This is a basic openvas tutorial for beginners. It will explain a little of how to use openvas web ui to perform a test of your systems. It will give you the basic options for using metasploit msfconsole to run an openvas vulnerability scan. It will also show how to import an openvas report into the metasploit database.
On the first run of ovenvas scanner on kali linux you need to run a setup script – if you do this as part of this OpenVas tutorial for beginners, then you will not need to do it again.
apps > kali > vlnerability analysis > openvas > openvas initial setup
You only need to run this once
You’ll need to set a password so that you can sign in:
openvasmd –user=admin –new-password=Your_New_password
You only need to run this once
You will then need to start the openvas services:
apps > kali > vlnerability analysis > openvas > start openvas
You then have a choice how you want to continue:
Once openvas has started, open your browser and point it to:
This opens the ‘greenbone’ web interface for openvas and sign in.
To initiate a simple scan of an ip address or hostname, click the small (tiny) purple icon with the wand in it. This will take you to a screen with an input where you can perform a full fast scan of a host.
There are loads of menus in the greenbone web ui:
The most important entry in this menu is ‘New Task’ – you can start complex scans from this screen.
Currently contains a single item: Hosts
This is where the list of accumulated hosts form all your scans appear.
Sec Info Management
Contains a few items, each representing the vulnerability databases that openvas knows about
Various configuration options, targets and scan configurations
Configuration of the web ui itsself
User management, Feed synchronisation, update, etc
You can do lots of things from the web ui. I use it to start scans and sometimes to export scans to import into metasploit. For more advanced usage, its usually better to use the msfconsole:
Open a terminal and type:
This will load msfconsole. For a beginners metasploit tutorial, please see my post on metasploit for beginners)
To show help for openvas inside metasploit type the command:
To start using openvas inside metasploit, you need to select the openvas modules:
The next step is to connect to your openvas database
# default username and password are set the first time you start openvas in a terminal
openvas_connect username password localhost 9390 ok
Once the database has connected, create a target to scan
openvas_target_create target_name ip_address comments
This command will show the list of configured scans
This command will shoe the list of your targets
You then need to string it together to create a scan task
openvas_task_create scan_name comment scan_id target_id
This command will then show the scan tasks
You then need to start the scan
You can use this commant to check the scan as it is running
This command will show the reports once the scans have completed
And this command will show the available formats for export
You can download reports in any of the formats from the above command..
openvas_report_download report_id format_id /path/to/saved/file report_name
Or you can import reports into metasploit – metasploit can only import xml and nbe reports
openvas_report_import report_id format_id
Once the report has imported into metasploit then the vulnerabilites will be available in the metasploit database / on the web ui for metasploit :D
You can find out more information on openvas at the projects website
I hope you have enjoyed this OpenVas tutorial for beginners and that it helps you get to grips with Openvas.