this post was submitted on 25 Jul 2024
7 points (100.0% liked)

homelab

6703 readers
2 users here now

founded 4 years ago
MODERATORS
7
submitted 5 months ago* (last edited 5 months ago) by MetaCubed to c/[email protected]
 

In the past, I've used nessus for vulnerability scanning my lab, but as my service count has grown, the 16 IP limit is becoming a little unwieldy.

Is anyone able to recommend an alternative that fits at least most of the requirements I have?

  • Free (preferably in both senses of the word)

  • Doesn't use Docker, even if containerized, I'd prefer to avoid having my scanner share a host with another service... and I'm not incredibly well versed with Docker

  • Scans multiple systems (I tried Trivy, but as far as I can tell it only scans the system you install it on)

  • Has a webui for management of scans

Alternatively, if anyone is willing to lend some advice for the configuration of Wazuh... I deployed the service months ago with the expectation that it could be used for vulnerability scanning (the Dev was in a few reddit threads suggesting that it had the capability), but i haven't been able to configure it properly.

I appreciate any advice people are willing to offer!

Edit: fixed formatting

top 11 comments
sorted by: hot top controversial new old
[–] h0bbl3s 4 points 5 months ago (1 children)

I know you said preferably no docker, but greenbone community edition is nice. It's a fork from nessus back in the day. They don't really put any restrictions on the community version. If you want to see it in action I have a test server up and running.

[–] MetaCubed 1 points 5 months ago (1 children)

I originally crossed this one out because of the docker requirement, but because of your comment i looked again. It looks like it can be built from source instead! I'm deploying it after work tomorrow

[–] h0bbl3s 2 points 5 months ago* (last edited 5 months ago) (1 children)

Yes you can! I've attempted on debian before but it's something like 12 components you have to build and configure and I ran into some issues. It's been a while though and I don't remember exactly what gave me trouble. I know I had issues at one point due to the host not having enough ram. If you don't have at least 8 gigs it's not going to be happy. At least in my experience.

Let me know how it goes though and what distro you use.

They have pretty good documentation.

[–] MetaCubed 2 points 4 months ago (1 children)

Just about to get the web interface running!

The build from source is actually incredibly straightforward! There's a few noob issues if you don't fully read the command blocks included in the instructions (They have some links you need to navigate to to install dependencies) but beyond that, for how large everything is, I'm very surprised how easy they make it! If it was difficult last time you tried, I'd give it another shot!

[–] h0bbl3s 2 points 4 months ago* (last edited 4 months ago) (1 children)

I think my issue was I was building it on a debian 11 bullseye. I managed to get all the individual pieces built and running, there was just one piece missing and I can't remember which now. I'll certainly give it a go. Someone just sent me a kvm build of debian sid just for that reason in fact! I believe they are working on the gvm debian package.

[–] MetaCubed 2 points 4 months ago (1 children)

I did it with Debian 12 bookworm. I'm working on getting the web interface accessible externally, as it's bound to local host only by default.

Theres 2 steps where you need to watch for noob traps if you plan on using Debian, one in particular being where the link to Rustup is contained within the command block, you need to navigate there in your web browser to grab the rustup install script before you run the commands. If you hit a wall, feel free to message me and I may be able to help!

[–] h0bbl3s 1 points 4 months ago* (last edited 4 months ago)

I'm on bookworm now myself. Check this out https://forum.greenbone.net/t/external-access-to-gsa-web-interface-ip/1671/4 and thanks I'll let you know if I run into trouble!

[–] [email protected] 2 points 5 months ago

I’ve heard wazuh can do authenticated vuln scanning, but since I’ve scaled down my homelab and hardened it to a point that vuln scanning is not currently needed I’ve had no need to do so. I have a friend deploying wazuh at his job so I’m gonna have to reach out to him some time to learn how he is doing it once I start growing my lab again.

I use nuclei for networked vuln scanning, which is all I really need right now. Works well with community rules, but it is a cli application. I really like how I don’t need to deploy it on a dedicated device, I just run it using all rules on the subnets that I want to scan from my laptop, which I have plugged into a vuln-scanning network with open fw rules, and check back in half an hour. Once I get a few more raspberry pis, I’ll have one on such a network that I can just run a scan from.

[–] Krafting 1 points 5 months ago (1 children)

You may checkout IVRE, it's a bit weird but it seems like it can do some stuff verywell

[–] MetaCubed 1 points 5 months ago

If Greenbone doesn't work out I might try this next, it looks interesting.

[–] [email protected] 0 points 5 months ago

OSSIM is a pain to install, but does tick all your boxes. But I think its basically abandoned by AT&T to force people on to Alienvault.

It installs to a VM, but has some very weird hard coded quirks, like expecting the network cards to be ethX, and the harddisks to be /dev/sdX. I can't remember exactly how I got it installed, but I can dig out the libvirt config if it helps.