Ethical Hacking Lesson 18 – Nessus & OpenVAS | Dataplexa

Ethical Hacking

I. Foundations & Hacking Mindset
1. What is Ethical Hacking 2. Hacker Types & Motivations 3. Legal & Ethical Considerations 4. Hacking Methodologies 5. Cyber Kill Chain 6. Footprinting & Reconnaissance 7. Passive vs Active Recon 8. Information Gathering Tools 9. Hacking Lab Setup 10. Kali Linux Overview
II. Reconnaissance & Scanning
11. DNS Enumeration 12. Whois & Network Enumeration 13. Google Dorking 14. Nmap Scanning 15. Port Scanning 16. Service Enumeration 17. Vulnerability Scanning 18. Nessus & OpenVAS 19. Banner Grabbing 20. Recon Best Practices
III. System & Network Attacks
21. Password Cracking 22. Brute Force Attacks 23. Credential Harvesting 24. Exploiting Misconfigurations 25. Linux System Attacks 26. Windows System Attacks 27. Privilege Escalation 28. Malware Concepts 29. Backdoors & Trojans 30. Network Sniffing 31. MITM Attacks 32. DoS Attacks 33. Wireless Attacks 34. Covering Tracks 35. Attack Mitigation
IV. Web Hacking & Real World
36. Web Architecture 37. OWASP Top 10 38. SQL Injection 39. Cross-Site Scripting (XSS) 40. Authentication Attacks 41. Session Hijacking 42. File Upload Vulnerabilities 43. API Security 44. Tools Summary 45. Mini Project – Ethical Hacking Lab
Reconnaissance & Scanning · Lesson 18

Nessus & OpenVAS

Nmap scripts are sharp and targeted. But when a client wants their entire infrastructure assessed systematically — every host, every port, every known CVE checked against every detected service — you need a dedicated vulnerability scanner. This lesson covers the two that matter most in professional practice.

Two tools, one job, very different contexts

Nessus and OpenVAS do broadly the same thing — scan a network, identify running services, cross-reference them against a vulnerability database, and produce a prioritised list of findings. The difference is licensing, cost, and where they are typically deployed.

Nessus is produced by Tenable and has been the industry standard for commercial vulnerability scanning since the late 1990s. Its plugin database — the collection of checks it runs — is the most comprehensive available. Large enterprises, managed security providers, and most professional pen testing firms use it. There is a free tier called Nessus Essentials that allows scanning up to 16 IP addresses, which is enough for lab work and small assessments.

OpenVAS — Open Vulnerability Assessment System — is the open-source alternative, maintained by Greenbone Networks. It is free, capable, and ships pre-installed on Kali Linux. The plugin coverage is not quite as deep as Nessus but it is genuinely useful for lab practice and for engagements where budget does not extend to a commercial licence. Most pen testers learn on OpenVAS and work with Nessus professionally.

NESSUS vs OPENVAS — side by side
Nessus OpenVAS
Cost Free (Essentials, 16 IPs) or commercial licence Free and open source
Plugin database 180,000+ plugins — most comprehensive available 80,000+ NVTs — solid coverage, updated regularly
Interface Web-based GUI — polished, well-documented Web-based GUI — functional, steeper learning curve
Authenticated scans Yes — SSH, Windows, database credentials supported Yes — SSH and SMB credential support
Kali Linux Install manually from Tenable's website Pre-installed — start with one command
Best for Professional engagements, enterprise compliance scans Lab practice, learning, budget-constrained assessments

Starting OpenVAS on Kali — the first run

OpenVAS takes a few minutes to initialise the first time — it downloads and updates its vulnerability database, sets up internal services, and generates SSL certificates for its web interface. Run the setup command once, wait for it to finish, then access the dashboard through your browser. Every subsequent start is much faster.

One thing that catches people out: OpenVAS runs several background services simultaneously. If you start scanning before all of them are ready, scans will fail silently or return incomplete results. The setup command below handles all of that automatically — it checks, starts, and confirms each service is ready before handing control back to you.

# Step 1 — initial setup (run only once, or after a long period of non-use)
# gvm-setup downloads the vulnerability database and configures all services
# This can take 10–30 minutes on first run — the database is large
# It will print the auto-generated admin password at the end — write it down

sudo gvm-setup

# Step 2 — start all OpenVAS services
# gvm-start launches the scanner, manager, and web interface simultaneously
# Wait until all three services report as running before opening the browser
sudo gvm-start

# Step 3 — verify everything is running correctly
# gvm-check-setup confirms each component is properly configured
# If anything failed to start it will tell you which service and why
sudo gvm-check-setup

Breaking it down:

86,432 NVTs
NVT stands for Network Vulnerability Test — OpenVAS's term for its individual check scripts. Each one targets a specific vulnerability or configuration issue. 86,000+ means OpenVAS is checking your target against a very large database of known issues. Keeping this database updated with gvm-feed-update before each engagement ensures you are checking against the most recently disclosed vulnerabilities.
Generated password — write it down
The setup generates a random admin password and prints it exactly once. If you miss it or forget it, resetting requires running the setup again which is time-consuming. As soon as setup completes, log in and change the password to something you will remember — or store it in a password manager.
https://127.0.0.1:9392
The web interface runs locally on your Kali machine — it is not exposed to the network. Your browser will show a certificate warning because the SSL cert is self-signed. This is expected — click through and proceed. Do not install OpenVAS on a machine with a public IP without securing the web interface behind authentication and a firewall rule.

Configuring and running a scan against Metasploitable

Once inside the dashboard, the scan configuration process takes about two minutes. OpenVAS uses the concept of scan configs — pre-built profiles that define which checks to run and at what depth. The right config depends on what you are trying to achieve.

OPENVAS SCAN CONFIGS — which to use and when
Full and Fast
Runs the full set of NVTs but skips checks that are excessively slow or known to cause service disruption. The best starting point for most engagements. Balances thoroughness with practicality.
Full and Deep
Everything — including slow, thorough checks that can be intrusive. Takes significantly longer and generates more traffic. Use when you have a wide testing window and need maximum coverage, typically on internal assessments.
System Discovery
Host and service discovery only — no vulnerability checks. Useful for building an inventory before deciding where to focus deeper scanning. Fast and low-impact.
Empty
A blank config you build from scratch by adding individual NVT families. Only useful if you know exactly which checks you want and need to minimise scan footprint — advanced usage.

For lab practice against Metasploitable, "Full and Fast" is the right choice. It will find everything worth finding without running so long that it disrupts your session.

The scenario: You are setting up an OpenVAS scan against Metasploitable — 192.168.56.101 — to get a full vulnerability picture before the exploitation phase. The scan config is "Full and Fast" and the target is configured with no credentials (unauthenticated scan). The command below shows how to launch and monitor the scan from the terminal rather than the GUI — useful when working in an automated pipeline or over SSH.

# OpenVAS can also be controlled via its command line interface (gvm-cli)
# This is useful for scripting scans or running them remotely over SSH
# Active scanning — this sends thousands of probes to the target
# Only run within your authorised scope and testing window

# First update the vulnerability database to get the latest NVT definitions
# Do this before every engagement — new vulnerabilities are added daily
sudo gvm-feed-update

# List available scan configurations to find the Full and Fast config ID
# Each config has a unique UUID that you need to reference when creating a scan
gvm-cli --gmp-username admin --gmp-password YOUR_PASSWORD \
  socket --xml ""

# Create a scan target pointing at Metasploitable
# Replace the UUID with the actual Full and Fast config ID from the list above
gvm-cli --gmp-username admin --gmp-password YOUR_PASSWORD \
  socket --xml "
    Metasploitable Lab Target
    192.168.56.101
  "

Breaking it down:

459 new NVTs since last update
Nearly 500 new vulnerability checks added since the previous feed update. That is not unusual — the security community publishes new vulnerability disclosures daily. An outdated feed means missing recently disclosed issues. Running gvm-feed-update before an engagement is not optional if you want results you can stand behind.
UUIDs for scan configurations
OpenVAS uses UUIDs — long unique identifiers — to reference every object it manages: targets, configs, tasks, reports. They look unwieldy but they are precise. When scripting scans via gvm-cli, you reference the UUID of the scan config and target rather than their human-readable names. Copy them carefully — a single wrong character breaks the reference.
Target ID returned after creation
The UUID returned after creating a target is what you use when creating the actual scan task. Think of it as OpenVAS confirming "I have saved this target and here is its reference number." Save this UUID — you will need it in the next step when you create and start the scan task.

Reading an OpenVAS report — separating signal from noise

A full OpenVAS scan against a target like Metasploitable will return dozens of findings — sometimes over a hundred. The immediate temptation is to start at the top and work down. Resist it. Start by looking at the shape of the results first.

If a scanner returns forty critical findings on a single host, one of two things is true: either the host is genuinely in terrible shape (which Metasploitable is, by design), or the scan has a large number of false positives. Learning to tell the difference is something that comes with experience — but two quick checks help immediately. Are multiple findings pointing at the same service with the same version? That is likely one real vulnerability being reported by several different NVTs. Are findings for services you already know are not running on that host? That is a false positive.

The structure below shows what a partial OpenVAS findings summary looks like after a scan completes — and how to read it critically rather than just accepting the numbers at face value.

OPENVAS RESULTS SUMMARY — 192.168.56.101 Scan complete

Unprotected VNC Service

Port 5900/tcp — VNC protocol 3.3 — no authentication required

CVSS 9.8 Critical

Samba Remote Code Execution (CVE-2007-2447)

Port 445/tcp — Samba 3.0.20 — unauthenticated RCE via username field

CVSS 10.0 Critical

MySQL Unpassworded Account

Port 3306/tcp — root account accepts login without password

CVSS 9.8 Critical

Telnet Unencrypted Service

Port 23/tcp — credentials transmitted in plaintext over the network

CVSS 8.1 High

Apache Server Version Disclosure

Port 80/tcp — Server header exposes Apache 2.2.8 version string

CVSS 5.3 Medium

Missing Security Headers (X-Frame-Options, CSP)

Port 80/tcp — several recommended browser security headers absent

CVSS 3.1 Low

A few things worth noticing in those results. The Apache version disclosure is medium severity — but we already confirmed from the curl headers in Lesson 16 that the server is also running PHP 5.2.4, which is a much more serious finding than a version string in a header. OpenVAS flagged the header; a manual check found the worse problem underneath it.

The missing security headers finding at CVSS 3.1 is real but low priority. On Metasploitable it gets buried under critical findings. On a hardened production server that has otherwise patched everything else, it might deserve more attention — because it is the kind of thing that gets left unfixed for years precisely because it is never urgent enough to prioritise.

Exporting results for the report

Both Nessus and OpenVAS can export scan results in multiple formats. The formats you will use most often are PDF for executive summaries, XML for importing into other tools like Metasploit's database, and CSV for building custom tables in a client report.

OpenVAS exports are managed through the web interface — navigate to the completed scan, click the download icon, and choose the format. The XML export in particular is useful because Metasploit's db_import command can ingest it directly, adding all discovered hosts and vulnerabilities to the Metasploit database for use during the exploitation phase.

# Import an OpenVAS XML export into the Metasploit database
# This gives Metasploit context about which hosts exist and what is running
# Making the scan data available inside msfconsole speeds up the exploitation phase

# First start the Metasploit database service (PostgreSQL)
sudo systemctl start postgresql

# Launch Metasploit console
msfconsole

# Inside msfconsole — connect to the database
db_connect

# Import the OpenVAS XML export file
# Replace the path with wherever you saved your exported scan file
db_import /root/openvas_scan_metasploitable.xml

# Verify the import worked — list all hosts found in the database
hosts

# List all services discovered across all imported hosts
services

Breaking it down:

41 vulnerabilities imported
All 41 findings from the OpenVAS scan are now inside the Metasploit database and searchable from within msfconsole. When you search for exploits against specific services in the next phase, Metasploit can automatically match against what is already known about the target from the scan data.
Why this workflow matters
The import connects the scanning phase to the exploitation phase cleanly. Instead of maintaining separate notes about what Nmap found, what OpenVAS reported, and what services exist — it all lives in one database. The exploitation phase picks up exactly where scanning left off, with the full context already in place.

Teacher's Note: Nessus Essentials is free for 16 IPs and worth installing alongside OpenVAS. Running both against the same target and comparing results is one of the best ways to understand what each scanner is good at and where each one's blind spots are. Discrepancies between the two are always worth investigating manually.

Practice questions

Scenario:

A pen tester is about to start a vulnerability scan using OpenVAS against a client's network. The last time they used OpenVAS was three weeks ago. Their team lead reminds them that the vulnerability database may be missing hundreds of newly disclosed CVEs added in the past three weeks — and that scanning with an outdated feed means the results cannot be trusted to represent the current threat landscape. Which OpenVAS command should the pen tester run before starting the scan?


Scenario:

A pen tester needs to run an OpenVAS scan against a production web server during a narrow four-hour testing window. They need thorough coverage of all known vulnerabilities but cannot afford to run checks that are excessively slow or known to cause service disruption — the server must remain available throughout the testing window. Which OpenVAS scan configuration is the most appropriate for these requirements?


Scenario:

After completing an OpenVAS scan, a pen tester exports the results as an XML file. They want to load the scan data — all discovered hosts, open ports, and identified vulnerabilities — into the Metasploit Framework's database so that the exploitation phase can reference the scanning context directly from within msfconsole. Which msfconsole command imports the OpenVAS XML export into the Metasploit database?


Quiz

Scenario:

A compliance team runs a monthly unauthenticated vulnerability scan against their Windows server infrastructure and consistently gets a clean bill of health — very few findings, all low severity. An external pen tester is brought in and runs an authenticated scan using domain admin credentials. The authenticated scan returns 23 critical findings including missing patches, insecure local group policy settings, and cleartext credentials cached in memory. How do you explain the discrepancy to the compliance team?

Scenario:

A junior pen tester runs an OpenVAS scan and receives 67 findings against a single host. Looking closer, they notice three separate critical findings all related to OpenSSH — each with a slightly different title, but all pointing at port 22, the same OpenSSH version, and all referencing CVE-2023-38408. Their report draft lists all three as separate critical findings. A senior tester asks them to revise the report. What is the correct interpretation of these three findings?

Scenario:

A pen tester's OpenVAS report includes a low-severity finding — CVSS 3.1 — for missing HTTP security headers on a web server. The same report contains four critical findings including unauthenticated remote code execution. A client asks whether they should even bother addressing the missing headers given how low the score is compared to the critical issues. What is the correct guidance?

Up Next · Lesson 19

Banner Grabbing

A deeper look at manual service interrogation — the techniques professionals use when automated tools are not enough and every byte of the response matters.

← Previous Course Index Next →