Download slides here.
The OpenVAS project maintains a public feed of Network Vulnerability Tests (NVTs). The feed contains more than 47,000 NVTs and grows continuously. It is configured as the default feed for OpenVAS. You can find the feed here along with an NVT OID lookup tool.
There are several types of scan configs you can choose from (and you can also add your own). The scan config determines how thorough the scan will be and how long the scan will take. The scan configs are as follows:
- Discovery - Uses only NVTs that provide as much information as possible about the target system. No vulnerabilities are detected.
- Host Discovery - Uses only NVTs that discover target systems. This scan only reports the list of systems discovered.
- System Discovery - Uses only NVTs that discover target systems, including the installed operating systems and the hardware in use.
- Full and Fast - This is the default and, for many environments, the best option to start with. This configuration is based on the information gathered in the prior port scan and uses almost all NVTs. Only NVTs that will not damage the target system are used. Plugins are optimized in the best possible way to keep the potential false negative rate especially low. The other configurations provide more value only in rare cases, and with much more required effort.
- Full and fast ultimate - This configuration expands the Full and Fast configuration with NVTs that could disrupt services or systems or even cause shutdowns.
- Full and very deep - This configuration differs from the Full and Fast configuration in that the results of the port scan have no impact on the selection of the NVTs. NVTs that have to wait for a timeout will therefore be used. This scan is very slow.
- Full and very deep ultimate - This configuration adds the dangerous NVTs that could cause service or system disruptions to the Full and very deep configuration.
Note on destructive tests: The difference between passive/active, non-destructive/destructive testing is typically illustrated by comparing the concepts of "vulnerability assessment" to "penetration testing": http://seclists.org/pen-test/2006/Aug/91 Unfortunately, as you'll read about in the above discussion, there is sometimes overlap in whether an activity is considered destructive. This overlap is why these profiles differentiate destructive/non-destructive tests.
Scheduling a Scan
In the Customer Portal, go to the "Advanced" tab, select the "Scanning" button, and then choose "Create Scan Job".
Creating a new scan job
When you create a scan, give it a Name and a Description so you remember why you ran it and can rerun the scan in the future. You also need to choose the sensor that will run the scan, the scan config, the scheduling, and a target. In the example below we scanned a range of IP addresses using the "Full and Fast" scan (note the CIDR notation). You can also choose credentials for the scan if required; for this scan we won't need credentials. Note the Scan Now checkbox as well: if you un-check this box, you can schedule a future scan.
Once the scan starts running, you can see its progress under the "Scan jobs" tab. Once the scan is complete ("Status = Done"), you can view the scan under "Actions".
If you click on the number of vulnerabilities you can see a list of the issues. Also note the action to Generate a PDF Report.
If you click on a vulnerability you will see the detail like the following:
You can see the details of the vulnerability by taking the CVE referenced above and checking the MITRE database found here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0482
You can see the OID reference here. For the old Nessus IDs, you can search their plugins via this URL: https://www.tenable.com/plugins/index.php?view=single&id=11902 (where 11902 is the reference to the NVT in the OID).
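The two lookups described above can be scripted when triaging many findings. The following Python sketch is an added example, not part of the product or of OpenVAS: the finding records and the function names are constructed for illustration, and it assumes NVT OIDs sit under the OpenVAS arc 1.3.6.1.4.1.25623.1.0 with the NVT number as the last component.

```python
import re

# Assumption: OpenVAS NVT OIDs sit under this arc; the last component is the NVT number.
OPENVAS_NVT_ARC = "1.3.6.1.4.1.25623.1.0."
CVE_RE = re.compile(r"^CVE-[0-9]{4}-[0-9]{4,}$")

# URL patterns taken from the page.
MITRE_URL = "http://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}"
TENABLE_URL = "https://www.tenable.com/plugins/index.php?view=single&id={nvt_id}"


def nvt_number(oid):
    """Return the trailing NVT number of an OID, or None if it is not an NVT OID."""
    oid = oid.strip()
    if not oid.startswith(OPENVAS_NVT_ARC):
        return None
    tail = oid[len(OPENVAS_NVT_ARC):]
    return int(tail) if re.fullmatch(r"[0-9]+", tail) else None


def reference_links(finding):
    """Build lookup URLs for one finding dict with 'oid' and 'cves' keys."""
    links = []
    for cve in finding.get("cves", []):
        cve = cve.strip().upper()
        if CVE_RE.match(cve):  # skips placeholders such as "NOCVE"
            links.append(MITRE_URL.format(cve=cve))
    number = nvt_number(finding.get("oid", ""))
    if number is not None:
        # Only meaningful for NVTs that carry an old Nessus ID; treat as a candidate link.
        links.append(TENABLE_URL.format(nvt_id=number))
    return links


# Constructed sample findings (not real scan output; the OID/CVE pairing is illustrative).
SAMPLE_FINDINGS = [
    {"oid": "1.3.6.1.4.1.25623.1.0.11902", "cves": ["CVE-2000-0482"]},
    {"oid": "1.3.6.1.4.1.25623.1.0.11902", "cves": ["NOCVE"]},
    {"oid": "1.3.6.1.2.1.1.1", "cves": ["cve-2000-0482 "]},
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(finding["oid"])
        for url in reference_links(finding):
            print("  ", url)
```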
Create a scan job report
On the scan job details page, choose "Generate PDF" to see all the vulnerabilities from the scan in a report. You will find the report under the "Reports" tab.
If you download the report it will look like the following:
Add credentials for scanning
If you want to add credentials to log in to an asset and scan it with authentication, go to your user profile (choose your name in the upper right-hand corner). Add the login username and password, choose the asset to assign the credentials to in one of the asset choices, and save the record.
Viewing scan vulnerabilities as events
Each vulnerability found also creates an event that can be searched and used for alarm correlation. To view the vulnerability events found by the scan, do a simple search under the "Advanced" tab like the following: