Exploring the OpenVAS vulnerability scanner


OpenVAS provides many configuration options (Figure 1), but most of the options have conservative defaults that preserve performance and support functionality. A few of the most important options follow.

  • Port Range – This option sets the range of ports for scanning by the OpenVAS server. The default is to scan only ports defined in the openvas-services file, which covers all of the commonly used ports, except for some in the upper end of the port range. To get complete coverage of all ports, specify 1-65535. Scanning a smaller number of ports, including just the default range, will speed up the scan, but you might miss detecting malware such as backdoor daemons listening on high-numbered ports.
  • Hosts to test concurrently – This option sets the number of hosts that can be scanned in parallel, which has the effect of limiting the load on the OpenVAS server.
  • Checks to perform concurrently – This option sets the number of concurrent tests that can run on a single target at one time.
  • Safe Checks – This option instructs OpenVAS to rely on banners rather than perform a potentially invasive check of the target service. Turning safe checks off could result in services becoming unavailable to the server or users (Figure 2). A good idea would be to perform a regular check with safe checks set to on, then turn off safe checks for additional scans. For example, if OpenVAS scans are scheduled every Tuesday, the first Tuesday should be run with safe checks off, with systems administrators on hand to respond to any potential disruptions.
  • Port scanner – A choice of different port scanning options is available. The options range from simple TCP connection attempts (the OpenVAS TCP Scanner) to more sophisticated approaches, such as a SYN scan or an IKE scan. SYN scans can detect ports without completing the normal TCP handshake procedure. IKE scans are designed to locate IPSec, VPNs, and similar connection points.
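As an added illustration of the Port Range trade-off (example code, not from the article or the OpenVAS project), the script below parses an OpenVAS-style port range, reads a constructed excerpt in the "name port/proto" layout of a services file, and reports which listening ports on a host would fall outside the scan. The spec value "default" is this example's own convention for "only the ports in the services file"; the services excerpt and the listening-port inventory are constructed sample data.

```python
"""Added example: which listening ports does a given OpenVAS port range skip?"""
import re


def parse_port_range(spec: str) -> set[int]:
    """Parse an OpenVAS-style port range such as "1-1024,8080,49152-65535"."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port item: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_services_file(text: str, proto: str = "tcp") -> set[int]:
    """Collect the ports of 'name port/proto' lines; '#' comments are ignored."""
    ports: set[int] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"\S+\s+(\d+)/(tcp|udp)", line)
        if m and m.group(2) == proto:
            ports.add(int(m.group(1)))
    return ports


# Constructed excerpt in services-file layout (not the real openvas-services file).
SERVICES_SAMPLE = """
ssh           22/tcp
smtp          25/tcp
http          80/tcp
https         443/tcp
microsoft-ds  445/tcp
http-alt      8080/tcp   # common alternate HTTP port
"""

# Constructed inventory of TCP listeners found on one host.
LISTENING = {22, 80, 445, 8080, 49999, 60001}


def unscanned_ports(spec: str, listening: set[int], services_text: str = SERVICES_SAMPLE) -> list[int]:
    """Listening ports that the port range would not touch ('default' = services file only)."""
    scanned = parse_services_file(services_text) if spec == "default" else parse_port_range(spec)
    return sorted(listening - scanned)


if __name__ == "__main__":
    for spec in ("default", "1-1024", "1-65535"):
        print(f"{spec:>8}: scan would miss {unscanned_ports(spec, LISTENING)}")
```

The two high-numbered listeners only show up with the full 1-65535 range, which is the coverage-versus-speed choice the option forces.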

OpenVAS offers many other configuration options. The OpenVAS website has more information on tailoring the settings to your own environment.

Local Access Credentials

Running a scan in the default configuration leads to a purely remote scan. Although you can get a lot of good information this way, the default settings essentially make OpenVAS into a glorified port scanner. By taking advantage of the local check capabilities, you can get much more accurate results. Local checks allow OpenVAS to determine the state of applications that normally might be inaccessible over the network (such as Wireshark) but that nevertheless might have vulnerabilities. Local checks also help locate vulnerable applications that you might not even know are running on your system.

Version 2.0.2 and higher of OpenVAS Client has a convenient Credentials Manager tool for entering local access credentials to scan target systems (Figure 3). SSH keys are created in RSA PKCS#8 format for compatibility across different implementations of SSH.

Once created, the keys can be installed easily on target systems via the RPM or DEB packages created by the wizard. The locations of the packages are defined during the creation procedure. A Windows installer that is also created prepares Windows targets for scanning with an SMB-based local user.

Getting to Work

Once your system is configured, it is time to run a scan by starting the OpenVAS Client. A dialog box asks for the user login (Figure 4). If this is the first login, you might be asked to save the SSL certificate. At this point, the client will also check for new plugins and plugin dependencies from the server.

Next, create a new task called Test Scans. A task is equivalent to a logical group. This grouping is completely abstract – the task could refer to a customer network, in the case of a consultant, or a grouping of nodes within a local or remote network, in the case of an in-house systems administrator.

The next step is to create a new scope called Internal Testing. Scopes are defined within the context of a task. A scope is equivalent to a profile. For instance, a scope might include all Linux nodes or all AIX nodes. The scope can also equate to services rather than nodes, such as all machines running SSH daemons or SMB services. (Scope and tasks are entirely abstract. Currently, OpenVAS does not provide a means to automatically create a task and scope from previous scans or templates.)

With all of the pieces in place, it is time to run the first scan. First, set any desired options, such as preferred port scanners and target access credentials, then execute the scan by clicking on the Execute button. The scan begins at this point. The client will pop up an informational window with the current status of the port scan and checks (Figure 5).

Once the scan is complete, a report highlights the number of high-, moderate-, and low-priority issues (Figure 6). The client also can export a report in various formats, including HTML, XML, and PDF.
