9. Scanning a System

9.1. Performing a Scan

Generally speaking the GSM can use two different approaches to scan a target:

  • Remote scan
  • Authenticated scan using local security checks

9.1.1. Running a Simple Scan

This section describes the first steps for configuring a first scan.

Basically two options are available:

  • Using the task wizard that creates all required configurations for a first scan with only very little input
  • Configuring the scan manually

The steps are also explained in a video based on GOS 3.1 at https://docs.greenbone.net/Videos/gos-3.1/en/GSM-FirstScan-GOS-3.1-en-20150716.mp4.

9.1.1.1. Using the Task Wizard for a First Scan

When logging into the web interface of the GSM appliance for the first time after the initial setup, an empty dashboard is displayed (see figure The dashboard is displayed empty by default).

_images/emptydashboard.png

The dashboard is displayed empty by default

A new task with the task wizard can be configured as follows:

  1. Select Scans > Tasks in the menu bar.

    → If fewer than four scans have been created so far, an overlay promoting the wizard is displayed (see figure Overlay promoting the task wizard).

    _images/wizard-promotion.png

    Overlay promoting the task wizard

  2. Start the wizard by clicking wizard and selecting Task Wizard.

  3. Enter the IP address or DNS name of the target system in the input box (see figure Configuring the task wizard).

    Note

    When using a DNS name however, the GSM has to be able to resolve the name.

    _images/task-wizard.png

    Configuring the task wizard

  4. Click Start Scan.

    → The task wizard performs the following steps automatically:

    1. Creating a new scan target on the GSM.
    2. Creating a new scan task on the GSM.
    3. Starting the scan task immediately.
    4. Displaying the page Tasks and reloading it every 30 seconds in order to monitor the progress of the task.

After the task is started, the progress can be monitored (see figure Page Tasks displaying the progress of the task).

_images/task-fortschritt.png

Page Tasks displaying the progress of the task

The bar in the column Status shows information about the status of a scan. The following colours and states are possible:

  • status-new The task has not been run since it was created.
  • status-run The task is currently running and 42% completed. The information is based on the number of NVTs executed on the selected hosts. For this reason the information does not necessarily correlate with the time spent.
  • status-requested The task was just started. The GSM is preparing the scan.
  • status-delete The task was deleted. The actual deletion process can take some time as reports need to be deleted as well.
  • status-stopr The task was stopped recently. However, the scan engine has not yet reacted to the stop request.
  • status-stop The last scan was stopped by the user at 15%. The latest report is possibly not yet complete. Other reasons for this status could be the reboot of the GSM or a power outage. After restarting the scanner, the task will be resumed automatically.
  • status-error An error has occurred. The latest report is possibly not yet complete or is missing completely.
  • status-done The task has been completed successfully.
  • status-container The task is a container task.

For all tasks the following actions are available:

  • start Start the task. Only currently not running tasks can be started.
  • stop Stop the currently running task. All discovered results will be written to the database.
  • resume Resume the stopped task.
  • trashcan Delete the task.
  • edit Edit the task.
  • clone Clone the task.
  • download Download the task as an XML object.

The report of a task can be displayed as soon as the task has been started by clicking the bar in the column Status.

Note

For reading, managing and downloading reports see Chapter Reports and Vulnerability Management.

9.1.1.2. Using the Advanced Task Wizard

Next to the simple wizard the GSM also provides an advanced wizard that allows for more configuration options.

A new task with the advanced task wizard can be configured as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Start the wizard by clicking wizard and selecting Advanced Task Wizard.

  3. Define the task (see figure Configuring the advanced task wizard).

    Tip

    For the information to enter in the input boxes see Chapters Creating a Target and Creating a Task.

    When an e-mail address is entered in the input box Email report to an alert is created sending an e-mail as soon as the task is completed (see Chapter alerts).

    _images/advwizard.png

    Configuring the advanced task wizard

  4. Click Create.

    → The advanced task wizard performs the following steps automatically:

    1. Starting the scan task immediately.
    2. Displaying the page Tasks and reloading it every 30 seconds in order to monitor the progress of the task.

After the task is started, the progress can be monitored (see Chapter Using the Task Wizard for a First Scan).

9.1.1.3. Using the Wizard to Modify a Task

An additional wizard can modify the e-mail address to which the report should be sent:

  1. Select Scans > Tasks in the menu bar.

  2. Start the wizard by clicking wizard and selecting Modify Task Wizard.

  3. Select the task which should be modified in the drop-down-menu Task (see figure Modifying a task using the wizard).

  4. Enter the e-mail address in the input box Email report to.

  5. Click Save.

    _images/modwizard.png

    Modifying a task using the wizard

9.1.1.4. Configuring a Scan Manually

9.1.1.4.1. Creating a Target

The first step is to define a scan target as follows:

  1. Select Configuration > Targets in the menu bar.

  2. Create a new target by clicking new.

  3. Define the target (see figure Creating a new target).

  4. Enter the systems that should be scanned in the input box Hosts/Manual.

    Note

    The IP address or the DNS name is required. In both cases it is necessary that the GSM can connect to the system. When using the DNS name, the GSM must also be able to resolve the name.

    _images/newtarget2.png

    Creating a new target

  5. Click Create.

The following information can be entered:

Name
The name can be chosen freely. A descriptive name should be chosen if possible. Possibilities are Mailserver, ClientNetwork, Webserverfarm, DMZ or the like, describing the entered systems in more detail.
Comment
The optional comment allows specifying background information. It simplifies understanding the configured targets later.
Hosts

Manual entry of the hosts, separated by commas, or importing a list of hosts. When entering manually the following options are available:

  • Single IP address, e.g. 192.168.15.5
  • Host name, e.g. mail.example.com
  • IPv4 address range in long format, e.g. 192.168.15.5-192.168.15.27
  • IPv4 address range in short format, e.g. 192.168.55.5-27
  • IPv4 address range in CIDR notation, e.g. 192.168.15.0/24 [1] (at most 4096 IP addresses)
  • Single IPv6 address, e.g. fe80::222:64ff:fe76:4cea
  • IPv6 address range in long format, e.g. ::12:fe5:fb50-::12:fe6:100
  • IPv6 address range in short format, e.g. ::13:fe5:fb50-fb80
  • IPv6 address range in CIDR notation, e.g. fe80::222:64ff:fe76:4cea/120 (at most 4096 IP addresses)

Multiple options can be mixed. When importing from a file, the same syntax can be used. Entries can be separated with commas or by line breaks. When many systems have to be scanned, using a file with the hosts is simpler than entering all hosts manually. The file should use UTF-8 text encoding.

Alternatively the systems can be imported from the host asset database.

Note

Importing a host from the asset database is only possible if a target is created from the page Hosts.
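The host notations listed above, as an added example that is not part of the manual or of GSM/OpenVAS code: a small Python expander that accepts the same syntax (single addresses, host names, ranges in long and short format, CIDR for IPv4 and IPv6, entries separated by commas or line breaks) and enforces the documented 4096-address limit for CIDR blocks. Applying that same limit to explicit ranges, and the function names, are assumptions of the example.

```python
"""Expand the Hosts/Manual syntax of a GSM target into individual entries.

Added example, not GSM/OpenVAS code. Supports the notations listed in the
manual: single IPv4/IPv6 address, host name, address range in long and
short format, and CIDR notation (at most 4096 addresses, i.e. /20 for IPv4).
"""
import ipaddress
import re
from typing import List, Union

# Documented limit for CIDR entries (netmask /20 equals 4096 addresses).
MAX_CIDR_ADDRESSES = 4096
# Assumption of this example (not stated in the manual): apply the same bound
# to explicit ranges so that a typo cannot expand to billions of addresses.
MAX_RANGE_ADDRESSES = 4096

# Host name labels: letters, digits and hyphens; no leading/trailing hyphen.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$",
    re.IGNORECASE,
)

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _range_end(start: IPAddress, end_text: str) -> IPAddress:
    """Resolve a range end given in long form (full address) or short form.

    Short form replaces only the last octet (IPv4) or last hextet (IPv6) of
    the start address, e.g. 192.168.55.5-27 or ::13:fe5:fb50-fb80.
    """
    try:
        return ipaddress.ip_address(end_text)  # long format
    except ValueError:
        pass
    sep = "." if start.version == 4 else ":"
    parts = start.exploded.split(sep)
    parts[-1] = end_text  # short format
    try:
        return ipaddress.ip_address(sep.join(parts))
    except ValueError as exc:
        raise ValueError(f"invalid range end {end_text!r}") from exc


def _expand_range(start: IPAddress, end_text: str, entry: str) -> List[str]:
    """Expand start-end into every address, inclusive of both ends."""
    end = _range_end(start, end_text)
    if end.version != start.version or end < start:
        raise ValueError(f"{entry}: end must be same family and not before start")
    count = int(end) - int(start) + 1
    if count > MAX_RANGE_ADDRESSES:
        raise ValueError(f"{entry}: {count} addresses exceed {MAX_RANGE_ADDRESSES}")
    # type(start)(int) keeps the address family; ip_address(int) would guess.
    return [str(type(start)(int(start) + i)) for i in range(count)]


def _expand_entry(entry: str) -> List[str]:
    """Expand one entry of the Hosts field (already stripped, non-empty)."""
    if "/" in entry:  # CIDR notation, IPv4 or IPv6
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > MAX_CIDR_ADDRESSES:
            raise ValueError(f"{entry}: CIDR block has {net.num_addresses} "
                             f"addresses, limit is {MAX_CIDR_ADDRESSES}")
        return [str(addr) for addr in net]
    if "-" in entry:  # a range, unless it is a host name containing '-'
        start_text, end_text = entry.split("-", 1)
        try:
            start = ipaddress.ip_address(start_text)
        except ValueError:
            start = None
        if start is not None:
            return _expand_range(start, end_text, entry)
    try:
        return [str(ipaddress.ip_address(entry))]  # single address
    except ValueError:
        pass
    # Reject an all-numeric last label so that a malformed IPv4 address such
    # as 192.168.15.300 is not silently accepted as a host name.
    if _HOSTNAME_RE.match(entry) and not entry.rsplit(".", 1)[-1].isdigit():
        return [entry]
    raise ValueError(f"{entry!r}: not an address, range, CIDR block or host name")


def parse_hosts(text: str) -> List[str]:
    """Return the unique hosts of a Hosts field (comma or newline separated)
    in input order, as accepted from manual entry or an imported file."""
    seen = set()
    hosts: List[str] = []
    for raw in re.split(r"[,\n]", text):
        entry = raw.strip()
        if not entry:
            continue
        for host in _expand_entry(entry):
            if host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


if __name__ == "__main__":
    # Constructed sample input mixing the notations from the manual.
    sample = "192.168.15.5, mail.example.com\n192.168.55.5-27\n::13:fe5:fb50-fb80"
    expanded = parse_hosts(sample)
    print(f"{len(expanded)} hosts, first {expanded[0]}, last {expanded[-1]}")
```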

Exclude Hosts
Systems that should be excluded from the lists mentioned above.
Reverse Lookup Only
Only scan IP addresses that can be resolved into a DNS name.
Reverse Lookup Unify
If multiple IP addresses resolve to the same DNS name the DNS name will only get scanned once.
Port list

The TCP and UDP protocols support 65535 ports each. Scanning all ports in many cases takes too long, and many ports are usually not used. A manufacturer developing a new application often registers the respective port with the IANA. For most scans it is enough to scan the ports registered with the IANA. Keep in mind, however, that the registered ports differ from the privileged ports: privileged ports are ports below 1024 [2]. The ports 1433/tcp (MS-SQL) and 3306/tcp (MySQL) are also registered and included in the appropriate lists. Nmap by default uses a different list and does not check all ports either. OpenVAS uses a different default as well.

Scanning TCP ports is usually simple and fast. Operating systems without firewall features always reply to a TCP request and thereby advertise a port as being open (TCP-ACK) or closed (TCP-RST). With UDP this is not the case: the operating system only responds reliably when the port is closed (ICMP Port Unreachable). The scanner deduces an open port from a missing response and therefore has to wait for an internal timeout. This behaviour only holds for systems not protected by a firewall. When a firewall exists, discovering open or closed ports is much more difficult.

If applications run on unusual ports and they should be monitored and tested with the GSM, the default port lists should be verified and adapted by selecting Configuration > Port Lists in the menu bar. If necessary, create a list that includes the desired port.

Additionally, a port list can be created on the fly by clicking new next to the drop-down-list.

The default port lists cannot be modified.

Alive Test

This option specifies the method to check if a target is reachable. Options are:

  • ICMP Ping
  • TCP Service Ping
  • ARP Ping
  • ICMP & TCP Service Ping
  • ICMP & ARP Ping
  • TCP Service & ARP Ping
  • ICMP, TCP Service & ARP Ping

This test can be unreliable in some environments. Routers and firewall systems may respond to a TCP service ping with a TCP-RST even though the host is actually not alive (see Chapter Obstacles While Scanning).

Network components exist that support Proxy-ARP and respond to an ARP ping. Therefore this test often requires local customization to the environment.

SSH Credential
Selection of a user that can log into the target system of a scan if it is a Linux or UNIX system. This allows for an Authenticated Scan using local security checks (see Chapters Using Credentials and Running an Authenticated Scan Using Local Security Checks).
SMB Credential
Selection of a user that can log into the target system of a scan if it is a Microsoft Windows system. This allows for an Authenticated Scan using local security checks (see Chapters Using Credentials and Running an Authenticated Scan Using Local Security Checks).
ESXi Credential
Selection of a user that can log into the target system of a scan if it is a VMWare ESXi system. This allows for an Authenticated Scan using local security checks (see Chapters Using Credentials and Running an Authenticated Scan Using Local Security Checks).
SNMP Credential
Selection of a user that can log into the target system of a scan if it is an SNMP aware system. This allows for an Authenticated Scan using local security checks (see Chapters Using Credentials and Running an Authenticated Scan Using Local Security Checks).

All credentials can be created on the fly by clicking new next to the credential.

All created targets can be displayed by selecting Configuration > Targets in the menu bar.

Footnotes

[1] The maximum netmask is /20. This equals 4096 addresses.
[2] In UNIX access to these privileged ports is only allowed for privileged users (i.e. root). Ports starting at 1024 are also available to unprivileged users.

9.1.1.4.2. Creating a Task

The GSM controls the execution of a scan using tasks. These tasks can be repeated regularly or run at specific times (see Chapter Performing a Scheduled Scan).

A task can be created as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Create a new task by clicking new and selecting New Task.

  3. Define the task (see figure Creating a new task).

    _images/task.png

    Creating a new task

  4. Click Create.

The following information can be entered:

Name
The name can be chosen freely. A descriptive name should be used if possible. Possibilities to describe the entered task are Scan Mailserver, Test ClientNetwork, Check DMZ for new ports and systems or the like.
Comment
The optional comment allows for the entry of background information. It simplifies understanding the configured task later.
Scan Targets

Select a previously configured target from the drop-down-list.

Additionally, the target can be created on the fly by clicking new next to the drop-down-list.

Alerts

Select a previously configured alert. Status changes of a task can be communicated to the world via e-mail, Syslog, HTTP or a connector.

Additionally, an alert can be created on the fly by clicking new next to the input box.

Schedule

Select a previously configured schedule. The task can be run once or repeatedly at a predetermined time, e.g. every Monday morning at 6:00 am.

Additionally, a schedule can be created on the fly by clicking new next to the drop-down-list.

Add results to Asset Management

Selecting this option will make the systems available to the asset management of the GSM automatically (see Chapter Asset Management). This selection can be changed at a later point as well.

  • Apply Overrides
    Overrides can be directly applied when adding the results to the asset database.
  • Min QoD
    Here the minimum quality of detection can be specified for the addition of the results to the asset database.
Alterable Task
Allow for modification of the task even though reports were already created. The consistency between reports can no longer be guaranteed if tasks are altered.
Auto Delete Reports
This option may automatically delete old reports. The maximum number of reports to store can be configured. If the maximum is exceeded, the oldest report is automatically deleted. The factory setting is Do not automatically delete reports.
Scanner

By default, only the built-in OpenVAS and CVE scanners are supported. Sensors can be used as additional scanning engines but need to be configured first (see Chapter Master-Sensor Setup).

  • OpenVAS Scanner

    Note

    The following options are only relevant for the OpenVAS scanner. The CVE scanner does not support any options.

  • Scan Config

    The GSM comes by default with seven pre-configured scan configurations for the OpenVAS scanner.

    • Discovery
      Only NVTs are used that provide as much information as possible about the target system. No vulnerabilities are detected.
    • Host Discovery
      Only NVTs are used that discover target systems. This scan only reports the list of systems discovered.
    • System Discovery
      Only NVTs are used that discover target systems including installed operating systems and hardware in use.
    • Full and Fast
      This is the default and for many environments the best option to start with. This configuration is based on the information gathered in the prior port scan and uses almost all NVTs. Only NVTs are used that will not damage the target system. Plug-ins are optimized in the best possible way to keep the potential false negative rate especially low. The other configurations provide more value only in rare cases, and at much greater effort.
    • Full and fast ultimate
      This configuration expands the first configuration with NVTs that could disrupt services or systems or even cause shutdowns.
    • Full and very deep
      This configuration differs from the Full and Fast configuration in the results of the port scan and application or service detection not having an impact on the selection of the NVTs. Therefore, NVTs will be used that will have to wait for a timeout or which are testing for vulnerabilities of an application or service which was not detected previously. This scan is very slow.
    • Full and very deep ultimate
      This configuration adds the dangerous NVTs that could cause possible service or system disruptions to the Full and very deep configuration.
  • Network Source Interface

    Here the source interface of the GSM for the scan can be chosen.

  • Order for target hosts

    Select how the specified network area should be searched. Options available are:

    • Sequential
    • Random
    • Reverse

    This is interesting if for example a network, e.g. 192.168.0.0/24, is scanned that has lots of systems at the beginning or end of the IP address range. With the selection of the Random mode the progress view is more meaningful.

  • Maximum concurrently executed NVTs per host/Maximum concurrently scanned hosts
    Select the speed of the scan on one host. The default values are chosen sensibly. If more NVTs run simultaneously on a system or more systems are scanned at the same time, the scan may have a negative impact on either the performance of the scanned systems, the network or the GSM appliance itself. These values maxhosts and maxchecks may be tweaked.

All created tasks can be displayed by selecting Scans > Tasks in the menu bar (see figure Page Tasks displaying all tasks).

_images/task-list.png

Page Tasks displaying all tasks

In the column Name the following icons may be displayed:

  • alterable_task The task is marked as alterable. Some properties that would otherwise be locked once reports exist can be edited.
  • sensor The task is configured to run on a remote scanner (see Chapter Master-Sensor Setup)
  • provide_view The task is visible to one or more other user(s).
  • view_other The task is owned by another user.

Click on the name of a task to display the details of the task.

9.1.1.4.3. Granting Permissions for a Task

On the details page of a task permissions for the task can be managed as follows:

Note

By default, normal users cannot create permissions for other users as they do not have read permission to the user database. To do this a user must specifically have the get_users permission. It makes most sense to create an additional role (see Chapter Granting Read Access to Other Users).

  1. Open the details page of the task.
  2. In the section Permissions click new.
  3. Select the permission type in the drop-down-list Grant.
  4. Select User, Group or Role and enter the respective name (see figure Creating a new permission).
    _images/create-observer-task.png

    Creating a new permission

  5. Click Create.

    → The permission is displayed on the details page of the task (see figure Permission displayed on the details page of a task).

    _images/create-observer-task2.png

    Permission displayed on the details page of a task

After logging in the user can see the tasks and can access the respective reports.

9.1.1.4.4. Starting a Task

All created tasks can be displayed by selecting Scans > Tasks in the menu bar.

The bar in the column Status shows information about the status of a scan. The following colours and states are possible:

  • status-new The task has not been run since it was created.
  • status-run The task is currently running and 42% completed. The information is based on the number of NVTs executed on the selected hosts. For this reason the information does not necessarily correlate with the time spent.
  • status-requested The task was just started. The GSM is preparing the scan.
  • status-delete The task was deleted. The actual deletion process can take some time as reports need to be deleted as well.
  • status-stopr The task was stopped recently. However, the scan engine has not yet reacted to the stop request.
  • status-stop The last scan was stopped by the user at 15%. The latest report is possibly not yet complete. Other reasons for this status could be the reboot of the GSM or a power outage. After restarting the scanner, the task will be resumed automatically.
  • status-error An error has occurred. The latest report is possibly not yet complete or is missing completely.
  • status-done The task has been completed successfully.
  • status-container The task is a container task.

For all tasks the following actions are available:

  • start Start the task. Only currently not running tasks can be started.
  • stop Stop the currently running task. All discovered results will be written to the database.
  • resume Resume the stopped task.
  • trashcan Delete the task.
  • edit Edit the task.
  • clone Clone the task.
  • download Download the task as an XML object.

9.1.2. Running an Authenticated Scan Using Local Security Checks

An authenticated scan can provide more vulnerability details on the scanned system. During an authenticated scan the target is both scanned from the outside using the network and from the inside using a valid user login.

During an authenticated scan the GSM logs into the target system in order to run local security checks (LSC). The scan requires the prior setup of user credentials. These credentials are used to authenticate to different services on the target system. In some circumstances the results could be limited by the permissions of the users used.

The NVTs in the corresponding NVT families (local security checks) will only be executed if the GSM was able to log into the target system. The local security check NVTs in the resulting scan are minimally invasive.

The GSM only determines the risk level but does not introduce any changes on the target system. However, the login by the GSM will most likely appear in the logs of the target system.

The GSM can use different credentials based on the nature of the target. The most important ones are:

  • SMB
    On Microsoft Windows systems the GSM can check the patch level and locally installed software such as Adobe Acrobat Reader or the Java suite.
  • SSH
    This access is used to check the patch level on UNIX and Linux systems.
  • ESXi
    This access is used for testing of VMWare ESXi servers locally.
  • SNMP
    Network components like routers and switches can be tested via SNMP.

9.1.2.1. Advantages and Disadvantages of Authenticated Scans

The extent and success of the testing routines for authenticated scans depend heavily on the permissions of the used account.

On Linux systems an unprivileged user is sufficient and can access most interesting information, while especially on Microsoft Windows systems unprivileged users are very restricted and administrative users provide more results. An unprivileged user has no access to the Microsoft Windows registry or to the Microsoft Windows system folder \windows, which contain the information on updates, patch levels etc.

Local security checks are the most gentle method to scan for vulnerability details. While remote security checks try to be least invasive as well, they might have some impact.

Simply stated an authenticated scan is similar to a Whitebox approach. The GSM has access to prior information and can access the target from within. Especially the registry, software versions and patch levels are accessible.

A remote scan is similar to a Blackbox approach. Here the GSM uses the same techniques and protocols as a potential attacker to access the target from the outside. The only information available was collected by the GSM itself. During the test the GSM may provoke malfunctions to extract any available information on the used software, e.g. the scanner may send a malformed request to a service to trigger a response containing further information on the deployed product.

During a remote scan using the scan configuration Full and Fast all remote checks are safe. The used NVTs may have some invasive components but none of the used NVTs try to trigger a defect or malfunction in the target (see example below). This is ensured by the scan preference safe_checks=yes in the scan configuration (see Chapter Managing Scan Configurations). All NVTs with very invasive components or which may trigger a denial of service (DoS) are automatically excluded from the test.

9.1.2.1.1. Example of an Invasive NVT

An example for an invasive but safe NVT is the Heartbleed NVT. This is executed even with safe_checks enabled because the NVT does not have any negative impact on the target. The NVT is still invasive because it does test the memory leakage of the target. If the target is vulnerable, actual memory of the target is leaked. The GSM does not evaluate the leaked information. The information is immediately discarded.

9.1.2.2. Using Credentials

Credentials for local security checks are required to allow NVTs to log into target systems, e.g. for the purpose of locally checking the presence of all vendor security patches.

9.1.2.2.1. Creating New Credentials

A new credential can be created as follows:

  1. Select Configuration > Credentials in the menu bar.

  2. Create a new credential by clicking new.

  3. Define the credential (see figure Creating a new credential).

  4. Click Create.

    _images/credentials.png

    Creating a new credential

The following details of the credential can be defined:

Note

If the details contain German umlauts, the login does not work. The umlauts have to be replaced as follows:

  • “ß” → “ss”
  • “ä” → “a”
  • “ö” → “o”
  • “ü” → “u”

Name
Definition of the name. The name can be chosen freely.
Comment
An optional comment can contain additional information.
Type

Definition of the credential type. The following types can be chosen:

  • Username + Password
  • Username + SSH Key
  • Client Certificate
  • SNMP
  • Password only

Allow insecure use
Select whether the GSM can use the credential for unencrypted or otherwise insecure authentication methods.
Autogenerate Credentials

Select whether the GSM creates a random password.

Note

If the radio button Yes is selected, it is not possible to define a password in the input box Password.

Username
Definition of the login name used by the GSM to authenticate on the scanned target system.
Password
Definition of the password used by the GSM to authenticate on the scanned target system.

Depending on the type further options might be shown:

SSH
  • Passphrase
    Definition of the passphrase of the private SSH key.
  • Private Key
    Upload of the private SSH key.
Client Certificate
  • Certificate
    Upload of the certificate file.
  • Private Key
    Upload of the corresponding private key.
SNMP
  • SNMP Community
    Definition of the community for SNMPv1 or SNMPv2c.
  • Username
    Definition of the user name for SNMPv3.
  • Password
    Definition of the password for SNMPv3.
  • Privacy password
    Definition of the password for the encryption for SNMPv3.
  • Auth algorithm
    Selection of the authentication algorithm (MD5 or SHA1).
  • Privacy algorithm
    Selection of the encryption algorithm (AES128, DES or none).

Note

The credential has to be linked to at least one target. This allows the scan engine to apply the credential.

All existing credentials can be displayed by selecting Configuration > Credentials in the menu bar.

For all credentials the following actions are available:

  • trashcan Delete the credential. Only credentials which are currently not used can be deleted.
  • edit Edit the credential.
  • clone Clone the credential.
  • download Download the credential as an XML file.

Depending on the chosen credential type (see above) more actions may be available:

  • exe Download an EXE package for Microsoft Windows. This action is available if Username + Password was chosen.
  • rpm Download an RPM package for Red Hat Enterprise Linux and its derivatives. This action is available if Username + SSH Key was chosen.
  • deb Download a Debian package for Debian GNU/Linux and its derivatives. This action is available if Username + SSH Key was chosen.
  • key Download a public key. This action is available if Username + SSH Key or Client Certificate was chosen.

These installation packages simplify the installation and creation of accounts for authenticated scans. They create the user and the most important permissions for the authenticated scan and reset them during uninstalling.

Note

If the auto-generation of passwords is enabled (see above), the packages have to be used, otherwise the usage is optional.

9.1.2.3. Requirements on Target Systems with Microsoft Windows

9.1.2.3.1. General Notes on the Configuration

  • The remote registry service must be started in order to access the registry.

    This is achieved by configuring the service to automatically start up. If an automatic start is not preferred, a manual startup can be configured. In that case the service is started while the system is scanned by the GSM and afterwards it is disabled again. To ensure this behaviour the following item about LocalAccountTokenFilterPolicy must be considered.

  • It is necessary that for all scanned systems the file and printer sharing is activated. When using Microsoft Windows XP, take care to disable the setting “Use Simple File Sharing”.

  • For individual systems not attached to a domain the following registry key must be set:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
    DWORD: LocalAccountTokenFilterPolicy = 1
    
  • On systems attached to a domain controller the user account in use must be a member of the group Domain Administrators to achieve the best possible results. Due to the permission concept it is not possible to discover all vulnerabilities using the Local Administrator or the administrators assigned by the domain. Alternatively follow the instructions below under Configuring a Domain Account for Authenticated Scans.

  • Should a Local Administrator be selected – which is explicitly not recommended – it is mandatory to set the following registry key as well:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
    DWORD: LocalAccountTokenFilterPolicy = 1
    
  • Generated install package for credentials: The installer sets the Remote Registry service to auto start. If the installer is executed on a Domain Controller, the user account will be assigned to the Group BUILTIN/Administrators (SID S-1-5-32-544).

  • An exception rule for the GSM on the Microsoft Windows firewall must be created. Additionally, on XP systems the File and Printer Sharing must be set to enabled.

  • Generated install package for credentials: During the installation the installer offers a dialog to enter the IP address of the GSM. If the entry is confirmed, the firewall rule is configured. The File and Printer Sharing service will be enabled in the firewall rules.

9.1.2.3.2. Configuring a Domain Account for Authenticated Scans

In order to use a domain account for host based remote audits, the Microsoft Windows target must run Windows XP Professional, Windows Vista, Windows 2003, Windows 2008, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows 8.1 or Windows 10 and must be part of a domain.

Taking security into consideration, the setup for such a scan can be performed as described in the following.

Creating a Security Group

  1. Log into a domain controller and open Active Directory Users and Computers.
  2. Select Action > New > Group in the menu bar.
  3. Enter Greenbone Local Scan in the input box Name.
  4. Select Global for Group Scope and Security for Group Type.
  5. Add the account that is used for the local authenticated scans under Microsoft Windows by the Greenbone Appliance to the group.
  6. Click OK.

Creating a Group Policy

  1. In the left panel open the Group Policy Management console.

  2. Right click Group Policy Objects and select New.

  3. Enter Greenbone Local SecRights in the input box Name (see figure Creating a new Windows group policy object for Greenbone scans).

    _images/win_group_policy.png

    Creating a new Windows group policy object for Greenbone scans

  4. Click OK.

Configuring the Policy

  1. Click the policy Greenbone Local SecRights and select Edit.

  2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings.

  3. Click Restricted Groups and select Add Group.

  4. Click Browse... and enter Greenbone Local Scan in the input box (see figure Checking Windows group names).

  5. Click Check Names.

    _images/win_group_policy_check.png

    Checking Windows group names

  6. Click OK twice to close the open windows.

  7. At This group is member of click Add.

  8. Enter Administrators in the input box Group (see figure Adding a group membership) and click OK twice to close the open windows.

    Note

    On non-English systems enter the localized name of the local Administrators group instead.

    _images/win_group_policy_member2.png

    Adding a group membership

Configuring the Policy to Deny the Group “Greenbone Local Scan” Logging into the System Locally

  1. Click the policy Greenbone Local SecRights and select Edit.

  2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. In the right panel double click Deny log on locally.

  4. Activate the checkbox Define these policy settings and click Add User or Group.

  5. Click Browse... and enter Greenbone Local Scan in the input box (see figure Editing the policy).

  6. Click Check Names.

    _images/win_group_policy_deny.png

    Editing the policy

  7. Click OK three times to close the open windows.

Configuring the Policy to Deny the Group “Greenbone Local Scan” Logging into the System Remotely

  1. Click the policy Greenbone Local SecRights and select Edit.

  2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. In the right panel double click Deny log on through Remote Desktop Services.

  4. Activate the checkbox Define these policy settings and click Add User or Group.

  5. Click Browse... and enter Greenbone Local Scan in the input box (see figure Editing the policy).

  6. Click Check Names.

    _images/win_group_policy_deny2.png

    Editing the policy

  7. Click OK three times to close the open windows.

Configuring the Policy to Give Read Permissions Only to the Local Drive for the Group “Greenbone Local Scan”

Important

This setting still exists after the GPO has been removed (“tattooing GPO”).

This changes fundamental privileges which may not be simply reversed by removing the GPO.

Research whether the settings are compatible with the environment.

Note

The following steps are optional.

  1. Click on the policy Greenbone Local SecRights and select Edit.

  2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings.

  3. In the right panel click File System and select Add File....

  4. Enter %SystemDrive% in the input box Folder and click OK (see figure Specifying the %SystemDrive% folder).

    _images/win_group_policy_read.png

    Specifying the %SystemDrive% folder

  5. At Group or user names click Add and enter Greenbone Local Scan in the input box and click OK (see figure Selecting the Greenbone local scan group).

    _images/win_group_policy_read2.png

    Selecting the Greenbone local scan group

  6. In the section Group or user names select Greenbone Local Scan.

  7. Deactivate all checkboxes for Allow and activate the checkbox Write for Deny (see figure Denying write access to the group).

    _images/win_group_policy_read3.png

    Denying write access to the group

  8. Click OK and confirm the warning message by clicking Yes.

  9. Select the radiobuttons Configure this file or folder then and Propagate inheritable permissions to all subfolders and files and click OK (see figure Making the permissions recursive).

    _images/win_group_policy_read4.png

    Making the permissions recursive

Configuring the Policy to Give Read Permissions Only to the Registry for the Group “Greenbone Local Scan”

Important

This setting still exists after the GPO has been removed (“tattooing GPO”).

This changes fundamental privileges which may not be simply reversed by removing the GPO.

Research whether the settings are compatible with the environment.

Note

The following steps are optional.

  1. In the left panel right click Registry and select Add Key.

  2. Select USERS and click OK (see figure Selecting the registry key).

    _images/win_group_policy_reg.png

    Selecting the registry key

  3. Click Advanced and Add.

  4. Enter Greenbone Local Scan in the input box and click OK (see figure Selecting the Greenbone Local Scan group).

    _images/win_group_policy_reg2.png

    Selecting the Greenbone Local Scan group

  5. Select This object and child objects in the drop-down-list Apply to.

  6. Deactivate all checkboxes for Allow and activate the checkboxes Set Value, Create Subkey, Create Link, Delete, Change Permissions and Take Ownership for Deny (see figure Disallowing editing of the registry).

    _images/win_group_policy_reg3.png

    Disallowing editing of the registry

  7. Click OK twice and confirm the warning message by clicking Yes.

  8. Click OK.

  9. Select the radiobuttons Configure this key then and Propagate inheritable permissions to all subkeys and click OK (see figure Making the permissions recursive).

    _images/win_group_policy_reg4.png

    Making the permissions recursive

  10. Repeat steps 1 to 9 for MACHINE and for CLASSES_ROOT, selecting the respective key instead of USERS in step 2.

Allowing WMI access on Microsoft Windows Vista, 7, 8, 10, 2008, 2008R2, 2012 and 2016 Windows Firewall

Note

The following steps are optional.

  1. Click on the policy Greenbone Local SecRights and select Edit.

  2. In the left panel open Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules.

  3. Right click in the working area and select New Rule....

  4. Select the radiobutton Predefined and select Windows Management Instrumentation (WMI) in the drop-down-list (see figure Configuring the firewall via GPO).

    _images/win_group_policy_fw.png

    Configuring the firewall via GPO

  5. Click Next.

  6. Activate the checkboxes Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (WMI-In) and Windows Management Instrumentation (DCOM-In) (see figure Configuring the firewall via GPO).

    _images/win_group_policy_fw1.png

    Configuring the firewall via GPO

  7. Click Next and click Finish.

Linking the Group Policy Object

  1. In the left panel right click the domain or the organizational unit containing the computers to be scanned and select Link an Existing GPO....

  2. Select Greenbone Local SecRights in the section Group Policy objects and click OK (see figure Linking the policy).

    _images/win_group_policy_link.png

    Linking the policy

9.1.2.3.2.1. Restrictions

Because write permissions to the registry and the system drive have been denied, the following two tests no longer work:

  • Leave information on scanned Windows hosts OID 1.3.6.1.4.1.25623.1.0.96171

    This test, if desired, records the start and end of a scan under HKLM\Software\VulScanInfo. Since write access to HKLM is denied, this is no longer possible. If this test is required, the GPO must be adjusted accordingly.

  • Windows file Checksums OID 1.3.6.1.4.1.25623.1.0.96180

    This test, if desired, saves the tool ReHash under C:\Windows\system32 (for 32-bit systems) or C:\Windows\SysWOW64 (for 64-bit systems). Since write access to the system drive is denied, this is no longer possible. If this test is required, the tool must be deployed separately or the GPO must be adjusted accordingly.

    More information can be found in Chapter Checking File Checksums.

9.1.2.3.3. Scanning Without Domain Administrator and Local Administrator Permissions

It is possible to build a GPO in which the scan user has no local administrator permissions at all. However, the effort of granting read permissions to every registry branch and folder the checks need is huge, because inheritance of permissions is disabled for many folders and branches. Additionally, these changes can be set by a GPO but are not reverted by removing the GPO (tattooing), and existing specific permissions could be overwritten, causing further problems.

Building a GPO in which the user has no local administrator permissions therefore does not make sense from a technical and administrative point of view.
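As an added check that is not part of the Greenbone documentation or of the GSM, the following script verifies from a Linux host that a Windows target prepared as described above, either with a local administrator account plus the LocalAccountTokenFilterPolicy key or with a domain account in the group Greenbone Local Scan, actually grants the scan account administrative access over the network. It uses the Samba client tools rpcclient, net and smbclient. The target address, the account name EXAMPLE\gsm-scan and the environment variable SCAN_PASS are assumptions, not values from the text.

```shell
#!/bin/sh
# Added example, not part of the Greenbone documentation: pre-scan check of a
# Windows target from a Linux host with the Samba client tools.
# Assumptions: TARGET is the address of the Windows host, SCAN_USER is the
# scan account ("DOMAIN\user" for a domain account, a bare name for a local
# account) and SCAN_PASS holds its password.
set -eu

TARGET="${TARGET:-192.168.222.10}"
SCAN_USER="${SCAN_USER:-EXAMPLE\\gsm-scan}"
SCAN_PASS="${SCAN_PASS:-}"

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# 1. Credentials are valid: an authenticated MS-RPC call must succeed.
check_auth() {
    run rpcclient -U "$SCAN_USER%$SCAN_PASS" "$1" -c lsaquery
}

# 2. The Remote Registry service is running (the installer sets it to auto
#    start); the local security checks read the registry through it.
check_remote_registry() {
    run net rpc service status RemoteRegistry -S "$1" -U "$SCAN_USER%$SCAN_PASS"
}

# 3. The account receives a full administrative token over the network:
#    only then can the administrative share ADMIN$ be listed.
check_admin_token() {
    run smbclient "//$1/ADMIN\$" -U "$SCAN_USER%$SCAN_PASS" -c ls
}

# Run the checks in order and point at the most likely cause of a failure.
readiness_check() {
    host=$1
    check_auth "$host" >/dev/null || {
        echo "$host: authentication failed (wrong credentials, or 445/tcp unreachable)" >&2; return 1; }
    check_remote_registry "$host" >/dev/null || {
        echo "$host: Remote Registry service not running or not queryable" >&2; return 1; }
    check_admin_token "$host" >/dev/null || {
        echo "$host: ADMIN\$ denied. Domain account: group 'Greenbone Local Scan' is not yet in the local Administrators group (GPO not applied?). Local account: LocalAccountTokenFilterPolicy=1 is missing." >&2; return 1; }
    echo "$host: ready for authenticated scanning with $SCAN_USER"
}

# Entry point, e.g.:  SCAN_PASS=... ./win-ready.sh 192.168.222.10
if [ "${1:-}" != "" ]; then
    readiness_check "$1"
fi
```

Listing ADMIN$ is the decisive check: it fails with NT_STATUS_ACCESS_DENIED when the group has not yet reached the local Administrators group (the GPO is not applied) or, for a local account, when the UAC remote restrictions still filter the token because LocalAccountTokenFilterPolicy is not set. The deny logon rights configured above do not affect this network logon, only interactive and remote desktop logon. Passing the password on the command line exposes it to other users of the Linux host via the process list; for anything beyond a one-off check, an authentication file (option -A of the Samba tools) avoids that.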

9.1.2.4. Requirements on Target Systems with Linux/UNIX

  • For authenticated scans on Linux or UNIX systems regular user access is usually enough. The login is performed via SSH. The authentication is done either with a password or with an SSH key stored on the GSM.
  • Generated installation package for credentials: The install package for Debian or Red Hat based Linux is a DEB or an RPM file creating a new user without any specific permissions. An SSH key created on the GSM is stored in the user’s home folder. For users of other Linux distributions or UNIX derivatives the key is offered for download. Creating the user and saving the key with the proper file permissions (the .ssh folder accessible only by the user, authorized_keys not writable by anybody else, otherwise sshd rejects the key when StrictModes is active) is then the responsibility of the administrator.
  • In both cases it needs to be made sure that public key authentication is not prohibited by the SSH daemon. The line PubkeyAuthentication no must not be present in sshd_config, neither globally nor in a Match block that applies to the scan user. The effective settings can be displayed with sshd -T.
  • Existing SSH keys may also be used. SSH keys can be generated with OpenSSH by using the command ssh-keygen on Linux or puttygen.exe when using PuTTY on Microsoft Windows. The key types Ed25519 or RSA are recommended. All SSH keys must correspond to RFC 4716.
  • For scans that include policy testing, root permission or the membership in specific groups (often wheel) may be necessary. For security reasons many configuration files are only readable by the super user or members of specific groups.
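As an added example that is not part of the documentation or of the GSM install packages, the following script does by hand what the DEB/RPM package does, for a distribution without a package: it creates an unprivileged scan user, installs the public key downloaded from the GSM with the permissions sshd expects, and checks sshd_config for an active PubkeyAuthentication no that would apply to the scan user. The user name gsm-scan, the key file name gsm-scan.pub and the path /etc/ssh/sshd_config are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Greenbone documentation or install packages.
# Creates an unprivileged scan user, installs the public key downloaded from
# the GSM with the permissions sshd's StrictModes requires, and checks that
# no active "PubkeyAuthentication no" applies to that user.
# Assumptions: user name gsm-scan, key in ./gsm-scan.pub, sshd_config path.
set -eu

SCAN_USER="${SCAN_USER:-gsm-scan}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Return 0 if the public key line is of a type the text recommends
# (Ed25519 or RSA), 1 for anything else.
recommended_key_type() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the sshd_config ($1) allows public key authentication for
# the user ($2), 1 if an active "PubkeyAuthentication no" applies to it.
# A setting inside a Match block counts only if the block matches the user:
# a "Match User" naming the user, or a block without a User criterion
# (treated as matching, to stay on the safe side).
pubkey_auth_allowed() {
    awk -v user="$2" '
        BEGIN { applies = 1 }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        $0 == "" { next }
        tolower($1) == "match" {
            applies = 1
            for (i = 2; i < NF; i += 2)
                if (tolower($i) == "user") {
                    applies = 0
                    n = split($(i + 1), names, ",")
                    for (j = 1; j <= n; j++) if (names[j] == user) applies = 1
                }
            next
        }
        tolower($1) == "pubkeyauthentication" && applies && tolower($2) == "no" { denied = 1 }
        END { exit (denied ? 1 : 0) }
    ' "$1"
}

# Create the user if missing and install the key: ~/.ssh mode 700,
# authorized_keys mode 600, both owned by the user (overwrites, not appends).
install_scan_key() {
    pubkey_file=$1
    if ! recommended_key_type "$(head -n 1 "$pubkey_file")"; then
        echo "warning: key type is neither Ed25519 nor RSA" >&2
    fi
    id "$SCAN_USER" >/dev/null 2>&1 || useradd --create-home --shell /bin/sh "$SCAN_USER"
    home=$(getent passwd "$SCAN_USER" | cut -d: -f6)
    gid=$(id -g "$SCAN_USER")
    install -d -m 700 -o "$SCAN_USER" -g "$gid" "$home/.ssh"
    install -m 600 -o "$SCAN_USER" -g "$gid" "$pubkey_file" "$home/.ssh/authorized_keys"
}

main() {
    install_scan_key "${1:-./gsm-scan.pub}"
    if pubkey_auth_allowed "$SSHD_CONFIG" "$SCAN_USER"; then
        echo "$SSHD_CONFIG allows public key authentication for $SCAN_USER"
    else
        echo "$SSHD_CONFIG contains an active 'PubkeyAuthentication no' for $SCAN_USER; remove it" >&2
        exit 1
    fi
}

# Runs only when called with the key file as argument (as root), e.g.
#   ./prepare-scan-user.sh ./gsm-scan.pub
if [ "${1:-}" != "" ]; then
    main "$1"
fi
```

The check of sshd_config is deliberately conservative: a Match block that selects by address or group rather than by user is treated as applying to the scan user, so a denial inside it is reported even if it might not match the GSM. When in doubt, sshd -T run as root prints the effective value for a given connection.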

9.1.2.5. Requirements on Target Systems with ESXi

By default, local ESXi users are limited to read-only roles. Either an administrative account or a read-only role with permission to global settings has to be used. This can be set up as follows:

  1. Start the vSphere Client.

  2. Select Administration > Roles in the menu bar (see figure vSphere Client offering access to the roles).

    _images/vsphere1.png

    vSphere Client offering access to the roles

    → The roles are displayed.

  3. Right click ReadOnly and select Clone (see figure Displaying the roles).

    _images/vsphere2.png

    Displaying the roles

    → The cloned role is displayed as well.

  4. Right click the cloned role and select Rename.

  5. Enter the new name of the cloned role in the input box and click OK.

  6. Right click the cloned role and select Edit Role....

  7. Unfold Global and activate the checkbox Settings (see figure Editing the role).

    _images/vsphere6.png

    Editing the role

  8. Click OK.

  9. Select Inventory > Inventory in the menu bar.

  10. Open the tab Permissions.

  11. Right click in the empty space and select Add Permission... (see figure Adding a permission to the scan user).

    _images/vsphere8.png

    Adding a permission to the scan user

  12. Select the scan user account used by the GSM in the left section (see figure Assigning the role to the scan user).

  13. Select the created role in the drop-down-list in the right section (see figure Assigning the role to the scan user).

  14. Click OK.

    _images/vsphere9.png

    Assigning the role to the scan user

9.1.2.6. Requirements on Target Systems with Cisco OS

The GSM can check network components like routers and switches for vulnerabilities as well. While the usual network services are discovered and checked via the network some vulnerabilities can only be discovered by an authenticated scan. For the authenticated scan the GSM can use either SNMP or SSH.

9.1.2.6.1. SNMP

The GSM can use the SNMP protocol to access the Cisco network component. The GSM supports SNMPv1, v2c and v3. SNMP uses port 161/udp. The default port list does not include any UDP ports. Therefore, port 161/udp is not scanned by a Full and fast scan with the default port list and no SNMP check is run. To scan network components the port list should be modified to include at least the following ports:

  • 22/tcp SSH
  • 80/tcp 8080/tcp HTTP
  • 443/tcp 8443/tcp HTTPS
  • 2000/tcp SCCP
  • 2443/tcp SCCPS
  • 5060/tcp 5060/udp SIP
  • 5061/tcp 5061/udp SIPS
  • 67/udp DHCP Server
  • 69/udp TFTP
  • 123/udp NTP
  • 161/udp SNMP
  • 162/udp SNMP Traps
  • 500/udp IKE
  • 514/udp Syslog
  • 546/udp DHCPv6
  • 6161/udp 6162/udp Unified CM

The administrator can set up special port lists used only for such network components.

The GSM needs to access only very few objects from the SNMP tree. For a less privileged access an SNMP view should be used to constrain the visibility of the SNMP tree for the GSM. The following two examples explain how to set up the view using either a community string or an SNMPv3 user.

To use an SNMP community string the following commands are required on the target:

# configure terminal

Using an access list the usage of the community can be restricted. The IP address of the GSM is 192.168.222.74 in this example:

(config) # access-list 99 permit 192.168.222.74

The view gsm should only allow accessing the system description:

(config) # snmp-server view gsm system included
(config) # snmp-server view gsm system.9 excluded

The last command links the community gsm-community with the view gsm and the access-list 99:

(config) # snmp-server community gsm-community view gsm RO 99

When using an SNMPv3 user including encryption the following configuration lines are required on the target:

# configure terminal
(config) # access-list 99 permit 192.168.222.74
(config) # snmp-server view gsm system included
(config) # snmp-server view gsm system.9 excluded

SNMPv3 requires the setup of a group first. Here the group gsmgroup is linked to the view gsm and the access-list 99:

(config) # snmp-server group gsmgroup v3 priv read gsm access 99

Now the user can be created supplying the password gsm-password and the encryption key gsm-encrypt. The user must be assigned to the group created above (gsmgroup). The authentication is done using MD5 while the encryption is handled by AES128; where the IOS release supports it, auth sha should be preferred over auth md5:

(config) # snmp-server user gsm-user gsmgroup v3 auth md5 gsm-password priv aes 128 gsm-encrypt

To configure either the community or the SNMPv3 user in the GSM the administrator selects Configuration > Credentials in the menu bar (see Chapter Using Credentials).

9.1.2.6.2. SSH

The authenticated scan can be performed via SSH as well. When using SSH, the usage of a special unprivileged user is recommended. The GSM currently requires only the command show version to retrieve the current version of the firmware of the device.

To set up a less privileged user which is only able to run this command, several approaches are possible. The following example uses the role based access control feature.

Tip

Before using the following example, make sure all side effects of the configuration are understood. If used without verification the system may restrict further logins via SSH or console.

To use role based access control, AAA has to be enabled and the root view has to be entered. Entering the root view prompts for the enable secret, so an enable secret must already be configured:

> enable
# configure terminal
(config)# aaa new-model
(config)# exit
# enable view
# configure terminal

The following commands create a restricted view containing just the command show version. The supplied secret view-pw is only needed to switch into the view interactively with enable view gsm-view; the scan user is bound to the view at login and never uses it:

(config)# parser view gsm-view
(config-view)# secret 0 view-pw
(config-view)# commands exec include show version
(config-view)# exit

Now the user gsm-user with the password gsm-pw is created and bound to the view gsm-view. The two aaa authorization lines make the local user database authoritative for EXEC sessions, which is what applies the view at login. The keyword password 0 stores the password in clear text in the configuration; IOS releases that accept the keyword secret in its place should use it so that only a hash is stored:

(config)# username gsm-user view gsm-view password 0 gsm-pw
(config)# aaa authorization console
(config)# aaa authorization exec default local

If SSH is not enabled yet the following commands take care of that. Use the appropriate host name and domain:

(config)# hostname switch
(config)# ip domain-name greenbone.net
(config)# crypto key generate rsa general-keys modulus 2048

Finally, enable SSH logins using the following commands (end returns to privileged EXEC mode, the same as pressing Ctrl-Z):

(config)# line vty 0 4
(config-line)# transport input ssh
(config-line)# end

The credentials of the user need to be entered on the GSM. Select Configuration > Credentials in the menu bar and create the appropriate user (see Chapter Using Credentials).

Link the credentials to the target to be used as SSH credentials.
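As an added check that is not part of the Greenbone documentation, the following script verifies from a Linux host with the Net-SNMP command line tools and an OpenSSH client that the SNMP view and the restricted SSH view configured in the two sections above really limit what the GSM can read, and it emits the port list for network components in the syntax of GSM port lists. The device address is an assumption; the community string, user names and secrets are the placeholders used in the text.

```shell
#!/bin/sh
# Added example, not part of the Greenbone documentation: verify from a Linux
# host (Net-SNMP tools and OpenSSH client installed) that the SNMP view "gsm"
# and the CLI view "gsm-view" configured on the device limit access.
# Assumption: DEVICE is the management address of the Cisco device; community,
# user names and secrets are the placeholders used in the text.
set -eu

DEVICE="${DEVICE:-192.168.222.1}"
SYS_DESCR=1.3.6.1.2.1.1.1.0      # sysDescr.0, inside the "system" subtree
IF_DESCR=1.3.6.1.2.1.2.2.1.2     # ifDescr, outside the view "gsm"
SNMPV3="-v3 -l authPriv -u gsm-user -a MD5 -A gsm-password -x AES -X gsm-encrypt"

# With DRY_RUN=1 the commands are printed instead of executed.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Port list for network components in the syntax of GSM port lists
# (T: TCP ports, U: UDP ports), built from the list given in the text.
gsm_port_list() {
    printf 'T:22,80,443,2000,2443,5060,5061,8080,8443,U:67,69,123,161,162,500,514,546,5060,5061,6161,6162\n'
}

# Return 0 if an snmpget/snmpwalk response shows that the agent refused the
# object, i.e. the OID lies outside the view; 1 if data came back.
outside_view() {
    case "$1" in
        *"No Such Object"*|*"No Such Instance"*|*"No more variables"*|*noSuchName*|*authorizationError*) return 0 ;;
        *) return 1 ;;
    esac
}

# Must succeed: sysDescr is inside the view (community string and SNMPv3).
snmp_inside() {
    run snmpget -v2c -c gsm-community "$DEVICE" "$SYS_DESCR"
    run snmpget $SNMPV3 "$DEVICE" "$SYS_DESCR"
}

# Must NOT return interface names: ifDescr is outside the view.
snmp_outside() {
    out=$(run snmpwalk $SNMPV3 "$DEVICE" "$IF_DESCR" 2>&1 || true)
    if outside_view "$out"; then
        echo "view ok: $IF_DESCR is not readable"
    else
        echo "view too wide, the device answered: $out" >&2
        return 1
    fi
}

# The restricted user may run "show version" and nothing else. IOS executes a
# command passed on the ssh command line; the password is asked interactively.
ssh_restricted() {
    run ssh gsm-user@"$DEVICE" show version
    out=$(run ssh gsm-user@"$DEVICE" show running-config 2>&1 || true)
    case "$out" in
        *"Current configuration"*|*"Building configuration"*)
            echo "gsm-user can read the configuration: view gsm-view is not applied" >&2
            return 1 ;;
    esac
    echo "ssh ok: gsm-user is confined to its view"
}

# e.g.  DEVICE=192.168.222.1 ./cisco-check.sh check
if [ "${1:-}" = check ]; then
    snmp_inside && snmp_outside && ssh_restricted
fi
```

Run it from the address permitted in access-list 99, otherwise every SNMP request times out regardless of the view. The output of gsm_port_list can be pasted into a new port list under Configuration > Port Lists and assigned to the targets that represent network components.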

9.1.3. Running a Prognosis Scan

Not every vulnerability justifies a new scan of the network or of individual systems. If the GSM has already obtained information about vulnerabilities by former scans, it can make a prognosis of which security risks could exist.

Using the CVE scanner allows forecasting possible security risks based on current information about known security risks from the SecInfo management (see Chapter SecInfo Management) without the need of a new scan. This is especially interesting for environments in which most vulnerabilities have been removed or remediated by using the GSM.

If security risks become known, an actual scan can be run to verify the prognosis.

Note

The asset database requires current data for the CVE scanner. A full scan, e.g. with the scan configuration “Full and fast”, has to be performed and the results have to be added to the assets.

A full scan of the systems should occur regularly in weekly or monthly intervals.

A prognosis scan can be run as follows:

  1. Run a full scan (see Chapter Configuring a Scan Manually).

    Note

    A full scan configuration has to be chosen, e.g. Full and fast.

    Additionally, the radiobutton Yes has to be selected for Add results to Assets.

  2. Select Scans > Tasks in the menu bar.

  3. Create a new task by clicking new and selecting New Task.

  4. Define the task (see Chapter Creating a Task).

  5. Select CVE in the drop-down-list Scanner.

  6. Click Create.

  7. Start the scan by clicking start of the respective task.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page is refreshing automatically if an auto-refresh is set (see Chapter Setting the Auto-Refresh).

  8. When the scan is completed select Scans > Reports in the menu bar.

  9. Click on the date of the report to show the results.

    → The report shows each found CVE as a vulnerability (see figure Results of a prognosis scan).

    _images/prognosis_scan.png

    Results of a prognosis scan

  10. Click on a CVE in the column Vulnerability.

    → Details of the CVE and the product to which the CVE is assigned are shown (see figure Details of a detected CVE).

    _images/prognosis_scan_2.png

    Details of a detected CVE

Note

The CVE scanner only matches the products (CPEs) recorded for a host in the asset database against the CVE database. It does not check whether the vulnerability actually exists and might therefore show false positives.

9.2. Creating a Container Task

A container task can be used to import and provide reports created on other GSMs.

A container task can be created as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Create a new container task by clicking new and selecting New Container Task.

  3. Define the container task (see figure Creating a container task).

    _images/container-task.png

    Creating a container task

  4. Click Create.

All existing container tasks can be displayed by selecting Scans > Tasks in the menu bar.

For all container tasks the following actions are available:

  • upload Import reports to the container task.
  • trashcan Delete the container task.
  • edit Edit the container task.
  • clone Clone the container task.
  • download Download the container task as an XML object.

Reports can be added to the container task as follows:

  1. Select Scans > Tasks in the menu bar.

  2. In the row of the container task click upload.

  3. Click Browse... and select the XML file of a report.

  4. Select the container task to which the report should be added in the drop-down-list Container Task.

    Tip

    A new container task can be created by clicking new next to the drop-down-list.

    _images/container-task_2.png

    Adding a report to a Container Task

  5. Select whether the report should be added to the assets (see Chapter Asset Management).

  6. Click Create.

9.3. Managing Scan Configurations

The GSM appliance comes with various predefined scan configurations. They can be customized and new scan configurations can be created.

The following configurations are already available:

Empty
This is an empty template.
Discovery
Only NVTs that provide information about the target system are used. No vulnerabilities are being detected.
Host Discovery
Only NVTs that discover target systems are used. This scan only reports the list of systems discovered.
System Discovery
Only NVTs that discover target systems including installed operating systems and hardware in use are used.
Full and fast

For many environments this is the best option to start with.

This scan configuration is based on the information gathered in the previous port scan and uses almost all plug-ins. Only plug-ins that will not damage the target system are used. Plug-ins are optimized in the best possible way to keep the potential false negative rate especially low. The other configurations only provide more value in rare cases but with much higher effort.

Full and fast ultimate
This scan configuration expands the scan configuration “Full and fast” with plug-ins that could disrupt services or systems or even cause shutdowns.
Full and very deep
This scan configuration is based on the scan configuration “Full and fast” but the results of the port scan or the application/service detection do not have an impact on the selection of the plug-ins. Therefore, plug-ins that wait for a timeout or test for vulnerabilities of an application/service which were not detected previously are used. A scan with this scan configuration is very slow.
Full and very deep ultimate
This scan configuration expands the scan configuration “Full and very deep” with dangerous plug-ins that could cause possible service or system disruptions. A scan with this scan configuration is very slow.

9.3.1. List Page of all Scan Configurations

The available scan configurations can be displayed by selecting Configuration > Scan Configs in the menu bar.

Note

By default, only the first 10 configurations are displayed.

_images/scan-configs.png

Page Scan Configs displaying all available scan configurations

The columns Families/Total and NVTs/Total show how many NVT families and NVTs are activated for a scan configuration (see figure Page Scan Configs displaying all available scan configurations).

Note

Greenbone Networks publishes new plug-ins (NVTs) regularly. New NVT families can be introduced through the Greenbone Security Feed as well.

Additionally, the trend of a scan configuration is displayed (see figure Page Scan Configs displaying all available scan configurations). The trend shows if a scan configuration was configured dynamically or statically.

  • trend_more dynamic

    This scan configuration is configured dynamically. It includes and activates new NVT families and new NVTs of the activated NVT families automatically after an NVT feed update. This ensures that new NVTs are available immediately and without any interaction by the administrator.

  • trend_nochange static

    This scan configuration is configured statically. It does not change after an NVT feed update.

The icon view_other in the column Name indicates that the scan configuration is available to other users and can be used by them.

For all scan configurations the following actions are available:

  • clone Clone the scan configuration.
  • download Download the scan configuration as an XML file.

Additionally, for self-created scan configurations the following actions are available:

  • trashcan Delete the scan configuration. Only scan configurations which are currently not used can be deleted.
  • edit Edit the scan configuration. Only scan configurations which are currently not used can be edited.

9.3.2. Details Page of a Scan Configuration

By clicking on the name of a scan configuration the details page of the scan configuration is opened.

In the section Network Vulnerability Test Families all NVT families with the number of activated NVTs and the trend are displayed. By clicking on the name of a NVT family the list page of the NVT family is opened.

In the section Scanner Preferences all scanner preferences with current and default values are displayed.

In the section Network Vulnerability Test Preferences all NVT preferences are displayed.

Additionally, the tasks using the scan configuration, tags and permissions are displayed.

For all scan configurations the following actions are available:

  • clone Clone the scan configuration.
  • download Download the scan configuration as an XML file.

Additionally, for self-created scan configurations the following actions are available:

  • trashcan Delete the scan configuration. Only scan configurations which are currently not used can be deleted.
  • edit Edit the scan configuration. Only scan configurations which are currently not used can be edited.

By clicking list the page Scan Configs is opened.

9.3.3. Creating a New Scan Configuration

Tip

Greenbone Networks offers different scan configurations on their website (see chapter Compliance and Special Scans).

A new scan configuration can be created as follows:

  1. Select Configuration > Scan Configs in the menu bar.

  2. Create a new scan configuration by clicking new.

    Note

    Alternatively, a scan configuration can be imported (see Chapter Importing a Scan Configuration).

  3. Define the name of the scan configuration (see figure Creating a new scan configuration).

  4. Select the radiobutton of the base that should be used (see figure Creating a new scan configuration).

    The available bases are “Empty, static and fast” and “Full and fast”.

    _images/new-scan-config.png

    Creating a new scan configuration

  5. Click Create.

    → The scan configuration can be edited (see figure Editing the new scan configuration).

    _images/edit-config.png

    Editing the new scan configuration

  6. Select the corresponding radiobutton if newly introduced NVT families should be included and activated automatically (see figure Selecting the trend of a family of NVTs).

    _images/family-trend.png

    Selecting the trend of a family of NVTs

  7. Select the corresponding radiobutton if all newly introduced NVTs of a family should be included and activated automatically (see figure Selecting the trend of an NVT).

    _images/nvt-trend.png

    Selecting the trend of an NVT

  8. Activate the checkboxes in the column Select all NVTs if all NVTs of a family should be activated.

  9. Click edit for an NVT family to edit it (see figure Editing a family of NVTs).

    _images/scan-family.png

    Editing a family of NVTs

  10. Activate the checkboxes of the NVTs that should be activated.

  11. Click edit for an NVT to edit it (see figure Editing an NVT).

    Note

    If editing the NVT includes uploading a text file, the file should use UTF-8 text encoding.

    _images/nvt-pref.png

    Editing an NVT

  12. Click Save to save the NVT.

  13. Click Save to save the family of NVTs.

  14. In the section Edit Scanner Preferences click unfold to edit the scanner preferences (see Chapter Editing the Scanner Preferences).

  15. In the section Network Vulnerability Test Preferences click unfold to display the preferences of each NVT.

  16. Click Save to save the scan configuration.

9.3.4. Importing a Scan Configuration

A scan configuration can be imported as follows:

  1. Select Configuration > Scan Configs in the menu bar.

  2. Click upload.

  3. Click Browse... and select the XML file of the scan configuration.

  4. Click Create.

    Note

    If the name of the imported scan configuration already exists, a numeric suffix is added to the name.

    → The imported scan configuration is displayed on the page Scan Configs.

  5. Click edit for the scan configuration.

  6. Execute steps 6 to 16 of Creating a New Scan Configuration to edit the scan configuration.

9.3.5. Editing the Scanner Preferences

The GSM uses Nmap and Ping as port scanners. Nmap is being used via the NASL wrapper. This allows for the greatest flexibility.

Note

Documenting all scanner and NVT preferences is out of scope of this document.

Only the most important general settings and specific settings of the scanners are covered.

Scanner preferences can be edited as follows:

  1. Select Configuration > Scan Configs in the menu bar.
  2. Click edit for the scan configuration.
  3. In the section Edit Scanner Preferences click unfold to edit the scanner preferences.
  4. After editing the scanner preferences click Save to save the scan configuration.

9.3.5.1. General Preferences

_images/scanner-prefs2.png

Editing the scanner preferences

  • auto_enable_dependencies: This defines whether NVTs that are required by other NVTs are activated automatically.
  • cgi_path: Path used by the NVTs to access CGI scripts.
  • checks_read_timeout: Timeout for the network sockets during a scan.
  • drop_privileges: With this parameter the OpenVAS scanner gives up root privileges before the start of the NVTs. This increases the security but results in fewer findings with some NVTs.
  • max_sysload: Maximum load on the GSM. Once this load is reached, no further NVTs are started until the load drops below this value again.
  • min_free_mem: Minimum available memory (in MB) which should be kept free on the GSM. Once this limit is reached, no further NVTs are started until sufficient memory is available again.
  • network_scan: This is an experimental option which scans the entire network all at once instead of starting Nmap for each individual host. This can save time in specific environments.
  • non_simult_ports: These ports are not being tested simultaneously by NVTs.
  • optimize_test: NVTs will only be started if specific prerequisites are met (e.g. open port or detected application).
  • plugins_timeout: Maximum run time of an NVT.
  • report_host_details: Detailed information about the host is saved to the report.
  • safe_checks: Some NVTs can cause damage on the host system. This setting disables those respective NVTs.
  • scanner_plugins_timeout: Maximum lifetime (in seconds) for all NVTs from the port scanners family. If an NVT runs longer, the plug-in is terminated.
  • time_between_request: Wait time (in milliseconds) between two actions such as opening a TCP socket, sending a request through the open TCP socket and closing the TCP socket.
  • timeout_retry: Number of retries when a socket connection attempt times out.
  • unscanned_closed: This defines whether TCP ports that were not scanned should be treated like closed ports.
  • unscanned_closed_udp: This defines whether UDP ports that were not scanned should be treated as closed ports.
  • use_mac_addr: Systems will be identified by MAC address and not by IP address. This could be beneficial in a DHCP environment.
  • vhosts: If the GSM should scan a web server with name based virtual hosts, the settings vhosts and vhosts_ip can be used. In the setting vhosts the names of the virtual hosts can be entered separated by commas.
  • vhosts_ip: If the GSM should scan a web server with name based virtual hosts, the settings vhosts and vhosts_ip can be used. In the setting vhosts_ip the IP address of the web server is entered. The report does not indicate on which virtual host an NVT discovered a vulnerability.

9.3.5.2. Ping Preferences

The ping NVT from the port scanners family contains the following configuration parameters.

Note

The Alive Test settings of a target can overwrite some settings of the ping scanner.

  • Do a TCP ping: This defines whether the reachability of a host should be tested using TCP. In this case the following ports will be tested: 21,22,23,25,53,80,135,137,139,143,443,445.
  • Do an ICMP ping: This defines whether the reachability of hosts should be tested using ICMP.
  • Mark unreachable Hosts as dead: This defines whether a host that is not discovered by this NVT should be tested by other NVTs later.
  • Report about reachable Hosts: This defines whether a host discovered by this NVT should be listed.
  • Report about unreachable Hosts: This defines whether a host not discovered by this NVT should be listed.
  • TCP ping tries also TCP-SYN ping: The TCP ping uses a TCP-ACK packet by default. A TCP-SYN packet can be used additionally.
  • Use ARP: This defines whether hosts should be searched for in the local network using the ARP protocol.
  • Use Nmap: This defines whether the ping NVT should use Nmap.
  • nmap: try also with only -sP: If Nmap is used, the ping scan is additionally performed using the -sP option.
  • nmap additional ports for -PA: Additional ports for the TCP ping test. This only applies if Do a TCP ping is selected.

9.3.5.3. Nmap NASL Preferences

The following options of the Nmap (NASL Wrapper) NVT will be directly translated into options for the execution of the nmap command. Additional information can be found in the documentation for nmap.

  • Do not randomize the order in which ports are scanned: Nmap will scan the ports in ascending order.
  • Do not scan targets not in the file: See File containing grepable results.
  • Fragment IP packets: Nmap fragments the packets it sends. This allows bypassing simple packet filters.
  • Identify the remote OS: Nmap tries to identify the operating system.
  • RPC port scan: Nmap tests the system for Sun RPC ports.
  • Run dangerous ports even if safe checks are set: UDP and RPC scans can cause problems and usually are disabled with the setting safe_checks.
  • Service scan: Nmap tries to identify services.
  • Use hidden option to identify the remote OS: Nmap tries to identify more aggressively.
  • Data length: Nmap adds random data of specified length to the packet.
  • Host Timeout: Host timeout.
  • Initial RTT timeout: Initial round trip timeout. Nmap can adjust this timeout dependent on the results.
  • Max RTT timeout: Maximum RTT.
  • Min RTT timeout: Minimum RTT.
  • Max Retries: Maximum number of retries.
  • Maximum wait between probes: This regulates the speed of the scan.
  • Min RTT Timeout: This regulates the speed of the scan.
  • Minimum wait between probes: This regulates the speed of the scan.
  • Ports scanned in parallel (max): This defines how many ports should at most be scanned simultaneously.
  • Ports scanned in parallel (min): This defines how many ports should at least be scanned simultaneously.
  • Source port: Source port. This is of interest when scanning through a firewall if connections are in general allowed from a specific port.
  • File containing grepable results: Allows specifying a file in Nmap's grepable output format, i.e. with line entries of the form Host: IP address. If the option Do not scan targets not in the file is set at the same time, only the systems contained in the file will be scanned.
  • TCP scanning technique: Actual scan technique.
  • Timing policy: Instead of changing the timing values individually the timing policy can be modified.

The timing policy uses the following values:

Policy      initial_rtt_timeout  min_rtt_timeout  max_rtt_timeout  max_parallelism  scan_delay  max_scan_delay
Paranoid    5 min                100 ms           10 sec           Serial           5 min       1 sec
Sneaky      15 sec               100 ms           10 sec           Serial           15 sec      1 sec
Polite      1 sec                100 ms           10 sec           Serial           400 ms      1 sec
Normal      1 sec                100 ms           10 sec           Parallel         0 sec       1 sec
Aggressive  500 ms               100 ms           1250 ms          Parallel         0 sec       10 ms
Insane      250 ms               50 ms            300 ms           Parallel         0 sec       5 ms

9.4. Obstacles While Scanning

There are several typical problems which might occur during a scan using the default values of the GSM. While the default values of the GSM are valid for most environments and customers, depending on the actual environment and the configuration of the scanned hosts they might require some tweaking.

9.4.1. Hosts not Found

During a typical scan (either “Discovery” or “Full and Fast”) the GSM will by default first use the ping command to check the availability of the configured targets. If the target does not reply to the ping request it is presumed to be dead and will not be scanned by the port scanner or any NVT.

In most LAN environments this does not pose any problems because all devices will respond to a ping request. But sometimes (local) firewalls or other configuration might suppress the ping response. If this happens the target will not be scanned and will not be included in the results and the scan report.

To remediate this problem, both the target configuration and the scan configuration support the setting of the Alive Test (see Alive Test).

If the target does not respond to a ping request, a TCP Ping may be tested. If the target is located within the same broadcast domain, an ARP Ping may be tried as well.

9.4.2. Long Scan Periods

Once the target is discovered to be alive using the ping command, the GSM uses a port scanner to scan the target. By default, a TCP port list containing around 5000 ports is used. If the target is protected by a (local) firewall that drops most of these packets, the port scanner has to wait for the timeout of each individual port. If the hosts are protected by (local) firewalls, the port lists or the firewalls may be tuned. If the firewall does not drop the request but rejects it, the port scanner does not have to wait for the timeout. Waiting for timeouts is especially costly if UDP ports are included in the scan.
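
The following Python script is an added example (not Greenbone or Nmap code) that ties the timing policy table in section 9.3.5.3 to the waiting-for-timeouts problem described here. It parses the table's duration cells into milliseconds and computes a deliberately simplified bound for the case where a firewall silently drops every probe: each probe is assumed to cost max_rtt_timeout plus scan_delay, Nmap's retries and adaptive timing are ignored, and the number of simultaneous probes for the "Parallel" policies (the table gives no number) is an assumed parameter.

```python
"""Rough scan-duration bound built from the GSM timing policy table.

Added example, not Greenbone or Nmap code. The policy rows are the values from
the manual. The bound is a deliberate simplification (assumption): every probe
is silently dropped, so each one costs max_rtt_timeout plus scan_delay; Nmap's
retries and adaptive timing are ignored.
"""
import re

# Timing policy table (initial/min/max RTT timeout, parallelism, scan delay,
# max scan delay), values as printed in the manual.
TIMING_POLICIES = {
    "Paranoid":   ("5 min",  "100 ms", "10 sec",  "Serial",   "5 min",  "1 sec"),
    "Sneaky":     ("15 sec", "100 ms", "10 sec",  "Serial",   "15 sec", "1 sec"),
    "Polite":     ("1 sec",  "100 ms", "10 sec",  "Serial",   "400 ms", "1 sec"),
    "Normal":     ("1 sec",  "100 ms", "10 sec",  "Parallel", "0 sec",  "1 sec"),
    "Aggressive": ("500 ms", "100 ms", "1250 ms", "Parallel", "0 sec",  "10 ms"),
    "Insane":     ("250 ms", "50 ms",  "300 ms",  "Parallel", "0 sec",  "5 ms"),
}

_UNIT_MS = {"ms": 1, "sec": 1000, "min": 60_000}


def parse_duration_ms(text):
    """Convert a table cell such as '5 min' or '1250 ms' to whole milliseconds."""
    m = re.fullmatch(r"\s*(\d+)\s*(ms|sec|min)\s*", text)
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * _UNIT_MS[m.group(2)]


def policy_ms(name):
    """Policy row with every duration converted to milliseconds."""
    init, mn, mx, par, delay, max_delay = TIMING_POLICIES[name]
    return {
        "initial_rtt_timeout": parse_duration_ms(init),
        "min_rtt_timeout": parse_duration_ms(mn),
        "max_rtt_timeout": parse_duration_ms(mx),
        "serial": par == "Serial",
        "scan_delay": parse_duration_ms(delay),
        "max_scan_delay": parse_duration_ms(max_delay),
    }


def dropped_ports_bound_seconds(name, ports, parallelism=100):
    """Seconds needed when a firewall drops every probe sent to `ports` ports.

    Serial policies probe one port at a time; for parallel policies the number
    of simultaneous probes is an assumption supplied by the caller (the table
    only says 'Parallel').
    """
    p = policy_ms(name)
    per_probe_ms = p["max_rtt_timeout"] + p["scan_delay"]
    lanes = 1 if p["serial"] else parallelism
    return ports * per_probe_ms / lanes / 1000


if __name__ == "__main__":
    # 5000 ports is roughly the size of the default TCP port list (section 9.4.2).
    for name in TIMING_POLICIES:
        hours = dropped_ports_bound_seconds(name, 5000) / 3600
        print(f"{name:<10} about {hours:9.1f} h for 5000 dropped ports")
```

Running the script shows why a dropping firewall turns the default port list into a multi-day scan under the Paranoid policy (5000 ports times 5 minutes and 10 seconds each), while a rejecting firewall or a trimmed port list removes the per-port wait entirely.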

9.4.3. NVT not Used

This happens especially often with UDP based NVTs, e.g. NVTs using the SNMP protocol. If the default scan configuration Full and Fast is used, the SNMP NVTs are included. But if the target is configured with the default port list, these NVTs are not executed, because the default port list does not include any UDP ports. Therefore the port 161/udp (snmp) is not discovered and is excluded from further scans. Both the discovery scans and the recommended Full and Fast scan configuration optimize the scan based on the discovered services: if the UDP port is not discovered, no SNMP NVTs are executed.

Do not enable all ports by default in the port lists. This will prolong the scans considerably. Best practice is to tune the port lists to the ports which are used in the environment and are permitted by the firewalls.

9.5. Performing a Scheduled Scan

For continuous vulnerability management the manual execution of tasks is tedious. The GSM supports the scheduling of tasks for their automation: a schedule runs a task automatically at a specific time, either once or repeatedly.

The GSM does not provide any schedules by default.

A new schedule can be created as follows:

  1. Select Configuration > Schedules in the menu bar.

  2. Create a new schedule by clicking new.

  3. Define the schedule (see figure Creating a new schedule).

  4. Click Create.

    _images/new-schedule.png

    Creating a new schedule

The following details of the schedule can be defined:

  • Name
    Definition of the name. The name can be chosen freely.
  • Comment
    An optional comment can contain additional information.
  • First Time
    Definition of the time of the first run.
  • Timezone
    Definition of the timezone the time refers to. UTC is default.

Note

Since the GSM runs in the UTC timezone internally, the chosen time zone is very important. For Eastern Standard Time (EST), America/New_York has to be selected.

  • Period
    Definition of the interval between two runs. It can be selected between hourly, daily, weekly and monthly. If left blank, the interval is a single instance.
  • Duration
    Definition of the maximum duration a task may take for its execution. After the assigned time has expired, the task is aborted and suspended until the next scheduled time slot becomes available. This way it can be ensured that the scan always runs within a specific (maintenance) time window.
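
The following Python script is an added example (not Greenbone code) that models the four schedule fields above to show why the Timezone field matters when the appliance works in UTC internally: the same First Time of 02:00 lands on a different UTC hour depending on the zone, and shifts again when daylight saving time begins. It assumes that "monthly" advances by calendar month (clamped to the last day of shorter months) and that the task is aborted once Duration has elapsed; the schedule values in the usage call are constructed.

```python
"""UTC run windows of a GSM-style schedule (First Time, Timezone, Period, Duration).

Added example, not Greenbone code. Assumptions: 'monthly' advances by calendar
month (clamped to the last day of shorter months) and the task is aborted when
Duration has elapsed.
"""
import calendar
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo


def _advance(local_start, period, n):
    """Return the local wall-clock start of the n-th run (n = 0 is First Time)."""
    if period == "hourly":
        return local_start + timedelta(hours=n)
    if period == "daily":
        return local_start + timedelta(days=n)
    if period == "weekly":
        return local_start + timedelta(weeks=n)
    if period == "monthly":
        idx = local_start.month - 1 + n
        year, month = local_start.year + idx // 12, idx % 12 + 1
        day = min(local_start.day, calendar.monthrange(year, month)[1])
        return local_start.replace(year=year, month=month, day=day)
    raise ValueError(f"unknown period: {period!r}")


def run_windows(first_time, tz_name, period, duration_minutes, runs):
    """Return [(start_utc, end_utc)] as ISO strings for the first `runs` executions.

    first_time is the wall-clock value typed into First Time ('YYYY-MM-DD HH:MM'),
    tz_name the Timezone selection, period None (single run) or one of
    hourly/daily/weekly/monthly, duration_minutes the Duration field.
    """
    tz = ZoneInfo(tz_name)
    local_first = datetime.fromisoformat(first_time).replace(tzinfo=tz)
    count = 1 if period is None else runs
    windows = []
    for n in range(count):
        local_start = local_first if period is None else _advance(local_first, period, n)
        # The appliance works in UTC: this conversion is what the schedule really stores.
        start_utc = local_start.astimezone(timezone.utc)
        end_utc = start_utc + timedelta(minutes=duration_minutes)
        windows.append((start_utc.isoformat(), end_utc.isoformat()))
    return windows


if __name__ == "__main__":
    # Constructed schedule: 02:00 New York time, monthly, 4 hour maintenance window.
    for start, end in run_windows("2024-01-15 02:00", "America/New_York", "monthly", 240, 7):
        print(start, "->", end)
    # Same wall-clock time with the default timezone UTC lands five hours earlier.
    print(run_windows("2024-01-15 02:00", "UTC", None, 240, 1))
```

In the output the January run starts at 07:00 UTC and the July run at 06:00 UTC (EDT), whereas leaving Timezone at its default UTC would start the scan at 02:00 UTC, i.e. 21:00 local time the previous evening, outside the intended maintenance window.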

9.6. Managing the Scanners

The GSM appliance comes with two predefined scanners. They can be managed and new scanners can be created.

The following scanners are already available:

  • OpenVAS Default
  • CVE: The CVE scanner allows forecasting possible security risks based on current information about known vulnerabilities from the SecInfo management (see Chapter SecInfo Management) without the need of a new scan (see Chapter Running a Prognosis Scan).

Note

The desired scanner for a task is selected when creating the task (see Chapter Creating a Task).

9.6.1. List Page of all Scanners

The available scanners can be displayed by selecting Configuration > Scanners in the menu bar.

_images/scanners_list_page.png

Page Scanners displaying all available scanners

The list shows the hosts, ports, types and credentials of the scanners (see figure Page Scanners displaying all available scanners).

The icon view_other in the column Name indicates that the scanner is available to other users and can be used by them.

For all scanners the following actions are available:

  • verify Verify that the scanner is online and that the manager can connect to it using the provided certificates.
  • download Download the scanner as an XML file.

Additionally, for self-created scanners the following actions are available:

  • trashcan Delete the scanner. Only scanners which are currently not used can be deleted.
  • edit Edit the scanner. Only scanners which are currently not used can be edited.
  • clone Clone the scanner.
  • key Download the CA Certificate/Certificate.

9.6.2. Details Page of a Scanner

By clicking on the name of a scanner the details page of the scanner is opened.

The tasks using the scanner, tags and permissions are displayed.

For all scanners the following actions are available:

  • verify Verify that the scanner is online and that the manager can connect to it using the provided certificates.
  • download Download the scanner as an XML file.

Additionally, for self-created scanners the following actions are available:

  • clone Clone the scanner.
  • trashcan Delete the scanner. Only scanners which are currently not used can be deleted.
  • edit Edit the scanner. Only scanners which are currently not used can be edited.
  • key Download the CA Certificate/Certificate.

By clicking list the page Scanners is opened.

9.6.3. Creating a New Scanner

Note

The creation of a new scanner is only used in the following cases:

9.7. Using Alerts

Alerts are anchored within the system. When a configured event happens (e.g. a task is finished), a specified condition is checked (e.g. a vulnerability with a high severity category was detected). If the condition is met, an action is performed, e.g. an e-mail is sent to a defined address.

9.7.1. Creating a New Alert

A new alert can be created as follows:

  1. Select Configuration > Alerts.

  2. Create a new alert by clicking new.

  3. Define the alert (see figure Creating a new alert).

  4. Click Create.

    _images/new-alert.png

    Creating a new alert

The following details of the alert can be defined:

Name
Definition of the name. The name can be chosen freely.
Comment
An optional comment can contain additional information.
Event
Definition of the event for which the alert message is sent. Alarms can be sent when the status of a task changes or when SecInfos (NVTs, CVEs, CPEs, CERT-Bund Advisories, DFN-CERT Advisories, OVAL Definition) are added or updated.
Condition

Definition of the additional conditions that have to be met.

Note

The options differ for task and for SecInfo related alerts.

The alert message can occur:

  • Always
  • When a specific severity level is reached.
  • If the severity level changes, increases or decreases.
  • If a powerfilter matches at least the specified number of results.
  • If a powerfilter matches at least the specified number of results more than in the previous scan.
Report Result Filter (only for task related alerts)
The results can be limited with an additional filter. The filter must be created previously (see section Filtering the Page Content).
Details URL (only for SecInfo related alerts)
Definition of the URL from which the SecInfos are obtained.
Delta Report
Optionally, a delta report can be created, either in comparison to a previous report or to a report with a certain ID.
Method

Selection of the method for the alert. Only one method per alert can be chosen. If different alerts for the same event should be triggered, multiple alerts must be created and linked to the same task.

Note

Some methods cannot be used for SecInfo related alerts.

The following methods are possible:

Email

An e-mail is sent to the given address. To use this method the mailserver to be used must be configured using the GSM console (see section Configuring Automatic E-Mails). For the subject the following place holders can be used:

  • $d date of last SecInfo check (blank for task alerts)
  • $e event description
  • $n task name (blank for SecInfo alerts)
  • $N alert name
  • $q type of SecInfo event (New, Updated or blank for task alerts)
  • $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
  • $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
  • $T total number of resources in the list for SecInfo alerts (0 for task alerts)
  • $u owner of the alert or currently logged in user if the alert was triggered manually
  • $U UUID of the alert
  • $$ the $ symbol

The content of the e-mail can be a simple notice, an included or an attached report.

  • Include Report
    The report can be included directly in the e-mail. A report format that uses the content type text/* can be chosen as an e-mail does not support binary content directly.
  • Attach Report
    The report can be attached to the e-mail. Any report format can be chosen. The report will be attached to the generated e-mail in its correct MIME type.

The content of the e-mail message can be edited for both, the included and the attached report. For the message the following place holders can be used:

  • $c condition description
  • $d date of last SecInfo check (blank for task alerts)
  • $e event description
  • $F name of filter
  • $f filter term
  • $H host summary
  • $i report text or list of SecInfo resources (only when including the report/list)
  • $n task name (blank for SecInfo alerts)
  • $N alert name
  • $q type of SecInfo event (New, Updated or blank for task alerts)
  • $r report format name
  • $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
  • $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
  • $t note if the report was truncated
  • $T total number of resources in the list for SecInfo alerts (0 for task alerts)
  • $u owner of the alert or currently logged in user if the alert was triggered manually
  • $U UUID of the alert
  • $z timezone
  • $$ the $ symbol
HTTP Get

The URL is issued as HTTP Get. For example, an SMS text message can be sent via HTTP Get gateway or a bug report can be created in an issue tracker. The following variables can be used when specifying the URL:

  • $n name of the task
  • $e description of the event (Start, Stop, Done)
  • $c description of the condition that occurred
  • $$ the $ symbol
SCP

The report is copied to the given destination using SCP with the given login credentials.

Note

The host name must exactly match the input box Host.

Known hosts can be listed. Each line specifies a single host in the format “host protocol public_key”, e.g. localhost ssh-rsa AAAAB3NzaC1y...P3pCquVb.

Note

If the host is an IP address the known hosts have to be IP addresses as well.

The following variables can be used when specifying the path:

  • $$: $
  • $n: task name
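
The following Python script is an added example (not Greenbone code) that checks an SCP alert configuration against the two rules stated in the notes above: every known-hosts line has the form "host protocol public_key" and its host must match the input box Host exactly, and if Host is an IP address the known-hosts entries must be IP addresses as well. The key material in the sample is a constructed placeholder, not a real host key.

```python
"""Consistency check for the SCP alert method: Host box vs. known-hosts lines.

Added example, not Greenbone code. The key material in the sample is a
constructed placeholder, not a real host key.
"""
import ipaddress

# Key type prefixes OpenSSH uses in known_hosts (ssh-rsa, ssh-ed25519,
# ecdsa-sha2-*, sk-* security-key types).
_KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_known_hosts(text):
    """Parse 'host protocol public_key' lines; blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'host protocol public_key'")
        entries.append(tuple(parts))
    return entries


def is_ip_address(value):
    """True for a literal IPv4 or IPv6 address, False for a host name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_scp_alert(host, known_hosts_text):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    entries = parse_known_hosts(known_hosts_text)
    if not entries:
        return ["no known-hosts line given"]
    host_is_ip = is_ip_address(host)
    exact_match = False
    for entry_host, key_type, _key in entries:
        if entry_host == host:              # the manual requires an exact match
            exact_match = True
        if host_is_ip and not is_ip_address(entry_host):
            problems.append(f"Host {host!r} is an IP address but known host "
                            f"{entry_host!r} is not")
        if not key_type.startswith(_KEY_TYPE_PREFIXES):
            problems.append(f"unexpected key type {key_type!r} for {entry_host!r}")
    if not exact_match:
        problems.append(f"no known-hosts line matches Host {host!r} exactly")
    return problems


# Constructed sample known-hosts text; the key is placeholder material.
SAMPLE_KNOWN_HOSTS = """
scp.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexamplekeymaterialonly
"""

if __name__ == "__main__":
    print(check_scp_alert("scp.example.net", SAMPLE_KNOWN_HOSTS))   # []
    print(check_scp_alert("192.0.2.10", SAMPLE_KNOWN_HOSTS))        # two problems
```

A mismatch reported by the check is exactly the situation in which the appliance cannot verify the SCP server's host key and the report copy fails, so running it against the intended Host value before saving the alert avoids a silently broken alert.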
Send to host
The report is sent to an arbitrary host-port-combination via TCP. The format of the report can be chosen from the installed report formats.
SMB

The report is copied to a given destination using the SMB protocol with the given login credentials.

The share path and the file path must be specified. The share path contains the part of the UNC path containing the host and the share name, e.g. “\\host\share”.

Note

If the file path contains subdirectories which do not exist, the necessary subdirectories are created.

For the file path the following placeholders can be used:

  • %C creation date in the format YYYYMMDD (changed to current date if creation date is not available)
  • %c creation time in the format HHMMSS (changed to current time if creation time is not available)
  • %D current date in the format YYYYMMDD
  • %F name of the format plug-in used (XML for lists and types other than reports)
  • %M modification date in the format YYYYMMDD (changed to creation date or to current date if modification date is not available)
  • %m modification time in the format HHMMSS (changed to creation time or to current time if modification time is not available)
  • %N name for the resource or the associated task for reports (lists and types without a name will use the type (see %T))
  • %T resource type (task, port_list, ...), pluralized for list pages
  • %t current time in the format HHMMSS
  • %U UUID of the resource or (list for lists of multiple resources)
  • %u name of the currently logged in user
  • %% the % symbol

Note

The file extension is appended corresponding to the format selected in the drop-down-list Report Format.

The default report export file name (see Chapter Changing the User Settings) is appended to the file path if the file path ends with \.

Note

If a task uses the tag smb-alert:file_path with a value, then the value is used as the file path instead of the one that has been configured with the alert (see Chapter Tags).

Example: smb-alert:file_path=alert_1 assigns the file path alert_1.

SNMP

An SNMP trap is sent to the given agent. The provided community is used to authenticate the SNMP trap and the agent is the targeted SNMP trap receiver. For the message the following place holders can be used:

  • $$ the $ symbol
  • $d date of last SecInfo check (blank for task alerts)
  • $e event description
  • $n task name (blank for SecInfo alerts)
  • $q type of SecInfo event (New, Updated or blank for task alerts)
  • $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
  • $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
  • $T total number of resources in the list for SecInfo alerts (0 for task alerts)
Sourcefire Connector
The data can be sent to a Cisco Firepower Management Center (formerly known as Sourcefire Defense Center) automatically. For more information see section Firepower Management Center.
Start Task
The alert can start an additional task. The task is selected in the drop-down-list.
System Logger
The alert is sent to a Syslog daemon. The Syslog server is defined using the console (see section Configuring the Collection of Logs).
verinice.PRO Connector
The data can be sent to a verinice.PRO installation automatically. For more information see Chapter Verinice.
Alemba vFire
A new ticket in the service management application vFire is created. The report can be attached in one or more formats. For more information see section Alemba vFire.

9.7.2. Assigning an Existing Alert to a Task

To use an alert after it has been created, the alert has to be assigned to a specific task as follows:

Note

Tasks that are already defined and have been used can be edited as well; this does not have any effect on already created reports.

  1. Select Scans > Tasks in the menu bar.

  2. In the row of the task click edit.

  3. Click the input box Alerts.

    → A drop-down-list with the available alerts is opened (see figure Configuring a task with an alert).

    _images/alert-task.png

    Configuring a task with an alert

  4. Select the desired alert.

    Note

    A new alert can be created by clicking new.

  5. Click Save.

    → Afterwards the task using the alert appears on the details page of the alert (see figure Tasks using a specific alert).

    _images/alert-task2.png

    Tasks using a specific alert