (screenshot attached in the link).
>
> but I can't find out *how to change it*. The configuration files doesn't
> include any such option:

The openvassd.conf is the wrong place you're looking at. You would need
to clone the "Full and Fast" scan configuration to be able to change
this setting.

But instead of changing the scan configuration i'm quite interested in
why your server is detected as a printer. Starting with the next feed
update (around Monday next week) the following NVTs will print out the
reason why your system was detected as a printer:

Do not scan printers
OID: 1.3.6.1.4.1.25623.1.0.11933

Do not print on AppSocket and socketAPI printers
OID: 1.3.6.1.4.1.25623.1.0.12241

It would be great if you could share the output of the NVTs either
privately or here at the mailing list.

Thanks,


--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] verinice integration status

[Christian Fischer]

Hi,

On 28.04.2018 14:12, Alex Smirnoff wrote:
> does anyone here use Verinice integration for any practical purpose, or
> was it just a government-sponsored compliance oriented project that
> turned out not to be really applicable for real life? Could you please
> share your impressions?

i'm not using it on my own but i know that the verinice integration is
used productively.

You can find some resources on this topic at e.g.

https://verinice.com/en/greenbone/
http://docs.greenbone.net/GSM-Manual/gos-4/en/connecting.html#verinice

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Is too much power disruptive?

[Christian Fischer]

Hi,

On 26.04.2018 11:16, Thijs Stuurman wrote:
> (I always have the feeling my Nessus scanner performs the same tests
way faster and with a lot less CPU stress)

to have some sort of comparable numbers / data here you would need to
enable CGI Scanning and Throughout Tests in Nessus if not already done.

In OpenVAS CGI Scanning is enabled by default and the Throughout Test
was removed some time ago and all plugins are "Throughout". But IIRC
both are disabled by default in Nessus.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Tasks Autostart plugin for openvas ?

[Christian Fischer]

Hi,

On 25.04.2018 15:21, tatooin wrote:
> but unfortunately I cannot upgrade to 9 yet

its still recommended to start planning the migration to OpenVAS 9 as
OpenVAS 8 will reach its EOL in a few months:

http://lists.wald.intevation.org/pipermail/openvas-announce/2018-March/000216.html

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

[Openvas-discuss] OpenVAS 9 Scanner 5.1.2 - lib kb_redis-CRITICAL **: fetch_max_db_index:

[Christian Fischer]

Hi,

On 10.04.2018 19:38, Pete @ GREENUP ENGINEERING wrote:
> Hi folks
> 
> I got the following error on a 2 out of 3 servers im running after
> leaving  scan /24's. I have to flush redis, restart services and rebuild
> openvas to fix it. Can someone point me in the right direction for
> discovering what maybe causing it?
> 
>  openvas-scanner.service - LSB: remote network security auditor - scanner
>    Loaded: loaded (/etc/init.d/openvas-scanner; bad; vendor preset:
> enabled)
>    Active: active (exited) since Mon 2018-04-09 22:34:08 UTC; 18h ago
>  Docs: man:systemd-sysv-generator(8)
>   Process: 1349 ExecStart=/etc/init.d/openvas-scanner start
> (code=exited, status=0/SUCCESS)
> 
> Apr 09 22:33:07 02 systemd[1]: Starting LSB: remote network
> security auditor - scanner...
> Apr 09 22:33:08 02 openvas-scanner[1349]: (openvassd:1409): lib 
> kb_redis-CRITICAL **: fetch_max_db_index: cannot retrieve max DB number:
> LOADING Redis is loading the dataset in memory
> Apr 09 22:34:08 02 systemd[1]: Started LSB: remote network
> security auditor - scanner.

this could be related to:

http://lists.wald.intevation.org/pipermail/openvas-discuss/2017-June/011219.html

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Scanning for vulnerabilities in Oracle Database

[Christian Fischer]

Hi,

On 12.04.2018 05:01, Anantha Raghava wrote:
> It appears that unless the credentials are set,
> Oracle tns listner will not allow connection attempt. But how do we set
> it is the question.

there is no such configuration possible in the Detection-NVT. You would
need to allow the Scanner IP (similar to MySQL/MariaDB) to connect to
the Oracle Database.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] "Are you dead?" Really?

[Christian Fischer]

Hi,

On 10.04.2018 17:46, Andrew Robinson wrote:
> Yes, _I_ appreciate the humor and irony. But the client didn’t find it even 
> slightly humorous, particularly when the nurses in the hospital almost 
> triggered the lockdown protocol because they thought they were under an 
> active threat. An over-reaction for sure, but as I try to advance OpenVAS as 
> a professional tool on par with it’s commercial sibling, Nessus, this doesn’t 
> make my job any easier.

independently from the sent string by this host alive probe you really
shouldn't used a scan config with disabled safe checks for unknown and
productive environments where you don't know how they behave / react on
such scans. See also my previous mail about this.

If using such a config is preferred i would at least make all staff
aware of the side-effects which could be caused by such scans to avoid
situations like this.

Besides that and as long as you havn't set the "Exclude printers from
scan" option to "no" in the "Global variable settings" of the scan
config a printer shouldn't be touched at all during a scan by default.

But this heavily depends if it was possible to detect the printer from
exposed banners (e.g. via HTTP, FTP, SNMP, Telnet etc.). Reports
containing such information, name of the printer or similar are very
welcome at the following mailing list:

http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-plugins

> I manually patched libopenvas_nasl.so.9.0.1 to change the string from “are 
> you dead ?” to “function check” 
> 
> Something like this should be done in the OpenVAS source. Or at least make it 
> a string that can be set, and NOT default to “are you dead ?” no matter how 
> ironic or humorous that default might be.

If you think this string should be changed it probably would be the best
to open a pull request with your changes and a rationale to the github
repository at:

https://github.com/greenbone/gvm-libs/

Regards,

>> On Apr 10, 2018, at 11:14, Alex Smirnoff <a...@eltex.net> wrote:
>>
>> If it asks "Are you alive? Prove it!" then it might be more scary. Even
>> if it is a printer, not a toaster ;-)
>>
>> On Mon, Apr 09, 2018 at 07:05:46PM +, Stewart Joseph wrote:
>>> You must admit, there is more than a touch of ironic humor there.  I ran a 
>>> scan of a Deli's network and when it hit their receipt printer it printed 
>>> out about 3 feet with the word "Hello" in it.  I wasn't there when it hit.  
>>> They thought the printer had become self-aware.
>>>
>>> Stewart Joseph, CTO
>>> LEK Technology Consultants
>>> 407-877-6505 x1103
>>> www.lekcomp.com
>>>
>>> -Original Message-
>>> From: Openvas-discuss <openvas-discuss-boun...@wald.intevation.org> On 
>>> Behalf Of Andrew Robinson
>>> Sent: Thursday, March 29, 2018 1:48 PM
>>> To: openvas-discuss@wald.intevation.org
>>> Subject: [Openvas-discuss] "Are you dead?" Really?
>>>
>>> Running an openvas scan with printer scanning enabled CAN result in several 
>>> pages containing the string “are you dead?” being printed. In this case, in 
>>> a hospital, in the ob/gyn suite.
>>>
>>> Not good.
>>>
>>> I’ve searched through the NVTs and can’t find where this string is sourced. 
>>> Does anyone know?
>>> ___
>>> Openvas-discuss mailing list
>>> Openvas-discuss@wald.intevation.org
>>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
>>> ___________
>>> Openvas-discuss mailing list
>>> Openvas-discuss@wald.intevation.org
>>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
> 
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] [WORKAROUND] unknown or invalid Host header

[Christian Fischer]

Hi,

On 10.04.2018 17:18, Aaron Couts wrote:
> In any case I couldn't find any config settings that
> addressed this.

have a look at the following mailing list post for the config option and
how to configure it:

http://lists.wald.intevation.org/pipermail/openvas-discuss/2018-April/011929.html

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS9 hanging nasl tasks (REDUX)

[Christian Fischer]

Hi,

On 06.04.2018 00:43, Pete @ GREENUP ENGINEERING wrote:
> "The request contained an unknown or invalid Host header. If you are
> trying to access GSA via its hostname or a proxy, make sure GSA is set
> up to allow it."

the related Pull Request with those changes can be found here:

https://github.com/greenbone/gsa/pull/318

Have a look at the --allow-header-host parameter of gsad (gsad --help)
on how to add additional IP addresses and hostnames.

If you e.g. access the GSA via https://gsa.example.com you need to start
gsad with:

gsad --allow-header-host "gsa.example.com"

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS9 hanging nasl tasks (REDUX)

[Christian Fischer]

Hi,

On 04.04.2018 03:19, Pete Greenup wrote:
> would i be better to either install that from source, or see if/when Mohammad 
> will
> update the repo to include the latest code?

those are the two options you currently have to work around this which
is already fixed in the latest available versions of scanner and
libraries available at http://www.openvas.org/install-source.html

Working around this issue on NVT side doesn't make a sense anymore as
the behavior might be triggered by any NVT (not only the mentioned)
depending on e.g. the available services on a target or the dependency
chain of specific NVTs.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Does OPenVAS9 perform authenticated Scan of Remote target

[Christian Fischer]

Hi,

On 28.03.2018 20:14, aditya pratti wrote:
> I want to perform authenticated scan or internal scan of remote host.Is it 
> possible with OpenVAS ?Let me know. Thank you. Have a good day.

see the documentation available here for all information on this topic:

http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#authenticated-scan-using-local-security-checks

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] "Are you dead?" Really?

[Christian Fischer]

Hi,

On 29.03.2018 19:48, Andrew Robinson wrote:
> I’ve searched through the NVTs and can’t find where this string is sourced. 
> Does anyone know?

looks like this string is sent if a NVT is calling the "end_denial()"
function defined here:

https://github.com/greenbone/gvm-libs/blob/v8.0.10/nasl/nasl_misc_funcs.c#L291

Currently only NVTs launched in the "Ultimate" scan configs or in own
defined scan configurations with disabled safe checks are calling this
function.

If hosts, especially printers are scanned with such scan configs
side-effects like this (or even worse like killed hosts) can happen at
any time.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Problems installing OpenVAS 9 in Ubuntu 17.10

[Christian Fischer]

Hi,

On 26.03.2018 01:15, Konstantin Boyandin wrote:
> Whom shall I contact to request a more permanent fix for the above?

that should be the maintainer of your used packages. If the packages are
directly from Ubuntu you should find the issue trackers at launchpad:

https://launchpad.net/ubuntu/+source/openvas/+bugs
https://launchpad.net/ubuntu/+source/openvas-scanner/+bugs

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS Schedule

[Christian Fischer]

Hi,

On 23.03.2018 09:16, Beadle, Bruce wrote:
> Excuse me if this question has been asked before, I am trying to create
> a new schedule but the First Time drop down does not offer years later
> than 2017?
> 
> Is there a manual edit I can do or do I need to upgrade?

have a look at the following mailing list post for some instructions
which file to edit to get the possibility to create schedules for 2018:

http://lists.wald.intevation.org/pipermail/openvas-discuss/2018-February/011796.html

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] how to minimize harm when introducing vuln scanning to a network

[Christian Fischer]

Hi *,

On 14.03.2018 20:59, TJ wrote:
> I would exclude networked printers as the scans can cause them to
> produce volumes of printed gibberish (found out the hard way)

we have tried to work around this in the last year and implemented a few
additional mitigations which showed quite good results as long as the
printer was detected.

This is handled in the following NVT:

http://plugins.openvas.org/nasl.php?oid=12241

by excluding common ports (namely 9100-9103 and 9112-9116 / tcp) by
default which are known to print gibberish if touched.

There might be still quite a lot printers out there which we don't
detect. If you're still facing issues like this any additional
information about your printer (HTTP, SNMP SysDesc, Telnet, FTP banners
etc.) are welcome.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Virtual Appliance, No Configuration -> Schedule menu item

[Christian Fischer]

Hi,

On 23.02.2018 20:52, Ian Harding wrote:
> but I can't seem to find a couple menu items that are supposed to be
> available
maybe the feature comparison available at [1] explains why you're not
seeing a couple menu items like Schedules in the Community Edition?

[1] https://www.greenbone.net/en/community-edition/

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Windows Authenticated Scans

[Christian Fischer]

Hi,

On 20.02.2018 19:19, Ali Khalfan wrote:
> Is there anything else that needs to be done?  Shouldn't the scan at
> least scan the registry/drivers/.net framework/browser for any
> vulnerabilities?

all requirements for successful authenticated scans are documented at
[1]. The following NVTs and their log messages might give some
additional hints:

SMB log in
OID: 1.3.6.1.4.1.25623.1.0.10394

SMB Login Failed For Authenticated Checks
OID: 1.3.6.1.4.1.25623.1.0.106091

Check for SMB accessible registry
OID: 1.3.6.1.4.1.25623.1.0.10400


[1]
http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#requirements-on-target-systems-with-windows

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Timeout when scanning all UDP ports

[Christian Fischer]

Hi,

On 16.02.2018 13:59, Yves Gattegno wrote:
> I'd like to set the parameters so that I can scan all UDP ports but I
> can't figure our which parameters to tune and what values to set.

you probably need to raise the "scanner_plugins_timeout" [1] of your
scan configuration which is a timeout (in seconds) a Port Scanner NVT is
allowed to run.

> I guess than in the port scanner settings, I must change some nmap
> settings, such as host time out and set it to a reasonable value, maybe
> 3 or 5 seconds
> 
> What other parameter should I change to allow an efficicent scanning of
> all UDP ports, knowing that I don't care if such a scan takes more than
> 24 hours?

The NVT "Nmap (NASL wrapper)" OID: 1.3.6.1.4.1.25623.1.0.14259 from the
"Port scanners" family has various tuning options for nmap. You might
need to consult the nmap manual for more information on those options
and how to configure those to achieve what you're looking for.

> Thanks in advance
> 
> - Yves Gattegno

Regards,

[1]
http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html?highlight=scanner_plugins_timeout#general-preferences

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] openvas not getting installed

[Christian Fischer]

Hi,

On 13.02.2018 14:48, Amit Bhatia wrote:
> I am trying to install Openvas but getting the attached error.

The "ERROR" text shows your issue and the "FIX" shows what to do to
solve this. Please consult the redis manpage/manual or the Kali Linux
support forums how to apply the "FIX" to your operating system.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Private or Corporate CAs

[Christian Fischer]

Hi,

On 02.02.2018 22:18, Gareth Williams wrote:
> I can't add to this list (as far as my understanding
> goes) as the file is signed.

i think allowing this still makes sense in the scope of Private or
Corporate CAs. The "SSL/TLS: Certificate Signed Using A Weak Signature
Algorithm" was updated to allow this.

After one of the next feed updates you should see a new script
preference where you can add additional SHA-1 fingerprints of CAs to the
predefined list (see the NVT description for the detailed syntax).

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS VM - No option to print PDFs

[Christian Fischer]

Hi,

On 31.01.2018 00:00, Brandon Bass wrote:
> I recently stood up an OpenVAS VM  and for some reason it doesn't show
> any option to print a report in any format.  Under the drop down it
> shows "No Results Found".  I found a site saying that I would need to
> install Latex, which I tried but it says it's already on the most recent
> version.

By "OpenVAS VM" you're referring to the "GCE"? If yes you might give the
todays released new version [1] which lists the following change:

> One noteworthy bugfix: In GCE 4.1 the report plugins were missing and
now are back.

[1]
http://lists.wald.intevation.org/pipermail/openvas-announce/2018-February/000213.html

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] SIGSEGV and Connection reset by peer

[Christian Fischer]

Hi,

On 31.01.2018 01:09, Lang, Adam wrote:
> [Wed Jan 31 00:05:57 2018][2448] Possible dependency cycle detected 
> 1.3.6.1.4.1.25623.1.0.81
> SIGSEGV occured !
> openvassd: testing 10.200.0.226(sighand_segv+0x7d)[0x40d0cd]
> /lib64/libc.so.6(+0x35270)[0x7f49c32bd270]
> openvassd: testing 10.200.0.226(common+0x43)[0x40d153]
> openvassd: testing 10.200.0.226(plugin_launch+0x81)[0x40af71]
> openvassd: testing 10.200.0.226[0x406c4a]
> openvassd: testing 10.200.0.226[0x40710a]
> openvassd: testing 10.200.0.226(create_process+0xdd)[0x40cedd]
> openvassd: testing 10.200.0.226(attack_network+0x7f7)[0x407a47]
> openvassd: testing 10.200.0.226[0x40a3e3]
> openvassd: testing 10.200.0.226(create_process+0xdd)[0x40cedd]
> [Wed Jan 31 00:06:26 2018][2593] internal_send->os_recv(12): Connection reset 
> by peer

this has most likely the same source / reason like explained here:

https://lists.wald.intevation.org/pipermail/openvas-discuss/2018-January/011783.html

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] SSH authenticated scan fails

[Christian Fischer]

Hi,

On 23.01.2018 08:07, Ghislain Lévêque wrote:

> Jan 11 17:04:33 webapps-01 sshd[6148]: debug1: Client protocol version
2.0; client software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.8

it seems that your scanning machine is at Ubuntu 14.04 or earlier?

> Could anyone point me to the right direction to debug this problem ?

Depending on the OpenSSH configuration (host key types, algorithms etc.)
 of the target it might be required that you're upgrading the libssh*
packages to a version > 0.7.0 and to rebuild the OpenVAS installation
against this newer libssh packages.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Scan Duration

[Christian Fischer]

Hi,

On 23.01.2018 08:49, Helmut Koers wrote:
> Dear all,
> we are having a couple of regular repeating scans and have recognized that 
> all scan durations have more than doubled starting in December 2017.
> 
> Can anyone confirm to see that behavior as well?

if this is OpenVAS 9 then it could be possible that this is caused by a
bug in the plugin scheduler of the scanner. This specific bug got fixed
in the openvas-scanner-5.1 branch last year but is not released yet in a
new OpenVAS 9 release.

> May that be related to the number and/or kind of NVTs that have been added 
> ever since?

The bug might be triggered sooner or later by any new NVT added to the
feed which moves the "dependency chain" of NVTs to execute some of them
earlier or later. Depending on the exposed services on the target it
might be also possible that it isn't triggered at all.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS does not recongnize Firefox 57

[Christian Fischer]

Hi,

On 10.01.2018 11:12, Christian Reiter wrote:
> Does anybody know if this is a local problem which I can solve or if there is 
> anything else which I can do?

unfortunately some Firefox versions tend to leave registry entries
behind causing such false detection. We did a few tests on this and
could confirm your observations:

A base install of Firefox 56.0 in 32-bit will be upgraded first to 57.0
including a migration to a 64-bit version of Firefox. After a restart a
new update to 57.0.4 will be offered and a second restart is required.
As a result the following registry key wasn't deleted by the upgrade /
migration routine:

HKLM\SOFTWARE\Wow6432Node\mozilla.org\Mozilla -> CurrentVersion -> 56.0

causing a detection of Firefox 57.0.4 AND 56.0.

On the other hand a base install of Firefox 56.0.2 in 32-bit will be
upgraded directly to 57.0.4 including a migration to a 64-bit version of
Firefox. In this case the upgrade / migration routine is removing the
old registry entry correctly and only Firefox 57.0.4 is detected.

Unfortunately there is not that much we can do from NVT side if a
software is behaving inconsistently like this and you would need to
clean up the left-over registry keys from the registry.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] openvas-feed-update - what is this part 0 thing?

[Christian Fischer]

Hi,

On 24.12.2017 10:43, Hans wrote:
> Doing so (after not updating for a week or so) will appear this behaviour.

i think this finally explains why you're seeing a message which isn't
showing up for others.

It's highly recommended to run the feed updates daily. The longer the
time between the last feed update is the more data needs to be
processed. If you're checking the greenbone-scapdata-sync around line
1220 there is some code located in there which is splitting too large
feed .xml files into smaller parts and the "part 0 Done" is probably
just a logging of this.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] openvas-feed-update - what is this part 0 thing?

[Christian Fischer]

Hi,

none of the sync scripts provided / installed with the current stable
source archives published at http://www.openvas.org/install-source.html
are showing this behavior or the "part 0" messages.

Regards

On 22.12.2017 16:23, Hans wrote:
> Hi Christian,
> 
> if you take a look at the script, it is just calling greenbone-nvt-sync, 
> greenbone-scapdata-sync and greenbone-certdata-sync, which are IMO part of 
> openvas.
> 
> I am not sure, which one of these three commands is causing the mentioned 
> messages, but one of this is clearly the cause.
> 
> BTW, you can answer in German as well, if you like, or write directly to my 
> mail address.
> 
> Thanks for your efforts.
> 
> Best
> 
> Hans
> 
>> openvas-feed-update is a 3rdparty script and not part of OpenVAS.
>>
>> If you don't get an answer here at this list it is recommended to get in
>> contact with the author of this script to get more background info what
>> the script is actually doing and whats the purpose / meaning of these
>> "part" messages.
>>
>> Regards,
>>
>> --
>>
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>> Greenbone Networks GmbH | http://greenbone.net
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>> ___
>> Openvas-discuss mailing list
>> Openvas-discuss@wald.intevation.org
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] openvas-feed-update - what is this part 0 thing?

[Christian Fischer]

Hi,

On 19.12.2017 14:23, Hans wrote:
> every time I am running openvas-feed-update script, I get messages like

openvas-feed-update is a 3rdparty script and not part of OpenVAS.

If you don't get an answer here at this list it is recommended to get in
contact with the author of this script to get more background info what
the script is actually doing and whats the purpose / meaning of these
"part" messages.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] No Java detection during authenticated scan

[Christian Fischer]

Hi,

On 20.12.2017 09:39, gleve...@itrust.fr wrote:
> The first thing we found is that OpenVAS needs the "Remote Registry"
> service to be running on the target asset to be able to find java
> version.
> 
> But enabling it manually or activating the "Windows Services Start"
> plugin preference didn't help.

maybe you first should have a look if this is a general configuration
issue on the target system and an authenticated scan is not working at
all or if you have just issues with the Java detection.

From the "Remote Registry" service statement it seems you're not aware
of the following documentation and the requirements for authenticated
scans which might be the source of your problem:

http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#requirements-on-target-systems-with-windows

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Alive Test “Scan Config Default” set to TCP ping in OpenVAS 9?

[Christian Fischer]

Hi,

On 14.12.2017 18:15, Luca Bas wrote:
> Is it possible that the default preference has been set to TCP ping in
OpenVAS 9?

it seems it was chosen in the past to always add -sP (alias for -sn) to
the nmap command which is described as the following in the nmap manual:

> The default host discovery done with -sn consists of an ICMP echo
request, TCP SYN to port 443, TCP ACK to port 80, and an ICMP timestamp
request by default.

You can either have a look at the ping_host.nasl or set the "Log nmap
output" Option of the "Ping Host" (Port scanners family) to "yes" to see
the used nmap commands for this Alive test.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Reporting on delta's between scans on same host

[Christian Fischer]

Hi,

On 15.12.2017 10:58, tatooin wrote:
> HiOn Thu, 2017-12-14 at 19:05 +0100, Christian Fischer wrote:
>> Hi,
>>
>> On 14.12.2017 18:36, tatooin wrote:
>>>
>>> However, that still doesn't explain why such an important native
>>> feature
>>> of OpenVAS just don't work.  
>> have you considered that a explanation for this cloud be that there
>> might be no support for delta reports implemented for CSV reports?
>>
>> So it might be just a "is not supported/implemented" rather then a
>> "don't work".
> That's possible, indeed. But the documentation doesn't mention any
> exclusion; I would assume that if this feature is documented without
> any exclusion, then it's suppose to work whatever format natively
> supported by OpenVAS. 
> Now if delta reports isn't supported by csv then discussion is closed;
> this should just be highlighted in the documentation to avoid bothering
> the openvas community uselessly. 

a documentation about the "Delta" feature is available at:

http://docs.greenbone.net/GSM-Manual/gos-4/en/reports.html#delta-reports

which explicitly states the following:

> Subsequently you will receive the delta report. As usual, it can be
displayed in different formats and exported as PDF.

> Thanks !
>> Regards,

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Reporting on delta's between scans on same host

[Christian Fischer]

Hi,

On 14.12.2017 18:36, tatooin wrote:
> However, that still doesn't explain why such an important native feature
> of OpenVAS just don't work.  

have you considered that a explanation for this cloud be that there
might be no support for delta reports implemented for CSV reports?

So it might be just a "is not supported/implemented" rather then a
"don't work".

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Scanner Doesn't Start After Running Openvasmd --update

[Christian Fischer]

Hi,

On 07.12.2017 22:01, Tyler Doman wrote:
>     ERROR: OpenVAS Scanner is NOT running!
>     FIX: Start OpenVAS Scanner (openvassd).

your openvassd.messages might give you some pointers why the scanner is
not starting anymore. Tools like strace are good debugging tools as well.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Install Openvas 9 with Postgres on Kali Linux Rolling

[Christian Fischer]

Hi,

On 08.12.2017 23:15, Josemar Maso wrote:
> I have OPENVAS9 on Kali Linux 2017.3.
> I'm trying to compile openvas-manager with postgres but errors are occuring 
> as per attached log.
> I performed step by step as per the document in the link 
> https://forums.kali.org/showthread.php?37859-Install-Openvas-9-with-Postgres-on-Kali-linux-Rolling
> The error happens when I execute the command "dpkg-buildpackage -uc -us"
> Someone could help?
> Thankful

this looks to me like some really Kali / Debian packaging specific topic
where you should look for help outside of this mailing list.

Maybe contact the author of that referenced Kali forum thread and ask
for further help?

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Openvas9 scanning issue

[Christian Fischer]

Hi,
On 08.12.2017 12:04, sandeep dubey wrote:
> openvassd.messages -
> /[Fri Dec  8 05:40:10 2017][4354] Starts a new scan. Target(s) :
> localhost, with max_hosts = 30 and max_checks = 10
> [Fri Dec  8 05:40:10 2017][4354] exclude_hosts: Skipped 0 host(s).
> [Fri Dec  8 05:40:10 2017][4354] Testing localhost (127.0.0.1) [4358]
> [Fri Dec  8 05:40:10 2017][4358] Finished testing 127.0.0.1. Time : 0.02
> secs
> [Fri Dec  8 05:40:10 2017][4354] Test complete
> [Fri Dec  8 05:40:10 2017][4354] Total time to scan all hosts : 0 seconds/

as pointed out in IRC this is most likely caused by the "Alive Test"
setting of your target definition:

http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#creating-a-target

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS Setup

[Christian Fischer]

Hi,

On 07.12.2017 19:58, Douglas Funk wrote:
> Then when I do a openvas-check-setup I get No OpenVAS SCAP database
> found. Run a SCAP sync script like greenbone-scapdata-sync.
> 
> So I run that command and nothing happens.

you could try to run the script with e.g.

greenbone-scapdata-sync --selftest

to check if all prerequisites are fulfilled to run it.

Besides that the openvas-setup script (don't confuse with
openvas-check-setup) is not provided by OpenVAS so people here might not
know what it is doing. So it might require that you get some help with
that on the Kali forums.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Produce OVAL System Characteristics

[Christian Fischer]

Hi,

On 16.11.2017 20:51, ArkanoiD wrote:
> There are more bugs, yet this one is most significant. Took whole evening
> for me to pin it down.

i wouldn't call no support for other distributions then Debian and Red
Hat "a bug". This code probably was just tested against those two
distros back then in 2012 when it was implemented.

Testing with other Non-Red Hat/Debian based distros is more then welcome
by e.g. replacing:

if( "DEB" >< release ) {

with

if( "DEB" >< release || "UBUNTU" >< release ) {

in kb_2_sc.nasl.

Nevertheless the above point i have also updated the kb_2_sc.nasl to
fill in the system info and network interfaces when running such
currently unsupported distros.

If there is anything else missing / wrong in kb_2_sc.nasl feel free to
post a follow-up with suggestions and / or patches.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] REDIS-SERVER SOCKET PROBLEM

[Christian Fischer]

Hi,

On 26.11.2017 10:24, Παναγιώτης Λεόντιος wrote:
> Could you please help with the fails of the redis-server as shown below in 
> service status (e.g. Advanced key-value store)?

as Redis is no part of OpenVAS its probably strongly recommended to seek
out for help at e.g. [1] or another community related/dedicated to your
used Linux distribution.

[1] https://redis.io/community

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] openVAS Cookie stealer report email

[Christian Fischer]

Hi,

just as a follow-up to this:

On 07.11.2017 23:51, Paul A wrote:
> Hi, recently I got an email with the subject, "Cookie stealer report " I
> looked at my apache logs and notice a particular ip scanning my server at
> that time using OpenVAS which I had never heard of it before.

I highly doubt that the mail was sent out by the OpenVAS scan itself.
There is no NVT using anything like "Cookie stealer report" as a mail
subject.

Its more likely that you have a script like e.g. shown in [1] or [2]
somewhere accessible on your web server which got called / accessed from
the scanner.

[1]
http://aspirantz.in/blog/2012/02/04/how-to-make-cookies-and-hack-orkut-accounts/

[2] https://blog4hacks.blogspot.de/2009/07/cookie-stealing-basics.html

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Reg: Vulnerability in windows 2012 R2

[Christian Fischer]

Hi,

On 24.11.2017 07:10, Manimaran N wrote:
> As the previous email, I have updated my feed to the last version but
> still, the vulnerability remains same.

please have a look at the mentioned NVT in my previous mail to see the
reason why Windows 8 was detected:

On 20.11.2017 08:22, Christian Fischer wrote:
> you can check the following NVT for the method which was
> used to detect the Windows 8 OS:
>
> Name: OS Detection Consolidation and Reporting
> OID: 1.3.6.1.4.1.25623.1.0.105937

Regards,
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Reg: Vulnerability in windows 2012 R2

[Christian Fischer]

Hi,

On 20.11.2017 06:35, Manimaran N wrote:
> We found there was a vulnerability in Windows 2012 R2 server that  (OS End
> Of Life Detection The Operating System on the remote host has reached the
> end of life and should not be used anymore).
> 
> *And Vulnerability Detection Result:* *The "Windows 8" Operating System on
> the remote host has reached the end of life.*
> 
> Do let me know that the vulnerability has false possible or I have to work
> around.
> 
> PFA for your reference.

the output (Version used: $Revision: 6494$) shows that you're using a
feed which is more then two weeks old. Please always use a current feed
version (Current Plugin Set: 201711171027) before reporting any issues.

Nevertheless the feed date you can check the following NVT for the
method which was used to detect the Windows 8 OS:

Name: OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVas9: cannot retrieve max DB number...

[Christian Fischer]

Hi,

On 15.11.2017 15:47, Christiaan De Vries wrote:
> Nov 15 14:20:48 DMZ-NVT-01 systemd[1]: Starting LSB: remote network
> security auditor - scanner...
> 
> Nov 15 14:20:48 DMZ-NVT-01 openvas-scanner[1198]: (openvassd:1246): lib 
> kb_redis-CRITICAL **: fetch_max_db_index: cannot retrieve max DB number:
> LOADING Redis is loading the dataset in memory
> 
> Nov 15 14:25:48 DMZ-NVT-01 systemd[1]: openvas-scanner.service: Start
> operation timed out. Terminating.
> 
> Nov 15 14:25:48 DMZ-NVT-01 systemd[1]: Failed to start LSB: remote
> network security auditor - scanner.
> 
> Nov 15 14:25:48 DMZ-NVT-01 systemd[1]: openvas-scanner.service: Unit
> entered failed state.
> 
> Nov 15 14:25:48 DMZ-NVT-01 systemd[1]: openvas-scanner.service: Failed
> with result 'timeout'.

This is probably the known issue where redis is blocking / doesn't
accept any connections anymore. Make sure that you have commented out all:

save xyz

statements in your redis.conf, delete the dump.rdb of redis and then
restart redis.

There are quite a lot posts here at the channel or at the mailinglists
about that where updating redis like explained above helped.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Size of /var/lib/openvas/mgr

[Christian Fischer]

Hi,

On 16.11.2017 09:28, Romain Fritz wrote:
> In this folder there is a tasks.db file (I assume it's a database) is it
> possible to purge this database in order to have almost the same size as
> the master ?

have a look at the help output of openvasmd (openvasmd --help) which
provides the following commands:

--optimize=Run an optimization:
vacuum, analyze, cleanup-config-prefs, remove-open-port-results,
cleanup-port-names, cleanup-result-severities, cleanup-schedule-times,
rebuild-report-cache or update-report-cache.

vacuum and/or analyze might be the commands you're looking for.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Customizing Reports OpenVAS

[Christian Fischer]

Hi,

On 08.11.2017 22:14, Josemar Maso wrote:
> Hello Everyone,
> 
> I use OpenVAS 9 in Kali Linux.
> Does anyone know how to configure report generation in order of
> vulnerability and not per host (default), both in pdf or html formats.
> This would make the report less.

the OpenVAS Manager Sources [1] provides a basic documentation on how to
write an own report format which might be something you're looking for.

[1]
https://wald.intevation.org/scm/viewvc.php/tags/openvas-manager-release-7.0.2/doc/report-format-HOWTO?root=openvas=markup

> tks.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] How does openvas enumerate RPC services?

[Christian Fischer]

Hi,

On 08.11.2017 16:30, OpenVAS User wrote:
> If OpenVAS scans a Windows machine with port 135 open I can see that it
> is able to successfully enumerate services under a vulnerability found: 
> DCE/RPC and MSRPC Services Enumeration Reporting
> 
> However I am not able to replicate this "manually" from command line on
> the same box where OpenVAS is installed. 
> The command that I am using is nmap 10.20.10.12 --script=msrpc-enum -vvv -n
> and this is the result that I am getting:
> 
> Host script results:
> |_msrpc-enum: NT_STATUS_DUPLICATE_NAME
> 
> What is OpenVAS using to be able to enumerate those services?

OpenVAS is not using anything special besides own code which you can
find here:

http://plugins.openvas.org/nasl.php?oid=108044

If you have problems with the usage of specific nmap scripts or if they
are not working as expected you could have a look at https://nmap.org/
to see if they provide any support.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] NetScaler web management interface detection

[Christian Fischer]

Hey,

On 08.11.2017 15:07, Helmut Koers wrote:
> I have looked at the detections to verify the mentioned URLs and strings 
> as requested.

thanks again for providing this information.

> Almost all detections have been identified on the URL: 
> https://example.com/vpn/index.html. In addition, I have found detections 
> on an URL not mentioned: https://example.com/vpn/tmindex.html.
> 
> Almost all identified URL's included the netscaler gateway 
> string, except for https://example.com/vpn/tmindex.html, where some did 
> include netscaler gateway and some did not include any of 
> the strings, but all of them have been detected for "NetScaler web 
> management interface" occurrence.

So if there is an netscaler title we can conclude that the
detection is correct or do i misunderstand you?

Maybe its just a matter of renaming "NetScaler web management interface
detection" to "NetScaler Web Detection" to make it clear that not only
the management interface but a general detection of NetScaler products
and their Web interfaces is done there.

Nevertheless there will be a few updates in one of the next feed update
to detect the devices from the mentioned /vpn/tmindex.html as well as to
print out the URL where the detection happened.

Thanks again.

Regards,

> Regards,
> Helmut
> 
> 
> "Openvas-discuss" <openvas-discuss-boun...@wald.intevation.org> wrote on 
> 08.11.2017 07:35:59:
> 
>> From: Christian Fischer <christian.fisc...@greenbone.net>
>> To: openvas-discuss@wald.intevation.org, 
>> Date: 08.11.2017 07:36
>> Subject: Re: [Openvas-discuss] NetScaler web management interface 
> detection
>> Sent by: "Openvas-discuss" <openvas-discuss-boun...@wald.intevation.org>
>>
>> Hi,
>>
>> thanks for your report.
>>
>> On 07.11.2017 11:11, Helmut Koers wrote:
>>> the "References" link within the above mentioned vulnerability seems 
> to be 
>>> not valid anymore. Can anyone provide an alternative link?
>>
>> as this is no vulnerability but just a detection of a product it
>> probably should have pointed to the product homepage like seen at e.g.:
>>
>> https://web.archive.org/web/20071103112113/http://www.citrix.com/
>> lang/English/ps2/index.asp
>>
>> which is now at:
>>
>> https://www.citrix.com/products/netscaler-adc/
>>
>>> In addition there is a NetScaler web management interface detected, 
> but 
>>> there is no management interface running on that target.
>>> Can I check why it has been detected?
>>
>> The Detection-Script is reporting such an interface if one of the
>> following URLs:
>>
>> http://example.com/
>> http://example.com/vpn/index.html
>> http://example.com/index.html
>>
>> contains one of the following strings:
>>
>> Citrix Login
>> netscaler gateway (Case insensitive match)
>> citrix access gateway (Case insensitive match)
>> action="/login/do_login"
>> action="/ws/login.pl"
>>
>> I guess the last two ones could be too generic and matching on your
>> system. Could it be possible that you have a short look at the mentioned
>> URLs to see which string is matching there?
>>
>> Nevertheless we will look into updating both, the URL and the pattern.
>>
>> Thanks again.
>>
>> Regards,
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] NetScaler web management interface detection

[Christian Fischer]

Hi,

thanks for your report.

On 07.11.2017 11:11, Helmut Koers wrote:
> the "References" link within the above mentioned vulnerability seems to be 
> not valid anymore. Can anyone provide an alternative link?

as this is no vulnerability but just a detection of a product it
probably should have pointed to the product homepage like seen at e.g.:

https://web.archive.org/web/20071103112113/http://www.citrix.com/lang/English/ps2/index.asp

which is now at:

https://www.citrix.com/products/netscaler-adc/

> In addition there is a NetScaler web management interface detected, but 
> there is no management interface running on that target.
> Can I check why it has been detected?

The Detection-Script is reporting such an interface if one of the
following URLs:

http://example.com/
http://example.com/vpn/index.html
http://example.com/index.html

contains one of the following strings:

Citrix Login
netscaler gateway (Case insensitive match)
citrix access gateway (Case insensitive match)
action="/login/do_login"
action="/ws/login.pl"

I guess the last two ones could be too generic and matching on your
system. Could it be possible that you have a short look at the mentioned
URLs to see which string is matching there?

Nevertheless we will look into updating both, the URL and the pattern.

Thanks again.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Not able to download reports.

[Christian Fischer]

Hi,

On 31.10.2017 12:49, Abhishek Girme wrote:
> Let me know once you find anything which can resolve this issue.

just quoting my post from today in [1]:

> IIRC the GSM CE 4.1.7 doesn't ship any of the report format plugins.
> The next release (which will be 4.2.something) should include them
> again so you probably have to wait for the next GSM CE release.

[1]
http://lists.wald.intevation.org/pipermail/openvas-discuss/2017-November/011584.html

Regards

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] I: Openvas 9 report issue

[Christian Fischer]

Hi,

On 02.11.2017 14:14, Luca Racca wrote:
> can anyone help about this issue? Maybe someone of you already experienced 
> same issue.
> Thanks for the help,

IIRC the GSM CE 4.1.6 doesn't ship any of the report format plugins. The
next release (which will be 4.2.something) should include them again so
you probably have to wait for the next GSM CE release.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Searching for more information regarding Ultimate scans

[Christian Fischer]

Hi,

On 30.10.2017 17:45, None wrote:
> Hi, I'm trying to find more information about what an 'ultimate' scan
> does as opposed to a 'regular' scan. The description referring to NVT's
> that can stop services/hosts doesn't provide much of an explanation and
> I'd like to know more about what that means. I'm specifically trying to
> see if OpenVAS will initiate any type of prolonged 'ping of death'
> attacks on devices or corruption on networking devices. Could someone
> point me in the right direction? Thanks.

the "Ultimate" scan configs will run plugins from the following categories:

ACT_FLOOD
ACT_KILL_HOST
ACT_DENIAL
ACT_DESTRUCTIVE_ATTACK

additionally besides the others shown here:

https://wald.intevation.org/scm/viewvc.php/trunk/openvas-scanner/misc/nvt_categories.h?root=openvas=markup

as well as the "else" block from something like:

if(safe_checks()){
  do version check
} else {
  do active check
}

You can grep through the plugins folder of OpenVAS to find any plugins
matching the previous two things.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVAS 9 PDF report issue

[Christian Fischer]

Hi,

On 24.10.2017 23:43, None wrote
> I confirmed I have 'texlive-latex-extra --no-install-recommends' since
> I am running this on Ubuntu Xenial.

which is most likely your issue as it doesn't install the following package:

texlive-fonts-recommended

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Can OpenVAS 9 email completed scan results in .pdf format?

[Christian Fischer]

Hi,

On 24.10.2017 22:55, None wrote:
> I'm looking for a way to do this. I've seen previous releases of OpenVAS
> be able to automate email reports after a scan was finished, but I don't
> see any documentation for OpenVAS 9 where that is possible.

see the documentation here on how to use alerts which are capable of
sending e-mails with pdf attachments:

http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#alerts

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Url scan openvas

[Christian Fischer]

Hi,

On 25.10.2017 20:30, Thiago Cardoso wrote:
> Hi everyone, i would like to know how can i scan as an url as:
> http://cppmet.ufpel.edu.br/site/teste.html

you should keep in mind that OpenVAS is not an web application scanner
like w3af or similar. There are some basic checks for SQL Injection or
Directory Traversals. For those you can add the "site" path (not the
complete URL) to the cgi_path setting shown here:

http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#general-preferences

But for a deeper coverage you should use one of the OSP wrappers like
the one for w3af listed here:

http://www.openvas.org/install-source.html

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Upgrading OpenVAS 8 to 9

[Christian Fischer]

Hi,

On 16.10.2017 08:13, Buddhika De Alwis wrote:
> Hi,
> 
> Can anyone please tell me how to upgrade Openvas 8 to 9 in Ubundu? Command
> to run?

upgrading OpenVAS is basically possible with the following steps:

1. Stop all OpenVAS services
2. Make a backup of your OpenVAS installation
3. Install new OpenVAS release to the same location as your previous
installation
4. Run openvasmd --migrate
5. Check your start scripts against new introduced command line
arguments of the OpenVAS services (e.g. OpenVAS 9 introduced socket
communication between all services)
6. Start all OpenVAS services

> Thanks in advance

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Difference between CVE (Mitre Site x OpenVAS)

[Christian Fischer]

Hi,

On 02.10.2017 23:48, Josemar Maso wrote:
> Hello Everyone,
> 
> I use OpenVAS 9 in Kali Linux.
> On the mitre site (https://cve.mitre.org/cve), the TOTAL CVE IDs = 91108
> (until today).
> In OpenVAS, this number is higher "CVEs by CVSS (Total: 95242)".
> Does anyone know how to explain?
> 
> tks.
> 
> Maso, J

looks like the Mitre Count isn't up to date. If you check e.g.
https://nvd.nist.gov/general/nvd-dashboard you will get similar numbers
(Total  95564) like in OpenVAS.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Dead host detection

[Christian Fischer]

Hi,

On 02.10.2017 11:28, Not Fed wrote:
> Hello,
> 
> Does anybody know how well Openvas copes with devices which leave a
> network part way through a scan? I've been running some very
> unscientific tests, and it seems to hang for a very long period of time
> in such a case.
> 
> Is there any way I can speed up marking a host as failed / departed? 
> 
> Thanks in advance.

OpenVAS is currently not capable of what you're looking for. Since a few
weeks there are the NVTs like
http://plugins.openvas.org/index.php?oid=108215 but this is more like a
workaround and not a real solution.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Looking for a LOG of actual performed vulnerability test

[Christian Fischer]

Hi,

On 11.09.2017 12:59, r.m6 wrote:
> Hi!
> 
> Thanks a lot! This setting sounds promising!
> 
> What I did:
> ) I cloned an existing scanner configuration and set the
> log_whole_attack setting to true in the clone.
> ) Created a new scan task using the new (cloned) scanner configuration.
> ) Ran the task
> 
> Expected result:
> ) Open the "Scan Result" for this scan task in the Web UI and get the
> additional information presented in the Summary view (see screenshot) or
> additional potential "NVTs" section in this dropdown selector - similar
> to the other scan result meta data.
> 
> Actual result:
> ) I am not able to find the additional NVT log information generated
> through the log_whole_attack setting.
> 
> Do you have a hint where to find the information generated through
> log_whole_attack?

ah, yes. I forgot to mention that this info will end up in your
openvassd.messages on your local file system ($prefix/var/log/openvas)
rather then in the report itself.

>> "log_whole_attack" described in
>> http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#general-preferences
>> is probably the setting you're looking for.

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Produce OVAL System Characteristics

[Christian Fischer]

Hi,

On 09.09.2017 17:39, dabrunzofeder...@libero.it wrote:
> Hi,
> 
> I read on the OVAL website that OpenVAS is a "System Characteristics 
> Producer" but I can not figure out how to make a SC file using OpenVAS.
> 
> can someone help me?

the documentation available at the following link should help you on
this topic:

http://docs.greenbone.net/GSM-Manual/gos-4/en/compliance.html#oval-system-characteristics

> Thanks

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Looking for a LOG of actual performed vulnerability test

[Christian Fischer]

Hi,

On 04.09.2017 16:23, r.m6 wrote:
> Dear community,
> 
> I am looking for a log (file) which shows me all nvt tests ACTUALLY
> performed against a host and its actually reachable ports (not only for
> which there was a finding).
> We would like to compare this information against the events seen on a
> newly implemented IPS - scanned by our openVAS instance - to get a
> feeling for its behavior.
> 
> Would be great if someone could give me a hint! Many thanks in advance!

"log_whole_attack" described in
http://docs.greenbone.net/GSM-Manual/gos-4/en/vulnerabilitymanagement.html#general-preferences
is probably the setting you're looking for.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] DSS PCI NVT family missing

[Christian Fischer]

Hi,

On 24.08.2017 09:07, Ahmad Al-Talafha wrote:
> Dears,
> 
> Hope this mail finds you well
> 
> I am using openvas Version 7.0.2, and I am trying to run a PCI
> compliance scan but I cant find PCI family in the NVTs.
> 
> My NVTs status shows “*Too old (14 days)* - Please check the automatic
> synchronization of your system”
> 
> Please advise on this case, what I am missing

the PCI DSS family is part of the Greenbone Security Feed [1] shipped
with the Greenbone appliances [2].

[1] https://www.greenbone.net/en/security-feed/
[2] https://www.greenbone.net/en/product-comparison/

> Best Regards,
> 
> *Ahmad Al Talafha***

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] openvas9 scheduler fails to launch tasks correctly

[Christian Fischer]

Hi,

On 20.08.2017 23:42, TMC wrote:
> All
> 
> I have configured my openvas 9 with a scan task and a schedule.
> Taks runs fine when launched manually. No issues at all.
> 
> However when I try to have it run from a schedule, it fails and I get
> this in oepnvasmd.log: 
> 
> md manage:WARNING:2017-08-20 21h31.56 utc:9395: manage_schedule: child
> failed
> md manage:WARNING:2017-08-20 21h31.56 utc:9395: reschedule_task:
> rescheduling task '494eae90-ed23-443d-b548-fac5113b00f5'
> md manage:WARNING:2017-08-20 21h32.12 utc:9398: manage_schedule: child
> failed
> md manage:WARNING:2017-08-20 21h32.12 utc:9398: reschedule_task:
> rescheduling task '494eae90-ed23-443d-b548-fac5113b00f5'
> md manage:WARNING:2017-08-20 21h32.27 utc:9401: manage_schedule: child
> failed
> md manage:WARNING:2017-08-20 21h32.27 utc:9401: reschedule_task:
> rescheduling task '494eae90-ed23-443d-b548-fac5113b00f5'
> md manage:WARNING:2017-08-20 21h32.42 utc:9404: manage_schedule: child
> failed
> md manage:WARNING:2017-08-20 21h32.42 utc:9404: reschedule_task:
> rescheduling task '494eae90-ed23-443d-b548-fac5113b00f5'
> md manage:WARNING:2017-08-20 21h32.58 utc:9407: manage_schedule: child
> failed
> md manage:WARNING:2017-08-20 21h32.58 utc:9407: reschedule_task:
> rescheduling task '494eae90-ed23-443d-b548-fac5113b00f5'
> 
> Any clues on how to fix this? Is this a configuration issue or a code issue?
> 
> Details of this have previously been reported as bug 6928 in
> the wald.intevation.org/tracker <http://wald.intevation.org/tracker> 
> 
> Any help would be appreceated, as this is really getting annoying. 
> 
> Tomasz Ciolek

there was a commit a few days ago which should fix this:

https://lists.wald.intevation.org/pipermail/openvas-commits/2017-August/029526.html

You could try to rebuild from source with that patch applied or wait for
the next OpenVAS maintenance release.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Fwd: FP on Server 2012 for MS Windows Kernel-Mode Drivers Remote Code Execution Vulnerabilities (2870008)

[Christian Fischer]

Hi,

On 15.08.2017 03:42, Jeremy Pennington wrote:
> Thanks for this additional information. It looks like the check for
> fontsub.dll is what is causing the FP. According to
> https://support.microsoft.com/en-us/help/2847311/ms13-081-description-of-the-security-update-for-kernel-mode-drivers-oc,
> the patched file version for 2012 is 6.2.9200.16384, which is the version
> my 2012 server is reporting.
> 
> Is this something that can be corrected in the plugin?
> Thanks

thanks again for your reply. The plugin was updated to report the
version of the file where the detection happened and the vulnerable
range. This update arrived the feed once the plugin has reached revision
6938.

But i'm still wondering about the Fontsub.dll version. According to your
posted link:

https://support.microsoft.com/en-us/help/2847311/ms13-081-description-of-the-security-update-for-kernel-mode-drivers-oc

the Fontsub.dll is listed twice:

Fontsub.dll 6.2.9200.16453  96,256  08-Nov-2012 04:20   x64

Fontsub.dll 6.2.9200.16384  96,256  26-Jul-2012 03:05   x64

The plugin is checking for a version < 6.2.9200.16453 against Windows
Server 2012 but you have installed 6.2.9200.16384.

Not quite sure if this is an issue in the advisory or at the target
system where the second update in Nov 2012 was missed.

Regards,

> On Mon, Aug 14, 2017 at 3:45 AM, Christian Fischer <
> christian.fisc...@greenbone.net> wrote:
> 
>> Hi,
>>
>> On 14.08.2017 04:18, Jeremy Pennington wrote:
>>> It appears the plugin for MS Windows Kernel-Mode Drivers Remote Code
>>> Execution Vulnerabilities (2870008) is producing a false positive on
>> Server
>>> 2012 (version 6.2 build 9200). If I understand the plugin's logic
>>> correctly, it is looking at the file version of
>>> %systemroot%\Windows\System32\win32k.sys. On the server the file
>> version is
>>> showing as 6.2.9200.22210, which is higher than the version that
>> addresses
>>> this Security Bulleting according to https://support.microsoft.com/
>>> en-us/help/2883150.
>>>
>>> Let me know if there is any additional information that would be helpful
>> in
>>> reviewing this or if there is a better forum or method for discussing
>> FPs.
>>>
>>> Thanks for reviewing this.
>>> JP
>>
>> thanks for your report. On a Windows Server 2012 it checks not only for
>> win32k.sys but also for various files and their version:
>>
>> %systemroot%\system32\Fontsub.dll
>> -> less then 6.2.9200.16453
>>
>> %systemroot%\system32\drivers\usbd.sys
>> -> less then 6.2.9200.16654
>> OR
>> -> in range of 6.2.9200.2 and 6.2.9200.20760
>>
>> %systemroot%\system32\drivers\hidparse.sys"
>> -> less then 6.2.9200.16654
>> OR
>> -> in range of 6.2.9200.2 and 6.2.9200.20762
>>
>> %systemroot%\system32\win32k.sys
>> -> less then 6.2.9200.16699
>> OR
>> -> in range of 6.2.9200.2 and 6.2.9200.20806
>>
>> %systemroot%\system32\Wdfres.dll"
>> -> less then 6.2.9200.16384
>>
>> Might be possible that either one of those files didn't get updated
>> correctly on your system (not that likely IMHO) or that one of those
>> version checks doesn't match what the patch has actually patched.
>>
>> Regards,
>>
>> --
>>
>> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
>> Greenbone Networks GmbH | http://greenbone.net
>> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
>> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
>> ___
>> Openvas-discuss mailing list
>> Openvas-discuss@wald.intevation.org
>> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Vulnerability found on blocked port

[Christian Fischer]

Hi,

On 16.08.2017 11:52, Rémi Liquete wrote:
> Here is the OID number : 1.3.6.1.4.1.25623.1.0.10927

this is a NVT from the ACT_FLOOD category. This means it may interrupt
services / kill hosts and is not running within the highly recommended
"Full and Fast" scan config (you're probably using an "Ultimate" one).

If OpenVAS sees the host as up/alive before starting that specific test
(there are some internal functions which are determining this, i guess
they include more then ICMP for this) and then the host/firewall doesn't
respond anymore after the test you will get this seen result /
vulnerability.

Besides that you really shouldn't use any of the "Ultimate" scan configs
if you can't live with getting false positives or killed hosts.

> Regards,
> Rémi

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

> 2017-08-16 11:28 GMT+02:00 Thijs Stuurman
> <thijs.stuur...@internedservices.nl
> <mailto:thijs.stuur...@internedservices.nl>>:
> 
> Remi,
> 
> __ __
> 
> What is the vulnerability OID number?
> 
> (This should be mentioned in the details of the vulnerability, at
> the bottem under the Log Method section)
> 
> __ __
> 
> Thijs Stuurman
> 
> Security Operations Center | KPN Internedservices
> 
> thijs.stuur...@internedservices.nl
> <mailto:thijs.stuur...@internedservices.nl> | thijs.stuur...@kpn.com
> <mailto:thijs.stuur...@kpn.com>
> 
> T: +31(0)299476185 <tel:+31%20299%20476%20185> | M: +31(0)624366778
> <tel:+31%206%2024366778>
> 
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> 
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
> 
> __ __
> 
> W: https://www.internedservices.nl
> <https://www.internedservices.nl/>| L:
> http://nl.linkedin.com/in/thijsstuurman
> <http://nl.linkedin.com/in/thijsstuurman>
> 
> __ __
> 
> *Van:*Rémi Liquete [mailto:remi.l...@gmail.com
> <mailto:remi.l...@gmail.com>]
> *Verzonden:* woensdag 16 augustus 2017 11:04
> *Aan:* Thijs Stuurman <thijs.stuur...@internedservices.nl
> <mailto:thijs.stuur...@internedservices.nl>>
> *CC:* openvas-discuss@wald.intevation.org
> <mailto:openvas-discuss@wald.intevation.org>
> *Onderwerp:* Re: [Openvas-discuss] Vulnerability found on blocked
> port
> 
> __ __
> 
> Thank you for your answer.
> 
> Sorry for not being as clear as I wanted to.
> 
> I performed a scan on a server. This server is behind a firewall
> that blocks all port except 3 I am scanning, and blocks ICMP
> protocol.
> 
> At the end of the scan, I've checked the report and in this report,
> there is a vulnerability on ping flood in location "general/icmp".
> 
> As my firewall is supposed to block this protocol, how can OpenVAS
> find any vulnerability with this protocol ?
> 
> I hope I'm clear enough this time !
> 
> __ __
> 
> 2017-08-16 10:53 GMT+02:00 Thijs Stuurman
> <thijs.stuur...@internedservices.nl
> <mailto:thijs.stuur...@internedservices.nl>>:
> 
> Rémi,
> 
>  
> 
> Your question is not very clear to me but I will try to answer.
> 
> First of all, which found vulnerability on the ICMP protocol?
> Detail your questions please.
> 
>  
> 
> Second, you cannot bypass the firewall … it’s a firewall, there
> doing what it is supposed to.
> 
> So either you find nothing, because of the firewall, and confirm
> your firewalling is OK.
> 
> Or you whitelist your scanner in the firewall and test the
> system regardless.
> 
>  
> 
>  
> 
> Thijs Stuurman
> 
> Security Operations Center | KPN Internedservices
> 
> thijs.stuur...@internedservices.nl
> <mailto:thijs.stuur...@internedservices.nl> |
> thijs.stuur...@kpn.com <mailto:thijs.stuur...@kpn.com>
> 
> T: +31(0)299476185 <tel:+31%20299%20476%20185> | M:
> +31(0)624366778 <tel:+31%206%2024366778>
> 
> PGP Key-ID: 0x16ADC048 (https://pgp.surfnet.nl/)
> 
> Fingerprint: 2EDB 9B42 D6E8 7D4B 6E02 8BE5 6D46 8007 16AD C048
> 
>  
> 

Re: [Openvas-discuss] Openvas Internal Error

[Christian Fischer]

Hi,

On 15.08.2017 23:13, Edgar Sinchi wrote:
> Greetings,
> 
> Install openvas on a computer with centos 7 operating system but at the
> time of the scan presents the following message (Internal Error)
> 
> I check the logs and find these errors
> 
> event task:MESSAGE:2017-08-15 18h00.21 UTC:3557: Status of task Immediate
> scan of IP xx.xx.xx.xx (6dcf9d34-23be-4613-b34c-f0b21fcb3f91) has changed
> to Requested
> event task:MESSAGE:2017-08-15 18h00.21 UTC:3557: Task Immediate scan of IP
> xx.xx.xx.xx (6dcf9d34-23be-4613-b34c-f0b21fcb3f91) has been requested to
> start by admin
> md manage:WARNING:2017-08-15 18h00.32 UTC:3559: sql_prepare_internal:
> sqlite3_prepare failed: near "(": syntax error
> md manage:WARNING:2017-08-15 18h00.32 UTC:3559: init_iterator: sql_prepare
> failed
> md manage:WARNING:2017-08-15 18h00.32 UTC:3559:
> manage_cleanup_process_error: Error exit, setting running task to Internal
> Error
> md manage:WARNING:2017-08-15 18h00.32 UTC:3559: sql_prepare_internal:
> sqlite3_prepare failed: near "(": syntax error
> md manage:WARNING:2017-08-15 18h00.32 UTC:3559: init_iterator: sql_prepare
> failed
> event target:MESSAGE:2017-08-15 18h00.50 UTC:3643: Target Target for
> immediate scan of IP xx.xx.xx.xx (ee9cc689-c63c-4e0a-b3a6-80f939bbb08b) has
> been modified by admin
> event report:MESSAGE:2017-08-15 18h01.01 UTC:3695: Report
> 5705b8b8-ad1e-4fe5-87da-5fe137894760 has been deleted by admin
> event report:MESSAGE:2017-08-15 18h01.03 UTC:3703: Report
> e98ce644-dfca-4463-a7b1-c8f428f20fe8 has been deleted by admin
> event task:MESSAGE:2017-08-15 18h01.10 UTC:3712: Status of task Immediate
> scan of IP xx.xx.xx.xx (6dcf9d34-23be-4613-b34c-f0b21fcb3f91) has changed
> to Requested
> event task:MESSAGE:2017-08-15 18h01.10 UTC:3712: Task Immediate scan of IP
> 172.16.22.61 (6dcf9d34-23be-4613-b34c-f0b21fcb3f91) has been requested to
> start by admin
> md manage:WARNING:2017-08-15 18h01.21 UTC:3714: sql_prepare_internal:
> sqlite3_prepare failed: near "(": syntax error
> md manage:WARNING:2017-08-15 18h01.21 UTC:3714: init_iterator: sql_prepare
> failed
> 
> md   main:MESSAGE:2017-08-14 21h10.37 utc:16015:OpenVAS Manager version
> 7.0.2 (DB revision 184)
> md manage:   INFO:2017-08-14 21h10.37 utc:16015:Checking alerts.
> md manage:WARNING:2017-08-14 21h10.37 utc:16015: sql_prepare_internal:
> sqlite3_prepare failed: no such table: main.meta
> md manage:WARNING:2017-08-14 21h10.37 utc:16015: sql_x_internal:
> sql_prepare failed
> md manage:WARNING:2017-08-14 21h10.37 utc:16015: database must be
> initialised from scanner (with --update or --rebuild)
> md manage:MESSAGE:2017-08-14 21h10.37 utc:16015: *No SCAP database found*
> 
> *Does someone know how to solve this problem?*

please see the recent posts at the mailinglists, e.g.:

https://lists.wald.intevation.org/pipermail/openvas-discuss/2017-August/011362.html

> Regards,
> 
> Edgar

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Openvas-discuss Digest, Vol 127, Issue 11

[Christian Fischer]

3a237aec45) could not be resumed by admin
>>>> event task:MESSAGE:2017-08-11 14h30.13 -03:20836: Status of task
>>>> localhost
>>>> (ad2dd79e-cf4d-45a3-8b06-c23a237aec45) has changed to Requested
>>>> event task:MESSAGE:2017-08-11 14h30.13 -03:20836: Task localhost
>>>> (ad2dd79e-cf4d-45a3-8b06-c23a237aec45) has been requested to start by
>>>> admin
>>>> md manage:WARNING:2017-08-11 14h30.23 -03:20838: sql_prepare_internal:
>>>> sqlite3_prepare failed: near "(": syntax error
>>>> md manage:WARNING:2017-08-11 14h30.23 -03:20838: init_iterator:
>>>> sql_prepare
>>>> failed
>>>> md manage:WARNING:2017-08-11 14h30.23 -03:20838:
>>>> manage_cleanup_process_error: Error exit, setting running task to
>>>> Internal
>>>> Error
>>>> md manage:WARNING:2017-08-11 14h30.23 -03:20838: sql_prepare_internal:
>>>> sqlite3_prepare failed: near "(": syntax error
>>>> md manage:WARNING:2017-08-11 14h30.23 -03:20838: init_iterator:
>>>> sql_prepare
>>>> failed
>>>> ---
>>>>
>>>> [root@CentOS7 ~]# openvas-check-setup --v9
>>>> openvas-check-setup 2.3.7
>>>>   Test completeness and readiness of OpenVAS-9
>>>>
>>>>   Please report us any non-detected problems and
>>>>   help us to improve this check routine:
>>>>   http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
>>>>
>>>>   Send us the log-file (/tmp/openvas-check-setup.log) to help analyze the
>>>> problem.
>>>>
>>>>   Use the parameter --server to skip checks for client tools
>>>>   like GSD and OpenVAS-CLI.
>>>>
>>> ---
>> Follows attachment as requesed.
>> tks.
>>
>>
>>
> 
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Openvas-discuss Digest, Vol 127, Issue 11

[Christian Fischer]

08-11 14h27.15 -03:20796: Status of task
> (ad2dd79e-cf4d-45a3-8b06-c23a237aec45) has changed to New
> event task:MESSAGE:2017-08-11 14h27.16 -03:20796: Task localhost
> (ad2dd79e-cf4d-45a3-8b06-c23a237aec45) has been created by admin
> event task:MESSAGE:2017-08-11 14h30.13 -03:20836: Task localhost
> (ad2dd79e-cf4d-45a3-8b06-c23a237aec45) could not be resumed
> by admin
> event task:MESSAGE:2017-08-11 14h30.13 -03:20836: Status of
> task localhost
> (ad2dd79e-cf4d-45a3-8b06-c23a237aec45) has changed to Requested
> event task:MESSAGE:2017-08-11 14h30.13 -03:20836: Task localhost
> (ad2dd79e-cf4d-45a3-8b06-c23a237aec45) has been requested to
> start by admin
> md manage:WARNING:2017-08-11 14h30.23 -03:20838:
> sql_prepare_internal:
> sqlite3_prepare failed: near "(": syntax error
> md manage:WARNING:2017-08-11 14h30.23 -03:20838:
> init_iterator: sql_prepare
> failed
> md manage:WARNING:2017-08-11 14h30.23 -03:20838:
> manage_cleanup_process_error: Error exit, setting running
> task to Internal
> Error
> md manage:WARNING:2017-08-11 14h30.23 -03:20838:
> sql_prepare_internal:
> sqlite3_prepare failed: near "(": syntax error
> md manage:WARNING:2017-08-11 14h30.23 -03:20838:
> init_iterator: sql_prepare
> failed
> ---
> 
> [root@CentOS7 ~]# openvas-check-setup --v9
> openvas-check-setup 2.3.7
>   Test completeness and readiness of OpenVAS-9
> 
>   Please report us any non-detected problems and
>   help us to improve this check routine:
>  
> http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss
> 
> <http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss>
> 
>   Send us the log-file (/tmp/openvas-check-setup.log) to
>     help analyze the
> problem.
> 
>   Use the parameter --server to skip checks for client tools
>   like GSD and OpenVAS-CLI.
> 
> ---
> Follows attachment as requesed.
> tks.

just a few references about the very same issue:

https://lists.wald.intevation.org/pipermail/openvas-devel/2017-August/003837.html

https://wald.intevation.org/tracker/?func=detail=220=6931_id=29

https://forums.atomicorp.com/viewtopic.php?f=31=8587

https://forums.atomicorp.com/viewtopic.php?f=31=8588

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] compiling from source in Debian 9 Stretch

[Christian Fischer]

Hi,

On 07.08.2017 23:41, John Ratliff wrote:
> I can't seem to compile OpenVAS 9 on Debian 9/Stretch. I'm trying to build
> the openvas-smb package, but it fails with a lot of linker errors on what
> appear to be the kerberos libraries. I installed libkrb5-dev, deleted the
> build directory, reran cmake .. and make, but it didn't help. I don't
> think it's looking for this. It didn't even list this as a necessary
> package on Jessie.
> 
> Full log from cmake to make at https://pastebin.com/urTc0Caq
> 
> Please let me know any additional information I can provide that would be
> helpful.

try to build either the current trunk of openvas-smb or apply the patch
from here:

https://lists.wald.intevation.org/pipermail/openvas-commits/2017-January/027148.html

which should fix the:

> ../samba/libsamba-static.a(tls.c.o): In function `tls_init_client':
tls.c:(.text+0x103e): undefined reference to
`gnutls_certificate_type_set_priority'

Regards,

-- 

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] NVT feed too old (15 days)

[Christian Fischer]

Hi,

On 09.08.2017 14:22, jratl...@bluemarble.net wrote:
> Why is my OpenVAS NVT feed always more than 14 days old even after a sync?
> I've tried the ISO install from the openvas site and the ubutnu 16.04 PPA
> packages, but I get the same result on both.
> 
> Is the feed supposed to lag this much?

this is currently expected, see the following announcement for some
background info:

http://lists.wald.intevation.org/pipermail/openvas-announce/2017-June/000202.html

> If so, why does it say "too old" when I check the feed status?
> 
> Thanks.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] SCAP and/or CERT Database missing on the OMP Server

[Christian Fischer]

Hi,

On 09.08.2017 14:54, Neeraj Shah wrote:
> Hello,
> Today i downloaded the virtual appliance and set it up.  The version # i
> see upon logging in to Web UI is GreenBorne OS 4.0.5.   I am getting 2
> notifications in the Web UI.
> (1)  SCAP and/or CERT Database missing on the OMP Server
> (2) The NVT Feed is 14 days old. 

(2) is currently expected, see the following announcement for some
background info:

http://lists.wald.intevation.org/pipermail/openvas-announce/2017-June/000202.html

> As for (1), I have clicked on the Run Feed Update option in the virtual
> appliance menu. If i do a "ps -ef | grep sync" in the command line, i
> see there are 2 process running " ./bin/sh /usr/bin/greenborne-nvt-sync"
> and " "/usr/bin/greenborne-feed-sync".  But these are running forever. 
> I have 1GBPS connection and it shouldn't take this long to update a feed. 
> (2) When i was setting up the Virtual appliance, i clicked on update the
> feed now option.  Why does this process then download a NVT feed that is
> 14 days old in the first place ?
> 
> 
> I created a ticket with Greenborne support and they are saying version
> 4.0.5 is unsupported.  I am surprised that OpenVAS (being a security
> product) is still publishing this version for users. How can i get a
> Virtual appliance with the latest Greenborne OS version in that case ?
> 
> 
> *Neeraj Shah,  CyberSecurity Engineer*
> 
> *Dakota Consulting Incorporated* 
> Corporate Headquarters: 1110 Bonifant Street, Suite 310 | Silver Spring,
> MD 20910-3358 
> *Mobile* ': 6073728057 | Fax 7 240.307.0102
> <tel:+12403070102> | Email *: neeraj.s...@dakota-consulting.com 
> Website þ: www.Dakota-Consulting.com <http://www.dakota-consulting.com/>

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Windows 8 EOL false positive

[Christian Fischer]

Hi Matt,

On 30.07.2017 13:00, Christian Fischer wrote:
> Hi Matt,
> 
> On 26.07.2017 17:48, Matt Koivisto wrote:
>> Thanks Christian, you are correct, I was looking at two separate reports by 
>> mistake. I have noticed that this issue seems to "flap" sometimes - one scan 
>> will report the issue, then a subsequent scan it won't. When looking into 
>> the differences in the Detection Consolidation and Reporting (OID: 
>> 1.3.6.1.4.1.25623.1.0.105937) between the two runs, I notice that when it 
>> incorrectly identifies the host as windows 8 this is the result:
>>
>>> Best matching OS:
>>>
>>> OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft 
>>> Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 
>>> Update 1
>>> CPE: cpe:/o:microsoft:windows_8
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL 
>>> wrapper))
>>> Concluded from Nmap TCP/IP fingerprinting:
>>> OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, 
>>> Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or 
>>> Windows 8.1 Update 1
>>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows 
>>> cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 
>>> cpe:/o:microsoft:windows_8
>>> Setting key "Host/runs_windows" based on this information
>>>
>>> Other OS detections (in order of reliability):
>>>
>>> OS: Microsoft Windows
>>> CPE: cpe:/o:microsoft:windows
>>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>>> Concluded from ICMP based OS fingerprint:
>>> (95% confidence)
>>>
>>> Microsoft Windows
>>
>> IE, it appears to not have used the NVT 1.3.6.1.4.1.25623.1.0.102011 (SMB 
>> NativeLanMan) to determine the OS. When SMB is used, it correctly identifies 
>> the host as windows 7.
>>
>> Looking into SMB NVT in the same runs, I see that in the false positive case 
>> the NVT 1.3.6.1.4.1.25623.1.0.90011 (SMB Test with 'smbclient') is getting 
>> errors:
>>
>>> OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>> Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>> SMB Serverversion = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>>
>> But in the proper identification case:
>>
>>> OS Version = WINDOWS 7 PROFESSIONAL 7601 SERVICE PACK 1
>>> Domain = 
>>> SMB Serverversion = WINDOWS 7 PROFESSIONAL 6.1
> 
> Thanks for this additional info. I thought that the issue might related
> to the nmap OS detection and this info confirms that.
> 
> That nmap based OS detection is more or less the "last" fallback as the
> ICMP based OS Fingerprinting isn't also that reliable, especially
> against virtual machines.
> 
> I will update the nmap based OS detection in the next few days to only
> set a detailed CPE (e.g cpe:/o:microsoft:windows_8) if one single CPE
> was returned. If more then one CPE is returned (like in your posted
> example) we need to go for a generic cpe:/o:microsoft:windows CPE to
> avoid such false positives.

for this specific scenario a generic Windows should be detected now once
the following NVT is reaching the feed in revision r6289:

os_detection.nasl
OS Detection Consolidation and Reporting
OID: 1.3.6.1.4.1.25623.1.0.105937

>> So it looks like the root cause is SMB being intermittent on windows 7 when 
>> OpenVAS is accessing it.
> 
> It looks like this is related to the memory management on the Windows 7
> machine:
> 
> https://superuser.com/questions/857324/connecting-with-smbclient-to-windows-7-produces-error-protocol-negotiation-fai
> 
> I had scanned tons of Windows 7 machines in the past and never had such
> ERRDOS:ERRnomem messages. Currently quite unsure why this is showing up
> at your setup but it might worth to try the suggestion in the
> superuser.com thread linked above.
> 
> Regards,
> 
> --
> 
> Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
> Greenbone Networks GmbH | http://greenbone.net
> Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
> Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
> 
>> -Original Message-
>> From: Christian Fischer [mailto:christian.fisc...@greenbone.net] 
>> Sent: Wednesday, July 19, 2017 11:07 AM
>> To: Matt Koivisto <matt.koivi...@rootcellartech.com>
>> Cc: openvas-discuss <openvas-discuss@wald.intevation.org>
>> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
>>
>

Re: [Openvas-discuss] Windows 8 EOL false positive

[Christian Fischer]

Hi Matt,

On 26.07.2017 17:48, Matt Koivisto wrote:
> Thanks Christian, you are correct, I was looking at two separate reports by 
> mistake. I have noticed that this issue seems to "flap" sometimes - one scan 
> will report the issue, then a subsequent scan it won't. When looking into the 
> differences in the Detection Consolidation and Reporting (OID: 
> 1.3.6.1.4.1.25623.1.0.105937) between the two runs, I notice that when it 
> incorrectly identifies the host as windows 8 this is the result:
> 
>> Best matching OS:
>>
>> OS: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, Microsoft 
>> Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 
>> Update 1
>> CPE: cpe:/o:microsoft:windows_8
>> Found by NVT: 1.3.6.1.4.1.25623.1.0.108021 (Nmap OS Identification (NASL 
>> wrapper))
>> Concluded from Nmap TCP/IP fingerprinting:
>> OS details: Microsoft Windows Server 2008 SP2 or Windows 10 Tech Preview, 
>> Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or 
>> Windows 8.1 Update 1
>> OS CPE: cpe:/o:microsoft:windows_server_2008::sp2 cpe:/o:microsoft:windows 
>> cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 
>> cpe:/o:microsoft:windows_8
>> Setting key "Host/runs_windows" based on this information
>>
>> Other OS detections (in order of reliability):
>>
>> OS: Microsoft Windows
>> CPE: cpe:/o:microsoft:windows
>> Found by NVT: 1.3.6.1.4.1.25623.1.0.102002 (ICMP based OS Fingerprinting)
>> Concluded from ICMP based OS fingerprint:
>> (95% confidence)
>>
>> Microsoft Windows
> 
> IE, it appears to not have used the NVT 1.3.6.1.4.1.25623.1.0.102011 (SMB 
> NativeLanMan) to determine the OS. When SMB is used, it correctly identifies 
> the host as windows 7.
> 
> Looking into SMB NVT in the same runs, I see that in the false positive case 
> the NVT 1.3.6.1.4.1.25623.1.0.90011 (SMB Test with 'smbclient') is getting 
> errors:
> 
>> OS Version = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>> Domain = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
>> SMB Serverversion = PROTOCOL NEGOTIATION FAILED: ERRDOS:ERRNOMEM
> 
> But in the proper identification case:
> 
>> OS Version = WINDOWS 7 PROFESSIONAL 7601 SERVICE PACK 1
>> Domain = 
>> SMB Serverversion = WINDOWS 7 PROFESSIONAL 6.1

Thanks for this additional info. I thought that the issue might related
to the nmap OS detection and this info confirms that.

That nmap based OS detection is more or less the "last" fallback as the
ICMP based OS Fingerprinting isn't also that reliable, especially
against virtual machines.

I will update the nmap based OS detection in the next few days to only
set a detailed CPE (e.g cpe:/o:microsoft:windows_8) if one single CPE
was returned. If more then one CPE is returned (like in your posted
example) we need to go for a generic cpe:/o:microsoft:windows CPE to
avoid such false positives.

> So it looks like the root cause is SMB being intermittent on windows 7 when 
> OpenVAS is accessing it.

It looks like this is related to the memory management on the Windows 7
machine:

https://superuser.com/questions/857324/connecting-with-smbclient-to-windows-7-produces-error-protocol-negotiation-fai

I had scanned tons of Windows 7 machines in the past and never had such
ERRDOS:ERRnomem messages. Currently quite unsure why this is showing up
at your setup but it might worth to try the suggestion in the
superuser.com thread linked above.

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

> -Original Message-
> From: Christian Fischer [mailto:christian.fisc...@greenbone.net] 
> Sent: Wednesday, July 19, 2017 11:07 AM
> To: Matt Koivisto <matt.koivi...@rootcellartech.com>
> Cc: openvas-discuss <openvas-discuss@wald.intevation.org>
> Subject: Re: [Openvas-discuss] Windows 8 EOL false positive
> 
> Hey,
> 
> On 18.07.2017 22:18, Matt Koivisto wrote:
>> Thanks Christian,
>>
>> Here's the output of that nvt. It seems to report the expected value for 
>> best matching OS:
> 
> thanks for passing this info. Unfortunately its technically not possible
> that:
> 
> OS End of Life Detection (http://plugins.openvas.org/nasl.php?oid=103674)
> 
> is reporting Windows 8 as EOL with an output of Detection Consolidation and 
> Reporting (OID: 1.3.6.1.4.1.25623.1.0.105937) you have passed to me below.
> 
> All detected and registered OS types which are evaluated by the "OS End of 
> Life Detection" are showing up there.

Re: [Openvas-discuss] 1 openvas Manager , multiple scanners (distributed architecture)

[Christian Fischer]

Hi,


On 28.07.2017 11:39, Calado, Rui wrote:
> Hi Roger,
> 
> First of all, thank you for your answer!
> 
> I tried to install openvas-manager in the remote scanner machine, but
> got no improvement. Can you give me your source? To follow all the steps
> of your suggestion

there is blogpost on how to setup such a master / slave setup available
here:

https://blog.haardiek.org/setup-openvas-as-master-and-slave.html

> I do not have more ideas for this..
> 
> - Rui

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

> *From:*Roger Davies [mailto:rog.dav...@gmail.com]
> *Sent:* segunda-feira, 24 de julho de 2017 10:52
> *To:* Calado, Rui
> *Cc:* openvas-discuss@wald.intevation.org
> <mailto:openvas-discuss@wald.intevation.org>
> *Subject:* Re: [Openvas-discuss] 1 openvas Manager , multiple scanners
> (distributed architecture)
> 
>  
> 
> Hi there Rui
> 
> The scanner service changed the way it works in version 9, it does not
> now advertise directly on the network.
> 
> I've not tried this yet myself, but it's been suggested that you can
> install the manager process on the remote scanners and use that for the
> main manager connection, the remote manager process will report back all
> results from the scan. I currently have version 8 scanners on remote sites.
> 
> Roger
> 
>  
> 
>  
> 
> On 21 July 2017 at 16:48, Calado, Rui wrote:
> 
> Hello,
> 
>  
> 
> I'm having a hard time implementing a distributed architecture with
> OpenVAS 9. As I said, my goal is to have only one manager on one machine
> and then have scanners installed on client machines that do the scans,
> and the manager gets all the results. Is this possible? Has anyone got it?
> 
>  
> 
> I done a complete openvas installation (manager, libraries, scanner) at
> the “central station”. On the “clients”, I have only the openvas scanner
> installed. I've tried connecting certificates and private keys, with
> credentials, and it's not working. The connection between machines
> exists because if the manager decides to scan the client machine (where
> deamon is installed), using its default scanner, there is connection and
> results.
> 
>  
> 
> Any help will be nice
> 
>  
> 
> - Rui Calado
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> <mailto:Openvas-discuss@wald.intevation.org>
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
> 
> 
> 
> 
> ___
> Openvas-discuss mailing list
> Openvas-discuss@wald.intevation.org
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
> 
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] OpenVas setup

[Christian Fischer]

Hi,

On 17.07.2017 12:10, Derek Jackson wrote:
> Hi,
> 
> I'm trying to setup Openvas and it has failed twice now.  I attach the
> output of the last attempt and would appreciate any help you can offer
> to 'uninstall' and to initiate again.
> 
> I'm running the openvas setup process from a virtual machine via Kali if
> that helps.
> 
> Please see attached text file for output information.  The same problem
> seems to occur: unable to create the OpenVas library.
> 
> Happy to discuss if you have a UK number i can call.
> 
> Kind regards
> 
> Derek Jackson

the openvas-setup script is no part of the OpenVAS distribution but a
part of Kali Linux. It might be unknown to members at this mailinglist
what the script is actually doing so it could be needed that you get in
touch with the Kali support community at:

https://forums.kali.org/

Regards,

--

Christian Fischer | PGP Key: 0x54F3CE5B76C597AD
Greenbone Networks GmbH | http://greenbone.net
Neumarkt 12, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner
___
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss