PA211 Advanced Topics of Cyber Security – Cybersecurity Laboratory – cybersec.fi.muni.cz

Pre-Class Activity

Pre-Class Activity – Setup Sandbox – I

1. Run the pa211_setup command on a school computer.
2. Change your working directory to the clone of the repository from the previous week: https://gitlab.fi.muni.cz/cybersec/pa211/management.git
3. Run git pull.
4. Change directory to openvas. This directory should contain a Vagrantfile.
5. Run vagrant up.
6. We will use only one Kali host, named student. Use the credentials kali:kali. You may need to log in twice.

Pre-Class Activity – Setup Sandbox – II

- Use the port forwarding command to access services from your host:
  vagrant ssh student -- -L 9392:localhost:9392
- Verify that you can access http://localhost:9392
- Log into Greenbone Security Assistant; the credentials are admin:admin

Pre-Class Activity – Import Test Data

- ospd-openvas container's logs
  - Start: Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may take a few minutes, please wait...
  - End: Finished loading VTs. The VT cache has been updated from version X to Y.
- gvmd container's logs
  - A scan can be started only after ospd-openvas has successfully loaded its data.
  - Start: OSP service has different VT status (version X) from database (version (Y), Z VTs). Starting update ...
  - End: Updating VTs in database ... done (X VTs).
Vulnerability Management – Seminar
PA211 Advanced Topics of Cyber Security
September 27, 2022
Lukáš Sadlek, Pavel Čeleda, and Jan Vykopal

Goals of this tutorial

- Become acquainted with:
  - Vulnerability scanning
  - Assessment of vulnerability scan results

Prerequisites – I

1. Run the pa211_setup command on a school computer.
2. Change your working directory to the clone of the repository from the previous week: https://gitlab.fi.muni.cz/cybersec/pa211/management.git
3. Run git pull.
4. Change directory to openvas. This directory should contain a Vagrantfile.
5. Run vagrant up.
6. We will use only one Kali host, named student. Use the credentials kali:kali. You may need to log in twice.

Prerequisites – II

- Use the port forwarding command to access services from your host:
  vagrant ssh student -- -L 9392:localhost:9392
- Verify that you can access http://localhost:9392
- Log into Greenbone Security Assistant; the credentials are admin:admin

Troubleshooting – I

- Destroy and re-create the virtual machine:
  vagrant destroy -f
  vagrant up
- Rerun the Ansible tasks if the Ansible script failed:
  vagrant provision
- Start all containers:
  sudo docker start $(sudo docker ps -aq)
- List all (not only running) containers:
  sudo docker container ls -a

Troubleshooting – II

- List open ports on the device:
  sudo netstat -tulpn
- Check the logs of a specific container for issues:
  sudo docker logs <container_id>
- A completed scan is a formality:
  - The target contains many more vulnerabilities than needed.
  - The tasks can be solved even if the scan was interrupted.
  - The solutions describe how to reveal the results.

Vulnerability scanning

Greenbone Vulnerability Management

- Previously named OpenVAS (Open Vulnerability Assessment Scanner)
- Full-featured open-source vulnerability scanner
- Greenbone Security Assistant (GSA) – web-based user interface
- NVT – network vulnerability test
- Override – rules for suppressing some results (e.g., false positives)
- See the documentation for more details [1]
- Main menu – demonstration

Greenbone Security Assistant – new task

- A New Task can be created in the Scans menu option
- Requires creating a new schedule and a new target, either:
  - In the Configuration part of the menu
  - Directly in the New Task window
- See the following slides

New Task window
New Schedule window

New Target window

- Hosts can be specified using:
  - IP address
  - IP address CIDR range
  - Hostname
  - Other options

Loading vulnerability test data

- ospd-openvas container's logs
  - Start: Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may take a few minutes, please wait...
  - End: Finished loading VTs. The VT cache has been updated from version X to Y.
- gvmd container's logs
  - A scan can be started only after ospd-openvas has successfully loaded its data.
  - Start: OSP service has different VT status (version X) from database (version (Y), Z VTs). Starting update ...
  - End: Updating VTs in database ... done (X VTs).

Task 1 – first scan

1. In the Scans section, create a New Task (in the upper left corner). Its name should be “PA211 Scan”.
2. Create a scan target called “metasploitable2”. Its hostname is metasploitable2.
3. Create “PA211 Schedule” and schedule its start in three minutes.
4. All other fields should have default or empty values.

The scan takes approximately 45 minutes.
Solution 1 – new task

Possible bug in user interface

- A task may obtain the Interrupted status despite being finished [1]
- Check the status of your scan:
  - Get the container id for the image greenbone/ospd-openvas:stable:
    sudo docker container ls
  - Connect to a bash shell inside the container:
    sudo docker exec -it <container_id> bash
  - Change the working directory to /var/log/gvm, which contains the file openvas.log
  - It should contain no errors and should end with a line such as: Vulnerability scan finished in N seconds: 1 alive hosts of 1
  - If so, the UI shows the wrong status, but the scan was successful

Vulnerability management lifecycle

- Our seminar targets the first stages of the lifecycle
- Stages:
  1. Discover
  2. Prioritize / Assess
  3. Report – similar to a pentesting report (lectures 7 and 8)
  4. Fix – a subset of the approaches from lectures 9–12 about hardening
  5. Verify – scan again

Metasploitable 2

- Intentionally vulnerable version of Ubuntu Linux
- Services: FTP, SSH, Telnet, SMTP, ...
- Issues:
  - Misconfigured services allow remote access from any host
  - Exported root of the file system ("/")
  - Some ports are used by applications containing backdoors
  - Weak passwords, e.g., postgres:postgres
  - Purposely vulnerable web services

Metasploitable 2

- Warning: do not expose its ports!
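The two log checks above (VT loading in the ospd-openvas and gvmd containers, and the completion line in openvas.log) can be scripted instead of read by eye. The following is an added example written for this tutorial, not part of the course materials or of Greenbone's code; the log excerpts are constructed, and the version numbers, scan id and VT count in them are made up.

```python
import re
from typing import List, Optional, Tuple

# Message fragments quoted on the slides for the ospd-openvas and gvmd containers.
VT_LOADING = "Loading VTs. Scans will be [requested|queued] until VTs are loaded."
VT_LOADED_RE = re.compile(r"Finished loading VTs\. The VT cache has been updated from version (\S+) to (\S+)")
DB_UPDATING_RE = re.compile(r"OSP service has different VT status .* Starting update")
DB_UPDATED_RE = re.compile(r"Updating VTs in database \.\.\. done \((\d+) VTs\)")
# Completion line in openvas.log; the scan id between "scan" and "finished" is optional.
SCAN_DONE_RE = re.compile(r"Vulnerability scan\b.*?finished in (\d+) seconds: (\d+) alive hosts of (\d+)")


def vt_state(ospd_log: str, gvmd_log: str) -> str:
    """Return 'ready' only when ospd-openvas has finished loading VTs AND gvmd has
    finished syncing them into its database; otherwise name the step still pending."""
    if not VT_LOADED_RE.search(ospd_log):
        return "loading-vts" if VT_LOADING in ospd_log else "scanner-not-started"
    if not DB_UPDATED_RE.search(gvmd_log):
        return "updating-database" if DB_UPDATING_RE.search(gvmd_log) else "db-sync-not-started"
    return "ready"


def scan_outcome(openvas_log: str) -> Optional[Tuple[int, int, int]]:
    """Return (seconds, alive_hosts, total_hosts) from the completion line of
    openvas.log, or None when the scan never reported finishing. A completion
    line plus no error lines means an 'Interrupted' status in GSA is the UI
    bug described on the slide, not a failed scan."""
    m = SCAN_DONE_RE.search(openvas_log)
    return tuple(int(g) for g in m.groups()) if m else None


def error_lines(openvas_log: str) -> List[str]:
    """Heuristic: lines of openvas.log that mention 'error' (case-insensitive)."""
    return [line for line in openvas_log.splitlines() if "error" in line.lower()]


# Constructed sample log excerpts (not real container output).
SAMPLE_OSPD = (
    "Loading VTs. Scans will be [requested|queued] until VTs are loaded. This may take a few minutes, please wait...\n"
    "Finished loading VTs. The VT cache has been updated from version 202209200000 to 202209260000.\n"
)
SAMPLE_GVMD_PENDING = "OSP service has different VT status (version 202209260000) from database (version (0), 0 VTs). Starting update ...\n"
SAMPLE_GVMD_DONE = SAMPLE_GVMD_PENDING + "Updating VTs in database ... done (91234 VTs).\n"
SAMPLE_OPENVAS = "Vulnerability scan 1a2b3c4d finished in 2713 seconds: 1 alive hosts of 1\n"

if __name__ == "__main__":
    print(vt_state(SAMPLE_OSPD, SAMPLE_GVMD_PENDING))  # updating-database
    print(vt_state(SAMPLE_OSPD, SAMPLE_GVMD_DONE))     # ready
    print(scan_outcome(SAMPLE_OPENVAS))                # (2713, 1, 1)
```

In the sandbox, feed it the output of sudo docker logs for the two containers and the contents of /var/log/gvm/openvas.log from the ospd-openvas container.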
- Our instances:
  - Docker container from Docker Hub's community content
  - Most of the services are enabled
- Read more about Metasploitable 2 [1]

GVM – docker

- Set up using the official documentation at [1]
- Several containers:
  - redis-server containing the Redis server
  - pg-gvm running the PostgreSQL service
  - gvmd running the Greenbone Vulnerability Management Daemon
  - gsa running gsad – a web server providing the GSA application
  - ospd-openvas – a container providing the vulnerability scanner
  - Other containers specified by the documentation
- Other scanners (e.g., Nessus [2]) are also provided as Docker containers

Task 2 – scanning policy

Your organization has a scanning policy that conforms to the following rules:
1. Periodic scans are performed on the second Friday of each month at 3:00 a.m. UTC.
2. The scope of scanned assets includes the hosts 10.1.26.2 (hostname server) and 10.1.26.9 (hostname elk).
3. Only TCP ports and essential UDP ports should be scanned.
4. The scanner must check whether targets are up similarly to the ping command, which internally uses ICMP ping.

Determine what values will be filled into the New Task, New Target, and New Schedule windows, but do not execute any tasks.

Solution 2 – New Schedule window

Solution 2 – New Target window

Solution 2 – New Task window

Solution 1 – results – I

1. Open all details for your vulnerability scan from Task 1.
2.
Results are the third symbol from the right (number 226).

Solution 1 – layout – II

Solution 1 – III

- The layout contains graphs and a table
- Additional filters:
  - rows= adjusts the number of rows
  - min_qod= keeps only results whose quality of detection is at or above the given number
  - Spaces separate filters

Assessment of results

Task 3 – processing results

Analyzing properties of results, such as their severity and quality, may provide a general overview of the security posture.
a) How many vulnerabilities in the dashboard have medium or high severity?
b) How many results were detected with a quality of at least 95%?
c) Check the results with a severity score of 10.0. Does the host operating system have the most recent version?

Solution 3

a) The value can be obtained directly from a graph in the dashboard.
b) Sort the results table by the severity column in descending order, or add the filter min_qod=95 (with a space between filters), and determine the final count.
c) There is a vulnerability named Operating System (OS) End of Life (EOL) Detection.

Task 4 – report

An inevitable task of vulnerability management is to report the security posture of an organization. Currently, vulnerability scanners can streamline this process.
a) Find Greenbone Security Assistant's functionality for generating reports individually. Generate a report containing the results in a PDF file. What content does it have?
b) The years when vulnerabilities were published may reveal the efficacy of patching in the organization. Determine the two most recent vulnerabilities.
c) What are their CWEs in the NVD?

Solution 4

a) In the GSA menu, choose Scans -> Reports. Then click on the date in the table. This page provides the Download filtered report option.

Solution 4 b) c)

- A possible solution is to use the generated report and the standardized CVE identifiers of the form CVE-YYYY-NNNN. Search for the string CVE-year.
- The answer to b) depends on the completeness of the scan, e.g., CVE-2018-20212, CVE-2020-1938.
- Their CWEs can be found in the NVD [1]. In our example, it is CWE-79 = Cross-site scripting, NVD-CWE-Other.

Task 5 – analysis

Consider vulnerabilities that did not have a severity of 10.0. Find the three vulnerabilities among them with the highest severity. Which of these vulnerabilities, according to CVSS:
a) allows remote exploitation from unrelated parts of the Internet,
b) requires user interaction,
c) impacts the availability of the vulnerable product?

Solution 5

The concrete vulnerabilities depend on the completeness of the scan. The general rules are:
a) The access vector in CVSSv2 should be NETWORK, or the attack vector in CVSSv3 should be NETWORK.
b) User interaction in CVSSv3 is set to REQUIRED.
c) Availability impact in CVSSv2 or CVSSv3 is not NONE.

How was it today?

Please fill in an anonymous exit ticket: https://muni.cz/go/pa211-22-03
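The CVE-year search of Solution 4 b) and the three CVSS rules of Solution 5 are mechanical enough to script over an exported report. The following is an added example written for this tutorial, not part of the course materials; it assumes the report has been exported as plain text, the sample report excerpt is constructed (only the two CVE ids named above are taken from the slides, the third id and all CVSS vectors are made up), and it generalizes the rules to any CVSS v2 or v3 vector string.

```python
import re
from typing import Dict, List, Optional

# CVE identifiers have the form CVE-YYYY-NNNN (four or more digits after the year).
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


def most_recent_cves(report_text: str, count: int = 2) -> List[str]:
    """Collect the distinct CVE ids in a report and return the `count` newest,
    ordered by publication year and then by sequence number (Task 4 b)."""
    found = {(int(year), int(seq)) for year, seq in CVE_RE.findall(report_text)}
    newest = sorted(found, reverse=True)[:count]
    return [f"CVE-{year}-{seq:04d}" for year, seq in newest]


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 ('AV:N/AC:L/...') or v3 ('CVSS:3.1/AV:N/...') vector into metrics."""
    parts = vector.split("/")
    if parts[0].startswith("CVSS:"):
        parts = parts[1:]  # drop the v3 version prefix
    return dict(part.split(":", 1) for part in parts)


def triage(vector: str) -> Dict[str, Optional[bool]]:
    """Apply the three Solution 5 rules to one vector:
    a) remote: AV is NETWORK (N) in either version;
    b) user_interaction: UI is REQUIRED (R); v2 has no UI metric, so None;
    c) availability_impact: A is anything other than NONE (N)."""
    metrics = parse_vector(vector)
    is_v3 = vector.startswith("CVSS:3")
    return {
        "remote": metrics.get("AV") == "N",
        "user_interaction": (metrics.get("UI") == "R") if is_v3 else None,
        "availability_impact": metrics.get("A") not in (None, "N"),
    }


# Constructed report excerpt: the two ids named on the slides plus one older, made-up id.
SAMPLE_REPORT = """
High    CVE-2020-1938   result text elided
Medium  CVE-2018-20212  result text elided
Low     CVE-2013-1234   constructed example id
"""

if __name__ == "__main__":
    print(most_recent_cves(SAMPLE_REPORT))  # ['CVE-2020-1938', 'CVE-2018-20212']
    print(triage("CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"))  # constructed v3 vector
    print(triage("AV:N/AC:L/Au:N/C:P/I:P/A:P"))                    # constructed v2 vector
```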