Exam objective: 3.1 Conduct vulnerability discovery (network scans, authenticated/unauthenticated, host-based); 3.2 Analyse scan output.
In this lab you will install Greenbone Community Edition (the new name for OpenVAS), scan a vulnerable target, and triage the results — separating true positives from false positives.
mkdir greenbone && cd greenbone
curl -O https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml
sudo docker compose -f docker-compose-22.4.yml -p greenbone up -dFirst start downloads ~1 GB of vulnerability feeds — be patient. Watch progress:
sudo docker compose -p greenbone logs -f gvmdWeb UI at https://127.0.0.1:9392 — default credentials admin / admin (rotate after first login).
Inside the GSA web UI:
-
Configuration → Targets → New Target
- Name:
lab-target - Hosts: IP of your vulnerable VM (Metasploitable2/3, DVWA host).
- Port list:
All IANA assigned TCP and UDP.
- Name:
-
(Optional) Credentials — add SSH/SMB creds for an authenticated scan, which finds far more (config drift, missing patches).
- Scans → Tasks → New Task
- Target:
lab-target - Scan Config:
Full and fast(default).
- Target:
- Start the task. Refresh
Scans → Tasksto see progress.
Open the finished task → Reports → latest. Filter results:
- Severity ≥ 7 → focus first.
- Sort by QoD (Quality of Detection) — 95% or higher = high-confidence.
- Click each finding for the NVT details, references and remediation.
For each High/Critical, validate manually:
| Reported finding | Validation method | Outcome |
|---|---|---|
| MS17-010 SMB | nmap --script smb-vuln-ms17-010 |
True positive |
| Apache 2.4.49 path traversal | curl http://target/cgi-bin/.%2e/.%2e/etc/passwd |
True positive |
| Generic "outdated PHP" | Banner only, app behind WAF | False positive — note in report |
Reports → Download in PDF, XML or CSV. Attach the XML to your engagement folder (it parses nicely into Dradis from Lab 5).
sudo gvm-cli socket --xml="<get_tasks/>"Use gvm-cli to launch scans from CI/CD pipelines.
| Scan type | Strength | Weakness |
|---|---|---|
| Network (unauth) | No creds needed, attacker view | Lots of false positives on banner-only checks |
| Authenticated | Patch-level accuracy | Needs creds, more invasive |
| Host-based agent (e.g. Nessus Agent) | Continuous | Requires deployment |
| Container scan (Lab 17) | Image-level | Only as good as the SBOM |
- How to deploy Greenbone CE locally via Docker.
- How to run unauthenticated and authenticated scans.
- How to triage findings using severity, QoD and manual validation.