Skip to content

Latest commit

 

History

History
97 lines (63 loc) · 3.02 KB

File metadata and controls

97 lines (63 loc) · 3.02 KB

Lab 15 — Vulnerability Scanning with Greenbone / OpenVAS

Exam objective: 3.1 Conduct vulnerability discovery (network scans, authenticated/unauthenticated, host-based); 3.2 Analyse scan output.

In this lab you will install Greenbone Community Edition (the new name for OpenVAS), scan a vulnerable target, and triage the results — separating true positives from false positives.


Step 1 — Install via Docker

mkdir greenbone && cd greenbone
curl -O https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml
sudo docker compose -f docker-compose-22.4.yml -p greenbone up -d

First start downloads ~1 GB of vulnerability feeds — be patient. Watch progress:

sudo docker compose -p greenbone logs -f gvmd

Web UI at https://127.0.0.1:9392 — default credentials admin / admin (rotate after first login).


Step 2 — Add a target

Inside the GSA web UI:

  1. Configuration → Targets → New Target

    • Name: lab-target
    • Hosts: IP of your vulnerable VM (Metasploitable2/3, DVWA host).
    • Port list: All IANA assigned TCP and UDP.
  2. (Optional) Credentials — add SSH/SMB creds for an authenticated scan, which finds far more (config drift, missing patches).


Step 3 — Run the scan

  1. Scans → Tasks → New Task
    • Target: lab-target
    • Scan Config: Full and fast (default).
  2. Start the task. Refresh Scans → Tasks to see progress.

Step 4 — Triage the report

Open the finished task → Reports → latest. Filter results:

  • Severity ≥ 7 → focus first.
  • Sort by QoD (Quality of Detection) — 95% or higher = high-confidence.
  • Click each finding for the NVT details, references and remediation.

For each High/Critical, validate manually:

Reported finding Validation method Outcome
MS17-010 SMB nmap --script smb-vuln-ms17-010 True positive
Apache 2.4.49 path traversal curl http://target/cgi-bin/.%2e/.%2e/etc/passwd True positive
Generic "outdated PHP" Banner only, app behind WAF False positive — note in report

Step 5 — Export

Reports → Download in PDF, XML or CSV. Attach the XML to your engagement folder (it parses nicely into Dradis from Lab 5).


Step 6 — Quick CLI alternative

sudo gvm-cli socket --xml="<get_tasks/>"

Use gvm-cli to launch scans from CI/CD pipelines.


Step 7 — Compare scan types

Scan type Strength Weakness
Network (unauth) No creds needed, attacker view Lots of false positives on banner-only checks
Authenticated Patch-level accuracy Needs creds, more invasive
Host-based agent (e.g. Nessus Agent) Continuous Requires deployment
Container scan (Lab 17) Image-level Only as good as the SBOM

What you learned

  • How to deploy Greenbone CE locally via Docker.
  • How to run unauthenticated and authenticated scans.
  • How to triage findings using severity, QoD and manual validation.