OpenVAS cheat sheet for vulnerability assessment and penetration testing

This OpenVAS cheat sheet covers the essential commands and workflows for comprehensive vulnerability assessment and penetration testing integration.

OpenVAS Installation & Setup

Installing the OpenVAS vulnerability scanner and its components, including initial database setup and service configuration.

bash

# Install on Kali Linux
sudo apt update
sudo apt install openvas

# Set up and start OpenVAS (Kali)
sudo gvm-setup
sudo gvm-start

# Check installation
sudo gvm-check-setup

# Update the vulnerability databases (NVTs)
sudo greenbone-feed-sync --type nvt
sudo greenbone-feed-sync --type scap
sudo greenbone-feed-sync --type cert

# Stop OpenVAS
sudo gvm-stop

# Install on Ubuntu (using Docker - recommended)
docker pull greenbone/community-edition
docker run -d -p 443:443 --name greenbone-community-edition greenbone/community-edition

Access & Initial Configuration

Accessing the web interface, setting up initial user accounts, and configuring basic system settings for scanning operations.

bash

# Access web interface (default credentials: admin/admin)
https://localhost:9392

# Change default admin password
sudo gvmd --user=admin --new-password=YourNewPassword

# Create a new user
sudo gvmd --create-user=pentester --new-password=Password123

# Check service status
sudo systemctl status gvmd
sudo systemctl status gsad
sudo systemctl status ospd-openvas

Target Management

Defining and organizing the systems, networks, or applications that will be scanned for vulnerabilities.

bash

# Create target from CLI (alternative to web interface)
sudo gvmd --create-target --name "Internal Network" --hosts 192.168.1.1-254

# Create target with specific ports
sudo gvmd --create-target --name "Web Servers" --hosts 192.168.1.10,192.168.1.11 --ports 80,443,8080

# List all targets
sudo gvmd --get-targets

# Import targets from Nmap XML
openvas-cli --import-targets=nmap_scan.xml

Scan Configuration

Creating and customizing scan policies that determine how thoroughly systems are tested and what types of vulnerabilities to look for.

bash

# List available scan configurations
sudo gvmd --get-scans

# Common scan configurations:
#   "Full and fast" - Balanced between speed and coverage
#   "Full and very deep" - Comprehensive but slow
#   "Host Discovery" - Only host discovery
#   "System Discovery" - Discovery and service detection

# Create a custom scan configuration via web interface:
# 1. Go to Configuration -> Scan Configs -> New Scan Config
# 2. Select base (usually "Empty, static and fast")
# 3. Add specific NVT families as needed

Credential Management (Authenticated Scans)

Storing and managing authentication credentials that allow OpenVAS to perform deeper, authenticated scans of target systems.

bash

# Create SSH credentials via web interface:
# Configuration -> Credentials -> New Credential
# Type: SSH Key
# Login: username
# Key: Paste private key or use password

# Create SMB/Windows credentials:
# Type: Username + Password
# Login: administrator
# Password: [password]
# Auth Method: Password

# Assign credentials to targets in scan configuration

Vulnerability Scanning Commands

Executing actual vulnerability scans against targets using various configurations and options via command-line interface.

bash

# Basic scan via CLI
openvas-cli --target=192.168.1.0/24 --scan-config="Full and fast" --output=scan_report.pdf

# Scan with specific credentials
openvas-cli --target=windows_hosts --scan-config="Full and fast" --ssh-credential=ssh_creds --smb-credential=windows_creds

# Schedule a scan
openvas-cli --target=192.168.1.1-50 --scan-config="Full and fast" --schedule="weekly" --output=weekly_scan.pdf

# Quick discovery scan
openvas-cli --target=192.168.1.0/24 --scan-config="Host Discovery" --output=discovery_report.html

# Scan for specific vulnerabilities
openvas-cli --target=web_servers --scan-config="Web Application Tests" --output=web_scan.pdf

Common Scan Types for PT

Pre-configured scanning approaches tailored for different penetration testing phases and target types.

bash

# Initial network reconnaissance
openvas-cli --target=target_range --scan-config="Host Discovery" --output=discovery.html

# Comprehensive vulnerability assessment
openvas-cli --target=critical_hosts --scan-config="Full and very deep" --output=full_scan.pdf

# Web application focused scan
openvas-cli --target=web_servers --scan-config="Full and fast" --nvt-selection="Web Applications" --output=web_scan.html

# Windows environment scan (with credentials)
openvas-cli --target=windows_hosts --scan-config="Full and fast" --smb-credential=domain_admin --output=windows_scan.pdf

# Compliance scanning (PCI-DSS, HIPAA)
openvas-cli --target=compliance_scope --scan-config="PCI-DSS" --output=pci_scan.pdf

Reporting & Output

Generating and exporting scan results in various formats for analysis, reporting, and integration with other tools.

bash

# Generate different report formats
openvas-cli --target=192.168.1.1 --scan-config="Full and fast" --output=report.pdf
openvas-cli --target=192.168.1.1 --scan-config="Full and fast" --output=report.html
openvas-cli --target=192.168.1.1 --scan-config="Full and fast" --output=report.xml

# Generate report with specific details
openvas-cli --target=192.168.1.1 --scan-config="Full and fast" --output=detailed_report.html --format "Detailed Report"

# Export results for integration
openvas-cli --target=192.168.1.1 --scan-config="Full and fast" --output=results.xml --format "XML"

Integration with PT Workflow

Combining OpenVAS scanning with other penetration testing tools and methodologies for a comprehensive assessment.

bash

# Import Nmap results as targets
nmap -sS -oX nmap_scan.xml 192.168.1.0/24
openvas-cli --import-targets=nmap_scan.xml

# Export OpenVAS results to Metasploit
# 1. Generate XML report from OpenVAS
# 2. In Metasploit: db_import openvas_report.xml

# Filter results for exploitation
# In OpenVAS web interface: Filter by CVSS score > 7.0

# Create custom scan policy for specific exploits
# Focus on NVTs related to: MS17-010, Heartbleed, Shellshock, etc.

Advanced Scanning Techniques

Using specialized configurations for complex scanning scenarios, performance optimization, and targeted vulnerability detection.

bash

# Exclude specific tests
openvas-cli --target=192.168.1.1 --scan-config="Full and fast" --exclude-nvt-families="Denial of Service"

# Custom port range scanning
openvas-cli --target=192.168.1.1 --ports=1-1000,8080,8443 --scan-config="Full and fast"

# Optimize scan performance
openvas-cli --target=large_network --scan-config="Full and fast" --max-hosts=50 --max-checks=10

# Vulnerability trending (compare scans)
# Use web interface: Scan Management -> Compare Results

Troubleshooting & Maintenance

Maintaining the OpenVAS system, updating vulnerability databases, and resolving common operational issues.

bash

# Check OpenVAS service status
sudo systemctl status ospd-openvas
sudo systemctl status gvmd
sudo systemctl status gsad

# Update vulnerability databases
sudo greenbone-feed-sync --type nvt
sudo greenbone-feed-sync --type scap
sudo greenbone-feed-sync --type cert
sudo greenbone-feed-sync --type gvmd_data

# Restart services after updates
sudo systemctl restart ospd-openvas
sudo systemctl restart gvmd
sudo systemctl restart gsad

# Check feed status
sudo gvm-feed-sync -q

# View scan logs
sudo tail -f /var/log/gvm/ospd-openvas.log

Quick Reference for PT Phases

bash

# Reconnaissance Phase:
openvas-cli --target=scope --scan-config="Host Discovery"

# Vulnerability Assessment Phase:
openvas-cli --target=live_hosts --scan-config="Full and fast"

# Deep Assessment Phase:
openvas-cli --target=critical_assets --scan-config="Full and very deep" --smb-credential=admin_creds

# Compliance Phase:
openvas-cli --target=in_scope --scan-config="PCI-DSS" --output=compliance_report.pdf