Table of contents
- What is OpenVAS?
- Installing OpenVAS on Linux
- Configuring OpenVAS after Installation
- OpenVAS Security and Limitations
- When to use OpenVAS
In the Cyber Security field, performing regular vulnerability scans on systems is one of the key practices to prevent cyberattacks.
Among the most powerful and complete open-source tools for this task is OpenVAS, which stands for Open Vulnerability Assessment System. In this article, you’ll learn what OpenVAS is, how to install and configure it, and how to use it in real scenarios to analyze the security of networks and systems.
We’ll walk through the steps to install OpenVAS on Linux systems (focusing on Debian/Ubuntu), set it up, and understand how to read and act upon scan results. Practical examples, use cases, and even a short automation script are included.
What is OpenVAS?
OpenVAS (Open Vulnerability Assessment System) is a powerful open-source vulnerability scanning framework designed to help security professionals detect and assess potential security flaws in IT infrastructure, including networks, operating systems, applications, and servers.
It is part of the broader Greenbone Vulnerability Management (GVM) project — a modular system that includes:
- GVMD (Greenbone Vulnerability Manager) – manages scan tasks, users, and results.
- OpenVAS Scanner – the core engine that runs thousands of vulnerability tests.
- GSA (Greenbone Security Assistant) – a web-based GUI to manage everything visually.
- GVM-Tools – CLI and scripting tools to automate scans and reporting.
How does OpenVAS work?
At its core, OpenVAS executes NVTs (Network Vulnerability Tests), which are small scripts written in NASL (Nessus Attack Scripting Language). These scripts simulate a variety of attack techniques, such as:
- Banner grabbing to identify exposed versions of services
- Checking for outdated software versions
- Testing default or weak credentials
- Identifying SSL/TLS misconfigurations
Here’s a basic example of an NVT logic in NASL:
# Only run the check against an HTTP service on the port being tested
# (NASL's comparison operator is ==; a single = would be an assignment)
if (port == 80 && service == "http") {
  # In NASL, "a" >< "b" tests whether the left string occurs in the right one
  if ("Apache/2.2.15" >< server_header) {
    report = "Detected Apache 2.2.15, which has multiple known vulnerabilities.";
    security_message(port: port, data: report);
  }
}
This script checks if a web server is running an old Apache version and reports the issue.
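The NASL snippet above matches one literal version string. As an added example (written in Python here rather than NASL, and not code from the OpenVAS project), the following shows the version-comparison logic a banner-based NVT really needs, and why a plain string comparison is wrong for it. The sample banners and the FIXED_IN version are constructed for illustration, not taken from any advisory:

```python
import re
from typing import List, Optional, Tuple

# Constructed banner samples (not captured from any real host).
SAMPLE_BANNERS = [
    "Server: Apache/2.2.15 (CentOS)",
    "Server: Apache/2.2.9 (Debian)",
    "Server: Apache/2.4.58 (Ubuntu)",
    "Server: nginx/1.24.0",
]

# Assumed "fixed in" version, chosen only to illustrate the comparison; a real
# NVT takes the affected range from the advisory it implements.
FIXED_IN: Tuple[int, ...] = (2, 2, 16)

VERSION_RE = re.compile(r"Apache/(\d+(?:\.\d+)*)")


def parse_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Return the Apache version as a tuple of integers, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(banner: str) -> bool:
    """Numeric comparison: 2.2.9 is older than 2.2.16, which a plain string
    comparison would get wrong because "9" sorts after "1"."""
    version = parse_version(banner)
    return version is not None and version < FIXED_IN


def report_findings(banners: List[str]) -> List[str]:
    """Emit one message per affected banner, mirroring security_message() in NASL.
    Banner checks cannot see backported patches, so a custom-compiled build may
    be flagged even though it is patched (a classic false positive)."""
    return [
        f"Detected Apache {'.'.join(map(str, parse_version(b)))} from '{b}': "
        f"older than {'.'.join(map(str, FIXED_IN))}, review for known vulnerabilities"
        for b in banners
        if is_vulnerable(b)
    ]


if __name__ == "__main__":
    for line in report_findings(SAMPLE_BANNERS):
        print(line)
```

The tuple comparison is the point: the scanner's verdict depends on version arithmetic, and the banner alone never tells it whether a distribution backported the fix, which is why results still need a human review.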
Strengths of OpenVAS
- Fully free and open-source, unlike commercial tools like Nessus or Rapid7.
- Includes a user-friendly web interface (GSA).
- Supports authenticated scans (via SSH/SMB).
- Integrates with SIEM platforms like Splunk or ELK.
- Updated regularly through the Greenbone Community Feed, which includes NVTs for the latest CVEs.
Practical usage example
Imagine you manage a production web server and want to identify any vulnerabilities:
- Define the target: 203.0.113.10
- Choose the scan profile: “Full and fast”
- Run the scan and receive a detailed report:
- CVE identifiers and CVSS scores
- Risk level: low/medium/high/critical
- Suggested remediations like patching or configuration changes
For example, you might find a vulnerability of the SSL POODLE type (CVE-2014-3566) and read in the report: “The server supports SSLv3 which is subject to POODLE. It is recommended to disable SSLv3 and enable only TLS 1.2 or higher.”
Installing OpenVAS on Linux
Installation of OpenVAS may differ by distribution, but for Ubuntu/Debian systems, it’s fairly straightforward using official repositories or setup scripts.
Installing on Ubuntu 22.04 or Debian 12
sudo apt update
sudo apt install -y openvas gvm
After installing, initialize the system with:
sudo gvm-setup
This will:
- Set up the PostgreSQL database
- Download the vulnerability feeds
- Configure SSL certificates
- Create a web login user
Verify the setup and then start the services with:
sudo gvm-check-setup
sudo gvm-start
Once setup is complete, access the GUI from your browser at:
https://localhost:9392
The default credentials will be shown at the end of the setup process.

Configuring OpenVAS after Installation
Once OpenVAS is installed and initialized, the next essential step is proper configuration.
Without updating the vulnerability feeds (NVTs), many checks will be unavailable, and the scans will be incomplete or unreliable.
Checking and updating the vulnerability feeds
The NVTs (Network Vulnerability Tests) are the scripts that power OpenVAS’s scanning capabilities. Updating them regularly ensures coverage of the latest CVEs and threats.
To manually update the NVT feed, run:
sudo greenbone-feed-sync --type NVT
You can also sync other important feeds:
sudo greenbone-feed-sync --type SCAP
sudo greenbone-feed-sync --type CERT
Check that everything is in place with:
sudo gvm-check-setup
This utility checks for missing components, outdated feeds, or permission issues.
Using the Web GUI for configuration
Access the web interface (GSA) at https://localhost:9392 with your admin credentials. You can now start tailoring the setup to your security assessment goals.
Key actions include:
1. Creating custom targets
Go to “Configuration > Targets” and define:
- Target name (e.g., “DMZ Web Server”)
- IP address or network range (192.168.1.100 or 10.0.0.0/24)
- Port list (e.g., “All TCP” or custom ports)
- Advanced options like timeouts and reverse DNS
2. Setting up authentication credentials
For authenticated scans, you can provide:
- SSH access for Linux systems
- SMB/Windows access
- Credentials in the form of username/password or private keys
Example: to deeply scan an internal Ubuntu server, create an SSH credential using the root user’s private key. This enables OpenVAS to detect outdated packages, misconfigurations, and permissions issues.
3. Creating a scan task
Under “Scans > Tasks”, you can define a scheduled task:
- Name it (e.g., “Weekly LAN scan”)
- Assign a target
- Choose the scan profile (e.g., “Full and fast”)
- Enable recurring schedules for automation
4. Exporting results
Once a scan is completed, view results in the “Scans > Reports” section. You can export them as:
- PDF (readable reports)
- HTML (interactive viewing)
- XML/CSV (for integration with SIEM or other analysis tools)
Practical example
Scenario: You want to assess a corporate network with both Windows and Linux hosts.
- Create two targets: “Windows LAN” (10.0.0.0/24) and “Linux Servers” (192.168.10.0/24)
- Provide SSH and SMB credentials
- Schedule tasks: weekly scans on Saturday (Windows) and Wednesday (Linux)
- Set up report auto-export and email delivery
This setup enables consistent and automated security posture monitoring across environments.
Running a Scan with OpenVAS
Here’s an example of how to run a full vulnerability scan on a server.
Step 1: Create the target
From the “Targets” menu:
- Name: Internal Web Server
- Hosts: 192.168.1.10
- Port list: All IANA assigned TCP
Step 2: Create a new task
From the “Scan Tasks” menu:
- Name: Full scan of internal server
- Target: Internal Web Server
- Scanner: OpenVAS Default
- Scan Config: Full and fast
Launch the scan and wait for it to complete. Duration depends on network and target complexity.
Step 3: Analyze results
Once finished, open the report:
- Review vulnerabilities sorted by severity (CVSS score)
- Read technical details and suggested fixes
- Export the report in PDF or CSV
Practical example: automate weekly scans
You can use gvm-cli (from the gvm-tools package, or the legacy omp client) together with cron to automate recurring scans. Here’s a sample script:
#!/bin/bash
# Weekly scan launcher. Replace the placeholder with the ID of the task
# created in the GSA (shown under "Scans > Tasks").
set -e
TASK_ID='ID_TASK'
# Start GVM services (gvmd, the OpenVAS scanner, GSA)
sudo gvm-start
# Wait 30 seconds for services to be ready
sleep 30
# Launch the scan over the local gvmd socket using gvm-cli.
# Supply the GMP credentials from the environment (e.g. a root-only file
# sourced by cron) rather than hard-coding them in the script.
gvm-cli --gmp-username "$GMP_USER" --gmp-password "$GMP_PASS" \
  socket --xml "<start_task task_id='${TASK_ID}'/>"
# Do not stop GVM here: stopping the services right after start_task aborts
# the scan. Leave them running, or stop them from a separate job once the
# task status is "Done".
Save this script and create a cron job to run every Monday at 2 AM:
0 2 * * 1 /path/to/scan_weekly.sh
OpenVAS Security and Limitations
Despite being a robust and comprehensive open-source vulnerability scanner, OpenVAS is not flawless.
Its effectiveness largely depends on correct setup, regular maintenance, and secure deployment practices. Understanding its limitations helps avoid false confidence and promotes better usage.
1. False positives and false negatives
OpenVAS, like any automated scanner, may:
- Produce false positives: it may report a vulnerability that doesn’t truly exist or isn’t exploitable.
- Produce false negatives: it might fail to detect an actual vulnerability, especially zero-days or misconfigured services.
Example: OpenVAS might flag an old Apache version, but if it’s custom-compiled with patches, the risk may be overstated.
To mitigate these limitations, it is essential to:
- Critically analyze each result
- Combine OpenVAS with manual tests or tools like Metasploit for verification.
2. Ongoing maintenance required
OpenVAS is not a fire-and-forget tool. It requires:
- Frequent feed updates (NVT, CERT, SCAP), ideally via automated cron jobs
- Careful management of users and roles
- Updating certificates and rotating credentials regularly
Example of a daily update script via cron:
#!/bin/bash
# Daily feed refresh; run from root's crontab so the feed directories are writable
set -e
/usr/bin/greenbone-feed-sync --type NVT
/usr/bin/greenbone-feed-sync --type CERT
/usr/bin/greenbone-feed-sync --type SCAP
3. Performance and resource usage
The OpenVAS scanner is resource-hungry, especially during active scans:
- Needs high CPU power (multi-threaded scans)
- Consumes lots of RAM (4 GB minimum, 8+ recommended)
- Generates heavy disk I/O (scan logs, feed data)
Running it on low-tier VPS or shared environments may cause timeouts, slow scans, or even crashes. Ideal setup:
- Dedicated server or VM
- 4+ CPUs, 8 GB+ RAM
- Limit targets and ports in large scans
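Before committing a large target such as 192.168.0.0/16 with an "All TCP" port list, it helps to know how much work you are asking the scanner to do. The following is an added example, not part of the original article or of the GVM tooling: it expands a GSA-style host list (single IPs, CIDR blocks and explicit ranges are the assumed input forms) and estimates the number of host/port probes, with an illustrative budget threshold:

```python
import ipaddress
from typing import List


def expand_hosts(spec: str) -> List[str]:
    """Expand a comma-separated host list into individual addresses.

    Assumed input forms (mirroring what the GSA target form accepts): single
    IPs, CIDR blocks such as 10.0.0.0/24, and explicit ranges such as
    192.168.1.1-192.168.1.20.
    """
    hosts: List[str] = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            # A scan targets the usable hosts, not the network/broadcast addresses
            hosts.extend(str(h) for h in net.hosts())
        elif "-" in item:
            first, last = (ipaddress.ip_address(p.strip()) for p in item.split("-", 1))
            if int(last) < int(first):
                raise ValueError(f"range end precedes start: {item}")
            hosts.extend(str(ipaddress.ip_address(a)) for a in range(int(first), int(last) + 1))
        else:
            hosts.append(str(ipaddress.ip_address(item)))
    return hosts


def scan_budget(spec: str, port_count: int) -> dict:
    """Size of a scan as host count and host*port probes (65535 = all TCP ports)."""
    n = len(expand_hosts(spec))
    return {"hosts": n, "probes": n * port_count}


def is_oversized(spec: str, port_count: int, max_probes: int = 5_000_000) -> bool:
    """Flag scans above a probe budget; the default threshold is an illustrative assumption."""
    return scan_budget(spec, port_count)["probes"] > max_probes


if __name__ == "__main__":
    # A /16 with every TCP port is over four billion probes: split it into
    # smaller targets or a narrower port list before scheduling it.
    print(scan_budget("192.168.0.0/16", 65535), is_oversized("192.168.0.0/16", 65535))
```

The budget figure is a rough upper bound (host discovery prunes unreachable addresses), but it is enough to decide whether a task should be split into several targets or run with a narrower port list, as the previous list recommends.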
Hardening OpenVAS itself
OpenVAS has a web interface and remote APIs, which makes it a potential attack surface if not properly secured. Here are best practices:
Enforce HTTPS only
Use a valid TLS certificate. Use the built-in tool:
sudo gvm-manage-certs -a
Disable external access
Use firewalls or reverse proxies to restrict access to port 9392 to internal IPs or VPNs only.
Regularly rotate credentials
Avoid using default admin accounts. Create separate users with role-based access control. Change passwords periodically.
Example command to change admin password:
sudo gvmd --user=admin --new-password='StrongSecurePassw0rd!'
When to use OpenVAS
OpenVAS is a powerful asset in a structured cyber security strategy. While it does not replace manual penetration testing, it provides an automated foundation to detect known vulnerabilities across networks and systems using a wide and continuously updated feed of CVEs.
Here are the most effective scenarios for deploying OpenVAS:
1. Internal network audits
In enterprise environments with many devices (servers, routers, workstations, printers), having a clear picture of your exposure is vital.
Example: An IT administrator scans the entire 192.168.0.0/16 subnet monthly to:
- Identify Windows machines with SMBv1 enabled
- Detect undocumented open ports
- Check for outdated firmware on IoT devices
2. Compliance assessments
Security standards like ISO 27001, GDPR, and PCI-DSS often require proof of vulnerability management.
OpenVAS helps by:
- Generating readable and archivable reports
- Exporting scan results in XML, CSV, PDF
- Demonstrating proactive security controls during audits
3. Pre-penetration test preparation
Before a manual penetration test, OpenVAS can:
- Eliminate obvious vulnerabilities
- Allow ethical hackers to focus on advanced logic or privilege escalation
- Reduce costs by narrowing the scope of external consultancy
4. Continuous infrastructure monitoring
By scheduling recurrent tasks, OpenVAS can be part of a passive monitoring system, detecting:
- New vulnerabilities from software updates
- Changes in service configuration
- Unauthorized devices with exposed ports
Example: Weekly scans with email alerts for vulnerabilities scored as “High” or “Critical” (CVSS 7.0+).
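The alerting described here, and the result analysis in "Step 3: Analyze results" above, both come down to reading an exported report and keeping the findings at or above a severity threshold. The following is an added example, not code from the original article or from the Greenbone project: it parses a constructed, simplified GMP-style XML report (the nvt oid values are placeholders), maps each CVSS score to its qualitative rating, keeps everything scored 7.0 or higher, and formats the plain-text body of an alert e-mail:

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in a simplified GMP-style report layout (not a real export);
# the <nvt> oid values are placeholders, the hosts are documentation addresses.
SAMPLE_REPORT = """<report>
  <results>
    <result id="r1">
      <name>SSL/TLS: SSLv3 Protocol Supported (POODLE)</name>
      <host>192.168.1.10</host>
      <port>443/tcp</port>
      <severity>7.5</severity>
      <nvt oid="placeholder-oid-1"><cve>CVE-2014-3566</cve></nvt>
    </result>
    <result id="r2">
      <name>Outdated Apache version detected</name>
      <host>192.168.1.10</host>
      <port>80/tcp</port>
      <severity>5.0</severity>
      <nvt oid="placeholder-oid-2"/>
    </result>
    <result id="r3">
      <name>SMBv1 protocol enabled</name>
      <host>10.0.0.25</host>
      <port>445/tcp</port>
      <severity>9.0</severity>
      <nvt oid="placeholder-oid-3"/>
    </result>
    <result id="r4">
      <name>ICMP timestamp reply</name>
      <host>10.0.0.25</host>
      <port>general/icmp</port>
      <severity>2.1</severity>
      <nvt oid="placeholder-oid-4"/>
    </result>
    <result id="r5">
      <name>OS detection</name>
      <host>10.0.0.25</host>
      <port>general/tcp</port>
      <severity>0.0</severity>
      <nvt oid="placeholder-oid-5"/>
    </result>
  </results>
</report>
"""


def threat_label(score: float) -> str:
    """Map a CVSS base score to the qualitative rating used by CVSS v3.x."""
    if score == 0.0:
        return "Log"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_results(xml_text: str) -> List[dict]:
    """Flatten each <result> into a dict with host, port, name, severity and CVEs."""
    root = ET.fromstring(xml_text)
    findings = []
    for r in root.iter("result"):
        severity = float(r.findtext("severity", default="0.0"))
        cves = [c.text for c in r.findall("nvt/cve") if c.text]
        findings.append({
            "id": r.get("id", ""),
            "host": (r.findtext("host") or "").strip(),
            "port": (r.findtext("port") or "").strip(),
            "name": (r.findtext("name") or "").strip(),
            "severity": severity,
            "threat": threat_label(severity),
            "cves": cves,
        })
    return findings


def filter_by_severity(findings: List[dict], threshold: float = 7.0) -> List[dict]:
    """Keep findings at or above the alert threshold (7.0 = High and Critical)."""
    return [f for f in findings if f["severity"] >= threshold]


def count_by_host(findings: List[dict]) -> Dict[str, int]:
    """Number of findings per host, for a one-line summary per system."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


def format_alert(findings: List[dict]) -> str:
    """Build the plain-text body of an alert e-mail, most severe first."""
    lines = []
    for f in sorted(findings, key=lambda f: f["severity"], reverse=True):
        cves = ", ".join(f["cves"]) or "no CVE"
        lines.append(f"[{f['threat']} {f['severity']:.1f}] {f['host']} {f['port']} - {f['name']} ({cves})")
    return "\n".join(lines)


if __name__ == "__main__":
    alerts = filter_by_severity(parse_results(SAMPLE_REPORT))
    print(format_alert(alerts))
    print(count_by_host(alerts))
```

The same filter applied to the full XML export from "Scans > Reports" gives you the list to hand to whoever patches the host; keeping the Log and Low entries out of the alert is what stops a weekly schedule from training people to ignore the mail.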
Final note
While OpenVAS won’t replace a skilled penetration tester, it complements their work. Think of it as an automated radar system, always on, alerting you to known threats, while manual pentests dig deeper into logic flaws and zero-day conditions.
In a defense-in-depth strategy, OpenVAS should be combined with:
- Firewalls, IDS/IPS
- Behavioral analytics
- SIEM platforms
- Backup and incident response plans
Questions and answers
- Is OpenVAS free?
  Yes, it’s a fully open-source and free solution.
- Can I use it on Windows?
  No, it’s designed for Linux systems, though you can run it in a VM or Docker on Windows.
- What are NVTs?
  Network Vulnerability Tests — the scripts used by OpenVAS to scan systems.
- How long does a scan take?
  It depends on the scan profile, number of hosts, and ports scanned.
- Can I scan external systems?
  Only with explicit permission. Unauthorized scanning is illegal.
- Can I export scan results?
  Yes, to formats like PDF, CSV, and XML.
- What’s the difference between OpenVAS and GVM?
  GVM is the full framework; OpenVAS is the scanning engine within it.
- Does OpenVAS require a lot of RAM?
  At least 4 GB is recommended. Larger setups may need more.
- How do I update OpenVAS?
  Via greenbone-feed-sync and standard package updates.
- Can it integrate with SIEM systems?
  Yes, using log export and API integration.