Introduction
In this walkthrough, I demonstrated the use of OpenVAS to scan for web application vulnerabilities. I explained the target, port, and credentials configurations in addition to breaking down the structure of the report.
Description
OpenVAS is an application used to scan endpoints and web applications to identify and detect vulnerabilities. Corporations commonly use it as part of their mitigation solutions to quickly identify gaps in their production or even development servers and applications. It is not an end-all, be-all solution, but it can help get rid of common vulnerabilities that may have slipped through the cracks.
From the OpenVAS GitHub repository: “This is the Open Vulnerability Assessment Scanner (OpenVAS) of the Greenbone Vulnerability Management (GVM) Solution. It is used for the Greenbone Security Manager appliances and is a full-featured scan engine that executes a continuously updated and extended feed of Network Vulnerability Tests (NVTs).”
Getting Started with OpenVAS
First things first, I installed OpenVAS using Docker, which makes the process super easy. After the installation, I logged in with the default credentials: “admin” for both the username and password.
The main dashboard gives you a quick overview of your recent scans and the severity of any vulnerabilities found. You can also set up different users and roles if you’re working with a team.
Setting Up a Scan
Before you can scan anything, you need to tell OpenVAS what to look at. Here’s how I did it:
- Configure a Target: I went to Configuration > Targets and created a new target. I gave it a name and entered the IP address of the machine I wanted to scan. You can also customize the port list, but for this scan, I chose to scan all ports.
- Set a Schedule (Optional): OpenVAS lets you schedule scans to run automatically. You can set a start time, how often you want it to run, and for how long. This is great for continuous monitoring.
- Create Alerts (Optional): You can also set up alerts to get email notifications about your scans. For example, you could get an alert every time a high-severity vulnerability is found.
Running the Scan
With my target configured, I was ready to create and run the scan task.
- Create a New Task: Under the Tasks menu, I created a new task and selected the target I had just set up. I made sure to check the “add results to assets” box.
- Choose a Scanner and Configuration: OpenVAS has a few different scanner types and configurations. I stuck with the default “Full and Fast” scan, which is a good starting point for finding most vulnerabilities.
Once I was happy with all the settings, I started the scan.
Analyzing the Report
After the scan was done, the dashboard showed me a summary of the vulnerabilities, categorized by severity. I then dove into the detailed report, which had a few key sections:
- Host and Port Summary: This section lists the scanned hosts and all the open ports that were found.
- Vulnerabilities: This is the most important part of the report. It breaks down the vulnerabilities by severity:
  - High Severity: In my scan, I found a critical missing security update (MS17-010), which could allow for remote code execution. The report also provided a solution: apply the vendor’s update.
  - Medium Severity: I also found some medium-severity issues, like RPC enumeration, which could give an attacker information about the system.
  - Low Severity: The report also listed some low-severity vulnerabilities.
Answering Questions with the Report
To finish up, I showed how you can use the report to answer specific questions, like when the scan started, how many open ports there were, and what the most critical vulnerability was.
Since this video is a walkthrough of the OpenVAS tool and its web interface, there were no technical commands shown in a terminal.
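The same questions can be answered from a machine-readable copy of the report. The following is an added example, not part of the original walkthrough or of the OpenVAS project: it summarizes a constructed, simplified XML report whose element names (scan_start, scan_end, ports/port, results/result, threat, severity) are assumed to follow the GVM XML report export, and it treats "general/..." port entries as host-level placeholders rather than open ports.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample, not a real scan; element names are assumed from the GVM XML export.
SAMPLE_REPORT = """<report>
  <scan_start>2024-01-01T10:00:00Z</scan_start>
  <scan_end>2024-01-01T10:25:00Z</scan_end>
  <ports>
    <port>445/tcp<host>192.0.2.10</host></port>
    <port>135/tcp<host>192.0.2.10</host></port>
    <port>general/tcp<host>192.0.2.10</host></port>
  </ports>
  <results>
    <result><name>Missing security update (constructed)</name>
      <port>445/tcp</port><threat>High</threat><severity>9.3</severity></result>
    <result><name>RPC enumeration (constructed)</name>
      <port>135/tcp</port><threat>Medium</threat><severity>5.0</severity></result>
    <result><name>Low-severity finding (constructed)</name>
      <port>general/tcp</port><threat>Low</threat><severity>n/a</severity></result>
  </results>
</report>"""

def summarize(report_xml):
    # Fine for reports from your own scanner; use defusedxml for untrusted XML.
    root = ET.fromstring(report_xml)
    ports = set()
    for port in root.iterfind("./ports/port"):
        name = (port.text or "").strip()
        # "general/..." entries are host-level placeholders, not open ports.
        if name and not name.startswith("general/"):
            ports.add((port.findtext("host", default="").strip(), name))
    findings = []
    for res in root.iterfind("./results/result"):
        try:
            score = float(res.findtext("severity", default="0"))
        except ValueError:  # non-numeric score is ranked lowest
            score = 0.0
        findings.append((score, res.findtext("threat", default="Unknown"),
                         res.findtext("name", default="").strip()))
    return {
        "scan_start": root.findtext("scan_start"),
        "scan_end": root.findtext("scan_end"),
        "open_ports": len(ports),
        "total_findings": len(findings),
        "by_threat": dict(Counter(threat for _, threat, _ in findings)),
        "most_severe": max(findings, default=None),
    }

print(summarize(SAMPLE_REPORT))
```

The keys of the returned dictionary line up with the report sections described above: scan times, the port summary, and the findings grouped by severity with the most severe one singled out.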
Room Questions
- When did the scan start in Case 001?
- When did the scan end in Case 001?
- How many ports are open in Case 001?
- How many total vulnerabilities were found in Case 001?
- What is the highest severity vulnerability found? (MSxx-xxx)
- What is the first affected OS to this vulnerability?
- What is the recommended vulnerability detection method?