I thank Maurizio Pagani for allowing me to publish and translate his interesting presentation, published on http://babel.it.
OpenVAS is a framework that includes services and tools for scanning and the complete managment of vulnerability.
A vulnerability scanner is a tool that allows you to scan a target system (IP/HOSTNAME) based on a range of ports and a set of policies. The tool is supported by a database that is used from the vulnerability scanner to analyze possible problems whenever you find a listening service. The tool that scans receives daily updates from the database Network Vulnerability Tests “NVTs”.
The following illustration shows the logical architecture of the OpenVAS framework:
We explain briefly the different components:
OpenVAS CLI: is a set of tools that allow administration of OpenVAS through the shell. This allows you to perform scanning, manage and create reports of various VA made.
Greenbone Security Assistant: is a web-based tool with an intuitive interface from which you can do the reporting/scan, manage and monitor the scanning profiles of various VA that you are making.
Greenbone Desktop Security: Like OpenVAS CLI, and Greenbone Security Assistant, is the tool that allows us to manage everything through the GUI interface on the desktop.
OpenVAS Scanner: is the component that allows us the scan of hostname/ip, port range “from-to” or entire networks such as “192.168.1.0/28″. Scanning can be initiated at various levels. By default OpenVAS has four scanning options:
- Full and fast – Exploits the majority of NVT’s. And is optimized through the use of information previously collected.
- Full and fast completed – Exploits the majority of NVT’s, between them there are some that may cause a shutdown of the service/remote system. This profile is optimized by the use of information previously collected.
- Full and very deep – Exploits most of NVT’s but is slower because it doesn’t uses the information previously collected.
- Full and very deep ultimate – Exploits the majority of NVT’s, between them there are some that may cause a shutdown of the service/remote system. This profile is slower because it doesn’t uses the information previously collected.
OpenVAS Manager: is the heart of OpenVAS, the manager receives task/information from the OpenVAS Administrator and the various administration tools CLI/WEB/GUI, then use the OpenVAS Scanner that will perform the Vulnerability Assessment. Also includes component that processes the results of the scans, so it also generates the final report.
OpenVAS Administrator: is the component through which users can manage and the feed (ie the updates).
NVT’s: it is the container of feed, ie test cases that detect the vulnerabilities, which are currently over 20,000.
Results, config: is the database (PostgreSQL) where reports are collected and where the entire configuration of OpenVAS is stored.
Now we see how to scan using the management tools included in OpenVAS. The system that i’m using in this examples s installed on a local virtual machine on which the OpenVASis already installed. First of all if you have already installed OpenVAS run this command to verify that everything is
In this screenshot the steps are only 4 but in reality it will proceed with the verification in 9 step.
Now we enter in the graphical web browser and as url we type http://YOUR-IP:9392
After logging just go in the Configuration and click on “New Target”.
The example in the screenshot shows how to insert a new target on which to run a Vulnerability Assessment. Click on “Create Target” and then “New Task”:
The task requires the inclusion of a “Name”, the scan type (in this case, Full and Fast) and finally the target to scan. Create your own Task and go the Tasks Window :
Here is the list of targets on which perform a Vulnerability Assessment. Now click on the green icon on the left to start the scan on that target, according to the type of scan that you chose to do, the time to complete the Assesment can vary greatly.
Once finished it will give you as report like this one:
Fortunately the “Win 7″ in the example does not have vulnerabilities because all services are closed, as you can see there is “localhost” or the linux hosting OpenVAS that is “High”, open this scan and analyze the report:
The screenshot does not show all the reports but simply serves to provide a preview on the output that OpenVAS generates when it finish a scan.
In the upper part of the report you have a summary of the vulnerability classes divided into “High/Medium/Low”:
In the bottom right under “Downloads” there is an useful option to download the OpenVAS report in various formats for example PDF. The report includes an index created inside it, so it’s easy to find the vulnerability without having to read the whole document that usually is composed by numerous pages.
That is the screenshot of the PDF generated by OpenVAS.
The database is postgresql, so you can browse and analyze the various fields that interest you. As mentioned before it is updated every day.
The target systems are operating systems (but I never tried if you can even scan of appliances, eg. Pix firewall)
The scans, based on the choice you do are more or less invasive, eg. “Full and Very Deep ultimate” could even broke the connection on the remote server.
The product is available on linux as server while the client can either be installed on linux and windows.