The NVTs used by OpenVAS to check for security issues on remote systems are written in NASL, the Nessus Attack Scripting Language. Information on how to write NVTs can be found here. The OpenVAS project maintains a public feed of Network Vulnerability Tests (NVTs). It contains more than 47,000 NVTs and grows continuously. This feed is configured as the default for OpenVAS. You can find the feed here, along with an NVT OID lookup tool.
There are several scan configs to choose from (and you can also add your own). The scan config determines how thorough the scan will be and how long it will take. The available scan configs are:
- Discovery - Uses only NVTs that gather as much information as possible about the target system. No vulnerabilities are detected.
- Host Discovery - Uses only NVTs that discover target systems. This scan reports only the list of systems discovered.
- System Discovery - Uses only NVTs that discover target systems, including the installed operating systems and the hardware in use.
- Full and Fast - This is the default and, for many environments, the best option to start with. It uses the results of the preceding port scan to select NVTs and runs almost all of them, but only those that will not damage the target system. The NVTs are tuned to keep the false negative rate low. The other configurations add value only in rare cases, and at a much higher cost in scan time.
- Full and Fast Ultimate - Extends Full and Fast with NVTs that could disrupt services or systems, or even cause shutdowns.
- Full and Very Deep - Differs from Full and Fast in that the port scan results do not influence the NVT selection. NVTs are therefore also run against ports that were not found open, and those NVTs have to wait for a timeout. This scan is very slow.
- Full and Very Deep Ultimate - Adds the dangerous NVTs that could cause service or system disruption to the Full and Very Deep configuration.
Note on destructive tests: The distinction between passive/active and non-destructive/destructive testing is typically illustrated by comparing "vulnerability assessment" with "penetration testing": http://seclists.org/pen-test/2006/Aug/91 Unfortunately, as that discussion shows, there is sometimes overlap in whether an activity is considered destructive. This overlap is why these scan configs separate destructive from non-destructive tests. Run the Ultimate configurations only against systems where a service outage is acceptable, for example in an agreed maintenance window.
Scheduling a Scan
In the MSP Portal, go to the "Vulnerabilities" option, select the "Scan Jobs" tab and then choose "Create New".
Creating a new scan job
When you create a scan, give it a Name and a Description so you remember why you ran it; you can also rerun the scan in the future. You need to choose the sensor that will run the scan, the scan config, the schedule and a target. In the example below we scanned one asset (IP address) using the "Full and Fast" scan config. Note that you can also supply credentials for the scan if required; for this scan we won't need credentials.
Once the scan is running you can see its progress under the "Scan Jobs" tab.
Viewing a completed scan
Once the scan is complete (Status = Done) you can open it with "View" under "Actions".
On the scan job's details page you can see how many vulnerabilities were found (in this scan it was 7).
Create a scan job report / view details
On the scan job details page, click the "started at" date of the scan to see all the vulnerabilities it found, as follows. You can also "Generate a PDF" report.
If you click into a specific vulnerability you can see its details as follows:
To download the PDF report of all the vulnerabilities, go to "Reports History" and download the PDF as follows:
The report will look something like the following:
Add credentials for scanning
If you want to add credentials so the scanner can log in to an asset and scan it with authentication, go back to the main Vulnerabilities page and choose the "Credentials" tab. Enter the login username and password, choose the asset to assign the credentials to from the asset choices, and save the record. Since the password is stored in the portal, use a dedicated scanning account rather than a shared administrative login.
Then, when you create a new scan, such as the "Full and Very Deep Ultimate" scan shown here, you can attach the credentials record for this asset.
You can see below that this authenticated scan found 1 additional issue.
You can see the details of the vulnerability by taking the CVE referenced above and looking it up in the MITRE CVE database: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0482
The OID reference is shown here. Every NVT OID starts with Greenbone's prefix 1.3.6.1.4.1.25623.1.0, and the trailing component identifies the NVT. For NVTs that were ported from the old Nessus plugin set, that trailing component is the Nessus plugin ID, so you can look the plugin up on Tenable's site via this URL: https://www.tenable.com/plugins/index.php?view=single&id=11902 (where 11902 is the final component of the OID 1.3.6.1.4.1.25623.1.0.11902).
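The two lookups described above (CVE in the MITRE database, legacy Nessus plugin ID from the NVT OID) can be automated from a report export. The following is an added example in Python, not code from the MSP Portal or the OpenVAS project. It parses a constructed, simplified report snippet whose element names follow OpenVAS XML report exports, drops informational (Log) results, splits each NVT's comma-separated CVE field, and derives the legacy Nessus plugin ID from the OID prefix described above. The threshold used to decide whether an NVT is a ported Nessus plugin is a heuristic assumption, and apart from OID 11902 and CVE-2000-0482 (taken from the page) all hosts, ports, severities, names and identifiers in the sample are made up.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Greenbone's OID arc: every NVT OID in the feed is this prefix plus a
# per-script identifier.
NVT_OID_PREFIX = "1.3.6.1.4.1.25623.1.0."
# Assumption (heuristic): NVTs ported from the old Nessus plugin set keep the
# Nessus plugin ID (at most five digits) as the trailing OID component, while
# Greenbone-authored NVTs use larger identifiers.
LEGACY_NESSUS_ID_MAX = 99999
CVE_URL = "http://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"
NESSUS_PLUGIN_URL = "https://www.tenable.com/plugins/index.php?view=single&id={pid}"

# Constructed sample: element names follow OpenVAS report exports; OID 11902
# and CVE-2000-0482 come from the page, everything else is made up.
SAMPLE_REPORT = """<report><results>
  <result><host>192.0.2.10</host><port>general/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.11902"><name>Legacy Nessus check</name>
      <cve>CVE-2000-0482</cve></nvt>
    <threat>High</threat><severity>7.5</severity></result>
  <result><host>192.0.2.10</host><port>22/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.100001"><name>Greenbone-authored check</name>
      <cve>CVE-2010-0001, CVE-2010-0002</cve></nvt>
    <threat>Medium</threat><severity>5.3</severity></result>
  <result><host>192.0.2.10</host><port>80/tcp</port>
    <nvt oid="1.3.6.1.4.1.25623.1.0.10107"><name>Banner grab</name>
      <cve>NOCVE</cve></nvt>
    <threat>Log</threat><severity>0.0</severity></result>
</results></report>"""


def nvt_id_from_oid(oid):
    """Return the trailing NVT identifier of an OpenVAS OID, or None if the
    OID is not under Greenbone's arc or the tail is not numeric."""
    if not oid.startswith(NVT_OID_PREFIX):
        return None
    tail = oid[len(NVT_OID_PREFIX):]
    return int(tail) if tail.isdigit() else None


def parse_cves(text):
    """Split the comma-separated <cve> field; 'NOCVE' (or empty) means none."""
    if not text or text.strip() == "NOCVE":
        return []
    return [c.strip() for c in text.split(",") if c.strip()]


@dataclass
class Finding:
    host: str
    port: str
    name: str
    oid: str
    threat: str
    severity: float
    cves: list = field(default_factory=list)

    @property
    def legacy_nessus_id(self):
        """Nessus plugin ID if the OID looks like a ported plugin, else None."""
        nid = nvt_id_from_oid(self.oid)
        return nid if nid is not None and nid <= LEGACY_NESSUS_ID_MAX else None

    def reference_urls(self):
        """MITRE URL per CVE, plus the Tenable plugin URL for legacy NVTs."""
        urls = [CVE_URL.format(cve=c) for c in self.cves]
        if self.legacy_nessus_id is not None:
            urls.append(NESSUS_PLUGIN_URL.format(pid=self.legacy_nessus_id))
        return urls


def parse_results(xml_text, min_severity=0.1):
    """Extract findings from report XML, dropping results below min_severity
    (by default the 0.0 'Log' entries), sorted highest severity first."""
    root = ET.fromstring(xml_text)
    findings = []
    for res in root.iter("result"):
        sev = float(res.findtext("severity", default="0").strip())
        if sev < min_severity:
            continue
        nvt = res.find("nvt")
        findings.append(Finding(
            host=res.findtext("host", default="").strip(),
            port=res.findtext("port", default="").strip(),
            name=(nvt.findtext("name", default="") if nvt is not None else "").strip(),
            oid=nvt.get("oid", "") if nvt is not None else "",
            threat=res.findtext("threat", default="").strip(),
            severity=sev,
            cves=parse_cves(nvt.findtext("cve", default="") if nvt is not None else ""),
        ))
    findings.sort(key=lambda f: f.severity, reverse=True)
    return findings


if __name__ == "__main__":
    for f in parse_results(SAMPLE_REPORT):
        print(f"{f.threat:6} {f.severity:4} {f.host} {f.port} {f.name} ({f.oid})")
        for url in f.reference_urls():
            print("    ", url)
```

Point `parse_results` at a real report export and the Log entries disappear while every remaining finding carries ready-made MITRE links and, for ported plugins, the Tenable link; NVTs that are not under Greenbone's arc yield no plugin link rather than a wrong one.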
Viewing scan vulnerabilities as events
Each vulnerability found also creates an event that can be searched and used for alarm correlation. To view the vulnerability events found by the scan, run a simple search like the following: