> scanning_target 10.0.0.0/24 —— authenticated —— nvt_feed_current —— 78,000+ tests<span class="cursor-blink">_</span>_
OpenVAS — the Open Vulnerability Assessment Scanner — is the world's most widely deployed open-source vulnerability scanner. Originally forked from Nessus when Tenable moved to a proprietary licence in 2005, OpenVAS has grown into a comprehensive scanning engine backed by over 180,000 Network Vulnerability Tests (NVTs) and maintained by Greenbone Networks under the Greenbone Vulnerability Management (GVM) framework.
Where Nmap tells you what is running, OpenVAS tells you what is wrong with it. It probes discovered services against a continuously updated database of known vulnerabilities, misconfigurations, default credentials, missing patches, and policy violations — then produces structured results that map directly to CVEs, vendor advisories, and compliance frameworks.
For penetration testers, OpenVAS serves a specific and important role: it provides broad, automated coverage across large target sets, identifies the low-hanging fruit that every competent attacker would find, and — critically — frees the tester to spend their limited engagement time on the manual exploitation, chain analysis, and business-context work that no scanner can replicate. It is not a replacement for manual testing. It is the foundation that makes manual testing efficient.
Vulnerability scanning generates significant network traffic and probes services in ways that may cause disruption. Only ever scan systems you own or have explicit, written authorisation to test. Unauthorised scanning is a criminal offence under the Computer Misuse Act 1990 and equivalent legislation worldwide. In a professional engagement, scanning scope and methods must be documented in the rules of engagement before any scanner is launched.
OpenVAS is not a single binary. It is one component within the Greenbone Vulnerability Management (GVM) framework — a collection of services that work together to manage feeds, schedule scans, store results, and present findings. Understanding this architecture matters because most troubleshooting — scans that hang, feeds that fail to update, results that seem incomplete — traces back to a misconfigured or unhealthy component in this stack.
| Component | Role | Detail |
|---|---|---|
| openvas-scanner | The scanning engine | Executes NVT scripts against targets. Written in C. Communicates with the manager via the OSP (Open Scanner Protocol). This is the component that generates network traffic and probes services. |
| gvmd | The Greenbone Vulnerability Manager daemon | The central management service. Manages scan tasks, configurations, targets, schedules, users, permissions, and results. Stores everything in a PostgreSQL database. Communicates with the scanner via OSP and with the web interface via GMP (Greenbone Management Protocol). |
| gsad | The Greenbone Security Assistant daemon | The web server that provides the browser-based management interface. Communicates with gvmd via GMP. Default port 9392. |
| ospd-openvas | The OSP wrapper for the scanner | Bridges gvmd and the openvas-scanner process. Manages scanner lifecycle, feeds scan parameters, and returns results. Runs as a Unix socket or TCP listener. |
| PostgreSQL | The result database | Stores all scan results, NVT metadata, configurations, schedules, and historical data. Performance-critical — a slow database means slow scans and slow UI. |
| Redis | The in-memory data store | Used by the scanner during execution as a fast key-value store for NVT data, intermediate results, and inter-script communication. Misconfigured Redis is one of the most common causes of scan failures. |
| greenbone-feed-sync | The feed updater | Downloads the latest NVT, SCAP, CERT, and GVMD data feeds from Greenbone's servers. Without current feeds, the scanner is testing against yesterday's knowledge. |
The data flow is straightforward: you create a scan task via the GSA web interface (or the gvm-cli command line tool). gvmd receives the task, passes it to ospd-openvas, which launches the openvas-scanner process. The scanner loads NVTs from its feed, pulls runtime data from Redis, probes the targets, and writes results back through ospd-openvas to gvmd, which stores them in PostgreSQL. The web interface queries gvmd to display results.
OpenVAS can be installed from source, from distribution packages, or — most commonly for professional use — via Docker containers provided by Greenbone. The containerised deployment is strongly recommended: it manages the complex inter-service dependencies, ensures compatible versions, and simplifies feed updates. For Ubuntu, the installation workflow uses Docker Compose.
Change the default admin password immediately. Restrict GSA access to management VLANs or VPN interfaces only — it should never be exposed to the internet. Configure TLS certificates for the web interface. If running outside Docker, ensure Redis is bound to localhost with requirepass set and Unix socket permissions restricted to the GVM service account. The scanning engine runs as root by design — isolate it on a dedicated host or container.
OpenVAS relies on four distinct data feeds, each serving a different purpose. A scanner running stale feeds is worse than useless — it provides false confidence. Feed currency should be verified before every engagement.
| Feed | Content | Update Frequency |
|---|---|---|
| NVT Feed | Network Vulnerability Tests — the NASL scripts that perform the actual vulnerability checks. Over 180,000 tests covering CVEs, misconfigurations, default credentials, and policy violations. | Daily. Greenbone publishes updates as new CVEs are disclosed and vendor patches released. |
| SCAP Feed | Security Content Automation Protocol data — CVE definitions, CPE (Common Platform Enumeration) dictionaries, and CVSS scoring data used to enrich scan results with standardised vulnerability metadata. | Daily. Tracks the NVD (National Vulnerability Database) and MITRE CVE publications. |
| CERT Feed | CERT-Bund and DFN-CERT advisories providing additional context, affected product lists, and remediation guidance beyond what the CVE entry alone provides. | Daily. Tracks German CERT publications — useful for European compliance contexts. |
| GVMD Data Feed | Scan configurations, port lists, report formats, compliance policies, and other management data that gvmd uses to orchestrate scans. | Periodically. Less frequent than vulnerability feeds but essential for new scan configurations and compliance policies. |
The Greenbone Community Feed is free and comprehensive but updates are delayed by approximately two weeks compared to the Greenbone Enterprise Feed. For professional engagements where the latest CVEs matter — and they always matter — this delay should be understood and communicated to clients. If a critical CVE was published last week, the Community Edition may not yet have a check for it.
OpenVAS ships with several pre-built scan configurations that control which NVTs are executed. Choosing the correct configuration is one of the most important decisions in any scanning engagement — too light and you miss vulnerabilities, too aggressive and you risk service disruption or spend days scanning when the engagement window is measured in hours.
| Scan Configuration | NVT Selection | Use Case |
|---|---|---|
| Full and Fast | All NVTs that do not require credentials and are unlikely to cause service disruption. Excludes denial-of-service and brute-force modules. | The default for most penetration testing engagements. Best balance of coverage and safety. Start here unless you have a specific reason not to. |
| Full and Fast Ultimate | All NVTs including those that may cause service disruption — denial-of-service checks, aggressive brute-forcing, and destructive tests. | Only for lab environments or when the rules of engagement explicitly permit disruptive testing. Never use against production systems without written authorisation and a rollback plan. |
| Full and Deep | All safe NVTs with increased thoroughness — additional connection attempts, longer timeouts, more comprehensive enumeration. | When accuracy matters more than speed. Suitable for smaller target sets where scan duration is less constrained. |
| Full and Deep Ultimate | Maximum coverage including disruptive tests with deep scanning parameters. | Lab and isolated environments only. The most comprehensive scan possible — and the most likely to cause collateral disruption. |
| Host Discovery | ICMP, ARP, and TCP discovery only. No vulnerability testing. | Scope validation. Run this first to confirm which hosts are alive and responsive before committing to a full vulnerability scan. |
| System Discovery | Host discovery plus OS detection and basic service enumeration. | Asset inventory. Useful as a precursor to understand the target environment before choosing a full scan configuration. |
Beyond the pre-built configurations, professional testers frequently create custom scan configurations. This is done through Configuration → Scan Configs → Clone (clone an existing config, then modify). Common customisations include disabling NVT families irrelevant to the target (there is no value running Windows checks against a Linux-only environment), enabling specific brute-force modules against in-scope authentication services, adjusting concurrent host and NVT limits based on target network capacity, and adding custom NASL scripts for organisation-specific checks.
An unauthenticated scan examines a target from the outside — it can see open ports, identify services, detect remotely exploitable vulnerabilities, and check for misconfigurations visible to an anonymous connection. A credentialed scan logs into the target with valid credentials and examines it from the inside — installed software versions, missing patches, local privilege escalation paths, configuration file contents, registry settings, and file permissions.
The difference in coverage is dramatic. An unauthenticated scan of a typical Windows server might identify 5–15 findings. A credentialed scan of the same server routinely identifies 50–200. This is not because the scanner is inventing problems — it is because the vast majority of vulnerabilities are not visible from the network. They require local access to detect: a missing KB patch, an outdated third-party application, a weak registry setting, a world-readable credential file.
| Credential Type | Configuration | What It Enables |
|---|---|---|
| SSH (Linux/Unix) | Username and password, or SSH private key. Configure in Configuration → Credentials. The account needs sudo or root-equivalent access for full coverage — without privilege, the scanner cannot read /etc/shadow, inspect kernel parameters, or check package versions comprehensively. |
Package version auditing, kernel vulnerability checks, configuration file analysis, local privilege escalation detection, file permission auditing, active process enumeration, installed service configuration review. |
| SMB (Windows) | Domain or local administrator credentials. Requires SMB access (TCP 445) and remote registry service. Best practice: use a dedicated service account with local admin rights across targets — avoids credential reuse of a real administrator's password. | Windows Update audit (missing KBs), registry configuration checks, installed software enumeration, local user and group membership, Windows Firewall policy, service configuration and permissions, file system ACL auditing. |
| SNMP | Community string (v1/v2c) or USM credentials (v3). Often overlooked but critical for network infrastructure — routers, switches, firewalls, printers, and IoT devices that do not support SSH or SMB. | Firmware version identification, running configuration extraction, interface enumeration, routing table analysis, ARP table harvesting, device-specific vulnerability checks. |
| ESXi | VMware ESXi root or administrative credentials. Requires HTTPS API access (TCP 443). | Hypervisor patch level, virtual machine inventory, vSwitch configuration, host firewall rules, SSH enablement status, NTP configuration. |
| Database | PostgreSQL, MySQL, Oracle, or MSSQL credentials. Connect to database services directly. | Database version and patch level, user privilege enumeration, default account detection, configuration parameter auditing (e.g. log_connections, ssl mode), stored procedure review. |
Credentials configured in OpenVAS are stored in gvmd's PostgreSQL database. For professional engagements: use dedicated scan accounts created specifically for the engagement, disable or delete them when testing is complete, rotate any credentials that were transmitted during the scan, and document all credential usage in the engagement record. Never use production administrator passwords. Never store client credentials beyond the engagement window.
The operational workflow in OpenVAS follows a consistent pattern: define targets, select or create a scan configuration, optionally attach credentials, create a task that binds these together, and execute the task. Each element is reusable — you can run the same configuration against different targets, or the same targets with different configurations.
Scan duration depends on target count, port range, scan configuration, network latency, and concurrency settings. A Full and Fast credentialed scan of a /24 network (approximately 254 hosts) with default concurrency settings typically takes 4–8 hours. Increasing Max Hosts reduces wall-clock time but increases network load — on shared production networks, aggressive concurrency can trigger IDS alerts, overwhelm switches, or cause service degradation. For production environments, start conservative and increase only after confirming network stability.
The GSA web interface is effective for interactive use, but professional engagements often require automation — scheduled scans, API-driven workflows, integration with ticketing systems, or batch operations across multiple targets. The gvm-cli tool communicates directly with gvmd via the Greenbone Management Protocol (GMP), providing full programmatic control over every function available in the web interface.
The Python API (python-gvm) is particularly powerful for engagement workflows. Common automations include: creating targets and tasks from a scope spreadsheet, launching scans at the start of an engagement window, polling for completion and automatically exporting results, parsing XML results into custom report templates, and feeding confirmed vulnerabilities into Metasploit's database for exploitation planning.
A typical credentialed scan of a /24 network produces hundreds to thousands of individual findings. Not all of them are real, not all of them matter, and understanding the difference is what separates a useful vulnerability assessment from a data dump. OpenVAS categorises each finding with a severity score, a quality of detection (QoD) rating, and detailed technical information that the tester must evaluate.
| Severity | CVSS Range | Interpretation |
|---|---|---|
| Critical | 9.0 – 10.0 | Remotely exploitable with high impact — typically remote code execution, authentication bypass, or direct data access. Investigate immediately: confirm the finding is genuine, verify the affected service version, and attempt manual exploitation if within scope. |
| High | 7.0 – 8.9 | Significant risk — may require authenticated access or specific conditions to exploit. Still warrants manual verification and likely inclusion in the report as an individual finding. |
| Medium | 4.0 – 6.9 | Moderate risk in isolation. However, medium-severity findings frequently appear in attack chains. Assess in context: a medium LLMNR poisoning finding becomes critical when it leads to credential capture and lateral movement. |
| Low | 0.1 – 3.9 | Limited direct impact but may indicate systemic issues — information disclosure, verbose error messages, missing security headers. Report as grouped findings or recommendations. |
| Log / Info | 0.0 | Informational data — open ports, detected services, software versions. Not vulnerabilities but essential context for the engagement. Service versions feed directly into manual exploitation research. |
The Quality of Detection (QoD) rating is equally important and frequently overlooked. It indicates how confident the scanner is in the finding. A QoD of 100% means the scanner exploited the vulnerability or confirmed it definitively. A QoD of 70% means the scanner detected a potentially vulnerable version but could not confirm exploitability. A QoD of 30% means the detection is based on banner information alone — and banners can be misleading. Findings with QoD below 70% require manual verification before reporting.
OpenVAS is not limited to vulnerability detection. Through its compliance auditing capabilities, it can evaluate systems against defined security policies — checking configuration baselines, required settings, installed software, and security controls. This is particularly valuable for organisations operating under regulatory frameworks where demonstrable compliance is a requirement.
| Audit Policy | What It Checks | Relevant Frameworks |
|---|---|---|
| CIS Benchmarks | Centre for Internet Security hardening baselines — password policies, service configurations, file permissions, registry settings, audit policies, network configurations. | Cyber Essentials, ISO 27001, PCI DSS, NIST 800-53, SOC 2. CIS benchmarks are the de facto standard for system hardening verification. |
| IT-Grundschutz | German BSI baseline protection checks — comprehensive organisational and technical security measures. | IT-Grundschutz certification, German federal agency compliance, EU institutional requirements. |
| PCI DSS | Payment Card Industry requirements — vulnerability scanning, default credentials, encryption standards, access controls, logging requirements. | PCI DSS (requirement 11.2 mandates quarterly vulnerability scans by an approved scanning vendor — OpenVAS can supplement but not replace ASV scans). |
| Custom Policies | Organisation-specific checks written as custom NASL scripts or OVAL definitions — internal password policies, required software versions, prohibited services, mandatory configurations. | Any internal standard. Particularly useful for verifying that remediation from previous penetration tests has been implemented correctly. |
Compliance audits require credentialed access to the target systems. The audit results appear alongside vulnerability scan results but are categorised separately, showing pass/fail/error status for each policy check rather than vulnerability severity ratings. For penetration testing engagements, compliance audit results add valuable context: a system that fails CIS benchmark checks for password complexity, account lockout, and audit logging is far more likely to be compromised through the credential-based attack paths the tester is evaluating.
OpenVAS does not operate in isolation during a penetration test. It is one tool in a coordinated workflow that begins with Nmap for discovery, uses OpenVAS for broad vulnerability identification, feeds confirmed targets into Metasploit for exploitation, and produces results that are combined with manual findings into the final report. The integration points between these tools determine how efficiently the engagement runs.
The key insight is phasing: OpenVAS runs during downtime (overnight, during Nmap enumeration) so that its results are available when the tester begins manual work. Running OpenVAS on day three of a five-day engagement wastes time. Running it on day one — while the tester is still mapping the environment — ensures that vulnerability data is ready precisely when it is needed.
OpenVAS scan performance is determined by four factors: scanner concurrency settings, Redis configuration, PostgreSQL performance, and network conditions. Tuning these correctly can reduce scan times from hours to minutes for small networks, or from days to hours for large estates.
| Parameter | Default | Tuning Guidance |
|---|---|---|
| max_hosts | 20 | Maximum concurrent hosts being scanned. Increase for large networks with adequate bandwidth. Each host consumes scanner memory and network connections — monitor resource usage. For /16 networks, values of 30–50 are common on dedicated scanning appliances. |
| max_checks | 4 | Maximum concurrent NVTs per host. Increasing beyond 4–6 rarely improves speed and can cause false negatives as services become overwhelmed by parallel probes. Leave at 4 for production networks. |
| Redis maxmemory | 512MB | The scanner stores NVT data and intermediate results in Redis during execution. For large scans (500+ hosts), increase to 2–4GB. If Redis runs out of memory, scans fail silently with incomplete results. |
| PostgreSQL shared_buffers | 128MB | gvmd queries PostgreSQL heavily during scan execution and result retrieval. Increase to 25% of system RAM (e.g., 4GB on a 16GB system). Add appropriate work_mem and effective_cache_size settings. |
| network_timeout | varies | Per-NVT connection timeout. On high-latency networks or when scanning across WAN links, increase timeouts to avoid false negatives from dropped connections. On local networks, default timeouts are appropriate. |
OpenVAS competes with commercial vulnerability scanners — primarily Nessus (Tenable), Qualys VMDR, and Rapid7 InsightVM. Understanding its strengths and limitations relative to these tools helps testers choose the right scanner for the right engagement.
| Consideration | OpenVAS (Community) | Commercial Alternatives |
|---|---|---|
| Cost | Free and open source. Greenbone Enterprise available for commercial support and faster feeds. | Nessus Professional from ~£3,000/year. Qualys and InsightVM enterprise pricing. Cost scales with asset count. |
| Feed Currency | Community feed delayed ~14 days behind Enterprise. Adequate for most engagements. May miss very recent CVEs. | Same-day or next-day NVT coverage for critical CVEs. Faster coverage of zero-day disclosures. |
| NVT Coverage | 180,000+ tests. Comprehensive for infrastructure, network devices, and common platforms. Weaker on niche commercial appliances. | Comparable or larger test libraries. Better coverage of commercial and proprietary systems — SAP, Oracle, Cisco IOS-specific checks. |
| Ease of Use | GSA interface functional but dated. Installation requires Linux expertise. Troubleshooting demands understanding of the full stack. | Polished interfaces, cloud-hosted options, managed updates. Lower barrier to entry for non-specialist users. |
| Customisation | Full access to source code and NASL scripts. Custom NVTs, custom policies, API-driven automation. No vendor lock-in. | Limited customisation. Vendor-controlled plugin ecosystem. API access varies by licence tier. |
| Reporting | Built-in reports in XML, CSV, PDF. Functional but basic. Most professional testers export raw results and integrate with custom reporting pipelines. | Polished reporting with executive dashboards, trend analysis, compliance mapping, and integration with GRC platforms. |
For penetration testing firms, the practical answer is often: use both. OpenVAS provides comprehensive coverage at zero marginal cost — especially valuable when scanning large networks where per-asset commercial licensing becomes prohibitive. Commercial scanners supplement with faster feeds, better reporting, and broader coverage of niche platforms. The scanner results are inputs to the tester's work, not the deliverable — the tool matters less than the skill interpreting its output.
If your organisation has deployed detection and monitoring capabilities, vulnerability scans — whether authorised or not — should be visible. Understanding what OpenVAS looks like on the wire helps defenders validate that their monitoring is working and helps testers understand what footprint they are leaving.
| Detection Point | Indicator | Response |
|---|---|---|
| Network IDS/IPS | High-volume connection attempts from a single source across many ports and hosts. Signature matches for known NVT probe patterns — specific HTTP requests, SNMP community string brute-forcing, SMB negotiation sequences. | Alert on scanning patterns. During authorised testing, whitelist the scanner IP to avoid alert fatigue — but verify the whitelist is removed after testing completes. |
| Firewall Logs | Thousands of connection attempts from the scanner IP, many to closed ports (denied/dropped). Connection patterns show systematic port sweeping rather than normal application traffic. | Log analysis should flag systematic port access patterns. Correlate scanner IP with the authorised testing window — scanning outside the agreed window is a finding. |
| Windows Event Logs | Event ID 4625 (failed logon attempts) from the scanner during credentialed scan authentication. Event ID 4624 (successful logon, type 3 — network) when credentials work. Remote Registry service access events. | Correlate authentication events with the testing window. Multiple 4625 events outside the window indicate either unauthorised scanning or misconfigured credentials from an old scan task. |
| Linux Auth Logs | SSH authentication attempts in /var/log/auth.log. Successful connections from the scanner IP using the scan service account. sudo usage if the scan account requires privilege escalation. |
Monitor for scan account usage outside the testing window. Ensure the scan account is disabled or removed after the engagement completes. |
| Web Application Logs | Rapid-fire HTTP requests probing for known vulnerable paths — /manager/html, /wp-admin, /phpmyadmin, /.env. User-Agent strings identifying the scanner. |
WAF rules should detect and log automated scanning patterns. During authorised testing, the scanner may need WAF exceptions to ensure comprehensive coverage — document this in the rules of engagement. |
OpenVAS is the most capable open-source vulnerability scanner available. It provides broad, automated coverage that identifies known vulnerabilities, misconfigurations, default credentials, and compliance deviations across large network estates. For penetration testing engagements, it serves as the foundation layer — identifying the attack surface that manual testing then explores, exploits, and chains into the business-risk narratives that define a professional report.
Its limitations are real and important: it detects known vulnerabilities, not unknown ones. It identifies individual issues, not attack chains. It tests what the feed knows about, not what has been published since the last sync. It reports what it finds, not what it means. Every finding requires human judgement — verification, contextualisation, and prioritisation based on the specific organisation's architecture, threat model, and risk appetite.
The difference between a vulnerability scan report and a penetration test report is the human intelligence applied after the scanner finishes. OpenVAS generates the data. The tester generates the insight. Used correctly, it is the most cost-effective way to ensure that no engagement misses the obvious — leaving the tester's time and expertise for the work that actually matters.
Our engagements combine automated scanning with manual exploitation, chain analysis, and business-context reporting. If you want to know what an attacker can actually do — not just what a scanner can find — let's talk.