Vulnerability Scanning with OpenVAS

Note: This guide provides practical OpenVAS usage for penetration testing workflows.


Introduction

OpenVAS (Open Vulnerability Assessment System) is a comprehensive open-source vulnerability scanning framework integrated into Kali Linux. Unlike commercial solutions like Nessus, OpenVAS is completely free and provides enterprise-grade vulnerability assessment capabilities.

Key Features

  • Free and Open Source: No licensing costs or IP restrictions
  • Comprehensive Database: Regularly updated vulnerability feeds
  • Network Vulnerability Tests (NVTs): Extensive test library
  • GVM Framework: Modern Greenbone Vulnerability Management
  • Web Interface: User-friendly Greenbone Security Assistant (GSA)
  • Automated Updates: Regular feed synchronization
  • Multiple Scan Profiles: Pre-configured for different scenarios

OpenVAS Overview

Architecture

OpenVAS is part of the Greenbone Vulnerability Management (GVM) framework consisting of:

Core Components:

  • GVM Scanner (openvas-scanner): Performs actual scans
  • GVM Manager (gvmd): Central management daemon
  • GSA (Greenbone Security Assistant): Web interface
  • PostgreSQL Database: Stores configuration and results
  • Redis: Caching system for NVTs

Feed System:

  • NVT Feed: Network Vulnerability Tests
  • SCAP Feed: Security Content Automation Protocol data
  • CERT Feed: Computer Emergency Response Team advisories
  • GVMD Data Feed: Additional vulnerability information

Advantages

Free: No cost, unlimited IPs
Open Source: Transparent, community-driven
Regularly Updated: Daily feed updates
Comprehensive: 50,000+ NVTs
Active Development: Continuous improvements
Integration: API access for automation

Limitations

Resource Intensive: Requires substantial CPU/RAM
Slower Setup: Initial feed download takes time
Complexity: More components to manage
Updates: Manual feed management required
Commercial Support: Limited compared to paid solutions


Installation and Setup

System Requirements

Minimum:

  • 4 CPU cores
  • 8GB RAM
  • 20GB disk space
  • Kali Linux or Debian-based system

Recommended:

  • 8+ CPU cores
  • 16GB+ RAM
  • 50GB disk space (for feeds)
  • SSD storage

Installation on Kali Linux

OpenVAS comes pre-installed on Kali Linux but requires setup:

# Verify installation
apt list --installed | grep gvm

# If not installed
sudo apt update
sudo apt install gvm -y

Initial Setup and Feed Update

Step 1: Update Vulnerability Feeds

This is the most critical and time-consuming step:

# Update all GVM feeds (takes 15-30 minutes)
sudo gvm-feed-update

What This Does:

  • Downloads NVT feed (vulnerability tests)
  • Syncs SCAP data (CVE information)
  • Updates CERT advisories
  • Synchronizes GVMD data

Expected Output:

Updating NVT feed...
Updating SCAP data...
Updating CERT data...
Feed update complete.

First-Time Setup

The initial feed update can take 15-30 minutes depending on your connection. Subsequent updates are much faster (5-10 minutes).

Step 2: Start GVM Services

# Start all GVM services
sudo gvm-start

Services Started:

  • PostgreSQL database
  • Redis cache
  • gvmd (manager daemon)
  • gsad (web interface)
  • openvas-scanner

Verify Services:

# Check service status
sudo gvm-check-setup

Expected Output:

gvmd         OK
openvas      OK
postgresql   OK
redis        OK
gsad         OK

Accessing the Web Interface

Step 3: Open Greenbone Security Assistant

# Firefox will open automatically after gvm-start
# Or manually navigate to:
https://127.0.0.1:9392

Default Credentials:

  • Username: admin
  • Password: Generated during setup (check with sudo gvm-setup)

Certificate Warning:

  1. Click Advanced
  2. Scroll down and click Accept the Risk and Continue
  3. Self-signed certificate is expected and safe for localhost

Creating Custom Admin Password

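# Change admin password (run gvmd as the _gvm service user rather than root)
# The password is passed on the command line, so remove it from shell history afterwards
sudo runuser -u _gvm -- gvmd --user=admin --new-password='<YourStrongPassword>'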

Stopping Services

# Stop all GVM services
sudo gvm-stop

Performing Vulnerability Scans

Dashboard Overview

After logging in, you'll see the Greenbone Security Assistant (GSA) dashboard:

Main Sections:

  • Dashboard: Overview and statistics
  • Scans > Tasks: Manage scanning tasks
  • Assets: Discovered hosts and systems
  • SecInfo: Vulnerability database (CVEs, NVTs)
  • Configuration: Scan profiles and settings

Quick Scan with Task Wizard

Step 1: Access Task Wizard

  1. Click Scans in the top menu
  2. Select Tasks from dropdown
  3. Click Task Wizard (purple wand icon, top-left)

Step 2: Enter Target

In the Task Wizard popup:

IP address or hostname: <target_ip>
# Examples:
# Single IP: 192.168.1.100
# Range: 192.168.1.1-254
# CIDR: 192.168.1.0/24
# Hostname: vulnerable.example.com

Step 3: Start Scan

Click Start Scan

The wizard automatically:

  • Creates a new target
  • Selects default scan configuration
  • Creates a scanning task
  • Starts the scan immediately

Manual Task Creation

For more control, create tasks manually:

Step 1: Create Target

  1. Navigate to Configuration > Targets
  2. Click New Target (star icon)
  3. Configure:
       • Name: Descriptive name (e.g., "Web Server Scan")
       • Hosts: Target IPs or hostnames
       • Port List: All IANA TCP (default) or custom
       • Credentials: Optional for authenticated scans

Step 2: Create Task

  1. Navigate to Scans > Tasks
  2. Click New Task (star icon)
  3. Configure:
       • Name: Task name
       • Scan Targets: Select created target
       • Scanner: OpenVAS Default
       • Scan Config: Choose profile (see below)
       • Schedule: Now, once, or recurring

Step 3: Launch Task

  1. Find task in list
  2. Click Start (play icon)

Scan Configuration Profiles

Profile             Speed      Depth      Use Case
Full and Fast       Fast       Medium     General purpose, recommended
Full and Deep       Slow       Deep       Comprehensive assessment
Full and Very Deep  Very Slow  Very Deep  Maximum coverage
Host Discovery      Very Fast  Minimal    Network mapping only
System Discovery    Fast       Low        OS and service detection

Selecting a Profile:

  • External Scan: Full and Fast
  • Internal Audit: Full and Deep
  • Compliance Check: Full and Very Deep
  • Quick Check: Host Discovery + System Discovery

Monitoring Scan Progress

Task Status Indicators:

Status     Meaning
New        Task created, not started
Requested  Queued for execution
Running    Currently scanning
Stopped    Manually stopped
Done       Completed successfully

Progress Bar:

  • Shows percentage complete
  • Estimated time remaining
  • Current phase (discovery, testing, cleanup)

During Scan:

  • Click task name for details
  • View real-time progress
  • Monitor resource usage

Scan Duration

Typical scan times:

  • Single host (Full and Fast): 10-30 minutes
  • /24 network (Full and Fast): 2-8 hours
  • Full and Very Deep: 2-5x longer


Analyzing Results

Accessing Reports

Step 1: Navigate to Reports

  1. Go to Scans > Tasks
  2. Find completed task
  3. Click number in Reports column (e.g., "1")

Step 2: Select Report

  1. Click date/time in Date column
  2. Report details page opens

Report Tabs Overview

Results Tab

Vulnerability Findings:

Severity Levels:

Severity  CVSS Score  Color   Priority
High      7.0-10.0    Red     Critical
Medium    4.0-6.9     Orange  Important
Low       0.1-3.9     Yellow  Minor
Log       N/A         Blue    Informational

Key Information:

  • Name: Vulnerability description
  • Host: Affected IP address
  • Port: Service and port number
  • Severity: Risk level
  • QoD: Quality of Detection (confidence)

Clicking a Result Shows:

  • Detailed description
  • Impact assessment
  • Detection method
  • Solution/remediation
  • CVE references
  • CVSS vector

Ports Tab

Discovered Open Ports:

Example output:

Host: 192.168.1.100
22/tcp    - SSH (OpenSSH 7.9)
80/tcp    - HTTP (Apache 2.4.41)
443/tcp   - HTTPS (Apache 2.4.41)
3306/tcp  - MySQL (5.7.30)
8080/tcp  - HTTP (Tomcat 9.0)

Information Provided:

  • Port number and protocol
  • Service name
  • Version information
  • Banner details

Applications Tab

Detected Software:

  • Operating system
  • Web servers
  • Database systems
  • Application versions
  • Installed software

Operating Systems Tab

OS Detection Results:

Example:

Host: 192.168.1.100
OS: Microsoft Windows Server 2019
Confidence: 95%
CPE: cpe:/o:microsoft:windows_server_2019

Details Include:

  • Operating system family
  • Specific version
  • Architecture (x86/x64)
  • Confidence level
  • CPE identifier

TLS Certificates Tab

SSL/TLS Certificate Analysis:

  • Certificate validity
  • Issuer information
  • Expiration dates
  • Weak ciphers
  • Protocol versions

Filtering and Sorting Results

Filter Options:

By Severity: High, Medium, Low, Log
By Host: Specific IP addresses
By Solution Type: Patch, Configuration, Workaround

Sort Options:

  • Severity (High to Low)
  • Host (IP order)
  • Port number
  • QoD (confidence)

Exporting Reports

Available Formats:

  1. PDF: Professional reports
  2. XML: Machine-readable
  3. CSV: Spreadsheet analysis
  4. TXT: Plain text
  5. HTML: Web viewable

Export Steps:

  1. Open report
  2. Click Export icon (download)
  3. Select format
  4. Choose options (filtering, sorting)
  5. Click OK

Report Sections:

  • Executive Summary
  • Vulnerability Overview
  • Detailed Findings
  • Host Information
  • Appendices


Best Practices

Pre-Scan Preparation

1. Update Feeds Regularly

# Run weekly or before important scans
sudo gvm-feed-update

2. Verify System Resources

# Check available memory
free -h

# Monitor during scan
htop

3. Define Clear Scope

  • Document target IPs
  • Verify authorization
  • Identify critical systems
  • Plan scan windows
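
An added example, not part of the original guide: a pre-scan check that takes targets in the formats the Task Wizard accepts (single IP, range, CIDR, hostname) and compares them against the documented authorized scope. The scope list, target list and function names are assumptions made for illustration.

```python
import ipaddress

def parse_target(spec):
    """Return (first, last) IPv4 address of a target spec, or None if it is not an IP spec."""
    spec = spec.strip()
    try:
        if "/" in spec:                      # CIDR, e.g. 192.168.1.0/24
            net = ipaddress.IPv4Network(spec, strict=False)
            return net[0], net[-1]
        if "-" in spec:                      # Range, e.g. 192.168.1.1-254
            start_s, end_s = spec.split("-", 1)
            if "." not in end_s:             # short form gives only the last octet
                end_s = start_s.rsplit(".", 1)[0] + "." + end_s
            start, end = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
            if end < start:
                raise ValueError("range end precedes range start")
            return start, end
        ip = ipaddress.IPv4Address(spec)     # Single IP
        return ip, ip
    except ValueError:
        return None                          # hostname or malformed entry

def check_scope(targets, authorized):
    """Sort target specs into in_scope, out_of_scope and review (needs a human decision)."""
    allowed = [ipaddress.IPv4Network(a) for a in authorized]
    result = {"in_scope": [], "out_of_scope": [], "review": []}
    for spec in targets:
        span = parse_target(spec)
        if span is None:
            result["review"].append(spec)    # resolve hostnames and confirm them manually
            continue
        first, last = span
        # Conservative: both ends must sit inside one authorized network.
        inside = any(first in net and last in net for net in allowed)
        result["in_scope" if inside else "out_of_scope"].append(spec)
    return result

# Constructed sample values; replace with the scope from the written authorization.
AUTHORIZED = ["192.168.1.0/24"]
TARGETS = ["192.168.1.100", "192.168.1.1-254", "192.168.1.0/24",
           "192.168.0.0/23", "10.0.0.5", "vulnerable.example.com"]

if __name__ == "__main__":
    for bucket, specs in check_scope(TARGETS, AUTHORIZED).items():
        print(f"{bucket}: {specs}")
```

Anything that lands in out_of_scope or review should be resolved before the target is entered in GSA.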

During Scans

Monitor Resource Usage:

# Watch OpenVAS processes
ps aux | grep openvas

# Check CPU and memory
top -u _gvm

Adjust Scan Settings:

  • Reduce concurrent hosts for stability
  • Use slower scan profiles for accuracy
  • Schedule scans during off-hours

Post-Scan Actions

1. Verify Results

  • Check for false positives
  • Cross-reference with other tools
  • Manually test critical findings

2. Prioritize Remediation

Priority 1: High severity + exploit available
Priority 2: High severity
Priority 3: Medium severity + public-facing
Priority 4: Medium severity
Priority 5: Low severity

3. Document Findings

  • Export comprehensive reports
  • Add context and recommendations
  • Track remediation progress
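
An added example, not part of the original guide: a triage script that applies the Priority 1-5 scheme above to an XML report export and holds back low-QoD results for manual verification. The sample XML is constructed, the element names are assumed to match the export, and exploit availability and public exposure are analyst-supplied inputs because the report itself does not carry them.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like an XML report export (not real scan output).
SAMPLE_XML = """<report><results>
<result><name>Web server RCE</name><host>192.168.1.100</host><port>443/tcp</port>
  <severity>9.8</severity><qod><value>80</value></qod></result>
<result><name>Database weak auth</name><host>192.168.1.100</host><port>3306/tcp</port>
  <severity>7.5</severity><qod><value>95</value></qod></result>
<result><name>Deprecated TLS version</name><host>192.168.1.100</host><port>443/tcp</port>
  <severity>5.9</severity><qod><value>98</value></qod></result>
<result><name>Weak SSH MACs</name><host>192.168.1.50</host><port>22/tcp</port>
  <severity>2.6</severity><qod><value>80</value></qod></result>
<result><name>Banner-only version match</name><host>192.168.1.100</host><port>8080/tcp</port>
  <severity>7.2</severity><qod><value>30</value></qod></result>
<result><name>Service detection</name><host>192.168.1.100</host><port>80/tcp</port>
  <severity>0.0</severity><qod><value>80</value></qod></result>
</results></report>"""

def band(score):
    """Map a CVSS score to the severity levels of the Results tab."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "Log"

def priority(sev, name, host, exploitable, public_hosts):
    """Priority 1-5 from the list above; Log results return None."""
    if sev == "High":
        return 1 if name in exploitable else 2
    if sev == "Medium":
        return 3 if host in public_hosts else 4
    return 5 if sev == "Low" else None

def triage(xml_text, exploitable=(), public_hosts=(), min_qod=70):
    """Return (ranked findings, low-QoD findings to verify manually first)."""
    ranked, verify_first = [], []
    for r in ET.fromstring(xml_text).iter("result"):
        name, host = r.findtext("name", ""), (r.findtext("host") or "").strip()
        score = float(r.findtext("severity") or 0)
        qod = int(r.findtext("qod/value") or 0)   # min_qod=70 is an assumed cut-off
        prio = priority(band(score), name, host, exploitable, public_hosts)
        if prio is not None:
            row = (prio, score, host, r.findtext("port"), name, qod)
            (ranked if qod >= min_qod else verify_first).append(row)
    ranked.sort(key=lambda f: (f[0], -f[1]))      # priority first, then highest CVSS
    return ranked, verify_first
```

Each row is (priority, CVSS score, host, port, name, QoD); the second list is the false-positive candidates to check by hand before they enter the remediation queue.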

Performance Optimization

Increase Performance:

# Allocate more resources (if VM)
# Edit /etc/default/gvmd
MAX_SCANS=4  # Reduce for stability

# Optimize PostgreSQL
sudo nano /etc/postgresql/*/main/postgresql.conf
# Increase: shared_buffers, work_mem

Reduce Scan Time:

  • Use targeted port lists
  • Select specific vulnerability tests
  • Scan smaller IP ranges
  • Use "Full and Fast" profile


OpenVAS vs Other Scanners

Comparison Matrix

Feature              OpenVAS           Nessus             Nmap NSE
Cost                 Free              Paid/Limited Free  Free
Vulnerability DB     50,000+ NVTs      168,000+ plugins   Limited
Ease of Use          Medium            Easy               Advanced
Updates              Manual/Automated  Automatic          Manual
Web Interface        Yes (GSA)         Yes                No
API                  Yes               Yes                Limited
Support              Community         Commercial         Community
Resource Usage       High              Medium             Low
Authenticated Scans  Yes               Yes                Yes
Reporting            Comprehensive     Excellent          Basic

When to Use OpenVAS

Choose OpenVAS for:

  • Budget-conscious assessments
  • Unlimited IP scanning
  • Open-source compliance
  • Learning vulnerability scanning
  • Long-term vulnerability management
  • Internal network audits

Use Nessus for:

  • Professional engagements
  • Client-facing reports
  • Enterprise environments
  • Commercial support needs
  • Advanced plugin management

Use Nmap NSE for:

  • Quick verification
  • Lightweight scanning
  • Specific CVE checks
  • Scripting and automation
  • When OpenVAS/Nessus unavailable


Troubleshooting

Common Issues

Issue 1: Services Won't Start

# Check logs
sudo journalctl -u gvmd -n 50
sudo journalctl -u openvas-scanner -n 50

# Restart services
sudo gvm-stop
sudo gvm-start

Issue 2: Feed Update Fails

# Check disk space
df -h

# Retry update
sudo gvm-feed-update

# Manual update
sudo greenbone-feed-sync --type GVMD_DATA
sudo greenbone-feed-sync --type SCAP
sudo greenbone-feed-sync --type CERT

Issue 3: Scan Hangs or Crashes

# Reduce concurrent tasks
# Edit scan configuration
# Lower "Maximum concurrently executed NVTs per host"

# Increase timeout values
# Configuration > Scan Configs > Edit

Issue 4: High Resource Usage

# Limit OpenVAS processes
sudo systemctl edit openvas-scanner

# Add:
[Service]
Nice=10
IOSchedulingClass=2

Quick Reference

Essential Commands

# Update feeds
sudo gvm-feed-update

# Start services
sudo gvm-start

# Stop services
sudo gvm-stop

# Check setup
sudo gvm-check-setup

# Reset admin password (run gvmd as the _gvm service user rather than root)
sudo runuser -u _gvm -- gvmd --user=admin --new-password='<password>'

# Check version
gvmd --version
openvas --version

Web Interface Access

URL: https://127.0.0.1:9392
Default User: admin
Password: (set during setup)

Scan Workflow

  1. Update feeds: sudo gvm-feed-update
  2. Start services: sudo gvm-start
  3. Login: Navigate to https://127.0.0.1:9392
  4. Create scan: Scans > Tasks > Task Wizard
  5. Enter target: IP or hostname
  6. Start scan: Click Start Scan
  7. Monitor: Watch progress bar
  8. Review results: Click Reports number
  9. Export report: Select format and download

Summary

OpenVAS provides enterprise-grade vulnerability scanning capabilities at no cost. While it requires more setup and resources than alternatives, it offers:

Key Benefits:

  • Comprehensive vulnerability detection
  • No IP or scan limitations
  • Regular updates
  • Professional reporting
  • Open-source transparency

Best Practices:

  • Keep feeds updated
  • Verify findings manually
  • Combine with other tools (Nmap, Nessus)
  • Monitor system resources
  • Document and prioritize findings

Integration in Workflow:

  1. Nmap: Quick reconnaissance
  2. OpenVAS: Comprehensive scanning
  3. Nessus: Commercial validation (if available)
  4. Manual Testing: Verify and exploit

OpenVAS is an excellent addition to any penetration tester's toolkit, especially for budget-conscious assessments and unlimited scanning needs.


Legal Disclaimer

Educational Purpose Only

All information in this guide is for educational purposes only. Always:

  • Obtain written authorization before scanning
  • Practice only in authorized lab environments
  • Obey all applicable laws
  • Use responsibly and ethically

Unauthorized vulnerability scanning is illegal. The author assumes no liability for misuse of this information.


OpenVAS and Greenbone Vulnerability Management are trademarks of Greenbone AG