Vulnerability scanning with OpenVas

OpenVas is a free open source vulnerability scanner. It covers various network vulnerability tests and is maintained on a daily basis. It can be installed on Windows and all flavors of Linux. This post will go through the setup on Linux and full scan of a vulnerable windows target.

OpenVas comes pre-installed on Kali linux. It can be manually downloaded from:
http://www.openvas.org/download.html

Before starting OpenVas it is necessary to run the setup first. This will create the database and prompt you to create login details. Do not forget these details. If you do however forget your login you can create a new admin user with the command sudo openvasad -c add_user -u administrator -r Admin.  To begin the setup run the command:
sudo openvas-setup

Note, this process may take a while. After the setup has complete it is a good idea to run the setup check as an extra precaution. Run the check with the command:
sudo openvas-check-setup

If all went well you should have a screen like the one above. Note this line:
OK: Greenbone Security Assistant is listening on port 9392, which is the default port.

Now we can go to our web browser and go to the url:
https://127.0.0.1:9392
You will be warned of an untrusted SSL certificate. This is only because OpenVas is using its own self-signed certificate. You should be presented with this login prompt:

Login with your credentials you created during the setup. Once you are logged in go to the administration tab and update your NVT, SCAP and CERT feed. This may take a very long time depending on how long it was since the last update.
NVT: Network Vulnerability Test
SCAP: Security Content Automation Protocol
CERT: Computer Emergency Response Team

Once that has completed you are ready to add your targets for scanning. Navigate to Configuration, targets. Once in the targets panel click on the star icon to add a new target:

Enter the IP address and any details of the host you wish to scan. Set the port options to your desired port range. In this case I will be scanning all TCP ports as assigned by IANA. You can also add a list of IPs located in an external file.

Once you have created your target click "Create Target". Now we need to create a task and add this target to it. Go to Scan management and click New Task. This where you set your desired type of scan. The first option "Full and Fast" is the fastest of them all. The scans take longer for each type of scan with "Full and very deep ultimate" taking the longest. For now I am just setting it at the Full and Fast. Under targets, add your target you created earlier. You have the option of adding any observers to the scan as well. This would be any user you want to let view the scan remotely.

Once the task has been created, it will be listed in the home page of OpenVas. Start the scan by clicking the play button to the left of your task.

You may need to refresh the browser to see the progress of the scan. While the scan is running you can view the results in real time by clicking the magnifying glass icon.

The box I am scanning is a Windows XP SP2 system running on Virtual Box. It is running xamp with apache and mysql enabled.

Scan Results

This scan took around half an hour to complete. Results can be printed to various outputs including pdf, html, xml etc... Very useful for giving reports to clients.
As well as printing the results you are also given advise on how to fix the issues like the one below.

After this scan I re-ran the scan using the Full and very deep ultimate setting. The scan took around and hour and half and found 1 more vulnerability bringing the total up to 7. This goes to show how taking the extra time can mean the difference between a successful compromise and an unsuccessful one.