James Preston

This entry is part 1 of 4 in the series A Windows SysAdmin installs and uses OpenVAS

This guide covers one (of I’m sure a 1,000) ways to deploy and use OpenVAS 9 in your environment on Ubuntu Server 16.04 for the purpose of White Hat Penetration Testing, more so it’s also written from the viewpoint of a SysAdmin who mainly works with Windows Systems (Windows Server/Hyper-V/PowerShell/suchlike) and so takes a very simplistic approach to the setup.

The goals of this project are to

  • Install Ubuntu Server 16.04 LTS on Hyper-V
  • Deploy OpenVAS to that server
  • Execute scripted commands against OpenVAS from a remote system
  • Light up with a big warning sign all of the unknown issues within a network

Lets get started!

To start out you will need

  • A Hyper-V host (although no reason not to run it on VMWare/whatnot)
  • The latest ISO for Ubuntu Server 16.04 LTS saved somewhere your Hyper-V server can get to
    • Download from – https://www.ubuntu.com/download/server
    • Worth noting that only the 16.04 LTS release is going to work with this guide, when I first tried getting OpenVAS to work with 17.04 (a newer release) there were various blocking issues that I could not overcome. In short – use 16.04!!!

Step 0 – Get DNS in the right place

Configuring DNS correctly in particular with relation to Reverse Lookup will help your OpenVAS deployment loads, for a good guide on how to setup Reverse Lookup take a look at this link – http://de.community.dell.com/techcenter/os-applications/w/wiki/684.how-to-configure-dns-reverse-lookup-zone-in-windows-server-2012 (don’t worry about the de. its in English!).

Step 1 – Configure a Hyper-V VM for OpenVAS

In this next step we configure a Hyper-V VM running on Windows Hyper-V Server 2016 (which is free by the way!).

Step 2 – Install Ubuntu Server

Next up the install of Ubuntu Linux, as I understand OpenVAS can be installed on all kinds of flavours of Linux however the support I’ve seen in the past around Ubuntu seems much better than other options. This portion of the guide assumes you are not running your OpenVAS server on a network that’s got DHCP enabled (in this example it’s on our Servers VLAN).

Step 3 – First Boot

Next up we have some housekeeping for Ubuntu, making sure it’s up to date and getting OpenSSH server running so we can move to using something like PuTTY (download from – https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) to manage the server.

For this portion of the guide you will need the following lines of script-

sudo apt-get update
sudo apt-get upgrade

sudo apt-get install openssh-server

sudo reboot

Step 4 – Install OpenVAS

Here comes the good bit! The initial installation of OpenVAS and downloading of the lists of vulnerabilities.

For this portion of the guide you will need the following lines of script-

Step 5 – Change the default password!!!

Now that OpenVAS is running it’ll be using the default username/password combination of admin/admin, how brilliant is that!

Step 6 – Allow API Access

For the last step in this guide we will set it so that the port for API Access to OpenVAS is enabled on every boot of the machine.

sudo nano /etc/rc.local

sudo openvasmd -p 9390 -a 0.0.0.0

sudo /etc/rc.local

Next up….

So that’s things setup, in the next guide (hopefully following in a day or two) we will be using the API to create a list of victims to test against and generate reports for a ‘list of things to do’.

Having recently setup OpenVAS (something I will likely blog about in further detail soon) I have found out that the default out of box deployment of Aruba-OS (formally ProCurve) supports a number of insecure SSH Algorithms with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).

SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.

and

SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.

To secure the switch simply run the following commands while logged into the switch

config
no ip ssh cipher aes128-cbc
no ip ssh cipher 3des-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher rijndael-cbc@lysator.liu.se
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh mac hmac-md5
no ip ssh mac hmac-sha1-96
no ip ssh mac hmac-md5-96
write memory

If you are running (or use) the Sympa Mailing List but also use Windows PowerShell then you may want to be aware of PSSympa which recently went v1.0 on GitHub and the PowerShell Gallery.

In this release we have…

Functions

  • Get-SympaLogin (to login and get a session cookie – the result of which is used with all other functions)
  • Get-SympaMailingListMember (get the members of a list or list(s))
  • Add-SympaMailingListMember (add a member(s) to a list)
  • Remove-SympaMailingListMember (removes a member(s) from a list)
  • Test-SympaMailingListMember (checks to see if someone is a Subscriber, Owner or Editor of a list)
  • Sync-SympaMailingList (based on the contents of a reference CSV makes changes to the membership of a list)

Samples

  • How a CSV storing credentials might look (samplecredsfile.csv)
  • How a CSV that is used to Add/Remove members in bulk to/from a single list (samplememberslist.csv)
  • How a CSV that is used with the Sync- function would look (samplesynclist.csv)

Super Awesome Features

  • Credentials can be stored in a CSV to avoid them being typed in as part of a wider script
  • Pipeline support for members in lists

How to get it

The PowerShell Gallery is the best route to get your hands on the Module, see this link – https://www.powershellgallery.com/packages/PSSympa for the full details in short though you should only need to run the following command at your PowerShell prompt (assuming you are running a recent version of PowerShell) to install the module on your PC.

Install-Module -Name PSSympa

Continue reading

With the continued rise of ‘Next Generation’ Anti-Virus like Sophos Intercept X and PaloAlto Traps the question from many SysAdmins might be well how do I deploy these?

If you are looking at Intercept X and you already are Running Sophos Central (with Endpoint Protection) the simple answer is a press a few buttons in the Admin Console.

In short, login to Sophos Central (https://cloud.sophos.com/manage/login) go to Endpoint Protection > Computers > Manage Endpoint Software > Intercept X > Add your computers from the displayed list > click Save.

For a more in depth walkthrough take a look at the screenshots below. One quick note – due to the changing nature of Sophos Central (previously Sophos Cloud) its quite possible that the look/feel of the Admin Console will have changed between the time I published this article and you read it.

Once you have deployed Intercept X to your existing machines be sure to update your installers to use when deploying new computers. You can download these from the ‘Protect Devices’ button on the Admin Console Dashboard.

Over the past year or so I’ve come to realise that although my Surface Pro 3 (i5/4GB/128GB) is an awesome machine I just don’t take it out of the house as much as I should be for fear of breaking it. On that note I’ve decided to sell it and in turn replace it with a true beast of the computing world – a Panasonic Toughpad FZ-G1 (link to Panasonic product page).

The astute of you will probably realise that bought new that is a very expensive bit of kit and such I’ve opted for (what I believe to be) a refurbished 1st generation model from Fully Rugged.

Hardware Specification

  • Intel i5-3437U Dual Core @ 1.9ghz (details on the Intel website)
  • 4GB RAM DDR3 RAM @ 1,333mhz
  • 128GB SSD
  • USB 3.0 Port
  • HDMI Port
  • Ethernet Port (see the photos below!)
  • Front and Rear Cameras
  • N class WiFi
  • Active Digitiser Pen and Capacitive Touch Screen
  • LTE Mobile Data Connectivity (WWAN)
  • 1.8m drop safe (please don’t test this!)
  • IP65 compliant (see link for more details on what this means)
  • 1.1kg in weight (yep that’s heavy compared to your iPad Air Gen 88 and no I don’t care! :))

Initial Thoughts

Thus far I am very impressed; the build quality is excellent, I may not feel tempted to drop it from 1.8m to test the specification however I’ve been out in the rain with the tablet and are it didn’t show any issues at all. Having access to a WWAN connection against using the mobile hotspot on my phone is very liberating and Windows 10 will manage connecting to the mobile network for you whenever you are away from WiFi. I haven’t done any real work on battery life as yet however I’ve used it on and off over the course of an 8 hour day and battery life didn’t drop into my head once as something to be concerned by. Resume from standby is as fast as my Surface ever was and performance running web browsing/document editing/playing UWP games is top notch (don’t expect to be gaming on it though).

Over all I am very impressed!

Gallery

One of my favourite features of PowerShell is the Invoke-RestMethod cmdlet which (among a great many other things) can download the data from an RSS feed. One application I’ve found for this is to stay on top of security bulletins from organisations like Adobe and Drupal.

However just downloading the data from the feed and kicking it out in an email isn’t quite good enough for my needs thus the script below gets data from a CSV which contains the URL to the feed as well as some extra details to inject into any email notification (e.g. a link to the guide on how to deploy Adobe Updates).

In my production environment this script creates tickets on a FreskDesk helpdesk to log and manage any new update notifications. In the attached example below the script just fires off email notifications.

Have a look at the screenshot sequence below for more info!

  Get-Rss (4.0 KiB, 142 hits)

Update 09/05/2017 – v0.2 – Now handles XML and Arrays in the link and title objects (good for reddit and blogspot!)

For the past few months I’ve been using an in house script to manage the rebooting of Virtual Machines on Hyper-V hosts following Windows Updates. These Virtual Machines also take part in Hyper-V Replica Replication to a DR host. On occasion I’ve spotted that when shutting down (as part of the reboot sequence) the Hyper-V Replica state will go into a Error ‘Critical’ state.

As it transpires this happens when the machine is shutting down and Hyper-V replica is attempting to create a reference point to send replica data over to the DR host.

The best fix I have at the moment for this issue is to suspend replication (you can use the Suspend-VMReplication PowerShell Cmdlet as documented here – https://technet.microsoft.com/en-us/itpro/powershell/windows/hyper-v/suspend-vmreplication to accomplish this) before shutting down the machine and then resuming replication (Resume-VMReplication and https://technet.microsoft.com/en-us/itpro/powershell/windows/hyper-v/resume-vmreplication) once shutdown is complete.

You will also note this issue noted under Hyper-V-VMMS in Event Viewer with Event IDs along the lines of 19060, 33680, 32546 and 32026.

While carrying out the steps to move our network devices from a flat network to one with purposeful VLANs I had changed the IP address of one of our HP CP3505 printers (using the web based management console) to discover that with the new IP I could not print to the printer over the network.
Oddly enough the web based management console was still accessible, the printer replied to PINGs and SNMP requests but would not print (that includes from Mac and PC!).

With no error messages other than ‘Error – Printing’ on the server, and nothing in the logs of the printer it seemed like this issue would not have a simple solution.

In trying to troubleshoot the issue I tried…

  • Changing the printers IP address to other options (indeed changing the IP back to its original one sorted the problem but was not what I wanted)
  • Firmware updating the printer
  • Pressing all of the ‘reset’ and ‘clear settings’ buttons I could find on the printer through the WBMC and front panel
  • Attaching a network cable between a laptop and the printer direct (no server or switches)
  • Removing the jet direct card and leaving it for 30 minutes while the printer was unplugged (oddly enough the jet direct card has a button battery which cannot be removed on it)

All to no success!

In the end and on a complete whim I changed the network settings of the printer to use DHCP instead of Manual IP, reset the printer and then set it back to Manual IP. It was evident that the IP address I had set previously had been forgotten and I set upon the task of configuring the IP address through the front panel. Long behold this worked and the printer is now happyily printing under its new IP address.

As some readers may know I currently work in Higher Education and while all of the business data is trivial to backup providing any level of backup service to students and academics is significantly harder. The challenges faced include the myriad of Operating Systems in use (Windows/OSX/Linux), the fact that the devices being backed up are inherently ‘untrusted’ (i.e. owned by the individual) and that they are often on networks (be it eduroam/public/home) that have no direct connectivity back to the internal trusted network.

Most enterprise class backup systems just aren’t suited to this kind of environment in that they cannot be securely published through a firewall or have exorbitant licencing costs for the number of devices to be protected (a few file servers vs 500+ student owned laptops).

One solution to this issue cropped up at a recent trade show where Synology were demonstrating their Synology DiskStation Manager NAS software which set itself apart from the traditional enterprise backup solutions with…

  • Support up to 16,000 users on high end models (and 2048 on the kind of model that we would consider using) with no extra licencing costs, users can have storage quotas set either by group or per user
  • Secure remote access (simply publish a single port which can be protected by HTTPS for encryption in transit)
  • Home grown backup clients for modern versions of Windows, OSX/macOS and Linux
  • On the point of OSX/macOS the backup client for Synology does not rely on Time Machine and so overcomes the issues associated with having to be on the same network as your backup device
  • Home grown Btrfs file system which auto detects (and fixes) corrupted files through metadata along with extensive snapshot support
  • Up to 32 recovery points and real-time file protection (when connected to the DiskStation)

So time for some screenshots! Below we have the initial setup of the Disk Station Manager and the installation of the client on a Windows PC.

Then restoring a file that has been deleted on the Windows PC; note that you can restore either individual files or entire folders to a point in time.

The same but for OSX…

So that’s all of the good, the only downside we have found thus far is while shared drives can be protected with encryption it is not possible to protect each individual home area (per user) with a unique encryption key thus opening up issues with data privacy. However, if you consider the following scenario…

  • A business needs to provide backup to remote workers
    • Those remote workers do not connect to the trusted network often
      • Perhaps they don’t like VPNs/DirectAccess (and so rules out using Offline Files)
    • and those remote workers do not use a commercial ‘cloud’ service to protect their data with
      • Perhaps trusting a 3rd party to host the data is not an option
    • The remote workers use OSX/macOS

…then using a Synology DiskStation should be a serious consideration for that business.

When working with a lab full of HPE ProCurve/Aruba switches (or you just want to know who is who in a stack of switches) the chassislocate CLI command comes in really handy by either blinking or holding solid the blue locator light. See the screenshots below for a little more info.