Vulnerability Scanning With Metasploit

Welcome back, fellow Hackers! Today we are talking about Vulnerability Scanning with Metasploit. You have probably heard of OpenVAS before, or even used it. It is the most popular free Vulnerability Scanner out there and definitely worth a look on its own. We covered finding vulnerabilities with OpenVAS before on YouTube.

But did you know that you can run OpenVAS natively in Metasploit? I will show you how.

Before you can start using OpenVAS in Metasploit, you first have to install it, if you haven’t already. Once you are done with the installation we can start.

Ignore all the Ruby Timeout Errors throughout the screenshots; they just appeared after upgrading my system and I didn’t get to fix them yet.

 

 

Part 1 – Starting OpenVAS

First, you need to make sure that the OpenVAS Service is actually running:

openvas-start

Part 2 – Loading OpenVAS in Metasploit

After starting Metasploit with:

msfconsole

You can load OpenVAS by running:

load openvas

 

Part 3 – Listing OpenVAS Commands

Now we can get a quick overview of all of the available OpenVAS commands:

openvas_help

 

As you can already see, lots of fun commands to play with.

 

Part 4 – Connecting OpenVAS to its service

Next we need to connect OpenVAS to its service using our credentials.

openvas_connect username password host port

We can see that the connection was successful.

 

 

Part 5 – Creating a Target

Now we are going to create a target for scanning. To do that run:

openvas_target_create "TargetName" IPOfTarget "NameOfScan"

For this example, my target is the vulnerable VM Lampiao from Vulnhub, with the IP 192.168.56.101.

Note that everything you do here is also done in the OpenVAS Database itself, so you will be able to see the results in the Web GUI later. An example is the confirmation below, which shows the Lampiao Initial Scan that we just created plus all the other scans that I ran with OpenVAS before.

Also, take note of the long ID of our newly created scan. We will need that later.

 

Part 6 – Checking available Scan Types & Target Lists

To see what kind of Scan Types are available, run:

openvas_config_list

 

This shows us all of the available Scan Configurations. We need to specify one of them when creating a Task. These are the same Scan Configs that are available through the Web GUI. At this point you might wonder, why would I prefer Vulnerability Scanning with Metasploit over just using the OpenVAS Web GUI? Well, some people like me, who work a lot with Metasploit Workspaces, like to keep everything in one place.

This is why I prefer console over GUI in this context.

In case you forgot the Target ID of your Target, you can pull that information up again by typing:

openvas_target_list

We are going to need the IDs of the Target and of the Scan Config in the next step.

 

Part 7 – Creating a Task

Now we are going to create a new task. This is the same as creating a task in the Web GUI.

openvas_task_create [NameOfTask] [Comment] [ScanConfigID] [TargetID]

 

When successful, you can see the task in your list with the Status: New.

You can run the following command to pull up your task list again; you’ll need your Task ID in the next step.

openvas_task_list

 

Part 8 – Starting a Task

To start the task simply run:

openvas_task_start [TaskID]

 

Now depending on how many targets you scan or which intensity level you chose, this can take a long time.

 

Part 9 – Checking the Task Status

To check our Task Status we can simply run:

openvas_task_list

The number under Progress (48 in this example) is the percentage of the scan. Once it’s at -1, the scan is done. Just repeat the command by pressing the up-arrow key a couple of times until it finishes.

 

 

Part 10 – Creating a Report

As soon as the scan finishes, there are a couple of ways to create a report. Although it’s possible to create all kinds of reports this way, I actually prefer pulling up the report through the Web GUI.

You probably have guessed it by now, to show the Report List run:

openvas_report_list

Now you have a couple of options for the format in which to export your report:

openvas_format_list

Exporting a Report

To finally export a report, choose what format you want and run:

openvas_report_download [report id] [format id] [path for saving the report] [report name]

 

But as I said, I don’t really like exporting via the terminal. The Web GUI works much better for that. I recommend using it to pull your report.
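The console steps from Parts 2 to 7 can be kept as Metasploit resource files and replayed with msfconsole -r instead of being retyped. The shell sketch below is an added example, not from the original post: it generates those files, checks the target IP and the labels before writing anything, and creates the file owner-only because it holds the password. The function names and the OPENVAS_* environment variables are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: generate msfconsole resource files for Parts 2-7 above.
# Function names and OPENVAS_* variable names are assumptions of this sketch.

# Dotted-quad IPv4 only, each octet 0..255.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Names, comments, IDs: no quotes, semicolons or newlines that could end an argument.
safe_label() {
    case "$1" in ''|*[!A-Za-z0-9\ _.-]*) return 1 ;; esac
}

# Parts 2-6: load the plugin, connect, create the target, list configs and targets.
build_setup_rc() {  # build_setup_rc <target name> <target IP> <comment>
    valid_ipv4 "$2" || { echo "bad target IP: $2" >&2; return 2; }
    safe_label "$1" && safe_label "$3" || { echo "bad name/comment" >&2; return 2; }
    [ -n "${OPENVAS_USER:-}" ] && [ -n "${OPENVAS_PASS:-}" ] &&
    [ -n "${OPENVAS_HOST:-}" ] && [ -n "${OPENVAS_PORT:-}" ] ||
        { echo "set OPENVAS_USER/PASS/HOST/PORT" >&2; return 2; }
    cat <<EOF
load openvas
openvas_connect $OPENVAS_USER $OPENVAS_PASS $OPENVAS_HOST $OPENVAS_PORT
openvas_target_create "$1" $2 "$3"
openvas_config_list
openvas_target_list
EOF
}

# Part 7: create the task from the two IDs read off the lists, then list tasks.
build_task_rc() {  # build_task_rc <name> <comment> <config id> <target id>
    [ "$#" -eq 4 ] || { echo "need name comment config_id target_id" >&2; return 2; }
    for v in "$@"; do safe_label "$v" || { echo "bad value: $v" >&2; return 2; }; done
    printf 'openvas_task_create "%s" "%s" %s %s\nopenvas_task_list\n' "$1" "$2" "$3" "$4"
}

# The setup file contains the password: create it owner-only, delete it after use.
write_rc() {  # write_rc <file> <builder> [args...]
    out=$1; shift
    ( umask 077; "$@" > "$out" ) || { rm -f "$out"; return 2; }
}
# Usage: write_rc setup.rc build_setup_rc Lampiao 192.168.56.101 "Lampiao Initial Scan"
```

Run the setup file with msfconsole -r setup.rc, read the Scan Config and Target IDs from the two lists it prints, then generate the task file with build_task_rc.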

 

Conclusion

Using OpenVAS natively in Metasploit can save you some time over using the WebGUI once you are familiar with it. It also is able to post findings in Metasploit’s Database, although that doesn’t always work.

It definitely is a fun way to play with OpenVAS and learn more about how it works on a Command Line Level.
