
A couple of years ago we published a tutorial on Hacking Tutorials on how to install the popular vulnerability assessment tool OpenVAS on Kali Linux. That tutorial covered the installation process on Kali Linux and running a basic scan against the Metasploitable 2 virtual machine to identify vulnerabilities. In this tutorial I want to cover automated vulnerability scanning in more detail, starting with the installation process, followed by setting up targets, running internal and external scans and finally defining custom scanning configurations. Due to the length of the full tutorial we'll split it into 2 or 3 parts that will be published in the upcoming weeks. In part 1 I want to cover the installation of the most recent version of OpenVAS, 9.0, which was released in 2017. Version 9.0 introduces a new web interface which offers end users better ways to manage scanning options, assets and workflows. We will walk through the installation process on Kali Linux, so we can run vulnerability scans from our own device, and as a virtual appliance in a network. The virtual appliance can be installed in a network environment to periodically run automated scans against the devices present on that network. In part 2 of 'Vulnerability Scanning with OpenVAS 9.0' I want to dive a little deeper into vulnerability scanning with this tool by configuring targets, assets and custom scanning configurations.
Before we can start configuring vulnerability scans we have to install OpenVAS first. We can do
this with a package manager or by installing the OpenVAS appliance on VMware
Workstation/ESXi, Oracle VirtualBox or Hyper-V. In the first part of this tutorial we’ll use APT
on Kali Linux and then we will set up the appliance on VMware. As far as virtual machine
resources are concerned, we’ve dedicated 2 GB of RAM and 2 processor cores to the Kali Linux
VM which should be sufficient to run some basic scans smoothly with a limited number of
signatures on a limited number of targets.
Vulnerability Scanning with OpenVAS 9

- Vulnerability Scanning with OpenVAS 9 part 1: Installation & Setup
- Vulnerability Scanning with OpenVAS 9 part 2: Vulnerability Scanning
- Vulnerability Scanning with OpenVAS 9 part 3: Scanning the Network
- Vulnerability Scanning with OpenVAS 9 part 4: Custom scan configurations (Will be published soon)

Vulnerability Scanning with OpenVAS 9 part 1: Installation &
Setup
Installing OpenVAS 9 on Kali Linux

To install OpenVAS 9 and its dependencies on our Kali Linux system we simply have to
run the following command:

apt-get update && apt-get install openvas

Press ‘Y’ to continue the installation of OpenVAS and dependencies.


The next step is to run the setup procedure that configures OpenVAS and downloads a large
number of Network Vulnerability Tests (NVTs), the scanner's signatures. Because of the
number of NVTs (50,000+) the setup procedure can take a while to complete and consumes a
considerable amount of data. On the test setup used for this tutorial the whole setup
procedure took about 10 minutes, which is not bad at all.

Run the following command to start the setup process:


openvas-setup

Setup process is running.
When the setup process is finished, all required OpenVAS processes are started and the
web interface is opened automatically. The web interface runs locally on port 9392 and
can be accessed at https://localhost:9392. openvas-setup also creates an admin account
and generates a random password for it, which is displayed in the last section of the
setup output:

Take note of the admin password generated by openvas-setup.


Password reset
Did you forget to note down the password? You can set a new password for the admin
account (or any other user) with openvasmd:

openvasmd --user=[username] --new-password=[password]
openvasmd --user=admin --new-password=[password]
The next step is to accept the self-signed certificate warning and use the automatically
generated admin credentials to login on the web interface:

Accept the self-signed certificate warning and use the generated admin credentials to login.
After logging in on the web interface we’re redirected to the Greenbone Security Assistant
dashboard. From this point on we can start to configure and run vulnerability scans.

Starting and stopping OpenVAS

The last step I want to point out before we head on with the installation of the virtual
appliance is how to start and stop OpenVAS services. OpenVAS services may consume
a lot of unnecessary resources and therefore it is advised to terminate these services
when you’re not using OpenVAS.

Run the following command to stop the services:

openvas-stop

To start the OpenVAS services again, run:

openvas-start

Setting up the OpenVAS Virtual Appliance

Instead of installing OpenVAS on Kali Linux we can also install the OpenVAS virtual
appliance in a network and configure it to periodically run scans on the network. The
virtual appliance can be downloaded using the following
link: http://www.openvas.org/vm.html
After downloading the virtual appliance from the OpenVAS website we have to configure
a new virtual machine. In this tutorial we will be using VMware but you can also use other
hypervisors such as Hyper-V on Windows or Oracle VirtualBox. In production
environments you will most likely use VMware ESXi, Microsoft Hyper-V or other
hypervisors. Let’s start with configuring a VM with the following specifications:

Processor cores: 2
2 GB RAM
10 GB Hard disk
Network: NAT (only when using VMware Workstation/Free/Virtualbox)
CD/DVD drive: ISO (choose the downloaded iso file as medium)
Guest operating system: Linux Kernel 4.x or later 64-bit (VMware) or Other Linux (64-bit) (VirtualBox)
For VMWare Workstation the virtual machine will be configured as follows:

And for VMWare ESXi we’ll create a virtual machine with the following specifications:

The next step is to boot the virtual machine which will take us to the following installation
menu:

Choose setup to install the GSM appliance.
From this menu choose the setup option. Next we’re asked if we really want to format the
hard drive, choose yes:

Choose yes to proceed with the installation.


At this point the virtual appliance is installed and we're presented with a dialog saying
that the installation is in progress and the GSM community edition is being prepared.
Please note that this process might take a while to complete. When the installation
process is finished we have to specify a username for the administrator user. We'll keep
the default username, admin, as well as the default password:

Choose the admin username/password.


Tip: If you’re installing the appliance in your production network make sure that you choose a
strong password for the administrative account.
After specifying the username and password we’re asked to reboot the machine, choose
‘yes’ to reboot and also to eject the installation medium:

Choose Yes to reboot the machine.
After the virtual machine has rebooted (twice) we’re taken to a login screen looking as
follows:

Appliance login
Note: After the first reboot we’re presented with a different login screen, just wait until the second
reboot happens.

Here we can log in using the credentials we've created earlier in the installation process
(username: admin). After logging in we're presented with a message telling us that
OpenVAS has not been fully configured yet. From here we can proceed with the setup
process. Choose 'yes' in the following menu to proceed:

Choose ‘Yes’ to configure GSM.
Next, we’re asked to configure an IP address for the appliance, choose ‘yes’:

Choose ‘Yes’.
For our test setup we’ll keep the network configuration default and have it assigned an IP
address by our DHCP server. Optionally you can set a static IP address which is of course
the recommended option in a production environment. Choose ‘Ready’ to proceed:

The next step is to create a web-admin user, choose ‘Yes’ in the following menu:

Choose web-user username and password.


Create the user by choosing a username and password:

Create the web-admin user by specifying a username and password.


Finally we're asked about a subscription key. Unless you're in possession of a
subscription key, choose 'skip', which will provide us with the Greenbone community feed:

Choose ‘skip’ if you don’t have a subscription key.
Next we’re asked if we want to update the feed, choose ‘yes’ to upgrade the feed in the
background. After running through all settings we can log out or reboot the appliance and
we’re presented with an IP address to access the web interface:

IP address for the web interface.


When we browse to the web interface we're presented with a login page. Use the
credentials of the web-admin account we've created during the configuration process:

Use the web-admin account to login.
At this point we’ve got a fully functional OpenVAS virtual appliance up and running that
can be configured to run vulnerability scans. This will conclude the installation process of
the appliance. In part 2 (will be published on 9 May 2018) we will continue with configuring
targets, assets and run vulnerability scans.

Vulnerability Scanning with OpenVAS 9 part 2: Vulnerability
Scanning
In the previous tutorial, Vulnerability Scanning with OpenVAS 9.0 part 1, we've gone through
the installation process of OpenVAS on Kali Linux and the installation of the virtual
appliance. In this tutorial we will learn how to configure and run a vulnerability scan. For
demonstration purposes we've also installed a virtual machine with Metasploitable 2
which we'll target with OpenVAS. If you don't know how to install Metasploitable you can
check out the installation tutorial for Metasploitable 2 or Metasploitable 3.
Before we can actually start vulnerability scanning with OpenVAS 9, we have to complete
the following tasks:

1. Create and configure a target.
2. Create and configure a scan task.
3. Run the scan.
At this point of the tutorial you need to have OpenVAS 9.0 installed and configured. If you
haven’t done this at this point I recommend to follow part 1 of vulnerability scanning with
OpenVAS first. To follow along it is also recommended to have a vulnerable
Metasploitable machine up and running that is accessible from the OpenVAS appliance
or the Kali Linux VM you’ve installed OpenVAS on. The lab setup used for this tutorial
looks as follows:
- Host machine with VMware Workstation Pro 12.
- Kali Linux 2018.2 VM with OpenVAS 9.0 installed (192.168.65.128).
- Metasploitable 2 VM (192.168.65.137).
All virtual machines use the NAT network which can be configured in the network settings
on the network adapter. Now that we’ve got everything up and running, let’s start with
configuring a target and a scan task.

Tip: Did you forget to write down or change your OpenVAS admin password? Check out the
installation tutorial to find out how to reset the admin password.

1 Creating a target in OpenVAS

The first step is to create and configure a target using the OpenVAS/Greenbone Security
Assistant web interface. This newly created target is selected in the following step where
we configure a scanning task.

To create a target, we need to follow 2 steps:

1. Go to ‘Configuration’ in the top menu and select ’Targets’.


2. Click the blue icon in the top left corner to create a new target.

Click configuration and then new target.
After hitting the new target button, a dialog screen appears where we have to enter the
following information:

1. Target name, we'll name it Metasploitable 2.
2. The target hosts, which is the IP address of our Metasploitable 2 lab machine.

Keep all other settings default and click the 'Create' button.

Enter the target name, IP and click create.


The newly created target will now appear in the list of available targets:

Newly created target.
Now that we’ve got our target all set up, let’s continue with creating a scan task that will
scan the Metasploitable 2 target for vulnerabilities.

2 Configuring a scanning task in OpenVAS

In this section of the tutorial we will create a new scanning task. A scanning task defines
which targets will be scanned and also the scanning options such as a schedule, scanning
configuration and concurrently scanned targets and NVTs per host. In this tutorial we will
just create a scan task and use default scan configurations. In Vulnerability Scanning with
OpenVAS 9.0 part 3 (Will be published on: May 25 2018) we will have a more detailed
look into scanning configurations.

To create a new scan task, we have to perform the following steps:

1. Go to ‘Scans’ in the top menu and select ’Tasks’.


2. Point to the blue icon in the top left corner and select ‘New Task’.

Click scans -> Tasks and then new task.


After clicking the new scan option, a dialog screen appears where we have to enter the
following information:

1. Task name, we’ll name it ‘Scan Metasploitable 2’.
2. Make sure that the Metasploitable 2 target we’ve created earlier is selected.
3. Tick the schedule once checkbox.
4. Keep all other settings default and click the ‘Create’ button to create the new task.

Enter the task name, target and schedule the task only once.
The newly created task will now appear in the task list as follows:

Newly created scan task.


There are also a few other ways to create scan tasks. We can use the scan task wizard
to instantly scan a target, and the advanced scan task wizard, which gives a few more
options to configure. For demonstration purposes we'll stick with the task we've just
created.

Now that we’ve configured the scan task and added the Metasploitable 2 machine to the
target list, all that remains is to run the task and wait for the results.

3 Running the OpenVAS vulnerability scan

To run the newly created task we just have to click the green start button as follows:

Run the scan task.


The scan task will now execute against the selected target. Please note that a full scan
may take a while to complete. When you refresh the tasks page you can check the
progress of the running task:

1. Reload the page.


2. Check task status/progress.

Vulnerability scan in progress…


After waiting a while the scan task is finished and the status changes to ‘Done’:

Vulnerability scan finished
As expected we can see that OpenVAS found a number of severe vulnerabilities. Let’s
have a look at the details of the results.

4 Interpreting the scan results

Now that the vulnerability scan is finished we can browse to ‘Scans -> Reports’ in the top
menu. On the reports page we can find the report for the completed scanning task:

Vulnerability scanning report
By clicking the report name we can get an overview of all discovered vulnerabilities on
the Metasploitable 2 machine, which is a lot as already expected. The results are ordered
on severity rate by default:

Discovered vulnerabilities.
When we click on the vulnerability name we can get an overview of the details regarding
the vulnerability. The following details apply to a backdoor vulnerability in Unreal IRCD
we’ve covered in an earlier tutorial:

Vulnerability details.
Finally, we can also export the report in a variety of formats, such as XML, HTML and
PDF. We can do this by selecting the desired format from the drop-down menu and clicking
the green export icon as follows:

Export vulnerability report to PDF.
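The same triage can be done on the exported XML instead of in the web interface, which is handy when you want to feed results into a ticketing system or compare two scans. The following is an added example, not code from the tutorial or from the OpenVAS project. It parses the result elements of an OpenVAS 9 XML export (or of an OMP get_results reply), orders findings by severity the way the report page does, buckets them into the Log/Low/Medium/High classes the interface uses and applies a quality-of-detection (QoD) floor. Assumptions: the element names (result, host, port, severity, nvt, cve, qod/value) and the default QoD filter of 70 are as I recall them from OpenVAS 9; SAMPLE_REPORT is constructed, and its severities and QoD values are illustrative rather than measured.

```python
"""Added example: triage an OpenVAS results export outside the web interface.
Element names are those of OpenVAS 9 result XML as I recall them; SAMPLE_REPORT
is constructed (illustrative severities and QoD values, not measured ones)."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a <get_results/> reply / XML report export.
SAMPLE_REPORT = """<get_results_response status="200" status_text="OK">
<result id="r1"><host>192.168.65.137</host><port>6667/tcp</port><severity>10.0</severity>
  <qod><value>99</value></qod><nvt oid="1.1"><name>UnrealIRCd Backdoor</name><cve>CVE-2010-2075</cve></nvt></result>
<result id="r2"><host>192.168.65.137</host><port>21/tcp</port><severity>6.4</severity>
  <qod><value>80</value></qod><nvt oid="1.2"><name>Anonymous FTP Login Reporting</name><cve>NOCVE</cve></nvt></result>
<result id="r3"><host>192.168.65.137</host><port>3632/tcp</port><severity>9.3</severity>
  <qod><value>30</value></qod><nvt oid="1.3"><name>DistCC Detection</name><cve>CVE-2004-2687</cve></nvt></result>
<result id="r4"><host>192.168.65.137</host><port>general/tcp</port><severity>0.0</severity>
  <qod><value>80</value></qod><nvt oid="1.4"><name>OS Detection Consolidation and Reporting</name><cve>NOCVE</cve></nvt></result>
</get_results_response>"""


def severity_class(score):
    """The classes GSA uses: Log 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score <= 0.0:
        return "Log"
    if score < 4.0:
        return "Low"
    return "Medium" if score < 7.0 else "High"


def parse_results(xml_text):
    """Flatten each <result> into a dict and sort by severity, as the report page does."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        nvt = r.find("nvt")
        raw_cves = (nvt.findtext("cve", "") if nvt is not None else "") or ""
        findings.append({
            "host": (r.findtext("host") or "").strip(),
            "port": (r.findtext("port") or "").strip(),
            "name": (nvt.findtext("name") or "") if nvt is not None else "",
            "oid": nvt.get("oid", "") if nvt is not None else "",
            "severity": float(r.findtext("severity") or 0.0),
            "qod": int(r.findtext("qod/value") or 0),  # quality of detection, percent
            "cves": [c.strip() for c in raw_cves.split(",") if c.strip() and c.strip() != "NOCVE"],
        })
    return sorted(findings, key=lambda f: f["severity"], reverse=True)


def summarize(findings):
    """Count findings per severity class, like the bar at the top of a report."""
    counts = {"High": 0, "Medium": 0, "Low": 0, "Log": 0}
    for f in findings:
        counts[severity_class(f["severity"])] += 1
    return counts


def triage(findings, min_severity=7.0, min_qod=70):
    """Findings worth a ticket: severe enough and detected confidently. GSA's
    default report filter also hides results below QoD 70. Lowering min_qod
    surfaces low-confidence detections (possible false positives); raising it
    hides real issues (false negatives), so treat it as a dial, not a constant."""
    return [f for f in findings if f["severity"] >= min_severity and f["qod"] >= min_qod]


def report_lines(findings):
    """One line per finding in the order GSA shows them, for a quick read."""
    return [f"{severity_class(f['severity']):6} {f['severity']:4.1f} qod={f['qod']:3d} "
            f"{f['host']} {f['port']:12} {f['name']} {' '.join(f['cves'])}".rstrip()
            for f in findings]


if __name__ == "__main__":
    found = parse_results(SAMPLE_REPORT)
    print(summarize(found))
    print("\n".join(report_lines(found)))
    print("to fix first:", [f["name"] for f in triage(found)])
```

With the sample data the DistCC finding is severe but sits at QoD 30, so the default filter drops it from the triage list; that is the behaviour to keep in mind when the series discusses false negatives later on.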


For now, this will conclude part 2 of the vulnerability scanning with OpenVAS tutorial. In
the next and final part, we will be focusing on custom scanning configurations to fine tune
our scanning needs. Part 3 of vulnerability scanning with OpenVAS will be published on
May 25.

Vulnerability Scanning with OpenVAS 9 part 3: Scanning
the Network
In the previous parts of the Vulnerability Scanning with OpenVAS 9 tutorials we have
covered the installation process and how to run vulnerability scans using OpenVAS and
the Greenbone Security Assistant (GSA) web application. In part 3 of Vulnerability
Scanning with OpenVAS 9 we will have a look at how to run scans using different scan
configurations, review the results and also learn how to run credentialed scans. Finally,
we will set up schedules that periodically fire up scanning tasks to automatically scan the
network for hosts and vulnerabilities. For demonstration purposes I have booted up
several random virtual machines and networked devices in my private lab which will be
scanned throughout this tutorial. If you want to follow along with this tutorial, please make
sure that you replace all environment specific variables such as IP addresses to match
your own environment.
Running customized vulnerability scans

In the previous part of Vulnerability Scanning with OpenVAS 9 we’ve learned how to run
a vulnerability scan against a single target on the network. In this part we will configure a
host list and run scans periodically using a schedule.

Creating a Target list for host discovery

Before we can run a scheduled task on specific hosts or subnets we have to create a list
of targets. To do this, click the ‘Targets’ menu item from the ‘Configuration’ menu and
click the blue icon in the top left corner to create a new target:

We'll name the new target 'Target list 192.168.100.1/24'. In the next section of the new
target dialog screen we can specify the target hosts using a few different options. We can
either specify a manual host (range), read the hosts from a file or create a target list from
the host assets. The last option is greyed out as we currently have no host assets in our
inventory. When you have to scan multiple subnets using a single target list it's easier to
read the hosts from a text file. To do this simply create a text file and separate each target
IP or range with a comma on a single line, as follows: 192.168.100.0/24,192.168.200.100-110,192.168.30.10

The notations accepted for hosts and ranges are:

Single IPv4 address: 192.168.30.10

IPv4 address range in short format: 192.168.200.100-110

IPv4 address range in long format: 192.168.200.100-192.168.200.110

IPv4 address range in CIDR notation: 192.168.100.0/24
For this demonstration we’ll go with the manual option and specify a range of
192.168.100.1/24. This range contains all IP addresses from 192.168.100.1 to
192.168.100.254. Then we have some options to exclude certain hosts, reverse lookups
and we can specify the port list and alive test settings. We’ll keep all settings default
except the alive test setting which we set to ‘ICMP & ARP Ping’.
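Before creating a target from a hand-written host file it pays to expand it locally and look at the resulting host count, because a typo in one entry silently changes what gets scanned. The following is an added example, not code from the tutorial or from OpenVAS. It expands the four notations listed above plus the comma-separated file format and the target's exclusion list. Assumptions: as the tutorial states for 192.168.100.1/24, a CIDR entry expands to the usable hosts only, so network and broadcast addresses are dropped and host bits in the entry are ignored; hostnames are not handled; anything that is not a valid address (an octet above 255, for instance) raises an error rather than being skipped.

```python
"""Added example: expand an OpenVAS-style target host list locally.
Assumes CIDR entries expand to usable hosts only (no network/broadcast),
matching the tutorial's reading of 192.168.100.1/24 as .1 to .254."""
import ipaddress
import re

SHORT_RANGE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3})$")  # a.b.c.d-e
LONG_RANGE = re.compile(r"^([^-\s]+)-([^-\s]+)$")                     # a.b.c.d-a.b.c.e


def _span(first, last):
    """All addresses from first to last inclusive."""
    if last < first:
        raise ValueError(f"descending range {first}-{last}")
    return [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]


def expand_entry(entry):
    """Expand one target entry into a list of IPv4Address objects."""
    entry = entry.strip()
    if "/" in entry:                          # CIDR: 192.168.100.0/24 -> .1 .. .254
        return list(ipaddress.ip_network(entry, strict=False).hosts())
    m = SHORT_RANGE.match(entry)
    if m:                                     # short range: 192.168.200.100-110
        first = ipaddress.ip_address(m.group(1))
        last = ipaddress.ip_address(first.packed[:3] + bytes([int(m.group(2))]))
        return _span(first, last)
    m = LONG_RANGE.match(entry)
    if m:                                     # long range: 192.168.200.100-192.168.200.110
        return _span(ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
    return [ipaddress.ip_address(entry)]      # single address; ValueError if malformed


def expand_hosts(spec, exclude=""):
    """spec/exclude: comma or whitespace separated entries, as in the host file
    or the 'Hosts' / 'Exclude Hosts' fields of the target dialog. Returns
    deduplicated dotted strings in first-seen order."""
    def entries(text):
        return [e for e in re.split(r"[,\s]+", text) if e]
    hosts = {}
    for entry in entries(spec):
        for ip in expand_entry(entry):
            hosts.setdefault(str(ip), None)
    excluded = {str(ip) for e in entries(exclude) for ip in expand_entry(e)}
    return [h for h in hosts if h not in excluded]


def describe(spec, exclude=""):
    """Sanity check before clicking 'Create': how many hosts will the scanner touch?"""
    hosts = expand_hosts(spec, exclude)
    return {"count": len(hosts),
            "first": hosts[0] if hosts else None,
            "last": hosts[-1] if hosts else None}


if __name__ == "__main__":
    # The tutorial's example file contents (constructed input).
    print(describe("192.168.100.0/24,192.168.200.100-110,192.168.30.10"))
    print(describe("192.168.100.1/24", exclude="192.168.100.1,192.168.100.250-254"))
```

Run it against the contents of your host file before uploading it; a count that is off by a whole /24 is easy to spot here and hard to spot in a scan that quietly finishes early.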

Setting up a Host Discovery task

Now that we’ve got our target list set up, let’s run a scan to discover hosts in the subnet
we’ve specified earlier in the target list. Go to ‘Scans – > Tasks’ in the top menu and
create a new task:

For this task we will set the ‘Scan targets’ option to the newly created target list and we
choose to add the results to our assets. Then we will set the ‘Scan config’ to ‘Host
Discovery’ and click the ‘Create’ button to create the new scan task:

Next, we run the newly created task by clicking the ‘Run task’ icon:

After the host discovery scan is finished we can find the results on the results page (Scans
-> Results):

The result list consists of all hosts that were discovered using ICMP or ARP Ping. We can
also find the discovered hosts in the assets section of OpenVAS:

Running a System Discovery scan

We now have an overview of all hosts that responded to our host discovery probes, but
this only tells us that the host is alive. To get some more information about these live hosts
we can run a 'System Discovery' scan. Before we run this scan let's have a look at what
it exactly does. Go to 'Configuration -> Scan configs' and click the System Discovery scan
config:

When we click the NVT family entries we can see that the System Discovery scan uses
various checks to determine the operating system and to discover SMB servers, printers
and various services. Now that we know what this scan does let’s run it on a few targets.

From the discovered hosts we’ve selected a few targets and included them in a new
custom target list:

Then we create a new scan task, select the custom target list and finally choose the
‘System Discovery’ scan:

Next, we can execute the task and wait until it is finished.

This looks a lot more interesting than the Host Discovery scan, it even found a few severe
vulnerabilities with the limited scan configuration. In the scan results we can find that the
scan discovered 2 vulnerabilities: DistCC Detection and an FTP server that allows
anonymous logins.

Another interesting update took place in the assets section. When we browse to Assets -> Operating Systems we

Running a Full & Fast vulnerability scan

Now that we've discovered the live hosts on the 192.168.100.1/24 subnet, created a
custom target list based on these hosts and ran some scans, let's run a Full & Fast
vulnerability scan. The Full & Fast scan config is a balanced configuration that is
optimized to provide the best results in the least amount of time: it runs most of the
NVTs and makes use of information collected earlier in the scan. Let's set up this scan by
creating a new task:

Again, we use the custom target list we've created earlier and select the Full & Fast scan
config. In the task settings you can also specify how many NVTs per host and how many
hosts will be scanned simultaneously. When you're targeting many hosts with a relatively
heavy scan config, make sure that your machine has enough resources available to
effectively perform the scan task. Also take into account that scanning several hosts at
once with this type of scan generates a lot of network traffic and might even crash
services and hosts. For this demonstration we've scanned one host with 20 NVTs at the
same time. After a little over 1 hour of scanning, OpenVAS came up with the following
results:

The discovered vulnerabilities range from information disclosure vulnerabilities, such as
‘DCE/RPC and MSRPC Services Enumeration Reporting’ for host 192.168.100.106 to
more severe vulnerabilities such as ‘Microsoft Windows SMB Server Multiple
Vulnerabilities-Remote (4013389)’ or better known as MS17-010 and EternalBlue.
OpenVAS also scans targets for known misconfigurations, of which 'IIS ASP.NET
Application Trace Enabled' is a nice example. A misconfiguration like enabled application
tracing can be abused by an attacker to view web requests. These requests can include
sensitive data such as POST requests with login credentials.

So far, the results are pretty interesting as we’ve found some serious vulnerabilities such
as MS17-010. We’ve also found different misconfigurations that allow attackers to retrieve
sensitive data from our systems that can be used to access system or provide useful
information for later attack stages. At this point I don’t want to go into too much detail
about false positives, or even worse false negatives, but scanning tools like OpenVAS
can only detect vulnerabilities that it scans for. As I’m scanning my own private lab
machines I know there’s a few vulnerabilities/misconfigurations that OpenVAS didn’t pick
up and they would go unnoticed without further testing. While OpenVAS did reveal severe
vulnerabilities, we cannot rely on scanning results entirely and therefore it is also
important to do manual testing in combination with automated scanning. In part 4 of
Vulnerability scanning with OpenVAS we will cover false negatives (undetected
vulnerabilities) and we’ll have a look at what we can do to avoid this. In the next section
we will have a look at how to perform credentialed scans with OpenVAS.

Credentialed vulnerability scans

Until now we’ve only scanned targets for vulnerabilities from the network perspective,
such as vulnerable web servers, SMB and FTP servers. We can also supply credentials
in the target configuration so that OpenVAS is able to sign in and check for local
vulnerabilities such as security issues in kernels and installed software, for example
vulnerabilities that allow for privilege escalation. Another way of using credentials is to
check a target for default or easy to guess credentials, such as admin/admin. In this case
OpenVAS will try the given credentials on a target and report back whether they worked.
A good use case for this would be creating a credential set with the vendor defaults when
you're scanning (a range of) Cisco devices. In this case you could add cisco/cisco as
username and password, or just the username. For this demonstration we will scan
Metasploitable 2 and supply admin credentials.

To run credentialed scans on a target we have to create credentials first by going to
'Configuration -> Credentials' and clicking the blue star icon to create a new set of
credentials:

We’ll name it ‘MS2’ and supply the default credentials for Metasploitable 2 (username
and password: msfadmin). The next step is to create a new target, enter the target IP
address and specify the newly created credentials for SSH access so OpenVAS is able
to run authenticated checks:

From here you’ll have to create a new scanning task and run it as we already did a few
times during this tutorial. Now that we’ve supplied the credentials, local vulnerabilities will
be included in the report once the scan is finished.
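Everything we have clicked through so far, the create target, create task and start task sequence of part 2 and the credential that turns it into the credentialed scan above, can also be driven over OMP, the XML protocol that openvasmd exposes on TCP 9390 in OpenVAS 9 (the omp command-line tool speaks the same protocol), which is how you would automate scans from a pipeline instead of the web interface. The following is an added example, not code from the tutorial or from the OpenVAS project. Assumptions: the OMP 7 request and response shapes are written from memory, so confirm them against your own daemon (for instance with omp -X '<get_version/>') before relying on them; FAKE_REPLIES are constructed responses with invented ids so the workflow runs offline; the scan config is resolved by name rather than by a hard-coded UUID; and the TLS transport disables certificate verification because both the Kali install and the appliance use a self-signed certificate, which you should pin in production.

```python
"""Added example: the tutorial's target/task/start workflow and its credentialed
variant over OMP (openvasmd's XML protocol, TCP 9390 in OpenVAS 9).
Request/response shapes are OMP 7 as I recall them; verify against your daemon.
FAKE_REPLIES are constructed, with invented ids, so this runs offline."""
import socket
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as x


class OmpError(Exception):
    pass


class OmpClient:
    """send(request_xml) -> response_xml. One connection per client, because
    OMP authenticates the connection, not each command."""

    def __init__(self, send):
        self._send = send

    def call(self, request):
        root = ET.fromstring(self._send(request))
        status = root.get("status", "")
        if not status.startswith("2"):                      # 2xx is success
            raise OmpError(f"{root.tag}: {status} {root.get('status_text', '')}")
        return root

    def authenticate(self, user, password):
        self.call(f"<authenticate><credentials><username>{x(user)}</username>"
                  f"<password>{x(password)}</password></credentials></authenticate>")

    def config_id(self, name):
        """Resolve a scan config ('Full and fast', 'Host Discovery', ...) by name."""
        for cfg in self.call("<get_configs/>").iter("config"):
            if cfg.findtext("name") == name:
                return cfg.get("id")
        raise OmpError(f"no scan config named {name!r}")

    def create_credential(self, name, login, password):
        req = (f"<create_credential><name>{x(name)}</name><login>{x(login)}</login>"
               f"<password>{x(password)}</password></create_credential>")
        return self.call(req).get("id")

    def create_target(self, name, hosts, alive_test=None, ssh_credential_id=None):
        body = f"<name>{x(name)}</name><hosts>{x(','.join(hosts))}</hosts>"
        if alive_test:                                       # e.g. "ICMP & ARP Ping"
            body += f"<alive_tests>{x(alive_test)}</alive_tests>"
        if ssh_credential_id:                                # makes it a credentialed scan
            body += f'<ssh_credential id="{ssh_credential_id}"><port>22</port></ssh_credential>'
        return self.call(f"<create_target>{body}</create_target>").get("id")

    def create_task(self, name, config_id, target_id):
        req = (f"<create_task><name>{x(name)}</name>"
               f'<config id="{config_id}"/><target id="{target_id}"/></create_task>')
        return self.call(req).get("id")

    def start_task(self, task_id):
        return self.call(f'<start_task task_id="{task_id}"/>').findtext("report_id")


def tls_sender(host="127.0.0.1", port=9390):
    """Real transport. Self-signed certificate on the scanner, so verification
    is disabled here; pin the certificate (cafile) in production."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)

    def send(request):
        sock.sendall(request.encode())
        buf = b""
        while True:                     # OMP has no framing: read until the buffer
            chunk = sock.recv(65536)    # is one complete, well-formed XML document
            if not chunk:
                raise OmpError("connection closed by openvasmd")
            buf += chunk
            try:
                ET.fromstring(buf)
                return buf.decode()
            except ET.ParseError:
                continue
    return send


FAKE_REPLIES = {  # constructed responses, keyed by the request's root element
    "authenticate": '<authenticate_response status="200" status_text="OK"/>',
    "get_configs": ('<get_configs_response status="200" status_text="OK">'
                    '<config id="cfg-ff"><name>Full and fast</name></config>'
                    '<config id="cfg-hd"><name>Host Discovery</name></config></get_configs_response>'),
    "create_credential": '<create_credential_response status="201" status_text="OK, resource created" id="cred-1"/>',
    "create_target": '<create_target_response status="201" status_text="OK, resource created" id="tgt-1"/>',
    "create_task": '<create_task_response status="201" status_text="OK, resource created" id="task-1"/>',
    "start_task": ('<start_task_response status="202" status_text="OK, request submitted">'
                   '<report_id>rep-1</report_id></start_task_response>'),
}


def fake_sender(log):
    """Offline transport: records each request and answers from FAKE_REPLIES."""
    def send(request):
        log.append(request)
        return FAKE_REPLIES[ET.fromstring(request).tag]
    return send


def scan_metasploitable(send, credentialed=True):
    """The tutorial's clicks as calls: MS2 credential -> target -> task -> start.
    Returns the id of the report the running task writes to."""
    omp = OmpClient(send)
    omp.authenticate("admin", "admin")                       # use your real admin password
    config = omp.config_id("Full and fast")
    cred = omp.create_credential("MS2", "msfadmin", "msfadmin") if credentialed else None
    target = omp.create_target("Metasploitable 2", ["192.168.65.137"],
                               alive_test="ICMP & ARP Ping", ssh_credential_id=cred)
    task = omp.create_task("Scan Metasploitable 2", config, target)
    return omp.start_task(task)
```

Against the Kali VM from the lab setup you would call scan_metasploitable(tls_sender("192.168.65.128")); offline, scan_metasploitable(fake_sender([])) walks the same six requests against the canned replies. Any non-2xx status from the daemon is turned into an OmpError rather than being ignored, which matters in automation: a target with a bad host specification must fail the job, not start an empty scan.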

Scheduling scan tasks

The last topic that we’ll cover in this tutorial is scan task scheduling. Task scheduling is
particularly useful when you want to scan a host or network ranges on a regular basis
during pre-specified hours. Let’s say we want to run a vulnerability scan on the company
network at night when there’s little to no traffic. In this case we can create a daily schedule
that runs every day at 11 PM. Let’s have a look at how to do this.

First, we need to create a schedule which we will then assign to a scanning task. To
create a schedule, go to Configuration -> Schedules, create a new schedule and specify
the desired parameters:

This schedule will run the vulnerability scan every day at 11 PM starting today. The only
thing that remains is to create a new scanning task and assign the schedule:

Some final words

By now you should have a good overview of the features and how to perform vulnerability
scans with OpenVAS and the Greenbone Security Assistant web application. In this
tutorial series we’ve covered the installation process for the local version and the
appliance, creating target lists for individual targets and ranges. Then we went on with
running different kinds of scans to detect live hosts, discover system information and
vulnerabilities. We’ve also covered credentialed scans and scheduling scans to run scan
tasks overnight. In the following and final part 4 we will cover custom scan configurations
and learn how to configure our own scanning configurations. Custom scan configurations
were initially planned for part 3 but as this tutorial has gotten a bit too long already I’ve
decided to move this section to part 4. In this part we’ve briefly touched on the subject of
false negatives (i.e. undetected vulnerabilities). This is something we will cover too in the
next part where we’ll have a look at the limitations of automated scanning tools like
OpenVAS and how to avoid them.

