The credential setting is only part of the process, though. You still need to configure a scan that can use the credentials. The first thing to do is to either identify or create a scan configuration that includes local vulnerabilities for the target operating systems you have. As an example, Figure 4-3 shows a dialog box displaying a section of the vulnerability families available in OpenVAS. You can see a handful of operating systems listed with local vulnerabilities, including CentOS as well as Debian and Fedora. Many other operating systems are included, and each family may have hundreds, if not thousands, of vulnerabilities.
Figure 4-3. Selecting vulnerability families in OpenVAS
Once you have your vulnerabilities selected, you need to create targets and apply your credentials. Figure 4-4 shows the dialog box in OpenVAS for creating a target. This requires that you specify an IP address, an IP address range, or a file that includes the list of IP addresses that are meant to be the targets. Although this dialog box provides other options, the ones that we are most concerned with are the ones where we specify credentials. The credentials created here have been selected to be used against targets that have SSH servers running on port 22. If you have previously identified SSH servers listening on other ports, you can specify those ports instead. In addition to SSH, you can select SMB and ESXi as protocols to log in with.
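The same two dialogs can be driven without the web interface, because OpenVAS's manager speaks an XML protocol (GMP) in which a credential and a target are separate objects and the target refers to the credential by ID, with the SSH port attached to that reference. The example below is added here and is not code from the book or from the OpenVAS project; it builds the two requests and validates the host list before anything is sent. The element names are assumed to follow the published GMP schema, and the host list, account name and credential ID are constructed sample values. Delivery to the manager socket (with gvm-cli or python-gvm) is left out. Because the scanner stores the password, use a dedicated account for scanning rather than an administrator's credentials.

```python
"""Build the GMP requests behind the OpenVAS "new credential" and "new target"
dialogs (added example, not OpenVAS project code).

Assumptions: element names (create_credential, create_target, hosts,
ssh_credential with a port child, smb_credential, esxi_credential) follow the
GMP schema; all host lists, logins and IDs below are constructed sample data.
"""
import ipaddress
import xml.etree.ElementTree as ET


def validate_hosts(hosts_spec):
    """Check each comma-separated entry is a single IP, a CIDR block, or a
    range. Ranges may be full (10.0.0.1-10.0.0.9) or short (10.0.0.1-9),
    the short form giving only the final octet after the dash."""
    cleaned = []
    for entry in (h.strip() for h in hosts_spec.split(",")):
        if not entry:
            continue
        if "-" in entry:
            start, end = entry.split("-", 1)
            start_ip = ipaddress.ip_address(start)
            if end.isdigit():
                end = start.rsplit(".", 1)[0] + "." + end
            end_ip = ipaddress.ip_address(end)
            if end_ip < start_ip:
                raise ValueError(f"range end precedes start: {entry}")
        elif "/" in entry:
            ipaddress.ip_network(entry, strict=False)
        else:
            ipaddress.ip_address(entry)  # raises ValueError on garbage
        cleaned.append(entry)
    if not cleaned:
        raise ValueError("empty host list")
    return ",".join(cleaned)


def create_credential_xml(name, login, password):
    """Username/password credential; ElementTree escapes the password."""
    root = ET.Element("create_credential")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "login").text = login
    ET.SubElement(root, "password").text = password
    return ET.tostring(root, encoding="unicode")


def create_target_xml(name, hosts_spec, ssh_credential_id=None, ssh_port=22,
                      smb_credential_id=None, esxi_credential_id=None):
    """Target definition: host list plus the credential IDs returned by the
    manager when each credential was created. Only SSH carries a port."""
    root = ET.Element("create_target")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "hosts").text = validate_hosts(hosts_spec)
    if ssh_credential_id:
        ssh = ET.SubElement(root, "ssh_credential", id=ssh_credential_id)
        ET.SubElement(ssh, "port").text = str(ssh_port)
    if smb_credential_id:
        ET.SubElement(root, "smb_credential", id=smb_credential_id)
    if esxi_credential_id:
        ET.SubElement(root, "esxi_credential", id=esxi_credential_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample values; a real credential ID comes back from gvmd.
    print(create_credential_xml("lab scan account", "scanner", "s3cret&more"))
    print(create_target_xml("Lab Linux hosts", "192.168.1.0/24, 10.0.0.5-9",
                            ssh_credential_id="00000000-0000-0000-0000-000000000001",
                            ssh_port=2222))
```

The validation step matters because OpenVAS will happily accept a mistyped range and scan the wrong hosts; catching `192.168.1.300` or a reversed range locally is cheaper than discovering it in the scan log.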
Local Vulnerabilities | 125
Figure 4-4. Selecting a target in OpenVAS
Each operating system is going to be different, and this is especially true with Linux, which is why there are different families in OpenVAS for local vulnerabilities. Each distribution is configured a little differently and has different sets of packages. Beyond the distribution, users can have a lot of choices for categories of packages. Once the base is installed, hundreds of additional packages could typically be installed, and each of those packages can introduce vulnerabilities.
One common approach to hardening is to limit the number of packages that are installed. This is especially true when it comes to server systems, on which only the bare minimum of software necessary to operate the services should be installed.
Root Kits
While not strictly a vulnerability scanner, it's worth knowing about Rootkit Hunter. This program can be run locally on a system to determine whether it has been compromised and has a root kit installed. A root kit is a software package that is meant to facilitate a piece of malware. It may include replacement operating system utilities to hide the existence of the running malware. For example, the ps program may be altered to not show the processes associated with the malware. Additionally, ls may hide the existence of the malware files. Root kits may also implement a backdoor that will allow attackers remote access.
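The reason a modified ps is detectable at all is that it is only one view of the process table. The check below, added as an example and not taken from Rootkit Hunter, compares three views: the PID directories in /proc, the PIDs ps prints, and the PIDs the kernel acknowledges when asked directly with a null signal. A root kit that patched only the ps binary shows up as a PID present in /proc but missing from ps; one that hooks directory listing (for example through LD_PRELOAD) hides from both of those but still answers kill(pid, 0). The ps output and PID set used for the self-test are constructed sample data; the live check is Linux-specific.

```python
"""Cross-view check for process-hiding root kits (added example, not part of
Rootkit Hunter). Compares /proc, ps, and kill(pid, 0) and reports PIDs that
one view shows and another hides. Sample data below is constructed."""
import os
import re
import subprocess


def parse_ps_pids(ps_output):
    """Extract the PID column from `ps -e` style output, skipping the header."""
    pids = set()
    for line in ps_output.splitlines()[1:]:
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def list_proc_pids(proc_root="/proc"):
    """View 1: numeric directory names in /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def probe_pids(max_pid=65535):
    """View 3: ask the kernel. kill(pid, 0) delivers nothing but reports
    whether the PID exists; PermissionError means it exists but is not ours.
    Caveat: thread IDs also answer, so confirm a hit is a thread-group leader
    (Tgid == Pid in /proc/<pid>/status, if visible) before calling it hidden."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(reference_pids, suspect_view_pids):
    """PIDs the reference view has and the suspect view lacks. Short-lived
    processes race between snapshots, so confirm before treating as a hit."""
    return sorted(reference_pids - suspect_view_pids)


def confirm_still_present(pids, proc_root="/proc"):
    """Second look: a transient process will have gone away by now."""
    return [p for p in pids if os.path.isdir(os.path.join(proc_root, str(p)))]


# Constructed sample: PID 4242 exists in /proc but a patched ps omits it.
SAMPLE_PS_OUTPUT = """\
  PID TTY          TIME CMD
    1 ?        00:00:02 systemd
  842 ?        00:00:00 sshd
 1337 ?        00:00:00 cron
"""
SAMPLE_PROC_PIDS = {1, 842, 1337, 4242}


def run_live():
    """Live comparison on a Linux host; returns (hidden_from_ps, hidden_from_proc)."""
    ps = subprocess.run(["ps", "-e"], capture_output=True, text=True, check=True).stdout
    proc_view, ps_view = list_proc_pids(), parse_ps_pids(ps)
    hidden_from_ps = confirm_still_present(hidden_pids(proc_view, ps_view))
    hidden_from_proc = hidden_pids(probe_pids(), proc_view)  # see TID caveat
    return hidden_from_ps, hidden_from_proc


if __name__ == "__main__":
    print("sample, hidden from ps:",
          hidden_pids(SAMPLE_PROC_PIDS, parse_ps_pids(SAMPLE_PS_OUTPUT)))
    if os.path.isdir("/proc"):
        print("live:", run_live())
```

A kernel-mode root kit that filters /proc, ps and the signal path consistently defeats all three views from inside the compromised host, which is why Rootkit Hunter also checks file hashes and known signatures, and why the strongest check is an offline comparison from a boot medium the attacker never touched.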