A brief introduction to the OpenVAS vulnerability scanner
What Is the OpenVAS vulnerability scanner?
The Open Vulnerability Assessment System (OpenVAS) is a vulnerability scanner maintained and distributed by Greenbone Networks. It is intended to be an all-in-one vulnerability scanner with a variety of built-in tests and a Web interface designed to make setting up and running vulnerability scans fast and easy while providing a high level of user configurability.
Greenbone is the company that operates OpenVAS and offers the vulnerability scanner as a free or paid version. The main difference is in the feed of Network Vulnerability Tests (NVTs) used by the scanner.
The paid version of the feed is called the Greenbone Security Feed, while the free version of the feed is called the Greenbone Community Feed. Both feeds are updated on a daily basis and include the most recent threats.
The main difference between the two feeds is that the Greenbone Security Feed includes some advanced NVTs specifically targeted for enterprise environments. This difference does not affect the tool’s usability for the casual user but may be important for a pen tester using it for enterprise-level engagements.
Getting started with OpenVAS
OpenVAS is a vulnerability scanner designed to run in a Linux environment. It can be installed either as a self-contained virtual machine or from source code provided under GNU General Public License (GPL). In this section, we discuss how to install the OpenVAS scanner and how to run your first scan.
OpenVAS is designed to be a self-contained vulnerability scanning framework. It is available either as a virtual machine or as source code that can be compiled and installed on an existing Linux machine. In this section, we discuss how to set up each of these two options.
If you plan to use the OpenVAS virtual machine, you will need a virtual machine player. If you don’t have one already, check out VirtualBox. It’s a free virtual machine player compatible with the OpenVAS virtual machine. Other compatible options are ESXi and Hyper-V.
Once you have a virtual machine player installed, you can download the OpenVAS ISO file from the Greenbone website. To load the virtual machine into VirtualBox, you need to create a new Linux virtual machine (select Other Linux 64-bit for the version).
Configure the VM with the following parameters:
- 2048 MB of RAM
- A new hard disk with 9 GB of storage
- After creating the machine, right click and go to Settings → System → Processor and select 2 CPUs
- Set the network type to NAT
After the machine is set up, power it up. When it asks for a startup disk, choose the downloaded OpenVAS file. At the time of writing, it was called gsm-ce-4.2.20.iso. Select the Setup option and follow the prompts to set up your OpenVAS virtual machine.
Once setup is completed, you’ll need to setup the Greenbone Security Manager (GSM). To do so, take the following steps:
- Note the IP address of the Web interface
- Shut down the computer
- In VirtualBox, go to Settings->Network->Advanced->Port Forwarding
- Create a new rule with the following options:
- Protocol: TCP
- Host IP Address: 127.0.0.1
- Host Port: 8443 (Or any unused port over 1024)
- Gust IP Address: (Web Interface Address)
- Guest Port: 443
- Log into the machine with the account credentials that you set earlier
- Follow the prompts to configure the Web Interface
- When you reach the Greenbone OS configuration menu, select About
- If you do not have a Feed Version shown, wait until it updates
- On your host, browse to https://127.0.0.1:8443
- Log in with the web credentials that you set
If all goes well, you should be looking at the dashboard of the Greenbone Security Manager. At this point, you are ready to perform your first scan with OpenVAS.
The other installation option for OpenVAS is to compile and install the source code on an existing Linux machine. This process is more complicated and is only recommended for Linux users with experience compiling large projects from scratch. The source code for OpenVAS can be downloaded from repositories listed on the GVM-9 page.
Your first OpenVAS scan
Once you have your OpenVAS scanner set up, you can perform your first vulnerability scan. Scans can be configured and run using the OpenVAS web interface. In this section, we’ll walk through setting up a simple scan and some of the available advanced scan options. For both types of scans, it is necessary to browse to Scans → Tasks.
The OpenVAS web interface includes a wizard to help set up scans of target machines. To access the wizard, click on the purple button with a picture of a wand in the top left corner of the screen. To start, select the Task Wizard Option.
In order to perform a scan, you need an IP address to scan. For this part of the exercise, you can either provide the IP address of a machine that you own (like the host machine running the VM), set up a virtual machine to test (Metasploitable from Rapid7 is a good choice), or find a machine online deliberately set up for pen testers. Once you have found an IP address to use, enter it into the wizard and select Start Scan.
Once the scan has been started its progress will be shown at the bottom of the page. The remainder of the page includes visualizations that summarize the current progress and results of the configured scans.
While the scan is running, click on its Status bar (in the second column). As the scan runs, any vulnerabilities that it detects will be listed in the report shown. You can click on each reported vulnerability to get details.
Advanced scan options
For users wishing to have a greater level of control over their scans, the OpenVAS web interface also includes an Advanced Task Wizard (also accessed by browsing to Scans->Tasks and clicking the purple button). The advanced wizard offers the following scanning options:
- Setting a name for the task
- Choosing a scan config
- Setting the target IP address
- Scheduling future scans
- Using a credentialed scan
OpenVAS provides several default scan configs and allows users to create custom configs. To see the descriptions of scan configs and create new ones, browse to Configuration → Scan Configs. By default, OpenVAS provides eight scan configs (though one is empty) and the details of each config can be seen by clicking on them. To create a new scan config, click the blue star button in the top left corner, create the config, and then click in to edit it.
OpenVAS’s web interface offers many operations in its Configuration tab. Once you have explored the options and made any necessary modifications, try running an advanced scan using different targets, scan configs, and credentials.
Using OpenVAS for vulnerability scanning
The OpenVAS vulnerability scanner is a free appliance designed to allow users to quickly and easily perform targeted scans of their computer systems. It is free, updated daily, and easy to use, making it an ideal choice for the independent penetration tester or small business sysadmin who needs an inexpensive and intuitive option for identifying potential security holes. For larger enterprises, Greenbone (the organization behind OpenVAS) offers a paid version that includes additional enterprise-focused vulnerability scanning options for a comprehensive vulnerability scanning solution.
About NVT Feed, OpenVAS
Using the Greenbone Community Edition, Greenbone Networks
GVM-9 (stable, initial release 2017-03-07), Greenbone
Download Metasploitable, Rapid7