10. Scanning a System

10.1. Using the Task Wizard for a First Scan

The task wizard can configure and start a basic scan with minimal user input.

10.1.1. Using the Task Wizard

When logging into the web interface of the GSM appliance for the first time after initial set up an empty dashboard will be displayed (see Fig. 10.1).

_images/dashboard_empty.png

Fig. 10.1 Empty default dashboard

A new task with the task wizard can be configured as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Start the wizard by moving the mouse over wizard and clicking Task Wizard.

  3. Enter the IP address or DNS name of the target system in the input box (see Fig. 10.2).

    Note

    When using a DNS name however, the GSM has to be able to resolve the name.

    _images/task_wizard.png

    Fig. 10.2 Configuring the task wizard

  4. Click Start Scan.

    → The task wizard performs the following steps automatically:

    1. Creating a new scan target on the GSM.
    2. Creating a new scan task on the GSM.
    3. Starting the scan task immediately.
    4. Displaying the page Tasks.

After the task is started, the progress can be monitored (see Fig. 10.3).

_images/task_wizard_run.png

Fig. 10.3 Page Tasks displaying the progress of the task

For the status of a task see Chapter 10.7.

Tip

The report of a task can be displayed as soon as the task has been started by clicking the bar in the column Status. For reading, managing and downloading reports see Chapter 11.

As soon as the status changes to Done the complete report is available. At any the time the intermediate results can be reviewed (see Chapter 11.2.1).

Note

It can take a while for the scan to complete. The page is refreshing automatically if new data is available.

10.1.2. Using the Advanced Task Wizard

Next to the simple wizard the GSM also provides an advanced wizard that allows for more configuration options.

A new task with the advanced task wizard can be configured as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Start the wizard by moving the mouse over wizard and clicking Advanced Task Wizard.

  3. Define the task (see Fig. 10.4).

    Tip

    For the information to enter in the input boxes see Chapters 10.2.1 and 10.2.2.

    When an e-mail address is entered in the input box Email report to an alert is created sending an e-mail as soon as the task is completed (see Chapter 10.11).

    _images/adv_task_wizard.png

    Fig. 10.4 Configuring the advanced task wizard

  4. Click Create.

    → The advanced task wizard performs the following steps automatically:

    1. Starting the scan task immediately.
    2. Displaying the page Tasks.

For the status of a task see Chapter 10.7.

Tip

The report of a task can be displayed as soon as the task has been started by clicking the bar in the column Status. For reading, managing and downloading reports see Chapter 11.

As soon as the status changes to Done the complete report is available. At any the time the intermediate results can be reviewed (see Chapter 11.2.1).

Note

It can take a while for the scan to complete. The page is refreshing automatically if new data is available.

10.1.3. Using the Wizard to Modify a Task

An additional wizard can modify an existing task:

  1. Select Scans > Tasks in the menu bar.

  2. Start the wizard by moving the mouse over wizard and clicking Modify Task Wizard.

  3. Select the task which should be modified in the drop-down-list Task (see Fig. 10.5).

  4. Create a schedule for the task by selecting the radiobutton Create Schedule (see Chapter 10.9).

    The date of the first scan can be selected by clicking calendar and the time can be set using the input boxes. Email report to.

  5. Enter the e-mail address to which the report should be sent in the input box Email report to.

  6. Click Modify Task.

    _images/modify_task_wizard.png

    Fig. 10.5 Modifying a task using the wizard

10.2. Configuring a Simple Scan Manually

Generally speaking the GSM can use two different approaches to scan a target:

  • Simple scan
  • Authenticated scan using local security checks

gb_video The steps of a simple scan are explained in a video based on GOS 3.1 at https://docs.greenbone.net/Videos/gos-3.1/en/GSM-FirstScan-GOS-3.1-en-20150716.mp4.

The following steps have to be executed to configure a simple scan:

  • Creating a target
  • Creating a task
  • Running the task

10.2.1. Creating a Target

The first step is to define a scan target as follows:

  1. Select Configuration > Targets in the menu bar.

  2. Create a new target by clicking new.

  3. Define the target (see Fig. 10.6).

    _images/target_new.png

    Fig. 10.6 Creating a new target

  4. Click Save.

The following information can be entered:

Name
The name can be chosen freely. A descriptive name should be chosen if possible. Possibilities are Mailserver, ClientNetwork, Webserverfarm, DMZ or the like, describing the entered systems in more detail.
Comment
The optional comment allows specifying background information. It simplifies understanding the configured targets later.
Hosts

Manual entry of the hosts that should be scanned, separated by commas, or importing a list of hosts.

Note

The IP address or the DNS name is required. In both cases it is necessary that the GSM can connect to the system. When using the DNS name, the GSM must also be able to resolve the name.

When entering manually the following options are available:

  • Single IP address, e.g. 192.168.15.5
  • Host name, e.g. mail.example.com
  • IPv4 address range in long format, e.g. 192.168.15.5-192.168.15.27
  • IPv4 address range in short format, e.g. 192.168.55.5-27
  • IPv4 address range in CIDR notation, e.g. 192.168.15.0/24 1 (at most 4096 IP addresses)
  • Single IPv6 address, e.g. fe80::222:64ff:fe76:4cea
  • IPv6 address range in long format, e.g. ::12:fe5:fb50-::12:fe6:100
  • IPv6 address range in short format, e.g. ::13:fe5:fb50-fb80
  • IPv6 address range in CIDR notation, e.g. fe80::222:64ff:fe76:4cea/120 (at most 4096 IP addresses)

Multiple options can be mixed. When importing from a file, the same syntax can be used. Entries can be separated with commas or by line breaks. When many systems have to be scanned, using a file with the hosts is simpler than entering all hosts manually.

Alternatively the systems can be imported from the host asset database.

Note

Importing a host from the asset database is only possible if a target is created from the page Hosts.

Exclude Hosts

Manual entry of the hosts that should be excluded from the list mentioned above, separated by commas, or importing a list of hosts.

The same specifications as for Hosts apply.

Port list

Port list used for the scan.

Note

A port list can be created on the fly by clicking new next to the drop-down-list.

Alive Test

This options specifies the method to check if a target is reachable. Options are:

  • ICMP Ping
  • TCP Service Ping
  • ARP Ping
  • ICMP & TCP Service Ping
  • ICMP & ARP Ping
  • TCP Service & ARP Ping
  • ICMP, TCP Service & ARP Ping

Sometimes there are problems with this test from time to time. In some environments routers and firewall systems respond to a TCP service ping with a TCP-RST even though the host is actually not alive (see Chapter 10.12).

Network components exist that support Proxy-ARP and respond to an ARP ping. Therefore this test often requires local customization to the environment.

SSH Credential
Selection of a user that can log into the target system of a scan if it is a Linux or UNIX system. This allows for an Authenticated Scan using local security checks (see Chapters 10.3.2 and 10.3).
SMB Credential
Selection of a user that can log into the target system of a scan if it is a Microsoft Windows system. This allows for an Authenticated Scan using local security checks (see Chapters 10.3.2 and 10.3).
ESXi Credential
Selection of a user that can log into the target system of a scan if it is a VMWare ESXi system. This allows for an Authenticated Scan using local security checks (see Chapters 10.3.2 and 10.3).
SNMP Credential

Selection of a user that can log into the target system of a scan if it is an SNMP aware system. This allows for an Authenticated Scan using local security checks (see Chapters 10.3.2 and 10.3).

Note

All credentials can be created on the fly by clicking new next to the credential.

Reverse Lookup Only
Only scan IP addresses that can be resolved into a DNS name.
Reverse Lookup Unify
If multiple IP addresses resolve to the same DNS name the DNS name will only get scanned once.

10.2.2. Creating a Task

The second step is to create a task.

The GSM controls the execution of a scan using tasks. These tasks can be repeated regularly or run at specific times (see Chapter 10.9).

A task can be created as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Create a new task by moving the mouse over new and clicking New Task.

  3. Define the task (see Fig. 10.7).

    _images/task_new.png

    Fig. 10.7 Creating a new task

  4. Click Save.

    → The task is created and displayed on the page Tasks.

The following information can be entered:

Name
The name can be chosen freely. A descriptive name should be used if possible. Possibilities to describe the entered task are Scan Mailserver, Test ClientNetwork, Check DMZ for new ports and systems or the like.
Comment
The optional comment allows for the entry of background information. It simplifies understanding the configured task later.
Scan Targets

Select a previously configured target from the drop-down-list.

Additionally, the target can be created on the fly by clicking new next to the drop-down-list.

Alerts

Select a previously configured alert. Status changes of a task can be communicated to the world via e-mail, Syslog, HTTP or a connector.

Additionally, an alert can be created on the fly by clicking new next to the input box.

Schedule

Select a previously configured schedule (see Chapter 10.9). The task can be run once or repeatedly at a predetermined time, e.g. every Monday morning at 6:00 am.

Additionally, a schedule can be created on the fly by clicking new next to the drop-down-list.

Add results to Asset Management
Selecting this option will make the systems available to the asset management of the GSM automatically (see Chapter 12). This selection can be changed at a later point as well.
Apply Overrides
Overrides can be directly applied when adding the results to the asset database.
Min QoD
Here the minimum quality of detection can be specified for the addition of the results to the asset database.
Alterable Task
Allow for modification of the task even though reports were already created. The consistency between reports can no longer be guaranteed if tasks are altered.
Auto Delete Reports
This option may automatically delete old reports. The maximum number of reports to store can be configured. If the maximum is exceeded, the oldest report is automatically deleted. The factory setting is Do not automatically delete reports.
Scanner
By default, only the built-in OpenVAS and CVE scanners are supported. Sensors can be used as additional scanning engines but need to be configured first (see Chapter 16).

Note

The following options are only relevant for the OpenVAS scanner. The CVE scanner does not support any options.

Scan Config
The GSM comes by default with seven pre-configured scan configurations for the OpenVAS scanner (see Chapter 10.8).
Network Source Interface
Here the source interface of the GSM for the scan can be chosen.
Order for target hosts

Select how the specified network area should be searched. Options available are:

  • Sequential
  • Random
  • Reverse

This is interesting if for example a network, e.g. 192.168.0.0/24, is scanned that has lots of systems at the beginning or end of the IP address range. With the selection of the Random mode the progress view is more meaningful.

Maximum concurrently executed NVTs per host/Maximum concurrently scanned hosts
Select the speed of the scan on one host. The default values are chosen sensibly. If more NVTs run simultaneously on a system or more systems are scanned at the same time, the scan may have a negative impact on either the performance of the scanned systems, the network or the GSM appliance itself. These values “maxhosts” and “maxchecks” may be tweaked.

10.2.3. Starting the Task

In the row of the newly created task click start.

Note

For scheduled task schedule is displayed. The task is starting at the time that was defined in the schedule (see Chapter 10.9)

→ The scan is running. For the status of a task see Chapter 10.7.

Tip

The report of a task can be displayed as soon as the task has been started by clicking the bar in the column Status. For reading, managing and downloading reports see Chapter 11.

As soon as the status changes to Done the complete report is available. At any the time the intermediate results can be reviewed (see Chapter 11.2.1).

Note

It can take a while for the scan to complete. The page is refreshing automatically if new data is available.

10.3. Configuring an Authenticated Scan Using Local Security Checks

An authenticated scan can provide more vulnerability details on the scanned system. During an authenticated scan the target is both scanned from the outside using the network and from the inside using a valid user login.

During an authenticated scan the GSM logs into the target system in order to run local security checks (LSC). The scan requires the prior setup of user credentials. These credentials are used to authenticate to different services on the target system. In some circumstances the results could be limited by the permissions of the users used.

The NVTs in the corresponding NVT families (local security checks) will only be executed if the GSM was able to log into the target system. The local security check NVTs in the resulting scan are minimally invasive.

The GSM only determines the risk level but does not introduce any changes on the target system. However, the login by the GSM is probably logged in the protocols of the target system.

The GSM can use different credentials based on the nature of the target. The most important ones are:

  • SMB
    On Microsoft Windows systems the GSM can check the patch level and locally installed software such as Adobe Acrobat Reader or the Java suite.
  • SSH
    This access is used to check the patch level on UNIX and Linux systems.
  • ESXi
    This access is used for testing of VMWare ESXi servers locally.
  • SNMP
    Network components like routers and switches can be tested via SNMP.

10.3.1. Advantages and Disadvantages of Authenticated Scans

The extent and success of the testing routines for authenticated scans depend heavily on the permissions of the used account.

On Linux systems an unprivileged user is sufficient and can access most interesting information while especially on Microsoft Windows systems unprivileged users are very restricted and administrative users provide more results. An unprivileged user does not have access to the Microsoft Windows registry, the Microsoft Windows system folder \windows, which contains the information on updates and patch levels.

Local security checks are the most gentle method to scan for vulnerability details. While remote security checks try to be least invasive as well, they may have some impact.

Simply stated an authenticated scan is similar to a Whitebox approach. The GSM has access to prior information and can access the target from within. Especially the registry, software versions and patch levels are accessible.

A remote scan is similar to a Blackbox approach. The GSM uses the same techniques and protocols as a potential attacker to access the target from the outside. The only information available was collected by the GSM itself. During the test the GSM may provoke malfunctions to extract any available information on the used software, e.g. the scanner may send a malformed request to a service to trigger a response containing further information on the deployed product.

During a remote scan using the scan configuration Full and Fast all remote checks are safe. The used NVTs may have some invasive components but none of the used NVTs try to trigger a defect of malfunction in the target (see example below). This is ensured by the scan preference safe_checks=yes in the scan configuration (see Chapter 10.8). All NVTs with very invasive components or which may trigger a denial of service (DoS) are automatically excluded from the test.

Example for an Invasive NVT

An example for an invasive but safe NVT is the Heartbleed NVT. It is executed even with safe_checks enabled because the NVT does not have any negative impact on the target.

The NVT is still invasive because it tests the memory leakage of the target. If the target is vulnerable, actual memory of the target is leaked. The GSM does not evaluate the leaked information. The information is immediately discarded.

10.3.2. Using Credentials

Credentials for local security checks are required to allow NVTs to log into target systems, e.g. for the purpose of locally checking the presence of all vendor security patches.

10.3.2.1. Creating a Credential

A new credential can be created as follows:

  1. Select Configuration > Credentials in the menu bar.

  2. Create a new credential by clicking new.

  3. Define the credential (see Fig. 10.8).

  4. Click Save.

    _images/credential_new.png

    Fig. 10.8 Creating a new credential

The following details of the credential can be defined:

Note

If the details contain German umlauts, the login does not work. The umlauts have to be replaced as follows:

  • “ß” → “ss”
  • “ä” → “a”
  • “ö” → “o”
  • “ü” → “u”
Name
Definition of the name. The name can be chosen freely.
Comment
An optional comment can contain additional information.
Type

Definition of the credential type. The following types are possible:

  • Username + Password
  • Username + SSH Key
  • Client Certificate
  • SNMP
  • S/MIME Certificate
  • PGP Encryption Key
  • Password only
Allow insecure use
Select whether the GSM can use the credential for unencrypted or otherwise insecure authentication methods.

Depending on the selected type further options are shown:

Username + Password
  • Auto-generate

    Select whether the GSM creates a random password.

    Note

    If the radiobutton Yes is selected, it is not possible to define a password in the input box Password.

  • Username

    Definition of the login name used by the GSM to authenticate on the scanned target system.

  • Password

    Definition of the password used by the GSM to authenticate on the scanned target system.

Username + SSH Key
  • Auto-generate

    Select whether the GSM creates a random password.

    Note

    If the radiobutton Yes is selected, it is not possible to define a password in the input box Password.

  • Username

    Definition of the login name used by the GSM to authenticate on the scanned target system.

  • Passphrase

    Definition of the passphrase of the private SSH key.

  • Private Key

    Upload of the private SSH key.

Client Certificate
  • Certificate
    Upload of the certificate file.
  • Private Key
    Upload of the corresponding private key.
SNMP
  • SNMP Community
    Definition of the community for SNMPv1 or SNMPv2c.
  • Username
    Definition of the user name for SNMPv3.
  • Password
    Definition of the password for SNMPv3.
  • Privacy Password
    Definition of the password for the encryption for SNMPv3.
  • Auth Algorithm
    Selection of the authentication algorithm (MD5 or SHA1).
  • Privacy Algorithm
    Selection of the encryption algorithm (AES, DES or none).
S/MIME Certificate
  • S/MIME Certificate
    Upload of the certificate file.
PGP Encryption Key
  • PGP Public Key
    Upload of the key file.
Password only
  • Password
    Definition of the password used by the GSM to authenticate on the scanned target system.

Note

The credential has to be linked to at least one target. This allows the scan engine to apply the credential.

10.3.2.2. Managing Credentials

List Page

All existing credentials can be displayed by selecting Configuration > Credentials in the menu bar.

For all credentials the following information is displayed:

Name
Name of the credential
Type
Chosen credential type.
Allow insecure use
Indication whether the GSM can use the credential for unencrypted or otherwise insecure authentication methods.
Login
User name for the credential if a credential type that requires a user name is chosen.

For all credentials the following actions are available:

  • trashcan Delete the credential. Only credentials which are currently not used can be deleted.
  • edit Edit the credential.
  • clone Clone the credential.
  • download Download the credential as an XML file.

Depending on the chosen credential type (see Chapter 10.3.2.1) more actions may be available:

  • download_exe Download an EXE package for Microsoft Windows. This action is available if Username + Password was chosen.
  • download_rpm Download an RPM package for Red Hat Enterprise Linux and its derivates. This action is available if Username + SSH Key was chosen.
  • download_deb Download a Debian package for Debian GNU/Linux and its derivates. This action is available if Username + SSH Key was chosen.
  • download_key Download a public key. This action is available if Username + SSH Key or Client Certificate was chosen.

These installation packages simplify the installation and creation of accounts for authenticated scans. They create the user and the most important permissions for the authenticated scan and reset them during uninstalling.

Note

If the auto-generation of passwords is enabled (see Chapter 10.3.2.1), the packages have to be used, otherwise the usage is optional.

Note

By clicking trashcan or export below the list of credentials more than one credential can be deleted or exported at a time. The drop-down-list is used to select which credentials are deleted or exported.

Details Page

Click on the name of a credential to display the details of the credential. Click details to open the details page of the credential.

The following registers are available:

Information
General information about the credential.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all credentials.
  • new Create a new credential.
  • clone Clone the credential.
  • edit Edit the credential.
  • trashcan Delete the credential.
  • export Export the credential as an XML object.

Depending on the chosen credential type (see Chapter 10.3.2.1) more actions may be available:

  • download_exe Download an EXE package for Microsoft Windows. This action is available if Username + Password was chosen.
  • download_rpm Download an RPM package for Red Hat Enterprise Linux and its derivates. This action is available if Username + SSH Key was chosen.
  • download_deb Download a Debian package for Debian GNU/Linux and its derivates. This action is available if Username + SSH Key was chosen.
  • download_key Download a public key. This action is available if Username + SSH Key or Client Certificate was chosen.

10.3.3. Requirements on Target Systems with Microsoft Windows

10.3.3.1. General Notes on the Configuration

  • The remote registry service must be started in order to access the registry.

    This is achieved by configuring the service to automatically start up. If an automatic start is not preferred, a manual startup can be configured. In that case the service is started while the system is scanned by the GSM and afterwards it is disabled again. To ensure this behaviour the following item about LocalAccountTokenFilterPolicy must be considered.

  • It is necessary that for all scanned systems the file and printer sharing is activated. When using Microsoft Windows XP, take care to disable the setting “Use Simple File Sharing”.

  • For individual systems not attached to a domain the following registry key must be set:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
    DWORD: LocalAccountTokenFilterPolicy = 1
    
  • On systems with domain controller the user account in use must be a member of the group Domain Administrators to achieve the best possible results. Due to the permission concept it is not possible to discover all vulnerabilities using the Local Administrator or the administrators assigned by the domain. Alternatively follow the instructions in Chapter 10.3.3.2.

  • Should a Local Administrator be selected – which it explicitly not recommended – it is mandatory to set the following registry key as well:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\
    DWORD: LocalAccountTokenFilterPolicy = 1
    
  • Generated install package for credentials: The installer sets the Remote Registry service to auto start. If the installer is executed on a Domain Controller, the user account will be assigned to the Group BUILTIN/Administrators (SID S-1-5-32-544).

  • An exception rule for the GSM on the Microsoft Windows firewall must be created. Additionally, on XP systems the File and Printer Sharing must be set to enabled.

  • Generated install package for credentials: During the installation the installer offers a dialog to enter the IP address of the GSM. If the entry is confirmed, the firewall rule is configured. The File and Printer Sharing service will be enabled in the firewall rules.

10.3.3.2. Configuring a Domain Account for Authenticated Scans

In order to use a domain account for host based remote audits on a Microsoft Windows target this must be performed under Windows XP Professional, Windows Vista, Windows 2003, Windows 2008, Windows 2012, Windows 2016, Windows 7, Windows 8, Windows 8.1 or Windows 10 and also be part of a domain.

Taking security into consideration a scan can be created as described in the following.

Creating a Security Group

  1. Log into a domain controller and open Active Directory Users and Computers.
  2. Select Action > New > Group in the menu bar.
  3. Enter Greenbone Local Scan in the input box Name.
  4. Select Global for Group Scope and Security for Group Type.
  5. Add the account used for the local authenticated scans by the GSM under Microsoft Windows to the group.
  6. Click OK.

Creating a Group Policy

  1. In the left panel open the console Group Policy Management.

  2. Right click Group Policy Objects and select New.

  3. Enter Greenbone Local SecRights in the input box Name (see Fig. 10.9).

    _images/win_group_policy.png

    Fig. 10.9 Creating a new Microsoft Windows group policy object for Greenbone Networks scans

  4. Click OK.

Configuring the Policy

  1. Click the policy Greenbone Local SecRights and select Edit.

  2. Select Computer Configuration > Policies > Windows Settings > Security Settings in the left panel.

  3. Click Restricted Groups and select Add Group.

  4. Click Browse... and enter Greenbone Local Scan in the input box (see Fig. 10.10).

  5. Click Check Names.

    _images/win_group_policy_check.png

    Fig. 10.10 Checking Microsoft Windows group names

  6. Click OK twice to close the open windows.

  7. At This group is member of click Add.

  8. Enter Administrators in the input box Group (see Fig. 10.11) and click OK twice to close the open windows.

    Note

    Additionally, on non-English systems enter the respective name of the local administrator group.

    _images/win_group_policy_member2.png

    Fig. 10.11 Adding a group membership

Configuring the Policy to Deny the Group ``Greenbone Local Scan`` Logging into the System Locally

  1. Click the policy Greenbone Local SecRights and select Edit.

  2. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment in the left panel.

  3. In the right panel double click Deny log on locally.

  4. Activate the checkbox Define these policy settings and click Add User or Group.

  5. Click Browse... and enter Greenbone Local Scan in the input box (see Fig. 10.12).

  6. Click Check Names.

    _images/win_group_policy_deny.png

    Fig. 10.12 Editing the policy

  7. Click OK three times to close the open windows.

Configuring the Policy to Deny the Group ``Greenbone Local Scan`` Logging into the System Remotely

  1. Click the policy Greenbone Local SecRights and select Edit.

  2. Select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment in the left panel.

  3. In the right panel double click Deny log on through Desktop Services.

  4. Activate the checkbox Define these policy settings and click Add User or Group.

  5. Click Browse... and enter Greenbone Local Scan in the input box (see Fig. 10.13).

  6. Click Check Names.

    _images/win_group_policy_deny2.png

    Fig. 10.13 Editing the policy

  7. Click OK three times to close the open windows.

Configuring the Policy to Give Read Permissions Only to the Local Drive for the Group ``Greenbone Local Scan``

Important

This setting still exists after the GPO has been removed (“tattooing GPO”).

This changes fundamental privileges which may not be simply reversed by removing the GPO.

Research whether the settings are compatible with the environment.

Note

The following steps are optional.

  1. Click on the policy Greenbone Local SecRights and select Edit.

  2. Select Computer Configuration > Policies > Windows Settings > Security Settings in the left panel.

  3. In the right panel click File System and select Add File....

  4. Enter %SystemDrive% in the input box Folder and click OK (see Fig. 10.14).

    _images/win_group_policy_read.png

    Fig. 10.14 Specifying the folder %SystemDrive%

  5. At Group or user names click Add.

  6. Enter Greenbone Local Scan in the input box and click OK (see Fig. 10.15).

    _images/win_group_policy_read2.png

    Fig. 10.15 Selecting the group Greenbone Local Scan

  7. In the section Group or user names select Greenbone Local Scan.

  8. Deactivate all checkboxes for Allow and activate the checkbox Write for Deny (see Fig. 10.16).

    _images/win_group_policy_read3.png

    Fig. 10.16 Denying write access to the group

  9. Click OK and confirm the warning message by clicking Yes.

  10. Select the radiobuttons Configure this file or folder then and Propagate inheritable permissions to all subfolders and files and click OK (see Fig. 10.17).

    _images/win_group_policy_read4.png

    Fig. 10.17 Making the permissions recursive

Configuring the Policy to Give Read Permissions Only to the Registry for the Group “Greenbone Local Scan”

Important

This setting still exists after the GPO has been removed (“tattooing GPO”).

This changes fundamental privileges which may not be simply reversed by removing the GPO.

Research whether the settings are compatible with the environment.

Note

The following steps are optional.

  1. In the left panel right click Registry and select Add Key.

  2. Select USERS and click OK (see Fig. 10.18).

    _images/win_group_policy_reg.png

    Fig. 10.18 Selecting the registry key

  3. Click Advanced and Add.

  4. Enter Greenbone Local Scan in the input box and click OK (see Fig. 10.19).

    _images/win_group_policy_reg2.png

    Fig. 10.19 Selecting the group Greenbone Local Scan

  5. Select This object and child objects in the drop-down-list Apply to.

  6. Deactivate all checkboxes for Allow and activate the checkbox Set Value, Create Subkey, Create Link, Delete, Change Permissions and Take Ownership for Deny (see Fig. 10.20).

    _images/win_group_policy_reg3.png

    Fig. 10.20 Disallowing edition of the registry

  7. Click OK twice and confirm the warning message by clicking Yes.

  8. Click OK.

  9. Select the radiobuttons Configure this key then and Propagate inheritable permissions to all subkeys and click OK (see Fig. 10.21).

    _images/win_group_policy_reg4.png

    Fig. 10.21 Making the permissions recursive

  10. Repeat the steps 2 to 9 for MACHINE and CLASSES_ROOT.

Allowing WMI access on Microsoft Windows Vista, 7, 8, 10, 2008, 2008R2, 2012 and 2016 Windows Firewall

Note

The following steps are optional.

  1. Click on the policy Greenbone Local SecRights and select Edit.

  2. Select Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall with Advanced Security > Inbound Rules in the left panel.

  3. Right click in the working area and select New Rule...?.

  4. Select the radiobutton Predefined and select Windows Management Instrumentation (WMI) in the drop-down-list (see Fig. 10.22).

    _images/win_group_policy_fw.png

    Fig. 10.22 Configuring the firewall via GPO

  5. Click Next.

  6. Activate the checkboxes Windows Management Instrumentation (ASync-In), Windows Management Instrumentation (WMI-In) and Windows Management Instrumentation (DCOM-In) (see Fig. 10.23).

    _images/win_group_policy_fw1.png

    Fig. 10.23 Configuring the firewall via GPO

  7. Click Next and click Finish.

Linking the Group Policy Object

  1. In the right panel right click Link an Existing GPO and select Link an Existing GPO....

  2. Select Greenbone Local SecRights in the sections Group Policy objects and click OK (see Fig. 10.24).

    _images/win_group_policy_link.png

    Fig. 10.24 Linking the policy

10.3.3.3. Restrictions

Based on the fact that write permissions to the registry and system drive have been removed, the following two tests will no longer work:

  • Leave information on scanned Windows hosts OID 1.3.6.1.4.1.25623.1.0.96171

    This test, if desired, creates information about the start and end of a scan under HKLMSoftwareVulScanInfo. Due to denying write access to HKLM this is no longer possible. If the test should be possible, the GPO must be adjusted respectively.

  • Windows file Checksums OID 1.3.6.1.4.1.25623.1.0.96180

    This test, if desired, saves the tool ReHash under C:\Windows\system32 (for 32-bit systems) or c:\Windows\SysWOW64 (for 64-bit systems). Due to denying write access this is no longer possible. If the test should be possible, the tool must be saved separately or the GPO must be adjusted respectively.

    More information can be found in Chapter 14.1.3.

10.3.3.4. Scanning Without Domain Administrator and Local Administrator Permissions

It is possible to build a GPO in which the user also does not have any local administrator permissions. But the effort to add respective read permissions to each registry branch and folder is huge. Unfortunately, inheriting of permissions is deactivated for many folders and branches. Additionally, these changes can be set by GPO but cannot be removed again (tattooing GPO). Specific permissions could be overwritten so that additional problems could occur as well.

Building a GPO in which the user does not have any local administrator permissions does not make sense from a technical and administrative point of view.

10.3.4. Requirements on Target Systems with Linux/UNIX

  • For authenticated scans on Linux or UNIX systems regular user access is usually enough. The login is performed via SSH. The authentication is done either with passwords or an SSH key stored on the GSM.
  • Generated installation package for credentials: The install package for Linux Debian or Linux RedHat is a DEB or a RPM file creating a new user without any specific permissions. An SSH Key that is created on the GSM is stored in the user’s home folder. For users of other Linux distributions or UNIX derivatives the key is offered for download. Creating a user and saving the key with the proper file permissions is the responsibility of the user.
  • In both cases it needs to be made sure that public key authentication is not prohibited by the SSH daemon. The line PubkeyAuthentication no must not be present.
  • Existing SSH keys may also be used. SSH keys can be generated with OpenSSH by using the command ssh-keygen on Linux or puttygen.exe when using PuTTY on Microsoft Windows. The formats Ed25519 or RSA are recommended. All SSH keys must correspond to RFC 4716.
  • For scans that include policy testing, root permission or the membership in specific groups (often wheel) may be necessary. For security reasons many configuration files are only readable by super users or members of specific groups.

10.3.5. Requirements on Target Systems with ESXi

By default, local ESXi users are limited to read-only roles. Either an administrative account or a read-only role with permission to global settings has to be used. This can be set up as follows:

  1. Start the Vsphere client.

  2. Select Administration > Roles in the menu bar (see Fig. 10.25).

    _images/vsphere1.png

    Fig. 10.25 Vsphere client offering access to the roles

    → The roles are displayed.

  3. Right click ReadOnly and select Clone (see Fig. 10.26).

    _images/vsphere2.png

    Fig. 10.26 Displaying the roles

    → The cloned role is displayed as well.

  4. Right click the cloned role and select Rename.

  5. Enter the new name of the cloned role in the input box and click OK.

  6. Right click the cloned role and select Edit Role....

  7. Unfold Global and activate the checkbox Settings (see Fig. 10.27).

    _images/vsphere6.png

    Fig. 10.27 Editing the role

  8. Click OK.

  9. Select Inventory > Inventory in the menu bar.

  10. Open the tab Permissions.

  11. Right click in the empty space and select Add Permission... (see Fig. 10.28).

    _images/vsphere8.png

    Fig. 10.28 Adding a permission to the scan user

  12. Select the scan user account used by the GSM in the left section (see Fig. 10.29).

  13. Select the created role in the drop-down-list in the right section (see Fig. 10.29).

  14. Click OK.

    _images/vsphere9.png

    Fig. 10.29 Assigning the role to the scan user

10.3.6. Requirements on Target Systems with Cisco OS

The GSM can check network components like routers and switches for vulnerabilities as well. While the usual network services are discovered and checked via the network some vulnerabilities can only be discovered by an authenticated scan. For the authenticated scan the GSM can use either SNMP or SSH.

10.3.6.1. SNMP

The GSM can use the SNMP protocol to access the Cisco network component. The GSM supports SNMPv1, v2c and v3. SNMP uses the port 161/udp. The default port list does not include any UDP port. Therefore, this port is ignored during the vulnerability test using Full and Fast and no SNMP check is enabled. To scan network components the port list should be modified to include at least the following ports:

  • 22/tcp SSH
  • 80/tcp 8080/tcp HTTP
  • 443/tcp 8443/tcp HTTPS
  • 2000/tcp SCCP
  • 2443/tcp SCCPS
  • 5060/tcp 5060/udp SIP
  • 5061/tcp 5061/udp SIPS
  • 67/udp DHCP Server
  • 69/udp TFTP
  • 123/udp NTP
  • 161/udp SNMP
  • 162/udp SNMP Traps
  • 500/udp IKE
  • 514/udp Syslog
  • 546/udp DHCPv6
  • 6161/udp 6162/udp Unified CM

The administrator can set up special port lists used only for such network components.

The GSM needs to access only very few objects from the SNMP tree. For a less privileged access an SNMP view should be used to constrain the visibility of the SNMP tree for the GSM. The following two examples explain how to set up the view using either a community string or an SNMPv3 user.

To use an SNMP community string the following commands are required on the target:

# configure terminal

Using an access list the usage of the community can be restricted. The IP address of the GSM is 192.168.222.74 in this example:

(config) # access-list 99 permit 192.168.222.74

The view gsm should only allow accessing the system description:

(config) # snmp-server view gsm system included
(config) # snmp-server view gsm system.9 excluded

The last command links the community gsm-community with the view gsm and the access-list 99:

(config) # snmp-server community gsm-community view gsm RO 99

When using an SNMPv3 user including encryption the following configuration lines are required on the target:

# configure terminal
(config) # access-list 99 permit 192.168.222.74
(config) # snmp-server view gsm system included
(config) # snmp-server view gsm system.9 excluded

SNMPv3 requires the setup of a group first. Here the group gsmgroup is linked to the view gsm and the access-list 99:

(config) # snmp-server group gsmgroup v3 priv read gsm access 99

Now the user can be created supplying the password gsm-password and the encryption key gsm-encrypt. The authentication is done using MD5 while the encryption is handled by AES128:

(config) # snmp-server user gsm-user gsm-group v3 auth md5 gsm-password priv
aes 128 gsm-encrypt

To configure either the community or the SNMPv3 user in the GSM the administrator selects Configuration > Credentials in the menu bar (see Chapter 10.3.2).

10.3.6.2. SSH

The authenticated scan can be performed via SSH as well. When using SSH, the usage of a special unprivileged user is recommended. The GSM currently requires only the command show version to retrieve the current version of the firmware of the device.

To set up a less privileged user which is only able to run this command, several approaches are possible. The following example uses the role based access control feature.

Tip

Before using the following example, make sure all side effects of the configuration are understood. If used without verification the system may restrict further logins via SSH or console.

To use role based access control AAA and views have to be enabled:

> enable
# configure terminal
(config)# aaa new-model
(config)# exit
> enable view
# configure terminal

The following commands create a restricted view including just the command show version. The supplied password view-pw is not critical:

(config)# parser view gsm-view
(config-view)# secret 0 view-pw
(config-view)# commands exec include show version
(config-view)# exit

Now the user gsm-user with the password gsm-pw is created and linked to the view gsm-view:

(config)# username gsm-user view gsm-view password 0 gsm-pw
(config)# aaa authorization console
(config)# aaa authorization exec default local

If SSH is not enabled yet the following commands take care of that. Use the appropriate host name and domain:

(config)# hostname switch
(config)# ip domain-name greenbone.net
(config)# crypto key generate rsa general-keys modulus 2048

Finally, enable SSH logins using the following commands:

(config)# line vty 0 4
(config-line)# transport input ssh
(config-line)# Crtl-Z

The credentials of the user need to be entered on the GSM. Select Configuration > Credentials in the menu bar and create the appropriate user (see Chapter 10.3.2).

Link the credentials to the target to be used as SSH credentials.

10.4. Configuring a Prognosis Scan

Not every vulnerability justifies a new scan of the network or of individual systems. If the GSM has already obtained information about vulnerabilities by former scans, it can make a prognosis of which security risks could exist.

Using the CVE scanner allows forecasting possible security risks based on current information about known security risks from the SecInfo management (see Chapter 13) without the need of a new scan. This is especially interesting for environments in which most vulnerabilities have been removed or remediated by using the GSM.

If security risks become known, an actual scan can be run to verify the prognosis.

Note

The asset database requires current data for the CVE scanner. A full scan, e.g. with the scan configuration “Full and fast”, has to be performed and the results have to be added to the assets.

A full scan of the systems should occur regularly in weekly or monthly intervals.

A prognosis scan can be run as follows:

  1. Run a full scan (see Chapter 10.2).

    Note

    A full scan configuration has to be chosen, e.g. Full and fast.

    Additionally, the radiobutton Yes has to be selected for Add results to Assets.

  2. Select Scans > Tasks in the menu bar.

  3. Create a new task by moving the mouse over new and clicking New Task.

  4. Define the task (see Chapter 10.2.2).

  5. Select CVE in the drop-down-list Scanner.

  6. Click Save.

  7. In the row of the task click start.

    → The scan is running. As soon as the status changes to Done the complete report is available. At any the time the intermediate results can be reviewed.

    Note

    It can take a while for the scan to complete. The page is refreshing automatically if new data is available.

  8. When the scan is completed select Scans > Reports in the menu bar.

  9. Click on the date of the report to show the results.

    → The report shows each found CVE as a vulnerability (see Fig. 10.30).

    _images/prognosis_scan_report.png

    Fig. 10.30 Results of a prognosis scan

  10. Click on a vulnerability and click details.

    → The details page of the vulnerability is opened.

    The NVT to which the result is assigned is displayed in the section Detection Method (see Fig. 10.31). By clicking on the NVT the details page of the corresponding NVT is opened.

    Tip

    For available actions on this page see Chapter 11.2.1.

    _images/prognosis_scan_result.png

    Fig. 10.31 Details of a detected CVE

Note

The CVE scanner might show false positives as it does not check whether the vulnerability actually exists.

10.5. Creating a Container Task

A container task can be used to import and provide reports created on other GSMs.

A container task can be created as follows:

  1. Select Scans > Tasks in the menu bar.

  2. Create a new container task by moving the mouse over new and clicking New Container Task.

  3. Enter the name of the container task in the input box Name (see Fig. 10.32).

    _images/container_new.png

    Fig. 10.32 Creating a container task

  4. Click Save.

  5. To add a report to the container task click import in the row of the container task.

  6. Click Browse... and select the XML file of a report (see Fig. 10.33).

    _images/container_import.png

    Fig. 10.33 Adding a report to a container task

  7. Select the radiobutton Yes to add the report to the assets (see Chapter 12).

  8. Click Import.

List Page

All existing container tasks can be displayed by selecting Scans > Tasks in the menu bar.

Note

Container tasks can be identified by status-container in the column Status.

For all container tasks the following actions are available:

  • import Import reports to the container task.
  • trashcan Delete the container task.
  • edit Edit the container task.
  • clone Clone the container task.
  • export Export the container task as an XML object.

Note

By clicking trashcan or export below the list of tasks more than one task can be deleted or exported at a time. The drop-down-list is used to select which tasks are deleted or exported.

Details Page

Click on the name of a container task to display the details of the container task. Click details to open the details page of the container task.

The following registers are available:

Information
General information about the container task.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all container tasks.
  • new Create a new container task.
  • clone Clone the container task.
  • edit Edit the container task.
  • trashcan Delete the container task.
  • export Export the container task as an XML object.
  • import Import reports to the container task.
  • report Show the last report for the container task or show all reports for the container task.
  • results Show the results for the container task.
  • note Show the notes for the container task.
  • override Show the overrides for the container task.

10.6. Managing Targets

List Page

All existing targets can be displayed by selecting Configuration > Targets in the menu bar.

For all targets the following information is displayed:

Name
Name of the target.
Hosts
Hosts that are scanned if the target is used for a scan (see Chapter 10.2.2).
IPs
Number of scanned hosts.
Port List
Port list used if the target is used for a scan (see Chapter 10.2.2).
Credentials
Credentials configured for the target.

For all targets the following actions are available:

  • trashcan Delete the target. Only targets which are currently not used can be deleted.
  • edit Edit the target.
  • clone Clone the target.
  • export Export the target as an XML file.

Note

By clicking trashcan or export below the list of targets more than one target can be deleted or exported at a time. The drop-down-list is used to select which targets are deleted or exported.

Details Page

Click on the name of a target to display the details of the target. Click details to open the details page of the target.

The following registers are available:

Information
Generel information about the target.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all targets.
  • new Create a new target.
  • clone Clone the target.
  • edit Edit the target.
  • trashcan Delete the target. Only alerts which are currently not used can be deleted.
  • export Export the target as an XML file.

10.7. Managing Tasks

List Page

All existing tasks can be displayed by selecting Scans > Tasks in the menu bar.

_images/task_overview.png

Fig. 10.34 Page Tasks displaying all tasks

For all tasks the following information is displayed:

Name

Name of the task. The following icons may be displayed:

alterable_task The task is marked as alterable. Some properties that would otherwise be locked once reports exist can be edited.

sensor The task is configured to run on a remote scanner (see Chapter 16).

provide_view The task is visible to one or more other user(s).

view_other The task is owned by another user.

Status

Current status of the task. The following status bars are possible:

status-new The task has not been run since it was created.

status-requested The task was just started. The GSM is preparing the scan.

status-run The task is currently running. The information is based on the number of NVTs executed on the selected hosts. For this reason the information does not necessarily correlate with the time spent.

status-delete The task was deleted. The actual deletion process can take some time as reports need to be deleted as well.

status-stopr The task was requested to stop recently. However, the scan engine has not yet reacted to this request yet.

status-stop The task was stopped. The latest report is possibly not yet complete. Other reasons for this status could be the reboot of the GSM or a power outage. After restarting the scanner, the task will be resumed automatically.

status-resumereq The task was just resumed. The GSM is preparing the scan.

status-error An error has occurred and the task was interrupted. The latest report is possibly not complete yet or is missing completely.

status-done The task has been completed successfully.

status-container The task is a container task.

status-upload The report is currently being uploaded into the container task.

Reports
Number of reports for the task. By clicking on the number of reports the page Reports is opened. A filter is applied to show only the reports for the selected task.
Last Report
Date and time of the latest report. By clicking it the details page of the latest report is opened.
Severity
Highest severity found by a scan of the task.
Trend
Change of vulnerabilities between the newest and the second newest report.

For all tasks the following actions are available:

  • start Start the task. Only currently not running tasks can be started.
  • stop Stop the currently running task. All discovered results will be written to the database.
  • schedule Show details of the assigned schedule (only available for scheduled tasks, see Chapter 10.9).
  • resume Resume the stopped task.
  • trashcan Delete the task.
  • edit Edit the task.
  • clone Clone the task.
  • export Export the task as an XML object.

Note

By clicking trashcan or export below the list of tasks more than one task can be deleted or exported at a time. The drop-down-list is used to select which tasks are deleted or exported.

Details Page

Click on the name of a task to display the details of the task. Click details to open the details page of the task.

The following registers are available:

Information
General information about the task.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all tasks.
  • new Create a new task or container task.
  • clone Clone the task.
  • edit Edit the task.
  • trashcan Delete the task.
  • export Export the task as an XML object.
  • start Start the task. Only currently not running tasks can be started.
  • stop Stop the currently running task. All discovered results will be written to the database.
  • resume Resume the stopped task.
  • report Show the last report for the task or show all reports for the task.
  • results Show the results for the task.
  • note Show the notes for the task.
  • override Show the overrides for the task.

10.7.1. Granting Permissions for a Task

On the details page of a task permissions for the task can be managed as follows:

Note

By default, normal users cannot create permissions for other users as they do not have read permission to the user database. To do this a user must specifically have the get_users permission. It makes most sense to create an additional role (see Chapter 9.2.2).

  1. Select Scans > Tasks in the menu bar.
  2. Click on the name of a task to display the details of the task. Click details to open the details page of the task.
  3. Click on the register Permissions.
  4. In the section Permissions click new.
  5. Select the permission type in the drop-down-list Grant.
  6. Select the radiobutton User, Group or Role and select the user/role/group in the respective drop-down-list (see Fig. 10.35).
_images/task_permission.png

Fig. 10.35 Creating a new permission

  1. Click Save.

    → The permission is displayed on the details page of the task (see Fig. 10.36).

    _images/task_permission_detailspage.png

    Fig. 10.36 Permission displayed on the details page of a task

After logging in the user can see the tasks and can access the respective reports.

10.8. Configuring and Managing Scan Configurations

The GSM appliance comes with various predefined scan configurations. They can be customized and new scan configurations can be created.

10.8.1. Default Scan Configurations

The following configurations are already available:

Empty
This is an empty template.
Discovery
Only NVTs that provide information of the target system are used. No vulnerabilities are being detected.
Host Discovery
Only NVTs that discover target systems are used. This scan only reports the list of systems discovered.
System Discovery
Only NVTs that discover target systems including installed operating systems and hardware in use are used.
Full and fast

For many environments this is the best option to start with.

This scan configuration is based on the information gathered in the previous port scan and uses almost all plug-ins. Only plug-ins that will not damage the target system are used. Plug-ins are optimized in the best possible way to keep the potential false negative rate especially low. The other configurations only provide more value in rare cases but with much higher effort.

Full and fast ultimate
This scan configuration expands the scan configuration “Full and fast” with plug-ins that could disrupt services or systems or even cause shutdowns.
Full and very deep
This scan configuration is based on the scan configuration “Full and fast” but the results of the port scan or the application/service detection do not have an impact on the selection of the plug-ins. Therefore, plug-ins that wait for a timeout or test for vulnerabilities of an application/service which were not detected previously are used. A scan with this scan configuration is very slow.
Full and very deep ultimate
This scan configuration expands the scan configuration “Full and very deep” with dangerous plug-ins that could cause possible service or system disruptions. A scan with this scan configuration is very slow.

10.8.2. Managing Scan Configurations

All existing scan configurations can be displayed by selecting Configuration > Scan Configs in the menu bar.

Note

By default, only the first 10 configurations are displayed.

_images/scan_configs_all.png

Fig. 10.37 Page Scan Configs displaying all available scan configurations

For all scan configurations the following information is displayed:

Name
Name of the scan configuration. A global scan configuration is marked with view_other.
Type
Type of the scan configuration.
Family – Total
Number of activated NVT families for the scan configuration.
Family – Trend

Trend of NVT families

trend_more New NVT families are included and activated automatically after an NVT feed update. This ensures that new NVTs are available immediately and without any interaction by the administrator.

trend_nochange New NVT families are not included automatically after an NVT feed update.

NVTs – Total
Number of activated NVTs for the scan configuration.
NVTs – Trend

Trend of NVTs

trend_more New NVTs of the activated NVT families are included and activated automatically after an NVT feed update. This ensures that new NVTs are available immediately and without any interaction by the administrator.

trend_nochange New NVTs are not included automatically after an NVT feed update.

Note

Greenbone Networks publishes new plug-ins (NVTs) regularly. New families of NVTs can be introduced through the Greenbone Security Feed as well.

For all scan configurations the following actions are available:

  • trashcan Delete the scan configuration. Only self-created scan configurations which are currently not used can be deleted.
  • edit Edit the scan configuration. Only self-created scan configurations which are currently not used can be edited.
  • clone Clone the scan configuration.
  • export Export the scan configuration as an XML file.

Note

By clicking trashcan or export below the list of scan configurations more than one scan configuration can be deleted or exported at a time. The drop-down-list is used to select which scan configurations are deleted or exported.

Click on the name of a scan configuration to display the details of the scan configuration. Click details to open the details page of the scan configuration.

The following registers are available:

Scanner Preferences
All scanner preferences for the scan configuration with current and default values.
NVT Families
All NVT families for the scan configuration with the number of activated NVTs and the trend.
NVT Preferences
All NVT preferences for the scan configuration.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all scan configurations.
  • new Create a new scan configuration.
  • clone Clone the scan configuration.
  • edit Edit the scan configuration. Only self-created scan configurations which are currently not used can be edited.
  • trashcan Delete the scan configuration. Only self-created scan configurations which are currently not used can be deleted.
  • export Export the scan configuration as an XML file.
  • upload Import a scan configuration (see Chapter 10.8.4).

10.8.3. Creating a Scan Configuration

Tip

Greenbone Networks offers different scan configurations on their website (see Chapter 14).

A new scan configuration can be created as follows:

  1. Select Configuration > Scan Configs in the menu bar.

  2. Create a new scan configuration by clicking new.

    Note

    Alternatively, a scan configuration can be imported (see Chapter 10.8.4).

  3. Enter the name of the scan configuration in the input box Name (see Fig. 10.38).

  4. Select the radiobutton of the base that should be used.

    It can be chosen between Empty, static and fast and Full and fast.

    _images/scan_config_new.png

    Fig. 10.38 Creating a new scan configuration

  5. Click Save.

    → The scan configuration is displayed on the page Scan Configs.

  6. In the row of the scan configuration click edit.

  7. In the sections Edit Network Vulnerability Test Families select the radiobutton trend_more if newly introduced NVT families should be included and activated automatically (see Fig. 10.39).

    _images/scan_config_edit.png

    Fig. 10.39 Editing the new scan configuration

  8. In the section Edit Network Vulnerability Test Families activate the checkboxes in the column Select all NVTs if all NVTs of a family should be activated.

  9. Click edit for an NVT family to edit it (see Fig. 10.40).

    _images/scan_config_edit_family.png

    Fig. 10.40 Editing a family of NVTs

  10. In the column Selected activate the checkboxes of the NVTs that should be activated.

  11. Click edit for an NVT to edit it (see Fig. 10.41).

    _images/scan_config_edit_nvt.png

    Fig. 10.41 Editing an NVT

  12. Click Save to save the NVT.

  13. Click Save to save the family of NVTs.

  14. In the section Edit Scanner Preferences click fold to edit the scanner preferences (see Chapter 10.8.5).

  15. In the section Network Vulnerability Test Preferences click fold to display the preferences of each NVT.

  16. Click Save to save the scan configuration.

10.8.4. Importing a Scan Configuration

A scan configuration can be imported as follows:

  1. Select Configuration > Scan Configs in the menu bar.

  2. Click upload.

  3. Click Browse... and select the XML file of the scan configuration.

  4. Click Create.

    Note

    If the name of the imported scan configuration already exists, a numeric suffix is added to the name.

    → The imported scan configuration is displayed on the page Scan Configs.

  5. In the row of the scan configuration click edit.

  6. Execute steps 7 to 16 of 10.8.3 to edit the scan configuration.

10.8.5. Editing the Scanner Preferences

The GSM uses Nmap and Ping as port scanners. Nmap is being used via the NASL wrapper allowing large flexibility.

Note

Documenting all scanner and NVT preferences is out of scope of this document.

Only the most important general settings and specific settings of the scanners are covered.

Scanner preferences can be edited as follows:

  1. Select Configuration > Scan Configs in the menu bar.

  2. In the row of the scan configuration click edit.

  3. In the section Edit Scanner Preferences click fold to edit the scanner preferences (see Fig. 10.42).

    _images/scan_config_edit_scannerpref.png

    Fig. 10.42 Editing the scanner preferences

  4. After editing the scanner preferences click Save to save the scan configuration.

10.8.5.1. General Preferences

  • auto_enable_dependencies: This defines whether NVTs that are required by other NVTs are activated automatically.
  • cgi_path: Path used by the NVTs to access CGI scripts.
  • checks_read_timeout: Timeout for the network sockets during a scan.
  • drop_privileges: With this parameter the OpenVAS scanner gives up root privileges before starting the NVTs. This increases the security but results in fewer findings with some NVTs.
  • test_empty_vhost: The scanner also scans the target by using empty vhost values in addition to the target’s associated vhost values.
  • max_sysload: Maximum load on the GSM. Once this load is reached, no further NVTs are started until the load drops below this value again.
  • min_free_mem: Minimum available memory (in MB) which should be kept free on the GSM. Once this limit is reached, no further NVTs are started until sufficient memory is available again.
  • network_scan: This is an experimental option which scans the entire network all at once instead of starting Nmap for each individual host. This can save time in specific environments.
  • non_simult_ports: These ports are not being tested simultaneously by NVTs.
  • optimize_test: NVTs will only be started if specific prerequisites are met (e.g. open port or detected application).
  • plugins_timeout: Maximum run time of an NVT.
  • safe_checks: Some NVTs can cause damage on the host system. This setting disables those respective NVTs.
  • scanner_plugins_timeout: Maximum lifetime (in seconds) for all NVTs from the port scanners family. If an NVT runs longer, the plug-in is terminated.
  • expand_vhosts: The target’s host list of vhosts is expanded with values gathered from sources such as reverse lookup queries and VT checks for SSL/TLS certificates.
  • time_between_request: Wait time (in milliseconds) between two actions such as opening a TCP socket, sending a request through the open tcp socket and closing the TCP socket.
  • timeout_retry: Number of retries when a socket connection attempt times out.
  • unscanned_closed: This defines whether TCP ports that were not scanned should be treated like closed ports.
  • unscanned_closed_udp: This defines whether UDP ports that were not scanned should be treated as closed ports.

10.8.5.2. Ping Preferences

The NVT Ping Host in the NVT family Port scanners contains the following configuration parameters.

Note

The Alive Test settings of a target can overwrite some settings of the ping scanner.

  • !Do a TCP ping: This defines whether the reachability of a host should be tested using TCP. In this case the following ports will be tested: 21,22,23,25,53,80,135,137,139,143,443,445.
  • Do an ICMP ping: This defines whether the reachability of hosts should be tested using ICMP.
  • Mark unreachable Hosts as dead: This defines whether a host that is not discovered by this NVT should be tested by other NVTs later.
  • Report about reachable Hosts: This defines whether a host discovered by this NVT should be listed.
  • Report about unreachable Hosts: This defines whether a host not discovered by this NVT should be listed.
  • TCP ping tries also TCP-SYN ping: The TCP ping uses a TCP-ACK packet by default. A TCP-SYN packet can be used additionally.
  • Use ARP: This defines whether hosts should be searched for in the local network using the ARP protocol.
  • Use Nmap: This defines whether the ping NVT should use Nmap.
  • nmap: try also with only –sP: If Nmap is used the ping scan is performed using the –sP option.
  • nmap additional ports for –PA: Additional ports for the TCP ping test. This is only the case if Do a TCP ping is selected.

10.8.5.3. Nmap NASL Preferences

The following options of the NVT Nmap (NASL Wrapper) in the NVT family Port scanners will be directly translated into options for the execution of the nmap command. Additional information can be found in the documentation for nmap.

  • Do not randomize the order in which ports are scanned: Nmap will scan the ports in ascending order.
  • Do not scan targets not in the file: See File containing grepable results.
  • Fragment IP packets: Nmap fragments the packets for the attack. This allows bypassing simple packet filters.
  • Identify the remote OS: Nmap tries to identify the operating system.
  • RPC port scan: Nmap tests the system for Sun RPC ports.
  • Run dangerous ports even if safe checks are set: UDP and RPC scans can cause problems and usually are disabled with the setting safe_checks.
  • Service scan: Nmap tries to identify services.
  • Use hidden option to identify the remote OS: Nmap tries to identify more aggressively.
  • Data length: Nmap adds random data of specified length to the packet.
  • Host Timeout: Host timeout.
  • Initial RTT timeout: Initial round trip timeout. Nmap can adjust this timeout dependent on the results.
  • Max RTT timeout: Maximum RTT.
  • Min RTT timeout: Minimum RTT.
  • Max Retries: Maximum number of retries.
  • Maximum wait between probes: This regulates the speed of the scan.
  • Min RTT Timeout: This regulates the speed of the scan.
  • Minimum wait between probes: This regulates the speed of the scan.
  • Ports scanned in parallel (max): This defines how many ports should at most be scanned simultaneously.
  • Ports scanned in parallel (min): This defines how many ports should at least be scanned simultaneously.
  • Source port: Source port. This is of interest when scanning through a firewall if connections are in general allowed from a specific port.
  • File containing grepable results: Allows for the specification of a file containing line entries in the form of Host: IP address can be found. If the option Do not scan targets not in the file is set at the same time only systems contained in the file will be scanned.
  • TCP scanning technique: Actual scan technique.
  • Timing policy: Instead of changing the timing values individually the timing policy can be modified.

The timing policy uses the following values:

Paranoid Sneaky Polite Normal Aggressive Insane
initial_rtt_timeout 5 min 15 s 1 s 1 s 500 ms 250 ms
min_rtt_timeout 100 ms 100 ms 100 ms 100 ms 100 ms 50 ms
max_rtt_timeout 10 s 10 s 10 s 10 s 1250 ms 300 ms
max_parallelism serial serial serial parallel parallel parallel
scan_delay 5 min 15 s 400 ms 0 s 0 s 0 s
max_scan_delay 1 s 1 s 1 s 1 s 10 ms 5 ms

10.9. Performing a Scheduled Scan

For continuous vulnerability management the manual execution of task is tedious. The GSM supports the scheduling of tasks for their automation and refers to schedules as automatic scans at a specific time. They can be run once or repeatedly.

The GSM does not provide any schedules by default.

10.9.1. Creating a Schedule

A new schedule can be created as follows:

  1. Select Configuration > Schedules in the menu bar.

  2. Create a new schedule by clicking new.

  3. Define the schedule (see Fig. 10.43).

  4. Click Save.

    → The schedule is created and can be selected when creating a new task (see Chapter 10.2.2).

    _images/schedule_new.png

    Fig. 10.43 Creating a new schedule

The following details of the schedule can be defined:

Name
Definition of the name. The name can be chosen freely.
Comment
An optional comment can contain additional information.
Timezone

Definition of the timezone the time refers to. UTC is default.

Note

Since the GSM runs in the UTC timezone internally, the chosen time zone is very important. For Eastern Standard Time (EST) America/New York has to be selected.

Start
Definition of the start time of the first run.
End
Definition of the end time of the first run. Activate the checkbox Open End to leave the end time open.
Duration
Definition of the maximum duration a task can take for its execution. The duration depends on the given start and end time. If an end time is defined and the assigned time is expired, the task is aborted and will be suspended until the next scheduled time slot becomes available. This way it can be ensured that the scan will always run with a specific (maintenance) time window.
Recurrence
Definition of the repetition rate of the task. It can be selected between Once, Hourly, Daily, Weekly, Monthly, Yearly, Workweeks (Monday till Friday) or Custom. If the option Custom is selected, the repetition rate and the days on which the task should be run can be chosen.

10.9.2. Managing Schedules

List Page

All existing schedules can be displayed by selecting Configuration > Schedules in the menu bar.

For all schedules the following information is displayed:

Name
Name of the schedule.
First Run
Start time of the first run of the task.
Next Run
Next run of the task according to the current date and time.
Recurrence
Repetition rate of the task.
Duration
Maximum duration a task can take for its execution. The duration depends on the given start and end time. If an end time is defined and the assigned time is expired, the task is aborted and will be suspended until the next scheduled time slot becomes available. This way it can be ensured that the scan will always run with a specific (maintenance) time window.

For all schedules the following actions are available:

  • trashcan Delete the schedule. Only schedules which are currently not used can be deleted.
  • edit Edit the schedule.
  • clone Clone the schedule.
  • export Export the schedule as an XML file.

Note

By clicking trashcan or export below the list of schedules more than one schedule can be deleted or exported at a time. The drop-down-list is used to select which schedules are deleted or exported.

Details Page

Click on the name of a schedule to display the details of the schedule. Click details to open the details page of the schedule.

The following registers are available:

Information
General information about the schedule.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all schedules.
  • new Create a new schedule.
  • clone Clone the schedule.
  • edit Edit the schedule.
  • delete Delete the schedule.
  • export Export the schedule as an XML file.

10.10. Creating and Managing Scanners

The GSM appliance comes with two predefined scanners. They can be managed and new scanners can be created.

The following scanners are already available:

  • OpenVAS Default
  • CVE: the CVE scanner allows forecasting possible security risks based on current information about known vulnerabilities from the SecInfo management (see Chapter 13) without the need of a new scan (see Chapter 10.4).

Note

The desired scanner for a task is selected when creating the task (see Chapter 10.2.2).

10.10.1. Creating a Scanner

Note

The creation of a new scanner is only used in the following cases:

  • Creating a new remote scanner (see Chapter 16.3)
  • Creating an OSP scanner (see Chapter 18.1)

10.10.2. Managing Scanners

List Page

All existing scanners can be displayed by selecting Configuration > Scanners in the menu bar (see Fig. 10.44).

_images/scanner_listpage.png

Fig. 10.44 Page Scanners displaying all existing scanners

For all scanners the following actions are available:

  • trashcan Delete the scanner. Only self-created scanners can be deleted.
  • edit Edit the scanner. Only self-created scanners can be edited.
  • clone Clone the scanner. Only self-created scanners can be cloned.
  • export Export the scanner as an XML file.
  • verify Verify that the scanner is online and that the manager can connect to it using the provided certificates.
  • download_key Download the certificate or CA certificate. The certificate or CA certificate can only be downloaded for self-created scanners.

Note

By clicking trashcan or export below the list of scanners more than one scanner can be deleted or exported at a time. The drop-down-list is used to select which scanners are deleted or exported.

Details Page

Click on the name of a scanner to display the details of the scanner. Click details to open the details page of the scanner.

The following registers are available:

Information
General information about the scanner.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all scanners.
  • new Create a new scanner.
  • clone Clone the scanner. Only self-created scanners can be cloned.
  • edit Edit the scanner. Only self-created scanners can be edited.
  • trashcan Delete the scanner. Only self-created scanners can be deleted.
  • export Export the scanner as an XML file.
  • verify Verify that the scanner is online and that the manager can connect to it using the provided certificates.

10.11. Using Alerts

Alerts are anchored within the system. When a configured event (e.g. a task is finished) happens, a specified condition is checked (e.g. vulnerability with a high severity category detected). If the conditions is met, an action is performed, e.g. an e-mail is sent to a defined address.

10.11.1. Creating an Alert

A new alert can be created as follows:

  1. Select Configuration > Alerts.

  2. Create a new alert by clicking new.

  3. Define the alert (see Fig. 10.45).

  4. Click Save.

    _images/alert_new.png

    Fig. 10.45 Creating a new alert

The following details of the alert can be defined:

Name
Definition of the name. The name can be chosen freely.
Comment
An optional comment can contain additional information.
Event
Definition of the event for which the alert message is sent. Alarms can be sent if the status of a task changes, if SecInfo (NVTs, CVEs, CPEs, CERT-Bund Advisories, DFN-CERT Advisories, OVAL Definition) is added or updated or if a ticket is assigned or edited (see Chapter 11.6).
Condition

Definition of the additional conditions that have to be met.

Note

The options differ for task, for SecInfo and for ticket related alerts.

The alert message can occur:

  • Always
  • When a specific severity level is reached.
  • If the severity level changes, increases or decreases.
  • If a Powerfilter matches at least the specified number of results.
  • If a Powerfilter matches at least the specified number of results more than in the previous scan.
Report Content (only for task related alerts)
The report content can be limited with an additional filter. By clicking report the scan report content composer is opened and a Powerfilter can be chosen (see Chapter 11.2.2). The filter must be created previously (see Chapter 8.4).
Details URL (only for SecInfo related alerts)
Definition of the URL from which the SecInfo is obtained.
Delta Report
Optionally, a delta report can be created, either in comparison to a previous report or to a report with a certain ID.
Method

Selection of the method for the alert. Only one method per alert can be chosen. If different alerts for the same event should be triggered, multiple alerts must be created and linked to the same task.

Note

Some methods cannot be used for SecInfo or ticket related alerts.

The following methods are possible:

Email

An e-mail is sent to the given address. To use this method the mailserver to be used must be configured using the GSM console (see Chapter 7.2.10). For the subject the following place holders can be used:

  • $d date of last SecInfo check (blank for task alerts)
  • $e event description
  • $n task name (blank for SecInfo alerts)
  • $N alert name
  • $q type of SecInfo event (New, Updated or blank for task alerts)
  • $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
  • $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
  • $T total number of resources in the list for SecInfo alerts (0 for task alerts)
  • $u owner of the alert or currently logged in user if the alert was triggered manually
  • $U UUID of the alert
  • $$ the $ symbol

The transmission of the e-mail can by encrypted using a configurable S/MIME or GPG key. The key can be selected in the drop-down-list Email Encryption or created by clicking new.

The content of the e-mail can be a simple notice, an included or an attached report.

  • Include Report
    The report can be included directly in the e-mail. A report format that uses the content type text/* can be chosen as an e-mail does not support binary content directly.
  • Attach Report
    The report can be attached to the e-mail. Any report format can be chosen. The report will be attached to the generated e-mail in its correct MIME type.

The content of the e-mail message can be edited for both, the included and the attached report. For the message the following place holders can be used:

  • $c condition description
  • $d date of last SecInfo check (blank for task alerts)
  • $e event description
  • $F name of filter
  • $f filter term
  • $H host summary
  • $i report text or list of SecInfo resources (only when including the report/list)
  • $n task name (blank for SecInfo alerts)
  • $N alert name
  • $q type of SecInfo event (New, Updated or blank for task alerts)
  • $r report format name
  • $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
  • $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
  • $t note if the report was truncated
  • $T total number of resources in the list for SecInfo alerts (0 for task alerts)
  • $u owner of the alert or currently logged in user if the alert was triggered manually
  • $U UUID of the alert
  • $z timezone
  • $$ the $ symbol
HTTP Get

The URL is issued as HTTP Get. For example, an SMS text message can be sent via HTTP Get gateway or a bug report can be created in an issue tracker. The following variables can be used when specifying the URL:

  • $n name of the task
  • $e description of the event (Start, Stop, Done)
  • $c description of the condition that occurred
  • $$ the $ symbol
SCP

The report is copied to the given destination using SCP with the given login credentials.

Note

The host name must exactly match the input box Host.

Known hosts can be listed. Each line specifies a single host in the format “host protocol public_key”, e.g. localhost ssh-rsa AAAAB3NzaC1y...P3pCquVb.

Note

If the host is an IP address the known hosts have to be IP addresses as well.

The following variables can be used when specifying the path:

  • $$: $
  • $n: task name
Send to host
The report is sent to an arbitrary host-port-combination via TCP. The format of the report can be chosen from the installed report formats.
SMB

The report is copied to a given destination using the SMB protocol with the given login credentials.

The share path and the file path must be specified. The share path contains the part of the UNC path containing the host and the share name, e.g. “hostshare”.

Note

If the file path contains subdirectories which do not exist, the necessary subdirectories are created.

For the file path the following placeholders can be used:

  • %C creation date in the format YYYYMMDD (changed to current date if creation date is not available)
  • %c creation time in the format HHMMSS (changed to current time if creation time is not available)
  • %D current date in the format YYYYMMDD
  • %F name of the format plug-in used (XML for lists and types other than reports)
  • %M modification date in the format YYYYMMDD (changed to creation date or to current date if modification date is not available)
  • %m modification time in the format HHMMSS (changed to creation time or to current time if modification time is not available)
  • %N name for the resource or the associated task for reports (lists and types without a name will use the type (see %T))
  • %T resource type (task, port_list, ...), pluralized for list pages
  • %t current time in the format HHMMSS
  • %U UUID of the resource or (list for lists of multiple resources)
  • %u name of the currently logged in user
  • %% the % symbol

Note

The file extension is appended corresponding to the format selected in the drop-down-list Report Format.

The default report export file name (see Chapter 8.7) is appended to the file path if the file path ends with \.

Note

If a task uses the tag smb-alert:file_path with a value, then the value is used as the file path instead of the one that has been configured with the alert (see Chapter 8.5).

Example: smb-alert:file_path=alert_1 assigns the file path alert_1

SNMP

An SNMP trap is sent to the given agent. The provided community is used to authenticate the SNMP trap and the agent is the targeted SNMP trap receiver. For the message the following place holders can be used:

  • $$ the $ symbol
  • $d date of last SecInfo check (blank for task alerts)
  • $e event description
  • $n task name (blank for SecInfo alerts)
  • $q type of SecInfo event (New, Updated or blank for task alerts)
  • $s type of SecInfo (NVT, CERT-Bund Advisory or blank for task alerts)
  • $S see $s, but plural (NVTs, CERT-Bund Advisories, ...)
  • $T total number of resources in the list for SecInfo alerts (0 for task alerts)
Sourcefire Connector
The data can be sent to a Cisco Firepower Management Center (formerly known as Sourcefire Defense Center) automatically. For more information see Chapter 18.4.
Start Task
The alert can start an additional task. The task is selected in the drop-down-list.
System Logger
The alert is sent to a Syslog daemon. The Syslog server is defined using the console (see Chapter 7.2.11).
verinice.PRO Connector
The data can be sent to a verinice.PRO installation automatically. For more information see Chapter 18.2.
Alemba vFire
A new ticket in the service management application vFire is created. The report can be attached in one or more formats. For more information see Chapter 18.5.

10.11.2. Assigning an Existing Alert to a Task

If an alert should be used afterwards, the alert has to be defined for a specific task as follows:

Note

Already defined and used tasks can be edited as well as it does not have any effect on already created reports.

  1. Select Scans > Tasks in the menu bar.

  2. In the row of the task click edit.

  3. Select the alert in the drop-down-list Alerts (see Fig. 10.46).

    Note

    A new alert can be created by clicking new.

    _images/alert_assign_task.png

    Fig. 10.46 Configuring a task with an alert

  4. Click Save.

    → Afterwards the task using the alert appears on the details page of the alert (see Fig. 10.47).

    _images/alert_task_using.png

    Fig. 10.47 Task using a specific alert

10.11.3. Managing Alerts

List Page

All existing alerts can be displayed by selecting Configuration > Alerts in the menu bar.

For all alerts the following information is displayed:

Name
Name of the alert.
Event
Event for that the alert is triggered.
Condition
Condition that has to be fulfilled to trigger the alert.
Method
Chosen alert method with additional information, e.g. to which IP address or e-mail address the alert message is sent.
Filter (only for task related alerts)
Filter that is applied to the report content.
Active
Indication whether the alert is enabled or disabled.

For all alerts the following actions are available:

  • trashcan Delete the alert. Only alerts which are currently not used can be deleted.
  • edit Edit the alert.
  • clone Clone the alert.
  • export Export the alert as an XML file.
  • start Test the alert.

Note

By clicking trashcan or export below the list of alerts more than one alert can be deleted or exported at a time. The drop-down-list is used to select which alerts are deleted or exported.

Details Page

Click on the name of an alert to display the details of the alert. Click details to open the details page of the alert.

The following registers are available:

Information
General information about the alert.
User Tags
Assigned tags (see Chapter 8.5).
Permissions
Assigned permissions (see Chapter 9.4).

The following actions are available in the upper left corner:

  • help Open the corresponding chapter of the user manual.
  • list Show the list page of all alerts.
  • new Create a new alert.
  • clone Clone the alert.
  • edit Edit the alert.
  • trashcan Delete the alert. Only alerts which are currently not used can be deleted.
  • export Export the alert as an XML file.

10.12. Obstacles While Scanning

There are several typical problems which might occur during a scan using the default values of the GSM. While the default values of the GSM are valid for most environments and customers, depending on the actual environment and the configuration of the scanned hosts they might require some tweaking.

10.12.1. Hosts not Found

During a typical scan (either “Discovery” or “Full and Fast”) the GSM will by default first use the ping command to check the availability of the configured targets. If the target does not reply to the ping request it is presumed to be dead and will not be scanned by the port scanner or any NVT.

In most LAN environments this does not pose any problems because all devices will respond to a ping request. But sometimes (local) firewalls or other configuration might suppress the ping response. If this happens the target will not be scanned and will not be included in the results and the scan report.

To remediate this problem, both the target configuration and the scan configuration support the setting of the alive test (see Alive Test).

If the target does not respond to a ping request, a TCP Ping may be tested. If the target is located within the same broadcast domain, a ARP Ping may be tried as well.

10.12.2. Long Scan Periods

Once the target is discovered to be alive using the ping command the GSM uses a port scanner to scan the target. By default, a TCP port list containing around 5000 ports is used. If the target is protected by a (local) firewall dropping most of these packets the port scan will need to wait for the timeout of each individual port. If the hosts are protected by (local) firewalls the port lists or the firewalls may be tuned. If the firewall does not drop the request but rejects the request the port scanner does not have to wait for the timeout. This is especially true if UDP ports are included in the scan.

10.12.3. NVT not Used

This happens especially very often if UDP based NVTs like NVTs using the SNMP protocol are used. If the default configuration Full and Fast is used, the SNMP NVTs are included. But if the target is configured using the default port list, the NVTs are not executed. This happens because the default port list does not include any UDP ports. Therefore, the port 161/udp (snmp) is not discovered and excluded from further scans. Both the discovery scans and the recommended Full and Fast scan configuration optimize the scan based on the discovered services. If the UDP port is not discovered, no SNMP NVTs are executed.

Do not enable all ports per default in the port lists. This will prolong the scans considerably. Best practice is the tuning of the port lists to the ports which are used in the environment and are supported by the firewalls.

10.12.4. Scanning vhosts

The scanner is able to find all relationships of host names and IP addresses without needing additional user input.

In environments with virtual hosts, the scan results will have less results because duplicates are avoided.

Two scanner preferences handle vhost scanning (see Chapter 10.8.5):

test_empty_vhost
If this preference is enabled, the scanner also tests the target by using empty vhost values in addition to the target’s associated vhost values.
expand_vhosts
If this preference is enabled, the target’s host list of vhosts is expanded with values gathered from sources such as reverse lookup queries and VT checks for SSL/TLS certificates.

Footnotes

[1]The maximum netmask is /20. This equals 4096 addresses.