OpenVAS: The Open-Source Vulnerability Scanner for Network Security

Guide to OpenVAS: The Open-Source Vulnerability Scanner for Network Security

In the dynamic world of cybersecurity, identifying and mitigating vulnerabilities is critical to safeguarding networks and systems. OpenVAS (Open Vulnerability Assessment System), maintained by Greenbone Networks, is a powerful open-source vulnerability scanner that empowers security professionals, system administrators, and ethical hackers to assess and strengthen their infrastructure. This article provides an in-depth exploration of OpenVAS, covering its features, installation, core components, practical usage examples, and advanced vulnerability scanning techniques—all while emphasizing ethical and legal use. As of September 2025, this guide reflects the latest updates to OpenVAS (Greenbone Vulnerability Management, GVM) and best practices for its deployment.

Introduction to OpenVAS

OpenVAS is a comprehensive vulnerability scanning and management framework designed to detect security weaknesses in systems, applications, and networks. Initially a fork of the Nessus scanner after its shift to a proprietary license in 2005, OpenVAS has evolved into a robust tool under Greenbone's stewardship. It is part of the Greenbone Vulnerability Management (GVM) framework, offering a modular architecture for scanning, reporting, and compliance.

OpenVAS is free, open-source (GNU GPL), and ideal for organizations with limited budgets. It supports both authenticated and unauthenticated scans, a vast database of Network Vulnerability Tests (NVTs), and integration with security tools, making it a cornerstone for vulnerability management.

History and Development

Originating as GNessUs in 2005, OpenVAS was created by pentesters at SecuritySpace and others as a response to Nessus's proprietary shift. Renamed OpenVAS, it became part of the GVM framework, with continuous updates to its NVT feed (over 100,000 tests in the paid Greenbone Security Feed, 50,000+ in the free Community Feed). The 2025 release enhances performance, scalability, and integration, supporting enterprise-grade deployments.

Key Features

OpenVAS offers a robust feature set for vulnerability assessment:

  • Comprehensive Vulnerability Detection: Scans for thousands of CVEs, misconfigurations, and outdated software.
  • Authenticated and Unauthenticated Scans: External (perimeter) and internal (credentialed) testing.
  • Customizable Scan Policies: Tailor scans for specific assets or compliance needs.
  • Regularly Updated NVT Feed: Greenbone Community Feed (free) or Greenbone Security Feed (paid).
  • Detailed Reporting: Actionable reports with severity ratings and remediation guidance.
  • Web Interface (GSA): Intuitive Greenbone Security Assistant for scan management.
  • Scalability: Supports small networks to large enterprises.
  • Integration: Works with SIEM, ticketing systems, and tools like Nmap.

Components of OpenVAS (GVM)

Component: Description

  • OpenVAS Scanner: Executes NVTs to scan targets for vulnerabilities.
  • Greenbone Security Assistant (GSA): Web interface for managing scans and reports.
  • Greenbone Vulnerability Manager (GVMd): Orchestrates scans, schedules, and user authentication.
  • OpenVAS CLI: Command-line interface for scripting and automation.
  • Database Backend: Stores results and configurations (e.g., PostgreSQL, Redis).
  • Feed Services: Updates NVTs, CERT, and SCAP data.

Plugins are written in Nessus Attack Scripting Language (NASL).

Installation and Setup

Dependencies

  • Core: libgvm, gvm-libs, openvas-scanner, postgresql, redis.
  • Optional: libpcap, libssh, libksba, python3-gvm.

Installation on Linux (Kali/Ubuntu)

Kali Linux includes OpenVAS pre-installed. For Ubuntu or other distros:

  1. Install dependencies:

sudo apt-get install gvm

  2. Set up GVM:

sudo gvm-setup

This generates an admin password (save it).

  3. Update feeds:

sudo gvm-feed-update

  4. Start services:

sudo gvm-start

  5. Verify: sudo gvm-check-setup.

Docker

Use the official Greenbone Docker image:

docker pull greenbone/community-edition

docker run -d -p 9392:9392 greenbone/community-edition

Access GSA at https://localhost:9392.

Troubleshooting

  • Feed Sync Issues: Run gvm-feed-update manually.
  • Service Failures: Check logs at /var/log/gvm/.
  • Port Conflicts: Ensure 9392 (GSA) is free.

Usage Examples

Prerequisites: Kali Linux, compatible hardware, root access, updated NVT feed.

Example 1: Basic Scan via Web Interface

  1. Access GSA: https://localhost:9392, log in with admin credentials.
  2. Navigate to Scans > Tasks, click the wand icon for Task Wizard.
  3. Enter target IP (e.g., 192.168.1.100 or a test VM like Metasploitable).
  4. Select Start Scan. Monitor progress and view results under Scans > Reports.
    • Output includes vulnerabilities, CVSS scores, and remediation steps.

Example 2: Credentialed Scan

  1. Create credentials: Configuration > Credentials, add SSH or SMB credentials.
  2. Define target: Configuration > Targets, select IP and assign credentials.
  3. Create task: Scans > Tasks > New Task, choose "Full and Fast" profile.
  4. Start scan and export report (PDF/CSV) from Scans > Reports.

Example 3: CLI Scan

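The legacy omp client has been replaced by gvm-cli (from gvm-tools), and GMP references the port list, scan config, and target by ID rather than by name:

gvm-cli --gmp-username admin --gmp-password <password> tls --hostname localhost --port 9390 --xml "<create_target><name>Target</name><hosts>192.168.1.100</hosts><port_list id='PORT_LIST_ID'/></create_target>"

gvm-cli --gmp-username admin --gmp-password <password> tls --hostname localhost --port 9390 --xml "<create_task><name>TestScan</name><config id='CONFIG_ID'/><target id='TARGET_ID'/></create_task>"

gvm-cli --gmp-username admin --gmp-password <password> tls --hostname localhost --port 9390 --xml "<start_task task_id='TASK_ID'/>"

Retrieve TARGET_ID from the first command's response and TASK_ID from the second. Look up CONFIG_ID (for "Full and fast") and PORT_LIST_ID with <get_configs/> and <get_port_lists/>.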

Vulnerability Scanning Techniques

Note: These techniques are for ethical use on systems you own or have explicit permission to scan. Unauthorized scanning is illegal.

1. Unauthenticated Perimeter Scan

Simulate an external attacker:

  1. Use Task Wizard to scan an external IP.
  2. Select "Full and Fast" profile to check open ports and services.
  3. Review for exposed services (e.g., HTTP, SSH) or misconfigured firewalls.

2. Credentialed Internal Scan

Gain deeper insights:

  1. Configure SSH credentials for a Linux server.
  2. Create a task with credentials and "Deep Scan" profile.
  3. Identify internal issues like outdated packages or weak permissions.

3. Scheduled Compliance Scans

Ensure PCI-DSS/ISO 27001 compliance:

  1. Set up a target with multiple hosts.
  2. Schedule weekly scans: Scans > Schedules, set to alert on CVSS 7.0+ vulnerabilities.
  3. Export compliance reports for auditors.
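
An added example (not from the original article or from Greenbone) of triaging an exported XML report against the CVSS 7.0 threshold used above: it keeps findings at or above the threshold and sets aside those with a low quality-of-detection (QoD) value for manual verification. The sample report is constructed and simplified; the element names and the QoD cut-off of 70 are assumptions about the export format.

```python
import xml.etree.ElementTree as ET

# Constructed sample, simplified from the shape of a GVM XML report export.
SAMPLE_REPORT = """<report><results>
<result><host>192.168.1.100<hostname>web01</hostname></host><port>443/tcp</port>
 <nvt><name>Example outdated web server</name></nvt>
 <severity>9.8</severity><qod><value>80</value></qod></result>
<result><host>192.168.1.100</host><port>22/tcp</port>
 <nvt><name>Example weak SSH algorithms</name></nvt>
 <severity>5.3</severity><qod><value>80</value></qod></result>
<result><host>192.168.1.101</host><port>445/tcp</port>
 <nvt><name>Example SMB finding</name></nvt>
 <severity>8.1</severity><qod><value>30</value></qod></result>
<result><host>192.168.1.101</host><port>80/tcp</port>
 <nvt><name>Example banner finding</name></nvt>
 <severity>7.0</severity><qod><value>95</value></qod></result>
<result><host>192.168.1.102</host><port>general/tcp</port>
 <nvt><name>Example malformed entry</name></nvt>
 <severity></severity><qod><value>80</value></qod></result>
</results></report>"""

def parse_results(xml_text):
    """Return one dict per <result>, skipping entries without numeric values."""
    findings = []
    for res in ET.fromstring(xml_text).iter("result"):
        try:
            severity = float(res.findtext("severity") or "")
            qod = int(res.findtext("qod/value") or "0")
        except ValueError:
            continue  # malformed or empty severity/QoD: not a usable finding
        findings.append({"host": (res.findtext("host") or "").strip(),
                         "port": res.findtext("port") or "",
                         "name": res.findtext("nvt/name") or "",
                         "severity": severity, "qod": qod})
    return findings

def triage(findings, min_cvss=7.0, min_qod=70):
    """Split findings with severity >= min_cvss into (actionable, verify)."""
    high = sorted((f for f in findings if f["severity"] >= min_cvss),
                  key=lambda f: f["severity"], reverse=True)
    actionable = [f for f in high if f["qod"] >= min_qod]
    verify = [f for f in high if f["qod"] < min_qod]  # low confidence: validate by hand
    return actionable, verify

if __name__ == "__main__":
    actionable, verify = triage(parse_results(SAMPLE_REPORT))
    for label, group in (("REMEDIATE", actionable), ("VERIFY", verify)):
        for f in group:
            print(f'{label} {f["severity"]:>4} {f["host"]} {f["port"]} {f["name"]}')
```
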

4. Targeted Web Application Scan

Focus on web servers:

  1. Configure: Configuration > Scan Configs, clone "Full and Fast," set regex to scan only / (root directory) to avoid deep crawling.
  2. Scan ports 80/443 for vulnerabilities like XSS or SQL injection.
  3. Combine with tools like Nikto for enhanced web testing.

5. Custom NVT Development

Write NASL scripts for specific vulnerabilities:

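# Example: Check for outdated Apache version
if(description) {
  # Metadata block: read by the scanner when the script is loaded
  script_oid("1.3.6.1.4.1.25623.1.0.123456");
  script_name("Outdated Apache version (example)");
  script_category(ACT_GATHER_INFO);
  exit(0);
}
include("http_func.inc");  # HTTP helper library

if(get_port_state(80)) {
  banner = get_http_banner(port:80);
  if(banner =~ "Apache/2\.[0-2]") {
    # Record the server type only once the banner has confirmed it
    set_kb_item(name:"http/server", value:"Apache");
    security_message(port:80, data:"Outdated Apache version detected.");
  }
}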

Test with openvas-nasl -t <target> script.nasl.

Legal and Ethical Considerations

OpenVAS is a dual-use tool. Scanning networks without permission violates laws like the U.S. Computer Fraud and Abuse Act or equivalent regulations. Always obtain explicit consent from system owners. Greenbone promotes ethical use, with security contacts for responsible disclosure.

Best Practices

  • Update Feeds Regularly: Use gvm-feed-update or automate via cron jobs.
  • Verify False Positives: Manually validate critical findings with tools like Metasploit.
  • Secure Deployment: Use TLS, restrict port 9392 to VPN/internal IPs, and avoid default credentials.
  • Prioritize Remediation: Focus on high CVSS scores first.
  • Integrate: Combine with Nmap, SIEM, or ticketing systems.

Limitations

  • False Positives/Negatives: May report non-exploitable issues or miss zero-days.
  • Resource Intensive: Requires robust hardware for large scans.
  • Not a Pen-Testing Replacement: Complements manual testing.

Conclusion

OpenVAS is a versatile, cost-effective tool for vulnerability management, suitable for startups, enterprises, and ethical hackers. Its comprehensive NVT database, customizable scans, and integration capabilities make it a powerful ally in securing networks. By following the examples and techniques outlined, you can leverage OpenVAS to proactively protect your systems. Visit greenbone.net for updates and community support.
