A brief introduction to the OpenVAS vulnerability scanner

October 31, 2018 by Howard Poston

What Is the OpenVAS vulnerability scanner?

The Open Vulnerability Assessment System (OpenVAS) is a vulnerability scanner maintained and distributed by Greenbone Networks. It is intended to be an all-in-one vulnerability scanner with a variety of built-in tests and a Web interface designed to make setting up and running vulnerability scans fast and easy while providing a high level of user configurability.

Feeds

Greenbone is the company that operates OpenVAS and offers the vulnerability scanner as a free or paid version. The main difference is in the feed of Network Vulnerability Tests (NVTs) used by the scanner.

The paid version of the feed is called the Greenbone Security Feed, while the free version of the feed is called the Greenbone Community Feed. Both feeds are updated on a daily basis and include the most recent threats.

The main difference between the two feeds is that the Greenbone Security Feed includes some advanced NVTs specifically targeted for enterprise environments. This difference does not affect the tool’s usability for the casual user but may be important for a pen tester using it for enterprise-level engagements.

Getting started with OpenVAS

OpenVAS is a vulnerability scanner designed to run in a Linux environment. It can be installed either as a self-contained virtual machine or from source code provided under GNU General Public License (GPL). In this section, we discuss how to install the OpenVAS scanner and how to run your first scan.

Installation

OpenVAS is designed to be a self-contained vulnerability scanning framework. It is available either as a virtual machine or as source code that can be compiled and installed on an existing Linux machine. In this section, we discuss how to set up each of these two options.

Virtual machine

If you plan to use the OpenVAS virtual machine, you will need a virtual machine player. If you don’t have one already, check out VirtualBox. It’s a free virtual machine player compatible with the OpenVAS virtual machine. Other compatible options are ESXi and Hyper-V.

Once you have a virtual machine player installed, you can download the OpenVAS ISO file from the Greenbone website. To load the virtual machine into VirtualBox, you need to create a new Linux virtual machine (select Other Linux 64-bit for the version).

Configure the VM with the following parameters:

  • 2048 MB of RAM
  • A new hard disk with 9 GB of storage
  • After creating the machine, right click and go to Settings → System → Processor and select 2 CPUs
  • Set the network type to NAT

After the machine is set up, power it up. When it asks for a startup disk, choose the downloaded OpenVAS file. At the time of writing, it was called gsm-ce-4.2.20.iso. Select the Setup option and follow the prompts to set up your OpenVAS virtual machine.

Once setup is completed, you’ll need to set up the Greenbone Security Manager (GSM). To do so, take the following steps:

  • Note the IP address of the Web interface
  • Shut down the computer
  • In VirtualBox, go to Settings → Network → Advanced → Port Forwarding
  • Create a new rule with the following options:
    • Protocol: TCP
    • Host IP Address: 127.0.0.1
    • Host Port: 8443 (or any unused port over 1024)
    • Guest IP Address: (Web Interface Address)
    • Guest Port: 443
  • Log into the machine with the account credentials that you set earlier
  • Follow the prompts to configure the Web Interface
  • When you reach the Greenbone OS configuration menu, select About
  • If you do not have a Feed Version shown, wait until it updates
  • On your host, browse to https://127.0.0.1:8443
  • Log in with the web credentials that you set

If all goes well, you should be looking at the dashboard of the Greenbone Security Manager. At this point, you are ready to perform your first scan with OpenVAS.
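
The VM settings and the port-forwarding rule from the steps above can also be written as VBoxManage commands. The shell functions below are an added example, not part of the original article: they build the rule with the host side bound to 127.0.0.1 and audit an existing VM for forwards that listen on other host interfaces. The VM name openvas-gsm, the rule name gsm-web and the guest address 10.0.2.15 are assumed placeholders.

```shell
#!/bin/sh
# Added example. VM name, rule name and guest address are assumed placeholders.

# natpf_rule HOST_PORT GUEST_IP
# Prints a NAT rule that binds the host side to loopback only, so the GSM
# web interface is reachable from the host but not from the host's network.
natpf_rule() {
    host_port=$1
    guest_ip=$2
    case $host_port in
        ''|*[!0-9]*|??????*) echo "host port must be 1-5 digits" >&2; return 1 ;;
    esac
    if [ "$host_port" -le 1024 ] || [ "$host_port" -gt 65535 ]; then
        echo "host port must be in 1025-65535" >&2; return 1
    fi
    case $guest_ip in
        ''|*[!0-9.]*) echo "guest IP must be a dotted IPv4 address" >&2; return 1 ;;
    esac
    printf 'gsm-web,tcp,127.0.0.1,%s,%s,443\n' "$host_port" "$guest_ip"
}

# gsm_vm_commands VM HOST_PORT GUEST_IP
# Prints (does not run) the commands for the RAM, CPU, NAT and forwarding settings.
gsm_vm_commands() {
    rule=$(natpf_rule "$2" "$3") || return 1
    printf 'VBoxManage modifyvm %s --memory 2048 --cpus 2 --nic1 nat\n' "$1"
    printf 'VBoxManage modifyvm %s --natpf1 %s\n' "$1" "$rule"
}

# audit_forwards: reads `VBoxManage showvminfo VM --machinereadable` on stdin
# and prints the name of every forwarding rule whose host IP is not loopback
# (an empty host IP listens on all host interfaces). Returns 1 if any found.
audit_forwards() {
    awk -F'"' '/^Forwarding[(]/ {
        split($2, f, ",")
        if (f[3] !~ /^127[.]/) { print f[1]; bad = 1 }
    } END { exit bad + 0 }'
}

# Print the commands for a constructed sample guest address.
gsm_vm_commands openvas-gsm 8443 10.0.2.15
```

To audit a real VM, pipe `VBoxManage showvminfo <vm> --machinereadable` into `audit_forwards`; any rule name it prints is exposing a guest port beyond the local host.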

Source code

The other installation option for OpenVAS is to compile and install the source code on an existing Linux machine. This process is more complicated and is only recommended for Linux users with experience compiling large projects from scratch. The source code for OpenVAS can be downloaded from repositories listed on the GVM-9 page.

Your first OpenVAS scan

Once you have your OpenVAS scanner set up, you can perform your first vulnerability scan. Scans can be configured and run using the OpenVAS web interface. In this section, we’ll walk through setting up a simple scan and some of the available advanced scan options. For both types of scans, it is necessary to browse to Scans → Tasks.

Simple scan

The OpenVAS web interface includes a wizard to help set up scans of target machines. To access the wizard, click on the purple button with a picture of a wand in the top left corner of the screen. To start, select the Task Wizard Option.

In order to perform a scan, you need an IP address to scan. For this part of the exercise, you can either provide the IP address of a machine that you own (like the host machine running the VM), set up a virtual machine to test (Metasploitable from Rapid7 is a good choice), or find a machine online deliberately set up for pen testers. Once you have found an IP address to use, enter it into the wizard and select Start Scan.

Once the scan has been started, its progress will be shown at the bottom of the page. The remainder of the page includes visualizations that summarize the current progress and results of the configured scans.

While the scan is running, click on its Status bar (in the second column). As the scan runs, any vulnerabilities that it detects will be listed in the report shown. You can click on each reported vulnerability to get details.

Advanced scan options

For users wishing to have a greater level of control over their scans, the OpenVAS web interface also includes an Advanced Task Wizard (also accessed by browsing to Scans → Tasks and clicking the purple button). The advanced wizard offers the following scanning options:

  • Setting a name for the task
  • Choosing a scan config
  • Setting the target IP address
  • Scheduling future scans
  • Using a credentialed scan

OpenVAS provides several default scan configs and allows users to create custom configs. To see the descriptions of scan configs and create new ones, browse to Configuration → Scan Configs. By default, OpenVAS provides eight scan configs (though one is empty) and the details of each config can be seen by clicking on them. To create a new scan config, click the blue star button in the top left corner, create the config, and then click in to edit it.

OpenVAS’s web interface offers many operations in its Configuration tab. Once you have explored the options and made any necessary modifications, try running an advanced scan using different targets, scan configs, and credentials.

Using OpenVAS for vulnerability scanning

The OpenVAS vulnerability scanner is a free appliance designed to allow users to quickly and easily perform targeted scans of their computer systems. It is free, updated daily, and easy to use, making it an ideal choice for the independent penetration tester or small business sysadmin who needs an inexpensive and intuitive option for identifying potential security holes. For larger enterprises, Greenbone (the organization behind OpenVAS) offers a paid version that includes additional enterprise-focused vulnerability scanning options for a comprehensive vulnerability scanning solution.

Sources

About NVT Feed, OpenVAS

Using the Greenbone Community Edition, Greenbone Networks

GVM-9 (stable, initial release 2017-03-07), Greenbone

Download Metasploitable, Rapid7

Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at howard@howardposton.com or via his website at https://www.howardposton.com.