Penetration Testing for Small Businesses Part #1: Getting Started

Without doubt, there are many small business owners who realize the benefits of a penetration test and want to secure their infrastructure; however, many more will be of the opinion that they need not concern themselves with the security of their network as they have no information a hacker would ever find useful. This mindset, that of ‘security through anonymity’, is inherently flawed as in reality, every business network, regardless of size, likely contains something useful for a hacker. It can be credit card details, personal information usable in identity theft or easily compromised machines that can be used as platforms to attack other targets.

Want to know more? Get in touch with one of our experts today

For any small business owner, however, the cost of a professional penetration test is likely to prevent even those who are well aware of its importance from paying for one, which is unfortunate, given the current state of cyber crime.

With this in mind, we thought it would be helpful to many if we published what is basically a ‘do it yourself’ penetration test guide, in which I will describe, step by step, how to conduct a general vulnerability scan of your internal network, using OpenVAS, an open source vulnerability scanner.

Naturally, the results of this scan won’t be nearly as comprehensive as an actual penetration test or provide the bespoke remediation advice a security consultant can give; however, it should suffice in helping to find the ‘low hanging fruit’ in your network, i.e. the more obvious weaknesses, which is what the majority of attackers will be looking for.

The article will be broken up into three posts describing how to:

1. Set up OpenVAS.
2. Configure and perform the scan
3. Interpret and act on the scan results

At the end of each post there will be a short troubleshooting section where I will describe how to fix problems you many encounter whilst following that part of the guide. If you can’t find the answer there, it’s worth using Google to see if anyone else has experienced a similar issue.

To simulate the infrastructure of a small business network, I have set-up a small network in our lab consisting of the following devices:

• Two servers, running Windows Small Business Server 2011. To highlight the importance of regular updates, one server will have been recently updated and one will be a fresh install.
• A desktop, running Windows 7 (updated).
• A desktop, running Windows XP (updated).
• A standard ADSL router.

Of course, your network will have differences, but once you have a grasp of how to operate the vulnerability scanner it should be a simple matter of adding any extra devices and editing the scan configuration appropriately.

Setting Up OpenVAS

Unfortunately, OpenVAS is not available for Windows, it’s a Linux only tool. This does make life slightly harder, however, the OpenVAS authors have created a stripped down (i.e. containing only essential features)Linux distribution (based on SuSE) with the tool pre-installed and pre-configured, meaning we can simply run the tool as a virtual machine (VM). VMs employ a concept known as virtualization, which allows multiple virtual systems (for example, a Windows 2008 server, a Windows XP desktop, etc.) to be run on one physical system but operate as if they were independent, physically separate entities.

In an enterprise environment, the advantages of virtualization are numerous; less physical systems means reduced hardware and operating costs and once a virtual machine has been created, backing it up is as simple as copying the resulting files to a safe destination.

For us though, being able to run the tool as a VM means we won’t have to physically install Linux in order to use it or have to deal with the inconveniences of running the tool as a live CD. We do, however, have to install some virtualization software in order to run the virtual machine, but it’s free and doesn’t require too much space on disk (around 350MB when installed). There are a couple of different software brands out there, with the most commonly used being VirtualBox or VMware Player. We will be using the latter, simply because that’s what I’m familiar with.

You can download VMware Player here (you will have to register first) and be sure to choose the top version as it’s for Windows. Run the installer and you can keep the default settings, though you may wish to deselect sending anonymous usage statistics. Once installed, restart your computer and accept the licensing prompt that comes up. If you are then asked if you wish to download VMware Workstation, ignore it.

Now we need to download the OpenVAS VM, which can be done here. Either file type will do, but I chose the OVF file as it’s designed for use in VMs. The OVF file does come compressed as a gzipped tar file, so you will need some decompression software; I’d highly recommend installing the free 7-Zip. On the 7-Zip homepage, choose the appropriate installer depending on whether you have a 64bit or 32bit version of Windows and, once installed, be sure to associate 7-Zip with at least gz and tar in 7-Zip File Manager > Tools > Options.

Once you have 7-Zip installed and the VM has finished downloading, right click the file and select 7-Zip > Extract Here, which will produce a .tar file, then to extract its contents right click it and 7-Zip > Extract Here again. Once extracted, you can then delete the .tar.gz file and the .tar file and move the OpenVAS VM folder to somewhere of your choosing. I just put it in a folder called Virtual Machines in My Documents.

Now we can open up our OVF file in VMware Player. So hit Open a Virtual Machine, then browse to the folder and be sure to change the Files of Type  to All image files. You’ll then be able to select the OpenVAS OVF file.

Next click Open and then Import and VMware player will import our new OpenVAS VM. When finished, we need to edit the virtual network adaptor settings to ensure the VM operates in bridged mode. By default, VMware Player will use NAT mode (Network Address Translation) to provide your VM with network connectivity. At a basic level, this means that your VM will share an IP address with your  host operating system (OS). Your host will then use the concept of NAT to ensure that responses to traffic emanating from your VM are directed to it accordingly.

When in bridged mode, your VM will have its own IP address on the network. From a vulnerability scanning perspective, this is vital as the scanner may fail to work properly in a NATed environment. This is because using NAT adds extra processing overhead to any data transmitted to and from the VM, which, when combined with the already large amount processing required for a vulnerability scan, ensures that some data is lost in transit. The scanner then interprets the missing data as a false negative, invalidating that particular scan result.

At this point, I would likely to highly recommend that, when following this guide and performing a scan, you use a wired connection, i.e. you physically connect to your network (likely via a router or a switch) using something like a Cat-5 cable. Scans conducted wirelessly will be affected by the increased data loss that occurs over wireless connections, potentially invalidating your results. If you have no choice but to scan wirelessely, you will need to perform some further configuration to the virtual network adapter settings. I have written a separate article explaining how to do this, which you can read here.

To use bridged mode, simply click Edit virtual machine settings or the network adapter icon in the bottom right. Then select the Network Adapter setting and ensure the Bridged option is selected.

Once configured, hit Play virtual machine and we can get started!

After the initial loading screen, you should be presented with the Boot Options menu. Just hit enter on the first choice to boot into the standard OpenVAS VM. If you recieve a prompt from VMware player asking to install VMware tools, click Never Remind Me as we won’t need any of the functionality it provides. If, at any point, you wish to access your host operating system, press Ctrl and Alt together and you’ll be able to navigate to it as if VMware player was just another program window. Leaving the VM has no effect on what’s taking place inside it, i.e. it will keep on booting or running any commands. To then access the VM again, either click in the window or press Ctrl G. Similarly, if you wish to shut the VM down, you can go to Virtual Machine > Power > Suspend and this will turn the VM off, but save its current state. Thus when you resume the VM, it will be exactly how you left it.

We have to perform some minor configuration of the VM, so first you’ll be presented with a language selection screen. Choose which one you’d like using the arrow keys and then press F10 to continue. Note, you’ll be unable to use your mouse at any point whilst using the VM as the linux distribution OpenVAS is installed on is so stripped down that it lacks a graphical user interface. This may seem daunting at first, but fear not as you will quickly become accustomed to it and there is barely any configuration required.

Next you will encounter the keyboard configuration selection screen. Again, just use the arrow keys to navigate to what suits you best and hit F10.

Last of all, you will have to set the clock and time zone. Use the arrow keys to select your region, then press Alt Z to move across to select your timezone. Once set, hit F10 again and that’s all the configuration completed!

The VM will then continue the booting process and you will see Reading OpenVAS plugins. . . as OpenVAS loads the plugins it uses to perform a vulnerability scan. After about 15-20 minutes you will be presented with this screen:

Of the two sets of login details given, the client credentials are the ones we need. The OS (operating system) login details allow us to login to the actual Linux system, which we won’t actually need to use; however, for security purposes, we’re going to login once and change the default root password.

To do this, login with the OS details provided; in my case, root and xialiwainhor. Once authenticated, type “passwd” to bring up the password change prompt. You’ll then be asked for a new password, so enter an appropriately complex password and confirm it. When finished, we have no need to be logged in to the VM so to practice good security it’s best we logout by entering “exit”.

We can now log in to the Greenbone Security Assistant (GSA); take the URL provided, in my case http:////192.168.0.55:9392, and put it in your normal browser’s address bar. You will receive a warning about an invalid certificate, but just accept it. You will then be greeted by the GSA login page, in which you can enter the client login details given in the OpenVAS VM; for me, username: openvas, password: forbepehattn. All of our scanning will be conducted through the GSA, as it will act as a client to our OpenVAS VM, which acts as a server.

Once logged in, the first thing we must do is change our password, otherwise anyone who accesses the VM will be able to view the password, login into GSA and scan any target they choose. To do this, go to Users under Administration and click the spanner icon to edit. In the next menu you can then change the password. It’s worth noting you can also add an extra user here and give them a reduced privilege role of User. This will mean that they will be able to perform scans but not add more users or edit existing ones. You can also limit the user as to what hosts it is allowed to scan. This is useful if, for example, you have a colleague you would like to allow to perform vulnerability scanning of your network but only of certain, non-vital machines. You can then enter the IP addresses or hostnames of those machines into the text box and check the Allow box. When that user is then logged in, they will only be permitted to scan the hosts you have provided. On the other hand, if you check the Deny box, you can let that user scan the entire network, except for the machines you have listed. For me, though, I will be the only one using OpenVAS so to keep it simple I will just edit the password of the existing openvas account.

If you did decide to change the password of the existing openvas account, you will need to hit Logout in the top right hand side corner and then login again with the new password, otherwise GSA will produce an error.

Lastly, what we want to do now is update our plugins so that when we perform our scan we ensure we are scanning for the latest vulnerabilities. It’s very simple to do, just click NVT Feed under Administration and then hit Synchronize with Feed now. It will take about 10-15 minutes when you update for the first time.

That’s our OpenVAS installation fully set up and configured and part #1 of securing your network completed – congratulations! In my next post I will demonstrate how to launch a scan with settings appropiate to your network, so check back soon!

Want to check how good your organisation’s security is? Click here.

Troubleshooting

The OpenVAS VM screen has turned black and I can’t see any text.

This is effectively the OpenVAS screensaver. To access the VM and view any text again, simply click in the VM and hit enter.

The OpenVAS VM is running but I receive a No Data Received/Cannot Display Webpage/The Connection Was Reset error when I try and browse to the GSA

If you are receiving these errors it’s likely that you typed in http://yourIPaddress:9392 as oppose to http:////yourIPaddress:9392. Double check and add the ‘ s‘ if necessary.

The OpenVAS VM is running but I receive a Webpage Not Available/Cannot Display Webpage/Connection Has Timed Out error when I try and browse to the GSA.

In this case, it’s likely that a new IP address has been assigned to your VM. This could happen as a result of your router being reset, your internet connection dropping or you have left the VM open long enough that its IP address lease has expired. For each of these situations, you will be assigned a new IP address, so you will need to use a different URL to access the GSA. Unfortunately, the URL provided in the OpenVAS login screen will not update, thus you will have to log into the VM to check the new IP address.

To do this, login with root and the password you set earlier and then type ifconfig eth0, which will display, amongst other information, the VM’s current IP address (eth0 is the name Linux gives to your network adapter). The address after inet addr is the OpenVAS VM’s IP, which you can take and put into your browser, as described above. So, based on the image below, I would enter http:////192.168.0.56:9392 to access the GSA. Be sure to then logout of the VM by entering exit.

You’ve tried the above and still can’t access the GSA.

If the output from ifconfig eth0 does not list an IP address it could be that you have yet to be assigned a new lease. To do so, make sure you are in bridged mode (I describe how to do this above) and then login to the VM as root. Once in, you’ll want to kill the existing instance of dhcpcd, which is the SuSE DHCP client, using killall dhcpcd. After that, you’ll want to start it up again using dhcpcd eth0. Finally, use ifconfig eth0 to check the new IP you have been given and then use it to access the GSA.

None of the above have helped and you’re still experiencing issues.

Try a reboot! You’ll have to wait the 15-20 minutes while the VM loads all the plugins, though you won’t have to perform any of the keyboard/language configuration again. Login into the VM as root and then enter reboot. If this doesn’t fix the problem, have a Google to see if anyone else has experienced a similar issue. If you still can’t find the answer you may wish to delete the VM and try the setup process again.