Metasploit includes an OpenVAS module, which allow you to interact with an OpenVAS server to create targets, run scans, download reports, and import reports. Recently I had the opportunity to make some updates to the module and wanted to write a blog post to document how to use it. This blog post does not cover how to setup an OpenVAS server but you can find that info here and here.
To use the OpenVAS integration you need to load the openvas module within msfconsole. Do this by running the command load openvas. The updates to the openvas module were accepted in revision 13851, so you may need to use msfupdate to get the updated modules.
After the module is loaded, the work flow is very basic. Start by connecting to the server using the command openvas_connect. If you connect to a host other than localhost or 127.0.0.1, then you will need to pass an additional paramater of “ok” to the command. If you forget the “ok” parameter you will be warned that there is no SSL support and your interaction with the server is not secure. Also, you need to use the port for the OpenVAS manager server, openvasmd, which defaults to 9390.
msf > openvas_connect sbh sbh 127.0.0.1 9390 [*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username sbh... [+] OpenVAS connection successful
Next, create a target to scan using the command openvas_target_create. If you want spaces in the name or comment then make sure you place quotations around them.
msf > openvas_target_create "Local Machine" 192.168.70.128 "My Local Machine" [*] OK, resource created: db1175ac-b40b-4b13-9a80-24b68c2c6b40 [+] OpenVAS list of targets ID Name Hosts Max Hosts In Use Comment -- ---- ----- --------- ------ ------- 0 Localhost localhost 1 1 1 Local Machine 192.168.70.128 1 0 My Local Machine
Next, create a task by specifying a target and a configuration. Use the command openvas_config_list to get a list of configurations and the command openvas_target_list to get a list of targets.
msf > openvas_config_list [+] OpenVAS list of configs ID Name -- ---- 0 Full and fast 1 Full and fast ultimate 2 Full and very deep 3 Full and very deep ultimate 4 empty msf > openvas_task_create "Local Scan" "Scan My Local Machine" 0 1 [*] OK, resource created: 483c6f03-6490-4de2-bd81-c1c5b217d950 [+] OpenVAS list of tasks ID Name Comment Status Progress -- ---- ------- ------ -------- 0 Local Scan Scan My Local Machine New -1
Next, start the task with openvas_task_start and watch the progress using openvas_task_list.
msf > openvas_task_start 0 [*] OK, request submitted msf > openvas_task_list [+] OpenVAS list of tasks ID Name Comment Status Progress -- ---- ------- ------ -------- 0 Local Scan Scan My Local Machine Running 2 msf > openvas_task_list [+] OpenVAS list of tasks ID Name Comment Status Progress -- ---- ------- ------ -------- 0 Local Scan Scan My Local Machine Running 98 msf > openvas_task_list [+] OpenVAS list of tasks ID Name Comment Status Progress -- ---- ------- ------ -------- 0 Local Scan Scan My Local Machine Done -1
Once the scan is finished, the progress is -1, list the available reports using openvas_report_list.
msf > openvas_report_list [+] OpenVAS list of reports ID Task Name Start Time Stop Time -- --------- ---------- --------- 0 Example task Tue Aug 25 21:48:25 2009 Tue Aug 25 21:52:16 2009 1 testtask Fri Sep 16 14:21:31 2011 Fri Sep 16 14:23:09 2011 2 Local Scan Fri Oct 7 22:52:46 2011 Fri Oct 7 23:04:48 2011
Next, you can download (openvas_report_dowload) or import (openvas_report_import) the report. You must specify the report format with either command. You can get a list of formats using openvas_format_list. When importing a report you must use the NBE format. Also note, that when trying to download an ITG or PDF report my OpenVAS server returns an empty report, YMMV.
msf > openvas_format_list [+] OpenVAS list of report formats ID Name Extension Summary -- ---- --------- ------- 0 CPE csv Common Product Enumeration CSV table. 1 HTML html Single page HTML report. 2 ITG csv German "IT-Grundschutz-Kataloge" report. 3 LaTeX tex LaTeX source file. 4 NBE nbe Legacy OpenVAS report. 5 PDF pdf Portable Document Format report. 6 TXT txt Plain text report. 7 XML xml Raw XML report. msf > openvas_report_download 2 1 /root/ov/reports [*] Saving report to /root/ov/reports/report-d76434b0-38e6-462c-87e1-717622056e86.html msf > openvas_report_import 2 4 [*] Importing report to database.
You can see all the available commands using the command openvas_help. If you have any questions or find any bugs in the openvas module let me know at averagesecurityguy [at] gmail [dot] com so I can fix them. If you want to look at the code, it is in /opt/framework/msf3/plugins/openvas.rb and /opt/framework/msf3/lib/openvas/openvas-omp.rb. Enjoy.
Stephen has over ten years experience in the information technology field working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional(CISSP), Offensive Security Certified Professional(OSCP), and GIAC Penetration Tester(GPEN).