• Subscribe to the low volume list for updates.

OpenVAS Tutorial and Tips

Follow this OpenVAS Tutorial to get an overview of OpenVAS management and administration. With a focus on the backend services this will allow you to get the full OpenVAS Vulnerability Scanning Framework up and running. Additional tips for troubleshooting and testing individual checks rounds out the tutorial.

About: HackerTarget.com provides an online hosted version of OpenVAS for convenient and easy access to OpenVAS, allowing immediate vulnerability scanning of Internet facing servers.

Getting Started with OpenVAS

Overview of Components

OpenVAS is comprised of a number of services and clients, by understanding the role of the different components you will be much better able to effectively administer OpenVAS servers.

OpenVAS Tutorial Component Overview

Communication from the client to the OpenVAS Manager is done using the OpenVAS Management Protocol (OMP).

What is an NVT?

NVT refers to Network Vulnerability Test. These are conducted using plugins that are developed in NASL code. The scripting language is a legacy of its original Nessus code base. NASL is the Nessus Attack Scripting Language, a scripting language for the testing of vulnerabilities first developed in 1998. With inspiration from the C programming language, non-coders wishing to quickly develop a vulnerability test may be better served by Nmap and its LUA based NSE (Nmap Scripting Engine) scripts.

On a typical OpenVAS server there will be tens of thousands of .nasl files, these are the vulnerability checks that are used by the OpenVAS scanner service. A guide to updating the NVT's can be found in this tutorial below.

Install OpenVAS on Ubuntu (PPA)

For those wishing to install OpenVAS on Ubuntu we have a complete installation guide available, that covers not only the base installation but also a number of optional additions to increase the effectiveness of our favorite vulnerability management solution.

Install OpenVAS on Kali (PPA)

The most famous of the Linux Penetration Testing distributions, Kali Linux is a popular choice for quickly getting tools up and running as many are pre-installed and pre-configured. Installing OpenVAS is very straightforward. Simply run the apt install and then run the configure script.

root@kali:~# apt-get update
root@kali:~# apt-get dist-upgrade

root@kali:~# apt-get install openvas
root@kali:~# openvas-setup
/var/lib/openvas/private/CA created
/var/lib/openvas/CA created

[i] This script synchronizes an NVT collection with the 'OpenVAS NVT Feed'.
[i] Online information about this feed: 'http://www.openvas.org/openvas-nvt-feed
...
sent 1052 bytes received 64342138 bytes 99231.26 bytes/sec
total size is 64342138 speedup is 1.00
[i] Initializing scap database
[i] Updating CPEs
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2002.xml
[i] Updating /var/lib/openvas/scap-data/nvdcve-2.0-2003.xml
...
Write out database with 1 new entries
Data Base Updated
Restarting Greenbone Security Assistant: gsad.
User created with password '* password that looks like uuid *'.

Install OpenVAS on Fedora (PPA)

From the official OpenVAS installation page getting up and running with Fedora is a few simple steps.

Note that these steps also apply for RHEL and CentOS.

Step 1: Configure Atomicorp Repository

wget -q -O - http://www.atomicorp.com/installers/atomic |sh

Step 2: Quick-Install OpenVAS
(as user root, only once)

yum install openvas
openvas-setup

Step 3: Quick-Start OpenVAS

( nothing to do, all is up and running directly after installation )

Step 4: Log into OpenVAS with user created in the step 2
Open https://localhost:9392/

Install OpenVAS from Source

The advantage of installing from source is that you get the most up to date version of OpenVAS. In this source installation guide for Ubuntu we step through the steps of getting OpenVAS installed from source. Of course depending on your Linux distribution the required development packages will be different.

While the linked guide is specifically for OpenVAS 7 and Ubuntu, the basic process can be followed for other versions and distributions.

Accessing the OpenVAS Web Interface

The OpenVAS Web Interface (gsad) runs on TCP port 9392. However depending on your installation it could also be listening on TCP 443. After installation this can be confirmed by checking the listening ports on your system.

root@localhost:/# netstat -alnp | grep LISTEN

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      3692/redis-server 1
tcp        0      0 0.0.0.0:9391            0.0.0.0:*               LISTEN      13806/openvassd: Wa
tcp        0      0 0.0.0.0:1337            0.0.0.0:*               LISTEN      3656/sshd
tcp6       0      0 :::9390                 :::*                    LISTEN      13804/openvasmd
tcp6       0      0 :::443                  :::*                    LISTEN      28020/gsad

From these ports, we can see in our installation gsad is running on port 443. The OpenVAS Scanner (openvassd) is running on TCP Port 9391 and the OpenVAS Manager (openvasmd) is running on TCP port 9390. Lastly is the redis-server on TCP 6379. This database is used to store temporary meta data during active scanning.

Opening https://server-ip/ in our browser shows the login screen for the Greenbone Security Assistant.

Key File Locations of an OpenVAS Install

It is important to know the locations of your OpenVAS log files and configuration. This will allow faster troubleshooting and management of your server.

The prefix of the path will generally depend on how OpenVAS was installed. A default source installation will put all the files under /usr/local/ while most packages will put the files in the expected locations /etc/openvas/, /var/lib/openvas and /var/log/openvas/.

OpenVAS Log Files

The most common location will be /usr/local/var/log/openvas/ or /var/log/openvas/. In here you will find the key log files, where you should look if things are not behaving as expected.

root@localhost:~# ls /usr/local/var/log/openvas/
gsad.log
openvasmd.log
openvassd.dump
openvassd.messages

OpenVAS Configuration

The primary configuration file for the OpenVAS scanner is openvassd.conf, if this file is not present then default settings are used for all the available options.

Location of the file is usually /etc/openvas/ or /usr/local/etc/openvas/.

Check the current running configuration with this tip. Running openvassd -s on a server with openvassd running will result in the current configuration being shown. If the configuration file is not present these will be the default settings.

root@localhost:~# openvassd -s

plugins_folder = /usr/local/var/lib/openvas/plugins
cache_folder = /usr/local/var/cache/openvas
include_folders = /usr/local/var/lib/openvas/plugins
max_hosts = 30
max_checks = 10
be_nice = no
logfile = /usr/local/var/log/openvas/openvassd.messages
log_whole_attack = no
log_plugins_name_at_load = no
dumpfile = /usr/local/var/log/openvas/openvassd.dump
cgi_path = /cgi-bin:/scripts
optimize_test = yes
checks_read_timeout = 5
network_scan = no
non_simult_ports = 139, 445
plugins_timeout = 320
safe_checks = yes
auto_enable_dependencies = yes
use_mac_addr = no
nasl_no_signature_check = no
drop_privileges = no
unscanned_closed = yes
unscanned_closed_udp = yes
vhosts =
vhosts_ip =
report_host_details = yes
cert_file = /usr/local/var/lib/openvas/CA/servercert.pem
key_file = /usr/local/var/lib/openvas/private/CA/serverkey.pem
ca_file = /usr/local/var/lib/openvas/CA/cacert.pem
kb_location = /tmp/redis.sock
config_file = /usr/local/etc/openvas/openvassd.conf

If your build of OpenVAS does not include a default configuration file you can simply use the output from openvassd -s. Simply redirect the output straight to your configuration location and proceed with making changes to the configuration.

Ensure you are not overwriting an inplace configuration with the following command.

openvassd -s > /usr/local/etc/openvas/openvassd.conf

OpenVAS NVT Updates

The key command for updating NVT's on the system is openvas-nvt-sync. Ensure the full process below is followed however, as without the rebuilding of the NVT cache /var/cache/openvas/. The new updated checks will not be used by the scanner.

root@localhost:~/# openvas-nvt-sync

After syncing the latest NVT's it is neccessary to have the OpenVAS manager update its NVT cache. This can be done by openvasmd --update if the manager is running or openvasmd --rebuild with the manager stopped. The second option is much faster.

root@localhost:~/# ps -ef | grep openvas
** get the pid **
root@localhost:~/# kill $pid_of_openvassd
root@localhost:~/# kill $pid_of_openvasmd
root@localhost:~/# openvasmd --rebuild
root@localhost:~/# openvasmd
root@localhost:~/# openvassd
root@localhost:~/# ps -ef | grep openvas
root     13804     1  7 Nov10 ?        05:56:12 openvasmd
root     13806     1  0 Nov10 ?        00:02:12 openvassd: Waiting for incoming connections

With the above process output we can see that the update has been successful. The Scanner and Manager are ready to start scanning.

Command Line OpenVAS Scanning with OMP

Usually required for automating OpenVAS scans, the command line client (omp) for OpenVAS allows you to turn the system into custom solution for your own needs.

The omp command has a large number of options. A nice feature is the ability to save your connection credentials into a file so they don't have to be repeated on the command line.

[Connection]
host=127.0.0.1
port=9390
username=hackertarget
password=yeahright

While there are a number of shortcuts that can be used as command line parameters, for full control the XML option is the go to option. This gives you full control over the system.

root@localhost:~# omp --help
Usage:
  omp [OPTION...] - OpenVAS OMP Command Line Interface

Help Options:
  -?, --help                       Show help options

Application Options:
  -h, --host=                Connect to manager on host 
  -p, --port=              Use port number 
  -V, --version                    Print version.
  -v, --verbose                    Verbose messages (WARNING: may reveal passwords).
  --use-certs                      Use client certificates to authenticate.
  --client-cert=        Client certificate. Default: /usr/local/var/lib/openvas/CA/clientcert.pem
  --client-key=          Client key. Default: /usr/local/var/lib/openvas/private/CA/clientkey.pem
  --client-ca-cert=     Client CA certificate. Default: /usr/local/var/lib/openvas/CA/cacert.pem
  -u, --username=        OMP username
  -w, --password=        OMP password
  --config-file=      Configuration file for connection parameters.
  -P, --prompt                     Prompt to exit.
  -O, --get-omp-version            Print OMP version.
  -n, --name=                Name for create-task.
  -C, --create-task                Create a task.
  -m, --comment=             Comment for create-task.
  -c, --config=            Config for create-task.
  -t, --target=            Target for create-task.
  -E, --delete-report              Delete one or more reports.
  -D, --delete-task                Delete one or more tasks.
  -R, --get-report                 Get report of one task.
  -F, --get-report-formats         Get report formats. (OMP 2.0 only)
  -f, --format=            Format for get-report.
  --filter=                Filter string for get-report
  -G, --get-tasks                  Get status of one, many or all tasks.
  -g, --get-configs                Get configs.
  -T, --get-targets                Get targets.
  -i, --pretty-print               In combination with -X, pretty print the response.
  -S, --start-task                 Start one or more tasks.
  -M, --modify-task                Modify a task.
  --ping                           Ping OMP server
  --timeout=               Wait  seconds for OMP ping response
  --file                           Add text in stdin as file on task.
  -X, --xml=              XML command (e.g. "").  "-" to read from stdin.
  --send-file=               Replace SENDFILE in xml with base64 offile.
  --details                        Enable detailed view.

A very simple example of sending an XML query using the omp client is to actually ask for help. The response from this command gives details of other possible XML queries.

omp --xml=""

Starting a Scan from the Command Line

As a quick introduction, the process for starting a scan from the command line involves:
1. Create Target (--xml="My Targetmytargettotest.com")
2. Create Task (use -C and the option --config=ID of your scan config, also requires --target=ID of target)
3. Start Task (--xml="")
4. Get Report (--xml="/usr/local/openvas/bin/omp --pretty-print --xml "" /usr/local/openvas/bin/omp --pretty-print --xml ""

Once the scan has completed you can retrieve the report using the get_reports XML. Requires the report_id and the format_id parameters.

Initially this may seem a bit overwhelming however, it is quite logical once you step through the process. Don't forget to use the query commands to get the different target / task / report / format identifiers as you go through the process.

Test a Single OpenVAS NVT (nasl) Plugin

Whether you wish to troubleshoot an NVT that is not working or test a single vulnerability the openvas-nasl command is your friend. This handy tool allows quick checks and debugging of broken plugins.

root@localhost:~# openvas-nasl --help
Usage:
  openvas-nasl [OPTION...] NASL_FILE... - standalone NASL interpreter for OpenVAS

Help Options:
  -h, --help                          Show help options

Application Options:
  -V, --version                       Display version information
  -d, --debug                         Output debug information to stderr.
  -D, --description                   Only run the 'description' part of the script
  -B, --both                          Run in description mode before running the script.
  -p, --parse                         Only parse the script, don't execute it
  -L, --lint                          'lint' the script (extended checks)
  -t, --target=               Execute the scripts against 
  -T, --trace=                  Log actions to  (or '-' for stderr)
  -c, --config-file=        Configuration file
  -e, --source-iface=     Source network interface for established connections.
  -s, --safe                          Specifies that the script should be run with 'safe checks' enabled
  -X, --authenticated                 Run the script in 'authenticated' mode
  -i, --include-dir=             Search for includes in 
  --debug-tls=                 Enable TLS debugging at 

The following error is a common occurrence when attempting to run the command. This is due to a failure in the signature check as shown in the error. Fixing it is mostly straight forward.

root@localhost:~# openvas-nasl -p /usr/local/var/lib/openvas/plugins/http_version.nasl

base gpgme-Message: Setting GnuPG homedir to '/usr/local/var/lib/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '1.4.16'
base gpgme-Message: Setting GnuPG sysconf homedir to '/usr/local/etc/openvas/gnupg'
http_version.nasl: bad or missing signature. Will not execute this script

Note in the test command we have used the -p parameter. This is a good way to test things out, it simply attempts to parse the nasl script and will reveal any errors or other problems (such as missing signatures).

Full details of the Trusted NVT's is available, however we will jump into creating a private key, importing the OpenVAS plugin key and signing. So we can get on with our testing.

root@localhost:~# gpg --homedir=/usr/local/etc/openvas/gnupg --gen-key

Answer the questions as required to create your keyring and key. Then grab the official OpenVAS Transfer key.

root@localhost:~# wget http://www.openvas.org/OpenVAS_TI.asc
root@localhost:~# gpg --homedir=/usr/local/etc/openvas/gnupg --import OpenVAS_TI.asc

Final step is to get things signed.

root@localhost:~# gpg --homedir=/usr/local/etc/openvas/gnupg --lsign-key 48DB4530

pub 1024D/48DB4530 created: 2007-11-05 expires: never usage: SC
  trust: unknown validity: unknown
sub 2048g/70610CFB created: 2007-11-05 expires: never usage: E
[ unknown] (1). OpenVAS Transfer Integrity

pub 1024D/48DB4530 created: 2007-11-05 expires: never usage: SC
  trust: unknown validity: unknown
 Primary key fingerprint: C3B4 XXXX 288C XXXXX D526 XXXX 4847 XXXXX 48DB 4530

  OpenVAS Transfer Integrity

Are you sure that you want to sign this key with your
key "OpenVAS Test" (***)

The signature will be marked as non-exportable.

Really sign? (y/N) y

Now we have all the GPG signing sorted, lets try our test again.

root@localhost:~# openvas-nasl -p /usr/local/var/lib/openvas/plugins/http_version.nasl
base gpgme-Message: Setting GnuPG homedir to '/usr/local/var/lib/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '1.4.16'
base gpgme-Message: Setting GnuPG sysconf homedir to '/usr/local/etc/openvas/gnupg'

That looks much better. Now we can test against a target. Keep in mind that we are running these plugins standalone from the OpenVAS manager so the target ID's from the command line section are not relevant. Our target is simply the target host or IP address.

root@localhost:~# openvas-nasl -p /usr/local/var/lib/openvas/plugins/pre2008/http_methods.nasl
base gpgme-Message: Setting GnuPG homedir to '/usr/local/var/lib/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '1.4.16'
base gpgme-Message: Setting GnuPG sysconf homedir to '/usr/local/etc/openvas/gnupg'
http_func.inc: Not able to open nor to locate it in include paths
/usr/local/var/lib/openvas/plugins/pre2008/http_methods.nasl: Parse error at or near line 80

Doh! Almost there. This error is indicating that the plugin requries http_func.inc and it can not be found. So we simply need to indicate the location of the plugin directory to the openvas-nasl command.

root@localhost:/# openvas-nasl -i /usr/local/var/lib/openvas/plugins/ -t hackertarget.com /usr/local/var/lib/openvas/plugins/http_version.nasl
base gpgme-Message: Setting GnuPG homedir to '/usr/local/var/lib/openvas/gnupg'
base gpgme-Message: Using OpenPGP engine version '1.4.16'
base gpgme-Message: Setting GnuPG sysconf homedir to '/usr/local/etc/openvas/gnupg'
The remote web server type is :

nginx/1.10.3 (Ubuntu)

In addition we can use -d, the debug option to get more information.

Updating Client and Server Certificates

After running OpenVAS a number of years, this is an issue I have stumbled across more than once. The different OpenVAS components have certificates for encrypting the communication between components (including clients). These certificates expire and when that happens things break. The Manager can't talk to the Scanner for example.

The first error you may see is something like "503 service temporary down / unavailable". Checking the OpenVAS Manager log file will reveal.

from /var/log/openvas/openvasmd.log

lib  serv:WARNING:2017-06-21 05h32.56 UTC: openvas_server_verify: the certificate is not trusted
lib  serv:WARNING:2017-06-21 05h32.56 UTC: openvas_server_verify: the certificate has expired

So lets create new certificates for both server and clients.

root@localhost: ~# openvas-mkcert -f

-------------------------------------------------------------------------------
  Creation of the OpenVAS SSL Certificate
-------------------------------------------------------------------------------

Congratulations. Your server certificate was properly created.

The following files were created:

. Certification authority:
  Certificate = /usr/local/var/lib/openvas/CA/cacert.pem
  Private key = /usr/local/var/lib/openvas/private/CA/cakey.pem

. OpenVAS Server :
  Certificate = /usr/local/var/lib/openvas/CA/servercert.pem
  Private key = /usr/local/var/lib/openvas/private/CA/serverkey.pem

Press [ENTER] to exit

And now for the client certificates.

root@localhost: ~# openvas-mkcert-client -n -i

Generating RSA private key, 4096 bit long modulus
....................................................................................................++
................................++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Using configuration from /tmp/openvas-mkcert-client.445/stdC.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'AU'
localityName :PRINTABLE:'Sydney'
commonName :PRINTABLE:'om'
Certificate is to be certified until Nov 10 22:28:26 2018 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

This is from the INSTALL file for the OpenVAS manager, however after doing this and the database failed to rebuild and the log showed an authentication error:

lib serv:WARNING:2017-11-10 22h07.27 utc:12817: openvas_server_connect: failed to connect to server: Connection refused
lib auth: INFO:2017-11-10 22h07.31 utc:12819: Authentication configuration not found.

What was required was to register the new certificates with the OpenVAS manager. To do this I ran the following commands:

root@localhost: ~# openvasmd --get-scanners
* uuid is shown here*

root@localhost: ~# openvasmd --modify-scanner  --scanner-ca-pub /usr/local/var/lib/openvas/CA/cacert.pem --scanner-key-pub /usr/local/var/lib/openvas/CA/clientcert.pem --scanner-key-priv /usr/local/var/lib/openvas/private/CA/clientkey.pem

root@localhost: ~# openvasmd --rebuild --progress
Rebuilding NVT cache... done.

Following this everything is back on track.

Monitoring the OpenVAS Redis Instance

Redis contains data known as the KB. This is a store of information related to current scan tasks. The Redis server is accessed by OpenVAS using a unix socket /tmp/redis.sock.

It is possible to monitor data going into the Redis KB using the standard Redis monitoring command.

redis-cli -s /tmp/redis.sock

Conclusion

OpenVAS is a highly capable and powerful vulnerability testing solution. Hopefully this tutorial and included tips will prove useful to users out there. The team at Greenbone Networks, along with the community and other supporters have done a fantastic job building OpenVAS. The latest version has a range of fantastic new features and optimisations that have been a big step forward.

For some of these items I have only scratched the surface. Use the information here as pointers to allow you to dig deeper into the OpenVAS system.

There is a lot of good information available on the OpenVAS site and from the mailing list archive. Another often overlooked location for further information is the man pages for the openvassd and openvasmd servers.

Have you seen our other Free IP and Network Testing tools.

Discover. Explore. Learn.

Next level testing with advanced Security Vulnerability Scanners.

Trusted tools. Hosted for easy access.