VulnScan-OpenVAS Adapter

Do 05 November 2015 by Christoph Bleß en de  Tags Vulnerabiliy Scanner / OpenVAS / Java / VulnScan-API

VulnScan-OpenVAS

VulnScan-OpenVAS is a Java library, which implements the VulnScan-API to provide a common and simple way to use some features of OpenVAS in a Java-Application. The sources are available in my account on bitbucket.org. The necesary dependencies are also available in my bitbucket account. The dependencies are the VulnScan-API und the wrapped OpenVASClient. This library and the adapter for Nessus were developed during an academic studies project.

Usage

The first example shows how to create the client and authenticate to the server. The constructor takes three parameters. The first one is the host of the OpenVAS server, the second one is the port the server is listen to. The last parameter is the trustAll flag. This flag is used to set a TrustManager which accepts all SSL certificates. You can set this flag to true if your server runs with a self signed certificate. Otherwise you should set it to false.

try {
    // create the Client 
    AbstractClient client = new OpenVASClient("127.0.0.1", 9390, true);
    // authenticate 
    client.login("testuser", "testuser");

    // now you can do some magic stuff with the client ...
} catch(SessionException ex){ 
    // login wasn't successful
} catch (ClientException ex) { 
    // any other error during the communication with the Server
}

After you are authenticated you can execute other methods. The next example shows the usage of getScans(), getScanDetails(id), getScanStatus(id).

try {
    // create client and authenticate

    // get all availabe scans
    for (Scan s : client.getScans()){
        // Do something with the scan
        System.out.println(s); 
    }
    // Scan{id=c966cbad-cfc4-4629-a34b-567fda665e26, name=UNI-LAB, status=Done}
    // Scan{id=095dd09f-a958-4630-9df3-5172ebb36ae2, name=Windows 7 Scan, status=Stopped}
    // ...

    // you can also get the details of a scan, which contains the targets
    ScanDetails scanDetails = client.getScanDetails("095dd09f-a958-4630-9df3-5172ebb36ae2");
    System.out.println(scanDetails);
    // ScanDetails{id=c966cbad-cfc4-4629-a34b-567fda665e26, name=UNI-LAB, status=Done, targets=UNI-LAB}

    String status = client.getScanStatus("095dd09f-a958-4630-9df3-5172ebb36ae2");
    System.out.println(status);
    // Done
} catch(SessionException ex){ 
    // login wasn't successful
} catch (ClientException ex) { 
    // any other error during the communication with the Server
}

It is possible to start, stop, pause or resume existing scans. The following example shows the usage of the launch method, which is used to start a scan.

try {
    // create client and authenticate ...

    // Start scan with id 095dd09f-a958-4630-9df3-5172ebb36ae2
    SString id = client.launch("095dd09f-a958-4630-9df3-5172ebb36ae2");

    // we can use the method *getScanStatus* to check the current state of the scan. 
    while(!"Done".equals(client.getScanStatus(id))){
        try {
        Thread.sleep(5000);
    } catch (InterruptedException ex) {
        // Handle Exception
    }
    }
    System.out.println("Scan completed");
} catch(SessionException ex){ 
    // login wasn't successful
} catch (ClientException ex) { 
    // any other error during the communication with the Server
}

If the scan is completed you can get a list of vulnerabilities which were found during the execution of the scan. To request this list you have to use the method getResults which requires the scan id as parameter.

try {
    // create client and authenticate ...

    // get a list of vulnerabilities found by the scan
    List<Vulnerability> vulns = client.getResults("095dd09f-a958-4630-9df3-5172ebb36ae2");
    for (Vulnerability v : vulns){
        System.out.println(v); 
    }
    // ...
    // Vulnerability{id=4b519e0e-3d75-4a6b-ade7-a73c88757e34, name=/doc directory browsable ?, severity=5.0, pluginId=1.3.6.1.4.1.25623.1.0.10056}
    // Vulnerability{id=4eba09e2-a65f-49d3-9742-3257a1c631de, name=Anonymous FTP Checking, severity=0.0, pluginId=1.3.6.1.4.1.25623.1.0.900600}
    // Vulnerability{id=bec429e9-62d7-4c51-ad07-487cb0dcdcb2, name=Apache 'mod_deflate' Denial Of Service Vulnerability - July09, severity=7.1, pluginId=1.3.6.1.4.1.25623.1.0.800837}
    // Vulnerability{id=3f800da3-030f-4326-be38-e02d6561bc73, name=Apache 'mod_proxy_ftp' Module Command Injection Vulnerability (Linux), severity=7.5, pluginId=1.3.6.1.4.1.25623.1.0.900842}

    // ...
} catch(SessionException ex){ 
    // login wasn't successful
} catch (ClientException ex) { 
    // any other error during the communication with the Server
}

If the scan contains more than one target host you can use the method getResultByHost to get a list of vulnerabilities for each host. The result of this method is a map with the host as key an a list of vulnerabilities as value.

try {
    // create client and authenticate ...

    // get a list of vulnerabilities sorted by hosts
    Map<String, List<Vulnerability>> resultsByHost = client.getResultsByHost("095dd09f-a958-4630-9df3-5172ebb36ae2");
    for (String host : resultsByHost.keySet()){
        List<Vulnerability> hostVulns = resultsByHost.get(host);
        for (Vulnerability v : hostVulns){
            System.out.println("Host: " + host + " => " + v);
        }
    }
    // Host: 192.168.56.101 => Vulnerability{id=107bd163-27c7-4cd5-b90f-5eaf43167213, name=vsftpd Compromised Source Packages Backdoor Vulnerability, severity=7.5, pluginId=1.3.6.1.4.1.25623.1.0.103185}
    // Host: 192.168.56.101 => Vulnerability{id=72433449-cc58-4a36-9bec-5d2fe3a252e5, name=vsftpd Compromised Source Packages Backdoor Vulnerability, severity=7.5, pluginId=1.3.6.1.4.1.25623.1.0.103185}
    // Host: 192.168.56.101 => Vulnerability{id=d19d393a-22fd-4b03-a4ef-7e9df984cdc5, name=wapiti (NASL wrapper), severity=0.0, pluginId=1.3.6.1.4.1.25623.1.0.80110}

} catch(SessionException ex){ 
    // login wasn't successful
} catch (ClientException ex) { 
    // any other error during the communication with the Server
}

To get more detailed about a vulnerability you can get information about the plugin which found it. To get the information about a plugin you have to use the method getPlugin which needs an id of the plugin.

try {
    // ...

    // Abrufen der Informationen zu einem Plugin
    Plugin plugin = client.getPlugin("1.3.6.1.4.1.25623.1.0.80110");
    System.out.println(plugin);
    //  Plugin{id=1.3.6.1.4.1.25623.1.0.80110, name=wapiti (NASL wrapper), family=Web application abuses, cvss=null, description=NOSUMMARY, references=[]}
} catch(SessionException ex){ 
    // fehlerhafter Login
} catch (ClientException ex) { 
    // Anderer Fehler bei der Kommunikation mit dem Server
}