From jonas at andradas.es Fri Jan 8 13:17:56 2010
From: jonas at andradas.es (Jonas Andradas)
Date: Fri, 8 Jan 2010 13:17:56 +0100
Subject: [Openvas-discuss] "False negative" and strange UDP 32789 port
Message-ID:

Hello,

I am using OpenVAS 2 Debian packages, versions:

libopenvas2 2.0.4-2
libopenvasnasl2 2.0.2-2
openvas-client 2.0.5-1intevation1
openvas-plugins-base 1.0.7-5+svn20090920
openvas-plugins-dfsg 1.0.7-5+svn20090920
openvas-server 2.0.3-3

I work as a security auditor, and at my company we are using Nessus 4, and
introducing OpenVAS (hopefully, soon it will replace our Nessus).

Related to the false positive Fidel Castro reported on December 18th, I
wanted to share a "false negative". I am scanning an APC Smart-UPS 1000 RM
device (with version 3.5.5 of APC OS). On port 80, there is a web server
which, upon an empty GET request, freezes or, at least, becomes
unresponsive. This also makes unresponsive the Telnet server running on the
device. After a while, services are restored. OpenVAS did not report this
issue, but Nessus 4 did report it as "Linksys WRT54G Empty GET Request
Remote DoS". Another host, running OpenSuse 11 and TightVNC 1.2.9,
presents the same issue on the VNC-HTTP port 5801. This was also not
identified by OpenVAS. It seems that more than only the WRT54G has these
issues, so maybe a generic result could be done so that if safe checks are
disabled, and the server does freeze after sending an empty GET, it gets
reported, even if the host is not identified as a WRT54G router or any
other device where this vulnerability might be known.

The other issue I would like to comment and ask about is that on some of my
recent scans, I've seen that, when there is an SNMP service with default
credentials ("public" and/or "private", for example), sometimes I get a
result in the report for a Security Hole on port 32789 UDP, which states
that an SNMP server responds to these default community names.
I was not scanning that UDP port on the Options (and I have checked the
parameter that makes consider all unscanned ports as closed). Later, I am
unable to manually verify the existence of this SNMP service listening on
port 32789, nor using SNMP polling software, nor running NMAP against UDP
port 32789 (it appears as "closed"). I don't know if this is an OpenVAS
false positive or if the execution of some plugins somehow makes the remote
host answer SNMP requests on this port. I have seen this behaviour on APC
Smart-UPS and Allied Telesyn 8326GB switches.

Best Regards,

Jonás Andradas.

From felix.wolfsteller at intevation.de Fri Jan 8 13:29:20 2010
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Fri, 8 Jan 2010 13:29:20 +0100
Subject: [Openvas-discuss] "False negative" and strange UDP 32789 port
In-Reply-To:
References:
Message-ID: <201001081329.20889.felix.wolfsteller@intevation.de>

Thanks a lot Jonas.

While I cannot comment on the content, I am cross-posting to the
openvas-plugins mailinglist.

On Friday 08 January 2010 13:17:56 Jonas Andradas Jonas wrote:
> Hello,
>
> I am using OpenVAS 2 Debian packages, versions:
>
> libopenvas2 2.0.4-2
> libopenvasnasl2 2.0.2-2
> openvas-client 2.0.5-1intevation1
> openvas-plugins-base 1.0.7-5+svn20090920
> openvas-plugins-dfsg 1.0.7-5+svn20090920
> openvas-server 2.0.3-3
>
> I work as a security auditor, and at my company we are using Nessus 4, and
> introducing OpenVAS (hopefully, soon it will replace our Nessus).
>
> Related to the false positive Fidel Castro reported on December 18th, I
> wanted to share a "false negative". I am scanning an APC Smart-UPS 1000 RM
> device (with version 3.5.5 of APC OS). On port 80, there is a web server
> which, upon an empty GET request, freezes or, at least, becomes
> unresponsive.
> This also makes unresponsive the Telnet server running on the
> device. After a while, services are restored. OpenVAS did not report this
> issue, but Nessus 4 did report it as "Linksys WRT54G Empty GET Request
> Remote DoS". Another host, running OpenSuse 11 and TightVNC 1.2.9,
> presents the same issue on the VNC-HTTP port 5801. This was also not
> identified by OpenVAS. It seems that more than only the WRT54G has these
> issues, so maybe a generic result could be done so that if safe checks are
> disabled, and the server does freeze after sending an empty GET, it gets
> reported, even if the host is not identified as a WRT54G router or any
> other device where this vulnerability might be known.
>
>
> The other issue I would like to comment and ask about is that on some of my
> recent scans, I've seen that, when there is an SNMP service with default
> credentials ("public" and/or "private", for example), sometimes I get a
> result in the report for a Security Hole on port 32789 UDP, which states
> that an SNMP server responds to these default community names. I was not
> scanning that UDP port on the Options (and I have checked the parameter
> that makes consider all unscanned ports as closed). Later, I am unable to
> manually verify the existence of this SNMP service listening on port 32789,
> nor using SNMP polling software, nor running NMAP against UDP port 32789
> (it appears as "closed"). I don't know if this is an OpenVAS false
> positive or if the execution of some plugins somehow makes the remote host
> answer SNMP requests on this port. I have seen this behaviour on APC
> Smart-UPS and Allied Telesyn 8326GB switches.
>
> Best Regards,
>
> Jonás Andradas.

--
Felix Wolfsteller | ++49 541 335083-783 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr.
Jan-Oliver Wagner

From robert.berkowitz at gmail.com Wed Jan 13 14:41:41 2010
From: robert.berkowitz at gmail.com (Robert Berkowitz)
Date: Wed, 13 Jan 2010 08:41:41 -0500
Subject: [Openvas-discuss] Fwd: Turkish chapter
In-Reply-To: <1cc8bdd01001130425o6053792i97ce118e43a3f5ec@mail.gmail.com>
References: <1cc8bdd01001130425o6053792i97ce118e43a3f5ec@mail.gmail.com>
Message-ID: <8ce3eb501001130541p73a8aba3ic06e18a91dcca121@mail.gmail.com>

All:

I received this offer to host a mirror in Turkey for download of OpenVAS.
Please let me know if you all agree to this and we can get them set up.

Regards,
Robert

---------- Forwarded message ----------
From: Ozgur Ozdemircili
Date: Wed, Jan 13, 2010 at 7:25 AM
Subject: Turkish chapter
To: robert.berkowitz at gmail.com

Hi,

I'm Ozgur. As one of the many people I'd like to congratulate you guys for
the awesome job.

Me and my team would like to offer you mirroring service in our server
under acikkod.org, a Turkish opensource web site, publishing tips and news.

And in the future, depending on the people I can collect we can start to do
the localization of the website and the software.

Let me know if I can be of assist in any kind.

Have a good day.

Özgür Özdemircili
IT Department
ozgur.ozdemircili at grupserhs.com
www.serhstourism.com
SERHS TOURISM, S.A. - GRUP SERHS
C/ Garbí, 88-90 - 08397 PINEDA DE MAR (BARCELONA)
937629300
937629301
Sent from Santa Barbara, CT, Spain
This e-mail may contain confidential or privileged information. If you are
not the intended recipient or have received it in error, please notify the
sender immediately and destroy this e-mail. Any unauthorized copying,
disclosure or distribution of the material in this e-mail is strictly
forbidden and may be illegal.

--
Robert Berkowitz
919.244.5704
robert.berkowitz at gmail.com

From jonas at andradas.es Thu Jan 14 15:49:33 2010
From: jonas at andradas.es (Jonas Andradas)
Date: Thu, 14 Jan 2010 15:49:33 +0100
Subject: [Openvas-discuss] Informing that identified services have stopped being available during a scan
Message-ID:

Hello,

together with Michael Meyer, we found out that running several plugins
against some embedded web servers, on APC UPS or Enterasys switches,
froze those services for a while (about 3 minutes on APC UPS and 30-40
seconds on Enterasys switches). Along with the HTTP service, Telnet, FTP
or SSH services also stopped responding, but how to handle this is
another issue.

The problem with causing a temporary failure on the service is that,
while the service is down, other plugins are still run against the host.
Some even for the same service or port. When this happens, these plugins
don't report or get any results, as they cannot perform the checks they
need to.

I was wondering if it would make sense to provide these plugins or the
OpenVAS server/scanner with some awareness on this issue, which would
get reported at the end of the scan. For example, if on the KB the
presence of a web server on port 80 is noted, and after running plugins
that use this port, they exit because of a timeout or the server not
responding, this could be seen as if something might have caused the
service to stop working.
If on the report a note is included, saying
something like "A Web Server was found running on this port, but some
plugins could not perform their checks because at times during the scan,
the service was found unavailable", one could re-run the test with some
other options.

Probably it includes lots of work, but if instead of a simple note as
the one I said before, a more complete/complex one is provided,
specifying a list of plugins run against the service/port correctly and
a list of failed plugins, a re-scan could be performed without the
successful plugins which, if enabled, could cause again the temporary
DoS and prevent the failed plugins to report correctly.

I tried to specify the problem and the idea the best I could but,
please, if something I am talking about is not clear, tell me and I'll
try to explain myself better. I don't know if this issue happens very
often, but I guess that, running with safe-checks disabled could cause
more than one DoS to be successful, but any tests done after the
first one, or if the service recovers by itself, between the first time
and when the service is available again, would not provide an accurate
result, maybe resulting in false negatives.

Best Regards,

Jonás

From lists at securityspace.com Thu Jan 14 16:23:21 2010
From: lists at securityspace.com (Thomas Reinke)
Date: Thu, 14 Jan 2010 10:23:21 -0500
Subject: [Openvas-discuss] Informing that identified services have stopped being available during a scan
In-Reply-To:
References:
Message-ID: <4B4F36E9.6020102@securityspace.com>

Welll.... my first instinct would be to ask if there is any way to
uniquely identify these particular embedded servers via a banner,
and to then specifically generate a warning on exactly this issue.

If the above is not possible, I'd probably go for the approach of
ensuring that one particular plugin (a new one?) replicates the
problem (albeit probably not in safe mode), and then if a server
is found that trips on this, report the issue in a possibly
generic fashion, enumerating the problem with having the server
be temporarily unavailable during the audit.

Hmm... would it make any sense to have one of several different
type of "connectivity" meters running during an audit, and report
on unexpected outages? I'm thinking something like the host up
measure using TCP/ICMP connectivity checks at the start of an
audit. Instead, however, how about running these, if they are
able, at a low level through an audit. Then, at the end of an
audit, report on any anomalous readings. You could probably do
this through a plugin that continuously updated the kb with
detected "outages" as they are in progress, and have one of the
last scripts run have the means to terminate the plugin and
report on the results.

My thoughts above are related to the fact that we see this problem
regularly, and it's not always due to the equipment being audited.
Sometimes network hiccups cause outages for minutes or more at a
time. Sometimes IPS' kick in. There's all sorts of reasons why
an audit may be incomplete, which can affect any plugin. A generic
solution might be in order.

Thomas

Jonas Andradas wrote:
> Hello,
>
> together with Michael Meyer, we found out that running several plugins
> against some embedded web servers, on APC UPS or Enterasys switches,
> froze those services for a while (about 3 minutes on APC UPS and 30-40
> seconds on Enterasys switches). Along with the HTTP service, Telnet, FTP
> or SSH services also stopped responding, but how to handle this is
> another issue.
>
> The problem with causing a temporary failure on the service is that,
> while the service is down, other plugins are still run against the host.
> Some even for the same service or port.
> When this happens, these plugins
> don't report or get any results, as they cannot perform the checks they
> need to.
>
> I was wondering if it would make sense to provide these plugins or the
> OpenVAS server/scanner with some awareness on this issue, which would
> get reported at the end of the scan. For example, if on the KB the
> presence of a web server on port 80 is noted, and after running plugins
> that use this port, they exit because of a timeout or the server not
> responding, this could be seen as if something might have caused the
> service to stop working. If on the report a note is included, saying
> something like "A Web Server was found running on this port, but some
> plugins could not perform their checks because at times during the scan,
> the service was found unavailable", one could re-run the test with some
> other options.
>
> Probably it includes lots of work, but if instead of a simple note as
> the one I said before, a more complete/complex one is provided,
> specifying a list of plugins run against the service/port correctly and
> a list of failed plugins, a re-scan could be performed without the
> successful plugins which, if enabled, could cause again the temporary
> DoS and prevent the failed plugins to report correctly.
>
> I tried to specify the problem and the idea the best I could but,
> please, if something I am talking about is not clear, tell me and I'll
> try to explain myself better. I don't know if this issue happens very
> often, but I guess that, running with safe-checks disabled could cause
> more than one DoS to be successful, but any tests done after the
> first one, or if the service recovers by itself, between the first time
> and when the service is available again, would not provide an accurate
> result, maybe resulting in false negatives.
>
> Best Regards,
>
> Jonás

From jonas at andradas.es Fri Jan 15 09:08:37 2010
From: jonas at andradas.es (Jonas Andradas)
Date: Fri, 15 Jan 2010 09:08:37 +0100
Subject: [Openvas-discuss] Informing that identified services have stopped being available during a scan
In-Reply-To: <4B4F36E9.6020102@securityspace.com>
References: <4B4F36E9.6020102@securityspace.com>
Message-ID:

Hello Thomas,

On Thu, Jan 14, 2010 at 4:23 PM, Thomas Reinke wrote:

> Welll.... my first instinct would be to ask if there is any way to
> uniquely identify these particular embedded servers via a banner,
> and to then specifically generate a warning on exactly this issue.
>

There is a plugin that tries to identify Embedded web servers. Some of
these web servers identify themselves as "Embedded Web Servers", but
others don't identify themselves at all, or they do, but not using the
"Server:" keyword in the HTTP response (even using the keyword
"Webserver:" with an empty value after that). One of the ideas at hand
was to identify these web servers with this plugin, and then prevent some
of the other plugins from running against them.

> If the above is not possible, I'd probably go for the approach of
> ensuring that one particular plugin (a new one?) replicates the
> problem (albeit probably not in safe mode), and then if a server
> is found that trips on this, report the issue in a possibly
> generic fashion, enumerating the problem with having the server
> be temporarily unavailable during the audit.
> Hmm... would it make any sense to have one of several different
> type of "connectivity" meters running during an audit, and report
> on unexpected outages?
> I'm thinking something like the host up
> measure using TCP/ICMP connectivity checks at the start of an
> audit. Instead, however, how about running these, if they are
> able, at a low level through an audit, Then, at the end of an
> audit, report on any anomalous readings. You could probably do
> this through a plugin that continuously updated the kb with
> detected "outages" as they are in progress, and have one of the
> last scripts run have the means to terminate the plugin and
> report on the results.
>

I was thinking something like that. Like "a web server has been detected
on this port". Then, all web-server plugins run against it, could return
some kind of error or value indicating if they could connect to the web
server or not, and these "exit values" would have to be "read" by some
other plugin or the server/scanner itself. Unfortunately, my programming
skills are very forgotten (for the server/scanner), and my NASL skills are
at a very early stage, so I cannot assess as to how complicated or how
much work or overload this could introduce. The idea would be to have
something like this for every service detected, not only web servers.
Issues with them during an audit made me start thinking about this
behavior.

> My thoughts above are related to the fact that we see this problem
> regularly, and it's not always due to the equipment being audited.
> Sometimes network hiccups cause outages for minutes or more at a
> time. Sometimes IPS' kick in. There's all sorts of reasons why
> an audit may be incomplete, which can affect any plugin. A generic
> solution might be in order.
>

As you say, probably a starting point could be to develop a way to
identify or register which plugins were supposed to run properly (whether
they find the vulnerability they search for or not) but failed because the
identified port/service was closed/unresponsive.

> Thomas
>

Best Regards,
Jonás.
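The outage bookkeeping discussed in this thread (connectivity samples taken during the audit, then a report of which plugins could not reach the service and are worth re-running), as an added example that is not part of any poster's message and is not OpenVAS code. The plugin names, timings and the `triage` report layout are constructed for illustration; the 3-minute outage mirrors the APC figure quoted above.

```python
import socket
from dataclasses import dataclass


def tcp_probe(host, port, timeout=2.0):
    """One connectivity sample: True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def outage_windows(samples):
    """Collapse (timestamp, is_up) samples into (last_ok, down_at, up_at) windows.

    last_ok is the last good sample before the outage (None if there was none),
    up_at is the first good sample after it (None if the service never returned).
    """
    windows, last_ok, open_win = [], None, None
    for ts, up in sorted(samples):
        if up:
            if open_win is not None:
                windows.append((open_win[0], open_win[1], ts))
                open_win = None
            last_ok = ts
        elif open_win is None:
            open_win = (last_ok, ts)
    if open_win is not None:
        windows.append((open_win[0], open_win[1], None))
    return windows


@dataclass
class PluginRun:
    name: str         # hypothetical plugin name
    port: int
    started: float    # seconds since scan start
    finished: float
    connected: bool   # did the plugin manage to talk to the service?


def _during(run, window):
    """True if the run overlaps the span in which the service may have been down."""
    last_ok, down_at, up_at = window
    begin = down_at if last_ok is None else last_ok
    return run.finished >= begin and (up_at is None or run.started <= up_at)


def _at_onset(run, window):
    """True if the run was active between the last good and first failed sample."""
    last_ok, down_at, _ = window
    begin = down_at if last_ok is None else last_ok
    return run.started <= down_at and run.finished >= begin


def triage(runs, windows_by_port):
    """Sort plugin runs into the lists an end-of-scan note would need."""
    report = {"completed": [], "inconclusive": [], "unreachable": [], "suspects": []}
    for run in runs:
        windows = windows_by_port.get(run.port, [])
        if run.connected:
            report["completed"].append(run.name)
            # Ran while the service went down: leave out of the re-scan.
            if any(_at_onset(run, w) for w in windows):
                report["suspects"].append(run.name)
        elif any(_during(run, w) for w in windows):
            # No result because the service was down: re-run these.
            report["inconclusive"].append(run.name)
        else:
            # Failed to connect with no recorded outage on that port.
            report["unreachable"].append(run.name)
    return report


# Constructed data: port 80 sampled every 10 s, down from t=60 to t=230.
SAMPLES_80 = [(t, not 60 <= t <= 230) for t in range(0, 250, 10)]
RUNS = [
    PluginRun("http_version", 80, 5, 8, True),
    PluginRun("empty_get_check", 80, 52, 58, True),
    PluginRun("cgi_scan", 80, 70, 100, False),
    PluginRun("dir_enum", 80, 120, 150, False),
    PluginRun("telnet_banner", 23, 80, 85, False),
    PluginRun("http_trace", 80, 250, 255, True),
]

if __name__ == "__main__":
    for key, names in triage(RUNS, {80: outage_windows(SAMPLES_80)}).items():
        print(f"{key}: {', '.join(names)}")
```

In a live audit the samples would come from calling `tcp_probe` on a timer for each service the scanner has recorded, one sample list per port.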

From ray.hague at Iowa.gov Fri Jan 22 21:18:39 2010
From: ray.hague at Iowa.gov (Hague, Raymond [IDR])
Date: Fri, 22 Jan 2010 14:18:39 -0600
Subject: [Openvas-discuss] Windows client for version 3
Message-ID: <1BF719C7B7ED51468E5F99B11F0910D808FFDCB3@IDRDSMEX01.idr.gov.state.ia.us>

Allow me to start by saying thank you for a *less expensive* alternative
to pay-for services. We really appreciate it in these times of layoffs
and budget cuts in government.

I am a newbie, so please forgive me. I was able to get v3 up and running
on OpenSUSE 11.2 and I got thru testing using the Linux client on the
scanner/server. I want to move the operations to a Windows XP client
and that's where I ran into problems. It appears from what I've read in
my research that the v1 Windows client won't run against the v3 scanner.
If this is true, does anyone have a time frame for when a v3 Windows
client will become available? Thanks in advance for the help.

-RH

From ray.hague at Iowa.gov Fri Jan 22 21:47:23 2010
From: ray.hague at Iowa.gov (Hague, Raymond [IDR])
Date: Fri, 22 Jan 2010 14:47:23 -0600
Subject: [Openvas-discuss] Windows client for version 3
Message-ID: <1BF719C7B7ED51468E5F99B11F0910D808FFDCB5@IDRDSMEX01.idr.gov.state.ia.us>

Allow me to start by saying thank you for a *less expensive* alternative
to pay-for services. We really appreciate it in these times of layoffs
and budget cuts in government.

I am a newbie, so please forgive me. I was able to get v3 up and running
on OpenSUSE 11.2 and I got thru testing using the Linux client on the
scanner/server. I want to move the operations to a Windows XP client
and that's where I ran into problems.
It appears from what I've read in
my research that the v1 Windows client won't run against the v3 scanner.
If this is true, does anyone have a time frame for when a v3 Windows
client will become available? Thanks in advance for the help.

-RH

From matthew.mundell at intevation.de Sat Jan 23 18:54:32 2010
From: matthew.mundell at intevation.de (Matthew Mundell)
Date: 23 Jan 2010 17:54:32 GMT
Subject: [Openvas-discuss] Windows client for version 3
In-Reply-To: Message of Fri, 22 Jan 2010 14:47:23 -0600. <1BF719C7B7ED51468E5F99B11F0910D808FFDCB5@IDRDSMEX01.idr.gov.state.ia.us>
Message-ID: <20100123175431.C4AD4DEBE8@mail.ukfsn.org>

> Allow me to start by saying thank you for a *less expensive* alternative
> to pay-for services. We really appreciate it in these times of layoffs
> and budget cuts in government.

Besides the price, it's also Free Software. So you can get anybody to
extend or support the software, and you benefit from work that anyone
puts into the software.

> I am a newbe, so please forgive me. I was able to get v3 up and running
> on OpenSUSE 11.2 and I got thru testing using the Linux client on the
> scanner/server. I want to move the operations to a Windows XP client
> and that's where I ran into problems. It appears from what I've read in
> my research that the v1 Windows client won't run against the v3 scanner.
> If this is true, does anyone have a time frame for when a v3 Windows
> client will become available? Thanks in advance for the help.

Right now there's the option of running the Greenbone Security Assistant
(GSA) alongside the Scanner. The GSA serves a web interface to OpenVAS,
so any client with a browser can manage scans. The initial release of the
GSA should happen pretty soon.

--
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From mattias at fareoffice.com Tue Jan 26 10:09:57 2010
From: mattias at fareoffice.com (Mattias Hemmingsson)
Date: Tue, 26 Jan 2010 10:09:57 +0100 (CET)
Subject: [Openvas-discuss] *Openvas and ssh
In-Reply-To: <1460074866.561264496517984.JavaMail.root@fo-dev-mail>
Message-ID: <1314522795.581264496997564.JavaMail.root@fo-dev-mail>

Hello

I'm working on setting up an openvas server to scan my network
I'm using openvas to scan my network and I'm looking in to use the openvas
to log in to the server using ssh to scan. I'm only using the terminal
client and I can't find any document how to get this set up properly.

Has anyone done this before?

// Matte

From felix.wolfsteller at intevation.de Tue Jan 26 10:32:47 2010
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Tue, 26 Jan 2010 10:32:47 +0100
Subject: [Openvas-discuss] *Openvas and ssh
In-Reply-To: <1314522795.581264496997564.JavaMail.root@fo-dev-mail>
References: <1314522795.581264496997564.JavaMail.root@fo-dev-mail>
Message-ID: <201001261032.47307.felix.wolfsteller@intevation.de>

Hi Mattias.

Which versions are you running?
In principle, the openvasrc you use should have following lines

SSH Authorization[entry]:SSH login name: = something
SSH Authorization[password]:SSH password (unsafe!): = something

Replace with the real values for login name and password.
Note that this is quite "old style" (OpenVAS <= 2.0) and the Gtk-client and
upcoming clients allow different (and better) ways to specify credentials
to use for Local Security Checks.

-- felix

On Tuesday 26 January 2010 10:09:57 Mattias Hemmingsson wrote:
> Hello
>
> I'm working on setting up an openvas server to scan my network
> I'm using openvas to scan my network and I'm looking in to use the openvas to
> log in to the server using ssh to scan.
> I'm only using the terminal client
> and I can't find any document how to get this set up properly.
>
> Has anyone done this before?
>
>
> // Matte

--
Felix Wolfsteller | ++49 541 335083-783 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From felix.wolfsteller at intevation.de Tue Jan 26 11:11:42 2010
From: felix.wolfsteller at intevation.de (Felix Wolfsteller)
Date: Tue, 26 Jan 2010 11:11:42 +0100
Subject: [Openvas-discuss] *Openvas and ssh
In-Reply-To: <86872919.631264499970622.JavaMail.root@fo-dev-mail>
References: <86872919.631264499970622.JavaMail.root@fo-dev-mail>
Message-ID: <201001261111.42986.felix.wolfsteller@intevation.de>

[forwarding reply to openvas-discuss]

On Tuesday 26 January 2010 10:59:30 you wrote:
> hi
> Thanks for the fast reply
> Have read this also but where is this file where you put these lines?
>
> I don't have any X on the server so the terminal is the only way
> to do this.

Should be in ~/.openvasrc, but you can also specify the file to use.

-- felix

> ----- Original message -----
> From: "Felix Wolfsteller"
> To: openvas-discuss at wald.intevation.org
> Cc: "Mattias Hemmingsson"
> Sent: Tuesday, 26 Jan 2010 10:32:47 GMT +01:00
> Amsterdam/Berlin/Bern/Rome/Stockholm/Vienna
> Subject: Re: [Openvas-discuss] *Openvas and ssh
>
> Hi Mattias.
>
> Which versions are you running?
> In principle, the openvasrc you use should have following lines
>
> SSH Authorization[entry]:SSH login name: = something
> SSH Authorization[password]:SSH password (unsafe!): = something
>
> Replace with the real values for login name and password.
> Note that this is quite "old style" (OpenVAS <= 2.0) and the Gtk-client and
> upcoming clients allow different (and better) ways to specify credentials
> to use for Local Security Checks.
>
> -- felix
>
> On Tuesday 26 January 2010 10:09:57 Mattias Hemmingsson wrote:
> > Hello
> >
> > I'm working on setting up an openvas server to scan my network
> > I'm using openvas to scan my network and I'm looking in to use the openvas
> > to log in to the server using ssh to scan. I'm only using the terminal
> > client and I can't find any document how to get this set up properly.
> >
> > Has anyone done this before?
> >
> >
> > // Matte

--
Felix Wolfsteller | ++49 541 335083-783 | http://www.intevation.de/
PGP Key: 39DE0100
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From jonas at andradas.es Tue Jan 26 11:37:21 2010
From: jonas at andradas.es (Jonas Andradas)
Date: Tue, 26 Jan 2010 11:37:21 +0100
Subject: [Openvas-discuss] *Openvas and ssh
In-Reply-To: <201001261111.42986.felix.wolfsteller@intevation.de>
References: <86872919.631264499970622.JavaMail.root@fo-dev-mail> <201001261111.42986.felix.wolfsteller@intevation.de>
Message-ID:

Hello,

On Tue, Jan 26, 2010 at 11:11 AM, Felix Wolfsteller <
felix.wolfsteller at intevation.de> wrote:

[forwarding reply to openvas-discuss]

On Tuesday 26 January 2010 10:59:30 you wrote:
> hi
> Thanks for the fast reply
> Have read this also but where is this file where you put these lines?
>
> I don't have any X on the server so the terminal is the only way
> to do this.

Even if you don't have X on the scanning server, if you have other host(s)
from which you connect to this server, you could run the graphical client
on them, and connect to the remote server/scanner. Scans would be
performed by and from this server, but the configuration would be done
using the GUI, and results could be seen there too.

Should be in ~/.openvasrc , but you can also specify the file to use.

-- felix

Best Regards,
Jonás.

From yungwei at resolvity.com Tue Jan 26 17:37:16 2010
From: yungwei at resolvity.com (Yungwei Chen)
Date: Tue, 26 Jan 2010 11:37:16 -0500
Subject: [Openvas-discuss] nmap doesn't want to scan ports
Message-ID: <33095823FD21DF429B481B5163264B793FCBC6B74F@VMBX102.ihostexchange.net>

Hi,

I am having trouble using openvas along with nmap. Openvas client and
server are installed on the same box.
I made one change to nmap.nasl
(replaced "-P0" with "-PN"), and was able to scan a remote web server
behind a firewall in our LAN. But after I had run "openvas-update" last
night, nmap.nasl was overwritten and now nmap doesn't want to scan the
specified ports any more. In openvas-client, the scope settings associated
with the remote web server remain the same.

The following command works as expected:

nmap -v -p T:1-2000,8000-9999 -PN -sS 10.66.112.25

Here are packages installed on the openvas box. These packages came from
the atomic repository.

openvas-libnasl-2.0.2-1.el5.art
openvas-server-2.0.3-1.el5.art
openvas-plugins-1.0.7-1.el5.art
openvas-client-2.0.5-1.el5.art
openvas-libraries-2.0.4-1.el5.art

Any idea is appreciated.

From michael.meyer at intevation.de Tue Jan 26 19:59:20 2010
From: michael.meyer at intevation.de (Michael Meyer)
Date: Tue, 26 Jan 2010 19:59:20 +0100
Subject: [Openvas-discuss] nmap doesn't want to scan ports
In-Reply-To: <33095823FD21DF429B481B5163264B793FCBC6B74F@VMBX102.ihostexchange.net>
References: <33095823FD21DF429B481B5163264B793FCBC6B74F@VMBX102.ihostexchange.net>
Message-ID: <20100126185920.GA7364@komma-nix.de>

Hello,

*** Yungwei Chen wrote:

> I am having trouble using openvas along with nmap. Openvas client
> and server are installed on the same box. I made one change to
> nmap.nasl (replaced "-P0" with "-PN"), and was able to scan a remote
> web server behind a firewall in our LAN. But after I had run
> "openvas-update" last night, nmap.nasl was overwritten and now nmap
> doesn't want to scan the specified ports any more.

Hmm..."-P0" and "-PN" are identical[1]. Therefore, I guess that this
is not your problem. What exactly do you mean when you say "nmap
doesn't want to scan the specified ports any more"? What happened?
What have you entered as "Port Range" in Client? What is your nmap version?

> The following command works as expected:
> nmap -v -p T:1-2000,8000-9999 -PN -sS 10.66.112.25

Have you ever tried to use "-P0" there?

> Here are packages installed on the openvas box. These packages came
> from the atomic repository
> openvas-libnasl-2.0.2-1.el5.art
> openvas-server-2.0.3-1.el5.art
> openvas-plugins-1.0.7-1.el5.art
> openvas-client-2.0.5-1.el5.art
> openvas-libraries-2.0.4-1.el5.art

There are newer versions in "atomic-testing".

[1]
,---[ http://nmap.org/svn/nmap.cc ]
| case 'P':
| [...]
| else if (*optarg == 'n' || *optarg == '0' || *optarg == 'N' || *optarg == 'D')
| o.pingtype = PINGTYPE_NONE;
`---|

Micha

--
Michael Meyer OpenPGP Key: 76E050B9
http://www.intevation.de
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From yungwei at resolvity.com Tue Jan 26 20:32:22 2010
From: yungwei at resolvity.com (Yungwei Chen)
Date: Tue, 26 Jan 2010 14:32:22 -0500
Subject: [Openvas-discuss] nmap doesn't want to scan ports
In-Reply-To: <20100126185920.GA7364@komma-nix.de>
References: <33095823FD21DF429B481B5163264B793FCBC6B74F@VMBX102.ihostexchange.net> <20100126185920.GA7364@komma-nix.de>
Message-ID: <33095823FD21DF429B481B5163264B793FCBC6B82A@VMBX102.ihostexchange.net>

* By "nmap doesn't want to scan the specified ports any more", I mean in openvas-client GUI, when you start a scan, it's supposed to start with port scan first, and then other plugins. But in my case, it looks like port scan is skipped for some reason, and only other plugins are done.
* The port range is 1-2000,8000-9999
* My nmap version is nmap-4.85-1.el5.art
* Both -P0 and -PN work with the nmap command mentioned earlier. But with -PN, nmap found a few more ports open on the same remote web server.
From michael.meyer at intevation.de Wed Jan 27 11:22:50 2010
From: michael.meyer at intevation.de (Michael Meyer)
Date: Wed, 27 Jan 2010 11:22:50 +0100
Subject: [Openvas-discuss] nmap doesn't want to scan ports
In-Reply-To: <33095823FD21DF429B481B5163264B793FCBC6B82A@VMBX102.ihostexchange.net>
References: <33095823FD21DF429B481B5163264B793FCBC6B74F@VMBX102.ihostexchange.net> <20100126185920.GA7364@komma-nix.de> <33095823FD21DF429B481B5163264B793FCBC6B82A@VMBX102.ihostexchange.net>
Message-ID: <20100127102250.GA3200@komma-nix.de>

Hello,

*** Yungwei Chen wrote:
> * By "nmap doesn't want to scan the specified ports any more", I
> mean in openvas-client GUI, when you start a scan, it's supposed to
> start with port scan first, and then other plugins. But in my case,
> it looks like port scan is skipped for some reason, and only other
> plugins are done.

in nmap.nasl at line 318 you find

# display(argv, "\n", res, "\n\n");

Please remove the "#", save it and rescan. Watch the /var/log/openvas/openvas.dump. Do you see something like that? http://pastebin.com/m7aa4d205. The path to the openvas.dump depends on your installation. See the "dumpfile" option in openvas.conf.

Maybe set also "log_whole_attack" to "yes" and "grep" for "nmap" in openvas.messages.

Micha

--
Michael Meyer OpenPGP Key: 76E050B9
http://www.intevation.de
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

From yungwei at resolvity.com Wed Jan 27 15:58:38 2010
From: yungwei at resolvity.com (Yungwei Chen)
Date: Wed, 27 Jan 2010 09:58:38 -0500
Subject: [Openvas-discuss] nmap doesn't want to scan ports
In-Reply-To: <20100127102250.GA3200@komma-nix.de>
References: <33095823FD21DF429B481B5163264B793FCBC6B74F@VMBX102.ihostexchange.net> <20100126185920.GA7364@komma-nix.de> <33095823FD21DF429B481B5163264B793FCBC6B82A@VMBX102.ihostexchange.net> <20100127102250.GA3200@komma-nix.de>
Message-ID: <33095823FD21DF429B481B5163264B793FCBC6B9E6@VMBX102.ihostexchange.net>

I think my openvas is in a weird state. Yesterday I managed to have it scan a remote web server successfully, and I got the following. One issue here is that I didn't specify max_rtt_timeout, nor did I check Custom option in Nmap preferences section, but max_rtt_timeout was one of the arguments for some reason.

[ 0: 'nmap', 1: '-PN', 2: '-oG', 3: '/var/lib/openvas/tmp/nmap-10.66.112.25-1624724235', 4: '-sS', 5: '-p', 6: '1-2000,8000-9999', 7: '--max_rtt_timeout', 8: 6, 9: '10.66.112.25' ]
# Nmap 4.85BETA5 scan initiated Tue Jan 26 16:07:07 2010 as: nmap -PN -oG /var/lib/openvas/tmp/nmap-10.66.112.25-1624724235 -sS -p 1-2000,8000-9999 --max_rtt_timeout 6 10.66.112.25
Host: 10.66.112.25 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 8109/open/tcp/////, 8309/open/tcp/////, 8380/open/tcp/////, 8409/open/tcp//unknown///, 8480/open/tcp///// Ignored State: filtered (3993)
# Nmap done at Tue Jan 26 16:07:12 2010 -- 1 IP address (1 host up) scanned in 5.25 seconds

However, it doesn't always run port-scan successfully. Sometimes it appears that it just skips port-scan and starts with checks. In that case, openvasd.dump doesn't show anything related to nmap.

I think I'll try to re-install openvas and see how it goes.
From Jan-Oliver.Wagner at greenbone.net Thu Jan 28 10:22:56 2010
From: Jan-Oliver.Wagner at greenbone.net (Jan-Oliver Wagner)
Date: Thu, 28 Jan 2010 10:22:56 +0100
Subject: [Openvas-discuss] OpenVAS Live-CD / VM
Message-ID: <201001281022.56866.Jan-Oliver.Wagner@greenbone.net>

Hello,

I have been asked a lot about a Live-CD or VM image where OpenVAS is readily installed. The intention is mostly on demo/testing, not so much on having a production system.

From the OpenVAS project perspective this could be a marketing tool, of course.
I'd like to ask for opinions on how this need can be handled. Conceptually and technically.

Who would be willing to work on such a system?

I know that backtrack and possibly others carry OpenVAS already. However, an OpenVAS-centric solution would be under better control with regard to updates, fine-tuning etc.

I could imagine that we add a little web browser on port 80 with general information about OpenVAS and the OpenVAS project and have GSA available at 443.

Some of the questions that need an answer:
What could be the underlying system or Live-Project?
Can we combine Live-CD and VM easily?

Any feedback very much appreciated!

Best

Jan

--
Dr. Jan-Oliver Wagner | ++49-541-335084-0 | http://www.greenbone.net/
Greenbone Networks GmbH, Neuer Graben 17, 49074 Osnabrück
AG Osnabrück, HR B 202460 | Geschäftsführer: Lukas Grunwald, Dr. Jan-Oliver Wagner

From geoff at galitz.org Thu Jan 28 10:48:39 2010
From: geoff at galitz.org (Geoff Galitz)
Date: Thu, 28 Jan 2010 10:48:39 +0100
Subject: [Openvas-discuss] OpenVAS Live-CD / VM
In-Reply-To: <201001281022.56866.Jan-Oliver.Wagner@greenbone.net>
References: <201001281022.56866.Jan-Oliver.Wagner@greenbone.net>
Message-ID: <03B980401B9F4DB891C7FD70059CEB96@geoffPC>

I happen to be working on exactly this related to some current projects. I am looking at these long term options:

- Centos based OpenVAS VM
- SuSE based OpenVAS VM
- rPath based

I do already have a SuSE (SLE 11) production ready OpenVAS VM deployed to customers. It needs some cleaning up before it can be made generally available, though.

Going the centos route with the new 3.x series from ART is a good option. I am currently exploring using the rPath rBuilder tools which enable us to create:

- VMware compatible images
- XenServer XVA compatible images
- LiveCD / ISO images

I was using susestudio, but it is too limited for the kind of deployments I need to deploy.

In terms of a Centos based VM, I volunteered to help out over IRC, but never managed to connect...
mostly due to me just being too busy. I can most certainly make some time after FOSDEM (anyone else going?) and possibly before that. I'd be happy to make this VM generally available and maintain it (as time allows, as always). Of course any help would be appreciated.

Are there 3.x binary packages already available for other platforms? Debian for example? For full compatibility with existing VM platforms we should stick to this list of distributions:

- Centos
- SuSE
- Debian

Other distributions are not supported across all VM platforms and present a barrier to entry. XenServer does not support Ubuntu, for example. That makes administration more difficult, though not impossible.

If we have currently available 3.x binary packages for the above platforms I'll go ahead and implement a VM for them in the next few days.

---------------------------------
Geoff Galitz
Blankenheim NRW, Germany
http://www.galitz.org/
http://german-way.com/blog/

From bitdealer at gmail.com Thu Jan 28 16:50:18 2010
From: bitdealer at gmail.com (Stephan Kleine)
Date: Thu, 28 Jan 2010 16:50:18 +0100
Subject: [Openvas-discuss] OpenVAS Live-CD / VM
Message-ID: <201001281650.18283.bitdealer@gmail.com>

> Going the centos route with the new 3.x series from ART is a good option. I
> am currently exploring using the rPath rBuilder tools which enable us to
> create:
>
> - VMware compatible images
> - XenServer XVA compatible images
> - LiveCD / ISO images
>
> I was using susestudio, but it is too limited for the kind of deployments I
> need to deploy.

KIWI [1] (which is also used as backend for susestudio) can do all this and some more (e.g. it's also the stuff that is used to create the openSUSE & SLE distros). Also you can use the full flexibility with studio too when you upload manually edited config files.

> Are there 3.x binary packages already available for other platforms? Debian
> for example? For full compatibility with existing VM platforms we should
> stick to this list of distributions:
>
> - Centos
> - SuSE
> - Debian

You can find 3.x packages for Debian, Fedora, Mandriva, openSUSE, SLE and Ubuntu on OBS [2] (CentOS / RHEL is too old / is missing too many deps).
I yesterday finished adding config files like default config & logrotate and init scripts to them all and once a -libraries version is released that makes GSA >beta1 build I'll update that one too.

However, I run only SUSE so all others are untested which means that it would be great anyways if people would give them a test as in feedback is totally welcome. If I receive no complaints I consider them working and will move the stuff into STABLE in the near future.

hth
Stephan

[1] http://en.opensuse.org/Build_Service/KIWI
[2] http://download.opensuse.org/repositories/security:/openvas:/UNSTABLE/

From geoff at galitz.org Thu Jan 28 17:08:25 2010
From: geoff at galitz.org (Geoff Galitz)
Date: Thu, 28 Jan 2010 17:08:25 +0100
Subject: [Openvas-discuss] OpenVAS Live-CD / VM
In-Reply-To: <201001281650.18283.bitdealer@gmail.com>
References: <201001281650.18283.bitdealer@gmail.com>
Message-ID: <58063C6C5CA8422BB0C01D05CD293FDA@geoffPC>

KIWI can create standard Xen VMs, but not XenServer XVAs (XenServer Virtual Appliances). I even asked the SuSE team about it but they were not in a position to comment on it. To my knowledge the rBuilder build system is the only open system that can do so.

Please correct me if I am wrong... I don't really care what tool to use so long as it works and is widely compatible. I do need XVA support for my own projects.

-geoff

---------------------------------
Geoff Galitz
Blankenheim NRW, Germany
http://www.galitz.org/
http://german-way.com/blog/

From yungwei at resolvity.com Thu Jan 28 17:41:19 2010
From: yungwei at resolvity.com (Yungwei Chen)
Date: Thu, 28 Jan 2010 11:41:19 -0500
Subject: [Openvas-discuss] port scans and checks
Message-ID: <33095823FD21DF429B481B5163264B793FCBC6BD39@VMBX102.ihostexchange.net>

Hi,

I found that although OpenVAS TCP Scanner properly finds all open ports on a remote host, subsequent checks fail to find any security vulnerabilities of an Apache server on the remote host.
So I'm wondering if my understanding of how OpenVAS works is correct: Port scanners are used to find open ports on a remote host, and each check is then applied to each open port.

Any insight is appreciated. Thanks.

From michael.meyer at intevation.de Thu Jan 28 20:35:27 2010
From: michael.meyer at intevation.de (Michael Meyer)
Date: Thu, 28 Jan 2010 20:35:27 +0100
Subject: [Openvas-discuss] port scans and checks
In-Reply-To: <33095823FD21DF429B481B5163264B793FCBC6BD39@VMBX102.ihostexchange.net>
References: <33095823FD21DF429B481B5163264B793FCBC6BD39@VMBX102.ihostexchange.net>
Message-ID: <20100128193527.GA30165@komma-nix.de>

Hello,

*** Yungwei Chen wrote:
> I found that although OpenVAS TCP Scanner properly finds all open
> ports on a remote host, subsequent checks fail to find any security
> vulnerabilities of an Apache server on the remote host.

Could you please show me the banner of this Apache?

| mime at kira:~ % telnet 192.168.2.22 80
| Trying 192.168.2.22...
| Connected to 192.168.2.22.
| Escape character is '^]'.
| GET / HTTP/1.0
|
| HTTP/1.1 200 OK
| Date: Thu, 28 Jan 2010 19:33:02 GMT
| Server: Apache/2.2.13 (FreeBSD) DAV/2 mod_ssl/2.2.13 OpenSSL/0.9.8k

Most plugins just check the version from the banner. If no version is displayed, they will fail to detect vulnerabilities. In this case you should try local security checks.

Micha

--
Michael Meyer OpenPGP Key: 76E050B9
http://www.intevation.de
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück; AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
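
The banner-only version check described in the last message, as an added example that is not part of the original thread and is not OpenVAS plugin code. It parses the Server header from the telnet session above and shows the three outcomes a banner check can reach; the function names, the two constructed responses and the threshold 2.2.14 are assumptions made for the illustration.

```python
import re

def server_header(raw_response):
    """Return the Server header value of a raw HTTP response, or None."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def product_versions(banner):
    """Map each product token to its version; None when no version is shown."""
    tokens = re.sub(r"\([^)]*\)", " ", banner).split()   # drop "(FreeBSD)"-style comments
    versions = {}
    for token in tokens:
        name, _, version = token.partition("/")
        versions[name.lower()] = version or None
    return versions

def version_tuple(text):
    """Leading numeric components only, e.g. '0.9.8k' -> (0, 9, 8)."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def banner_check(raw_response, product, fixed_in):
    """Classify a host from its banner alone.

    Returns 'vulnerable', 'not_vulnerable', 'not_applicable' (other product)
    or 'undetermined' (no banner or no version: nothing was proven either way).
    """
    banner = server_header(raw_response)
    if banner is None:
        return "undetermined"
    versions = product_versions(banner)
    if product.lower() not in versions:
        return "not_applicable"
    seen = versions[product.lower()]
    if seen is None or not version_tuple(seen):
        return "undetermined"
    if version_tuple(seen) < version_tuple(fixed_in):
        return "vulnerable"
    return "not_vulnerable"

# Response headers from the telnet session quoted in the message above.
FULL = ("HTTP/1.1 200 OK\r\n"
        "Date: Thu, 28 Jan 2010 19:33:02 GMT\r\n"
        "Server: Apache/2.2.13 (FreeBSD) DAV/2 mod_ssl/2.2.13 OpenSSL/0.9.8k\r\n\r\n")
# Constructed sample: the same product with the version left out of the banner.
HIDDEN = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
# Constructed sample: no Server header at all.
SILENT = "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

FIXED_IN = "2.2.14"   # hypothetical threshold, not taken from any advisory

if __name__ == "__main__":
    for label, response in (("full", FULL), ("hidden", HIDDEN), ("silent", SILENT)):
        print(label, banner_check(response, "apache", FIXED_IN))
```

A report that folds "undetermined" into a clean result hides exactly the case where the banner carries no version; those hosts are the ones to hand to local security checks.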