Following on from more work with OpenVAS and after resolving issues around PHP/MySQL the next largest priority was flagged as issues with the Remote Desktop Server (this applies if the server is being used as a Session Host or is just running Windows Server/Client). Here are two pointers in the right direction to get these port 3389 issues resolved!
SSL/TLS: Report Weak Cipher Suites and SSL/TLS: Diffie-Hellman Key Exchange Insufficient DH Group Strength Vulnerability
To resolve this issue I would suggest you look at the free IISCrypto tool (https://www.nartac.com/Products/IISCrypto) which (after a reboot) disables weak cipher suites and ensures that the correct key exchange mechanisms are used on your servers and clients. Note this software doesn’t just apply to IIS (Internet Information Services) but also Remote Desktop and any other Microsoft technology that makes use of schannel.
Although it takes a little while longer you can also examine the registry (see https://www.nartac.com/Support/IISCrypto/FAQ) and deploy a Group Policy to apply the same settings to your machines.
If you can I would suggest you opt for the PCI 3.1 template (which also culls TLS1.0 support) however as I found out you may have to resort to the ‘Best Practices’ which keeps TLS1.0 enabled and in turn allows things like 802.1x EAPOL and older versions of Microsoft SQL Server to work. Really is worth doing extensive testing with all of your applications (network services included!) before you go and roll this tool out to your full environment!
SSL/TLS: Certificate Signed Using A Weak Signature Algorithm
In this case we are looking at the self signed Remote Desktop Protocol certificate which just so happens to be SHA1. To resolve this issue have a look at this blog post – https://www.darkoperator.com/blog/2015/3/26/rdp-tls-certificate-deployment-using-gpo which covers in great detail how to use an Active Directory Certificate Services Server to issue SHA256 certificates to your machines to use with Remote Desktop.
Following on from some recent OpenVAS testing and in turn discovering that some of our PHP versions were sorely out of date I’ve set about to patch and document all of the installations. In turn we have a simple guide on how to update PHP security releases!
Please note – this guide is aimed at really simple single server instances of PHP that are being used by Microsoft IIS, be sure to test the upgrade outside of your production environment before deploying it.
For this guide you will also need this link – http://windows.php.net which contains the downloads for PHP on Windows.
- If you encounter an error message during the overwrite of the existing PHP install consider stopping the IIS server service first and then restarting it with the following commands from an elevated command/PowerShell prompt.
- net stop WAS
- net start W3SVC
Following on from the previous post (A Windows SysAdmin installs and uses OpenVAS – End to end guide – Simple Beginnings) in this post we’ll be using PowerShell, OpenVAS and the OMP (Open Management Protocol from Greenbone) to create a Target (a machine/device) to conduct some Pen Testing against, create a Task to scan the target and then generate a report.
The final step is quite possibly the most important though; it’s worth pointing out (hopefully the obvious) that you could have the most amazing Pen Testing software package on the planet but unless you then absorb the reports and take action to Mitigate/Resolve/Eliminate the risks identified it’s all just a horrible waste of CPU cycles.
A quick note – this guide is shown as only a small example of how you can get started with OpenVAS, stay tuned for more in depth guides!
In this first stage we will download the OMP client for Windows (from http://docs.greenbone.net/GSM-Manual/gos-4/en/tools.html#omp), get it into the right place on our computer as well as create a omp.config file (you can download an example from below) which will provide settings and credentials to the OMP client.
Example OMP File (hosted on GitHub – https://gist.github.com/jamesfed/4ed9be7de2adb83d1d442cc06ea1dbeb).
In addition to follow through with this guide you should download the .ps1 file below which contains the PowerShell code for the steps shown in the screenshots.
OpenVAS-Simple-Example.ps1 (hosted on GitHub – https://gist.github.com/jamesfed/6a5c6634abc12c180f125e25c2764d1f).
Creating a Target
Creating and kicking off a Task
Exporting the Report
Reading the Report
To discover more about the omp.exe tool take a look here – http://docs.greenbone.net/GSM-Manual/gos-4/en/omp.html#access-with-omp.
In the next post of this series I’ll be covering how we can take these simple beginnings and start to build something more in depth through OMP and PowerShell.
As anyone who has been keeping tabs on my work will know I’ve recently started making use of GitHub (https://github.com/jamesfed) but was quite surprised today when logging in and I received the message below.
Your account has been flagged.
Because of that, your profile is hidden from the public. If you believe this is a mistake, contact support to have your account status reviewed.
In contacting support I received an email less than a few minutes later stating that this was an error by their spam detection system and that the account was reinstated.
This guide covers one (of I’m sure a 1,000) ways to deploy and use OpenVAS 9 in your environment on Ubuntu Server 16.04 for the purpose of White Hat Penetration Testing, more so it’s also written from the viewpoint of a SysAdmin who mainly works with Windows Systems (Windows Server/Hyper-V/PowerShell/suchlike) and so takes a very simplistic approach to the setup.
The goals of this project are to
- Install Ubuntu Server 16.04 LTS on Hyper-V
- Deploy OpenVAS to that server
- Execute scripted commands against OpenVAS from a remote system
- Light up with a big warning sign all of the unknown issues within a network
Lets get started!
To start out you will need
- A Hyper-V host (although no reason not to run it on VMWare/whatnot)
- The latest ISO for Ubuntu Server 16.04 LTS saved somewhere your Hyper-V server can get to
- Download from – https://www.ubuntu.com/download/server
- Worth noting that only the 16.04 LTS release is going to work with this guide, when I first tried getting OpenVAS to work with 17.04 (a newer release) there were various blocking issues that I could not overcome. In short – use 16.04!!!
Step 0 – Get DNS in the right place
Configuring DNS correctly in particular with relation to Reverse Lookup will help your OpenVAS deployment loads, for a good guide on how to setup Reverse Lookup take a look at this link – http://de.community.dell.com/techcenter/os-applications/w/wiki/684.how-to-configure-dns-reverse-lookup-zone-in-windows-server-2012 (don’t worry about the de. its in English!).
Step 1 – Configure a Hyper-V VM for OpenVAS
In this next step we configure a Hyper-V VM running on Windows Hyper-V Server 2016 (which is free by the way!).
Step 2 – Install Ubuntu Server
Next up the install of Ubuntu Linux, as I understand OpenVAS can be installed on all kinds of flavours of Linux however the support I’ve seen in the past around Ubuntu seems much better than other options. This portion of the guide assumes you are not running your OpenVAS server on a network that’s got DHCP enabled (in this example it’s on our Servers VLAN).
Step 3 – First Boot
Next up we have some housekeeping for Ubuntu, making sure it’s up to date and getting OpenSSH server running so we can move to using something like PuTTY (download from – https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html) to manage the server.
For this portion of the guide you will need the following lines of script-
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install openssh-server
Step 4 – Install OpenVAS
Here comes the good bit! The initial installation of OpenVAS and downloading of the lists of vulnerabilities.
For this portion of the guide you will need the following lines of script-
Step 5 – Change the default password!!!
Now that OpenVAS is running it’ll be using the default username/password combination of admin/admin, how brilliant is that!
Step 6 – Allow API Access
For the last step in this guide we will set it so that the port for API Access to OpenVAS is enabled on every boot of the machine.
sudo nano /etc/rc.local
sudo openvasmd -p 9390 -a 0.0.0.0
So that’s things setup, in the next guide (hopefully following in a day or two) we will be using the API to create a list of victims to test against and generate reports for a ‘list of things to do’.
Having recently setup OpenVAS (something I will likely blog about in further detail soon) I have found out that the default out of box deployment of Aruba-OS (formally ProCurve) supports a number of insecure SSH Algorithms with messages similar to the ones below logged even when running the latest firmware releases (YA.16.03.0004 on the 2530 series).
SSH Weak Encryption Algorithms Supported
The remote SSH server is configured to allow weak encryption algorithms.
SSH Weak MAC Algorithms Supported
The remote SSH server is configured to allow weak MD5 and/or 96-bit MAC algorithms.
To secure the switch simply run the following commands while logged into the switch
no ip ssh cipher aes128-cbc
no ip ssh cipher 3des-cbc
no ip ssh cipher aes192-cbc
no ip ssh cipher aes256-cbc
no ip ssh cipher firstname.lastname@example.org
no ip ssh cipher aes128-ctr
no ip ssh cipher aes192-ctr
no ip ssh mac hmac-md5
no ip ssh mac hmac-sha1-96
no ip ssh mac hmac-md5-96
In this release we have…
- Get-SympaLogin (to login and get a session cookie – the result of which is used with all other functions)
- Get-SympaMailingListMember (get the members of a list or list(s))
- Add-SympaMailingListMember (add a member(s) to a list)
- Remove-SympaMailingListMember (removes a member(s) from a list)
- Test-SympaMailingListMember (checks to see if someone is a Subscriber, Owner or Editor of a list)
- Sync-SympaMailingList (based on the contents of a reference CSV makes changes to the membership of a list)
- How a CSV storing credentials might look (samplecredsfile.csv)
- How a CSV that is used to Add/Remove members in bulk to/from a single list (samplememberslist.csv)
- How a CSV that is used with the Sync- function would look (samplesynclist.csv)
Super Awesome Features
- Credentials can be stored in a CSV to avoid them being typed in as part of a wider script
- Pipeline support for members in lists
How to get it
The PowerShell Gallery is the best route to get your hands on the Module, see this link – https://www.powershellgallery.com/packages/PSSympa for the full details in short though you should only need to run the following command at your PowerShell prompt (assuming you are running a recent version of PowerShell) to install the module on your PC.
Install-Module -Name PSSympa
With the continued rise of ‘Next Generation’ Anti-Virus like Sophos Intercept X and PaloAlto Traps the question from many SysAdmins might be well how do I deploy these?
If you are looking at Intercept X and you already are Running Sophos Central (with Endpoint Protection) the simple answer is a press a few buttons in the Admin Console.
In short, login to Sophos Central (https://cloud.sophos.com/manage/login) go to Endpoint Protection > Computers > Manage Endpoint Software > Intercept X > Add your computers from the displayed list > click Save.
For a more in depth walkthrough take a look at the screenshots below. One quick note – due to the changing nature of Sophos Central (previously Sophos Cloud) its quite possible that the look/feel of the Admin Console will have changed between the time I published this article and you read it.
Once you have deployed Intercept X to your existing machines be sure to update your installers to use when deploying new computers. You can download these from the ‘Protect Devices’ button on the Admin Console Dashboard.
Over the past year or so I’ve come to realise that although my Surface Pro 3 (i5/4GB/128GB) is an awesome machine I just don’t take it out of the house as much as I should be for fear of breaking it. On that note I’ve decided to sell it and in turn replace it with a true beast of the computing world – a Panasonic Toughpad FZ-G1 (link to Panasonic product page).
The astute of you will probably realise that bought new that is a very expensive bit of kit and such I’ve opted for (what I believe to be) a refurbished 1st generation model from Fully Rugged.
- Intel i5-3437U Dual Core @ 1.9ghz (details on the Intel website)
- 4GB RAM DDR3 RAM @ 1,333mhz
- 128GB SSD
- USB 3.0 Port
- HDMI Port
- Ethernet Port (see the photos below!)
- Front and Rear Cameras
- N class WiFi
- Active Digitiser Pen and Capacitive Touch Screen
- LTE Mobile Data Connectivity (WWAN)
- 1.8m drop safe (please don’t test this!)
- IP65 compliant (see link for more details on what this means)
- 1.1kg in weight (yep that’s heavy compared to your iPad Air Gen 88 and no I don’t care! :))
Thus far I am very impressed; the build quality is excellent, I may not feel tempted to drop it from 1.8m to test the specification however I’ve been out in the rain with the tablet and are it didn’t show any issues at all. Having access to a WWAN connection against using the mobile hotspot on my phone is very liberating and Windows 10 will manage connecting to the mobile network for you whenever you are away from WiFi. I haven’t done any real work on battery life as yet however I’ve used it on and off over the course of an 8 hour day and battery life didn’t drop into my head once as something to be concerned by. Resume from standby is as fast as my Surface ever was and performance running web browsing/document editing/playing UWP games is top notch (don’t expect to be gaming on it though).
Over all I am very impressed!
One of my favourite features of PowerShell is the Invoke-RestMethod cmdlet which (among a great many other things) can download the data from an RSS feed. One application I’ve found for this is to stay on top of security bulletins from organisations like Adobe and Drupal.
However just downloading the data from the feed and kicking it out in an email isn’t quite good enough for my needs thus the script below gets data from a CSV which contains the URL to the feed as well as some extra details to inject into any email notification (e.g. a link to the guide on how to deploy Adobe Updates).
In my production environment this script creates tickets on a FreskDesk helpdesk to log and manage any new update notifications. In the attached example below the script just fires off email notifications.
Have a look at the screenshot sequence below for more info!
Get-Rss (4.0 KiB, 213 hits)
Update 09/05/2017 – v0.2 – Now handles XML and Arrays in the link and title objects (good for reddit and blogspot!)