Welcome back, fellow Hackers! Today we are talking about Vulnerability Scanning with Metasploit. You probably heard of OpenVAS before or even used it. It is the most popular, free Vulnerability Scanner out there and definitely worth a look on its own. We covered finding vulnerabilities with OpenVAS before on YouTube.
But did you know that you can run OpenVAS natively in Metasploit? I will show you how.
Before you can start using OpenVAS in Metasploit, you first have to install it if you haven’t already. Once you are done with the installation, we can start. Ignore all the Ruby Timeout Errors throughout the screenshots, they just appeared after upgrading my system, and I didn’t get to fix them yet.
Table of Contents
- Part 1 – Starting OpenVAS
- Part 2 – Loading OpenVAS in Metasploit
- Part 3 – Listing OpenVAS Commands
- Part 4 – Connecting OpenVAS to its service
- Part 5 – Creating a Target
- Part 6 – Checking available Scan Types & Target Lists
- Part 7 – Creating a Task
- Part 8 – Starting a Task
- Part 9 – Checking the Task Status
- Part 10 – Creating a Report
Part 1 – Starting OpenVAS
First, you need to make sure that the OpenVAS Service is actually running:
Part 2 – Loading OpenVAS in Metasploit
After starting Metasploit with:
You can load OpenVAS by running:
Part 3 – Listing OpenVAS Commands
Now we can get a quick overview of all of the available OpenVAS commands:
As you can already see, there are lots of fun commands to play with.
Part 4 – Connecting OpenVAS to its service
Next, we need to connect OpenVAS to its service using our credentials.
openvas_connect username password host port
We can see that the connection was successful.
Part 5 – Creating a Target
Now we are going to create a target for scanning. To do that run:
For this example, my target IP is the vulnerable VM Lampiao from Vulnhub with the IP of 192.168.56.101
Note that everything you do here will also be done in the OpenVAS Database itself. Hence you will be able to see the results in the Web GUI later. An example is the confirmation below, that is showing the Lampiao Initial Scan that we just created, plus all the other scans that I ran with OpenVAS before.
Also, take note of the long ID of our newly created scan. We will need that later.
Part 6 – Checking available Scan Types & Target Lists
To see what kind of Scan Types are available, run:
This shows us all of the available Scan Configurations. We need to specify this when creating a Task. Those are the same Scan Configs that are available through the Web GUI. At this point you might wonder, why would I prefer Vulnerability Scanning with Metasploit over just using the OpenVAS Web GUI? Well, some people like me who work a lot with Metasploit Workspaces, like to keep everything in one place.
This is why I prefer console over GUI in this context.
In case you forgot the Target ID of your Target, you can pull that information up again by typing:
We are going to need the IDs of the Target and of the Scan Config in the next step.
Part 7 – Creating a Task
Now we are going to create a new task. This is the same as creating a task in the Web GUI.
openvas_task_create [NameOfTask] [Comment] [ScanConfigID] [TargetID]Code language: CSS (css)
When successful, you can see the task in your list with the Status: New.
You can run the following command to pull up your task list again; you’ll need your Task ID in the next step.
Part 8 – Starting a Task
To start the task, simply run:
openvas_task_start [TaskID]Code language: CSS (css)
Now depending on how many targets you scan or which intensity level you choose, this can take a long time.
Part 9 – Checking the Task Status
To check our Task Status, we can simply run:
The number under Progress (48 in this example) is the percentage of the scan… Once it’s at -1, the scan is done. Just repeat the command by pressing the up-arrow key a couple of times until it finishes.
Part 10 – Creating a Report
As soon as the scan finishes, there are a couple of ways how to create a report. Although it’s possible to create all kinds of reports this way, I actually prefer pulling up the report through the Web GUI.
You probably have guessed it by now, to show the Report List run:
Now you have a couple of options for which format you would like to export your report with:
Exporting a Report
To finally export a report, choose what format you want and run:
openvas_report_download [report id] [format id] [path for saving the report] [report name]Code language: CSS (css)
But as I said. I don’t really like exporting via Terminal. The Web GUI works much better, for that matter. I recommend using this to pull your report.
Using OpenVAS natively in Metasploit can save you some time overusing the WebGUI once you are familiar with it. It also is able to post findings in Metasploit’s Database, although that doesn’t always work.
It definitely is a fun way to play with OpenVAS and learn more about how it works on a Command-Line Level.