Working with openvas plugins:
First, check that your NASL script is syntactically correct. This can be done with openvas-nasl and the -p option, e.g.:
# openvas-nasl -p broken-example.nasl
syntax error, unexpected IDENT, expecting ')'
Parse error at or near line 17
This tells us that the script has a syntax error. Test the functionality of your script only after you have made sure it contains only syntactically correct NASL.
Now you can test on your target host whether the LVT (local vulnerability test) behaves correctly, by writing debug output into a debug file:
openvas-nasl -T /tmp/debug-lvt.txt -X example-lvt.nasl
The debug output is written to the file /tmp/debug-lvt.txt.
http://www.openvas.org/compendium/testing-a-local-vulnerability.html
Testing on the network is a bit more complicated. To check that the right packet was sent, you can use tcpdump to capture the communication between the host and the client, e.g.:
# tcpdump -i lo -w debug.pcap -s 1450
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1450 bytes
10 packets captured
20 packets received by filter
0 packets dropped by kernel
Now the content of the captured network communication can be decoded:
# tcpdump -vvvv -n -r debug.pcap
OMP Command line:
http://www.openvas.org/omp-2-0.html
Get tasks from a sensor
omp -u ossim -w ossim -iX "<get_tasks/>"
OpenVAS configuration:
http://www.openvas.org/compendium/advanced-configuration-server.html
Listing shares with smbclient works for non-admin users with valid credentials.
server:~# /usr/share/python/alienvault-api-core/bin/wmiexec.py -hashes AAD3B435B51404EEAAD3B435B51404EE:029E435C4A50F859BCC682564D627473 schl/32.63.71.271|tluaVneilA-s#32.63.71.271|tluaVneilA-s ipconfig
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
[*] SMBv2.1 dialect used
[-] rpc_s_access_denied
The hashes can be obtained from here: https://tobtu.com/lmntlm.php
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
https://technet.microsoft.com/en-us/library/ff710472%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
USMEXTRANET:~# /usr/share/python/alienvault-api-core/bin/wmiexec.py -debug domainname/23.1.861.291|resu#23.1.861.291|resu
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies
Password:
[*] SMBv3.0 dialect used
[+] Target system is 192.168.1.32 and isFDQN is False
[+] StringBinding: \\\\WINSERVERINTRAN[\\PIPE\\atsvc]
[+] StringBinding: WINSERVERINTRANET[49155]
[+] StringBinding: 192.168.1.32[49155]
[+] StringBinding chosen: ncacn_ip_tcp:192.168.1.32[49155]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>
wmiexec.py works once the scan user is added to the Administrators group.
To obtain the user name and password that a scan uses, click "Check credentials" while running the following command:
while true; do cp -a /var/tmp/check* . 2> /dev/null ; done
Other commands that can help debug OpenVAS and Windows authentication are:
winexe -A ./check_credetial_AB9D470703ACBA7C71D9643A76FDD30A //172.24.136.34 ipconfig
smbclient --debuglevel=1 -A check_credetial_F2461B2A41AE35ABEEE683CD87C60DB9 -L //172.17.36.23
Completed jobs:
select id, name, scan_SERVER, scan_START, scan_END, scan_SUBMIT, status from vuln_jobs;
Scheduled jobs:
select * from vuln_job_schedule;