f***@execulink.com
2016-11-10 19:55:24 UTC
As it turns out, it was a firewall issue on the target box. Although I
could SSH to the target from a terminal command line, after reviewing the
firewall rules I can see why OpenVAS could not. In our default iptables
config we specify a hit count (which is not a problem for manual
logins), and OpenVAS likely hammered the port causing SSHD on the target
to quit responding.
Thanks again,
Ted...
##########################################################
Thanks for Christian's earlier reply and request for more information.
In regards to the issue I'm having where OpenVAS does not appear to SSH
into a target machine using the credentials created. I followed previous
advice and added ssh debugging on the target box, log_whole_attack etc,
and gathered more information. A few interesting notes:
1. Upon openvas-start the following is added to openvasmd.log: "lib auth:
INFO:2016-11-10 15h09.37 utc:2383: Authentication configuration not
found"
2. SSH Authentication to the target failed during the scan
3. SSH debugging as well as /var/log/secure on the target does not even show
that there was an attempt to log in from the OpenVAS Workstation.
Below is some additional information. Any help with this would be
appreciated...

APPLICATION SERVER (TARGET):
CentOS 6.8
Allows keys and or password authentication
SSH Debugging enabled

OPENVAS WORKSTATION:
Kali Rolling
OpenVAS 8

OPENVAS CONFIG (/etc/openvas/openvassd.conf):
kb_location=/var/lib/redis/redis.sock
max_checks=15
log_whole_attack=yes

TARGET DETAILS:
Name: TEST2
Comment: My test box..
Hosts: 10.10.1.130
Exclude Hosts:
Reverse Lookup Only: No
Reverse Lookup Unify: No
Maximum number of hosts: 1
Port List: OpenVAS Default
Alive Test: Scan Config Default
Credentials for authenticated checks:
SSH: test2_root on port 22
SMB:
ESXi:

NOTE:
test2_root is a credential created using a username/password combination
that does work when I use those credentials from a command line

SCAN DETAILS:
Name: TEST2
Comment:
Target: TEST2
Alerts:
Schedule: (Next due: over)
Add to Assets: yes
Alterable Task: no
Auto Delete Reports: Do not automatically delete reports
Scanner: OpenVAS Default (Type: OpenVAS Scanner)
Scan Config: Full and fast
Slave:
Order for target hosts: Sequential
Network Source Interface:
Maximum concurrently executed NVTs per host: 15
Maximum concurrently scanned hosts: 10
Status: New
Reports: 0 (Finished: 0)
Results: 0
Notes: 0
Overrides: 0

openvassd.messages:
[Thu Nov 10 15:11:04 2016][2390] openvassd 5.0.7 started
[Thu Nov 10 15:26:52 2016][2938] Starts a new scan. Target(s) : 10.10.1.130, with max_hosts = 10 and max_checks = 15
[Thu Nov 10 15:26:52 2016][2938] exclude_hosts: Skipped 0 host(s).
[Thu Nov 10 15:26:52 2016][2938] Testing test2 (10.10.1.130) [2957]
[Thu Nov 10 15:29:49 2016][2957] Finished testing 10.10.1.130. Time : 177.62 secs
[Thu Nov 10 15:29:49 2016][2938] Test complete
[Thu Nov 10 15:29:49 2016][2938] Total time to scan all hosts : 184 seconds

openvasmd.log:
lib auth: INFO:2016-11-10 15h09.37 utc:2383: Authentication configuration not found.
event task:MESSAGE:2016-11-10 15h26.42 UTC:2937: Status of task TEST2 (10bb59f1-7506-427f-82c4-0d2c10d5b42f) has changed to Requested
event task:MESSAGE:2016-11-10 15h26.42 UTC:2937: Task TEST2 (10bb59f1-7506-427f-82c4-0d2c10d5b42f) has been requested to start by admin
event task:MESSAGE:2016-11-10 15h26.46 UTC:2939: Status of task TEST2 (10bb59f1-7506-427f-82c4-0d2c10d5b42f) has changed to Running
event task:MESSAGE:2016-11-10 15h29.54 UTC:2939: Status of task TEST2 (10bb59f1-7506-427f-82c4-0d2c10d5b42f) has changed to Done
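
The hit-count behaviour described at the top of this message can be modelled in a few lines. This is an added example, not part of the original post or of OpenVAS; the 60-second window, the threshold of 4, and the admin and scanner addresses are assumptions, since the post does not show the actual iptables rule.

```python
from collections import defaultdict, deque


class HitCountRule:
    """Simplified model of a per-source hit-count limit on new connections
    to one port (the kind of limit iptables' `recent` match enforces)."""

    def __init__(self, seconds=60, hitcount=4, exempt=()):
        self.seconds = seconds      # assumed window, not taken from the post
        self.hitcount = hitcount    # assumed threshold, not taken from the post
        self.exempt = set(exempt)   # sources accepted before the limit applies
        self.hits = defaultdict(deque)

    def new_connection(self, src, t):
        """Return the verdict for a new connection from src at time t (seconds)."""
        if src in self.exempt:
            return "ACCEPT"
        seen = self.hits[src]
        seen.append(t)              # dropped attempts are counted too
        while t - seen[0] > self.seconds:
            seen.popleft()          # forget hits that fell out of the window
        return "DROP" if len(seen) >= self.hitcount else "ACCEPT"


def replay(rule, events):
    """Feed (source, time) pairs through the rule and collect the verdicts."""
    return [rule.new_connection(src, t) for src, t in events]


# Constructed sample traffic: addresses and timings are made up.
ADMIN, SCANNER = "10.10.1.50", "10.10.1.20"
MANUAL_LOGINS = [(ADMIN, 0), (ADMIN, 120), (ADMIN, 300)]
# 15 connections in 1.5 s, mirroring max_checks=15 concurrent NVTs.
SCAN_BURST = [(SCANNER, 1000 + i * 0.1) for i in range(15)]

if __name__ == "__main__":
    rule = HitCountRule()
    print("manual :", replay(rule, MANUAL_LOGINS))
    print("scanner:", replay(rule, SCAN_BURST))
    print("exempt :", replay(HitCountRule(exempt=[SCANNER]), SCAN_BURST))
```

In a real ruleset the exemption corresponds to an accept rule for the scanner's address placed ahead of the hit-count rule.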