OpenVAS Vulnerability Management Tutorial | Cybersecurity Homelab

Today I will be showing you a tutorial on how to use OpenVAS to run a vulnerability scan on a windows Virtual Machine created through Azure.

First off, what is OpenVAS? OpenVAS (Open Vulnerability Assessment System) is an open-source vulnerability scanner that helps identify security vulnerabilities in computer systems and networks. It is part of the larger Greenbone Security Manager (GSM) product, which includes a range of tools for vulnerability scanning, management, and reporting.

Here is what you will learn in this tutorial:

1. Deploying a Linux VM in Azure and installing OpenVAS.
2. Deploying a Windows VM in Azure, and installing very old software on it to make it vulnerable.
3. Configuring OpenVAS to run a unauthenticated & authenticated Scan agaisnt our Windows VM
4. Remediate Vulnerabilities and verify remediations

Let’s get started.

Prerequisites:

Before you can get started with this lab, you will need to create an azure account. If you do not have an active account, you can head over to https://azure.com/free.

For first time users, you will be able to take advantage of the $200 free credit offered by Microsoft. I would also recommend having some basic Cloud computing knowledge, as this will make it easier to follow along.

Important Tip: Do NOT use a school or work email to create your account. Doing so will add you to your school/Organization’s Active Directory Domain, and block you from being able to create anything in azure.

Step 1: Deploying a linux VM in Azure and installing OpenVAS.

1. Head over to https://portal.azure.com
2. Enter your e-mail (non-school/work) address and password.
3. You have 2 ways to create the Virtual Machine. You can head over to “Marketplace” and type “OpenVAS” in the search bar. You will be prompted with 2 options.

4. You can theoretically select the option on the left, “OpenVAS secured and supported by HOSSTED. This option would deploy a linux VM with OpenVAS automatically installed on it, and you would deploy the web server by SSH’ing into the linux VM. However, I ran into LOTS of troubleshooting issues later on, that did not allow me to run my vulnerability scans (I kid you not, I was stuck for 2 weeks). Therefore I decided to create my linux VM manually and then install OpenVAS on it separately. To create a VM, you can search “Virtual Machine” in the search bar, and then select “create”.

5. On the Basics tab, you will create a resource group, name your VM, select the region, image and size.

• Resource Group: You can name it whatever you want, I picked “Vulnerability Management”
• VM name: OpenVAS
• Region: Pick whatever region, I chose East US 2
• Image: select basic plan — x64 Gen 1

6. Select a username (azureuser)and a password. Make sure to write it down somewhere you will remember.

7. Go to the “Networking” tab and write down the Virtual Network name that is created automatically. You will need it later on when you create your second windows VM.

8. Go to “Monitoring” tab, and disable boot diagnostic.

9. You can now review and create your VM.

Step 2: SSH into linux VM

1. If you’re using a macbook, you can openup a terminal. If you’re using a windows machine (as I am), open up PowerShell and run it as an administrator.
2. Run the following command: ssh [username]@[linux VM IP]
3. Then you will type yes when prompted, and finally enter your password (the one created at the time of the linux VM creation).

4. Now we will install OpenVAS on the linux VM. Here is the link you can follow with the commands you will run to do so: https://www.geeksforgeeks.org/installing-openvas-on-kali-linux/

5. Run the following commands, as indicated in the link:

sudo apt update

sudo apt upgrade -y

sudo apt dist-upgrade -y

sudo apt install openvas

sudo gvm-setup

sudo gvm-check-setup

You can read more about each command in the link provided.

6. Eventually you will be prompted with a screen similar to what you see below. A username (usually “admin”) and long password will be indicated as well. Make sure to write those down, as you need them to login to the hosted web server. There will also be the link of the webserver which will look something similar to this: https://[linux VM IP].c.hossted.app

7. I suggest you wait around a day or so before logging into the web server, to make sure everything on the web server has been configured correctly. The page will look like this. You will enter the username and long password that was indicated on linux.

8. One of the main parameters you want to make sure is available, is the Scan Configs. Those are crutial to make sure you can run your scans. This is the part where I got stuck, when i initially deployed my VM through Marketplace instead of manually, as explained in step 1.3.

9. To check whether you have your scan configs, log into the webserver and hover your mouse over the “configuration” tab. Then, select Scan Configs. Make sure this page is not empty. If it is, go through Step 2.5 again. This is very important.

10. If you want to change the password on the web server, you have 2 ways to do so. You could run the following command through PowerShell/Linux:

sudo gvmd — — user=admin — — new-password=[new password];

Or, you can hover your mouse over the little man Icon and click on “my settings” and then select the pen and paper icon. This will allow you to select a new Password.

Step 3: Create Windows VM and make it vulnerable:

1. Create a second VM, this time a Windows 10 Pro VM. You can follow the image below:

2. Make sure to select the same region as the first VM. Once again, create a username and password for the windows VM. You can select the same one as the Linux VM.

3. Head to the “networking” tab. Make sure you select the same virtual network as the linux VM. This is important, as it will allow OpenVAS to scan the windows 10, given that they are both in the same private network.

4. Once the VM is created, you will RDP into it. If you are using a macbook, you can use the app “Microsoft Remote Desktop” (you have to install it if you don’t have it on your macbook). If you are using a windows PC, look up “remote Desktop Connection”. Enter the IP address from the windows VM (can be found by going to the VM in Azure portal, going to “Overview” and looking for the Public IP Address).

5. After clicking on “connect”, select “change option” and make sure to put the username you created when creating the windows VM.

6. Once logged in, you will disable the FW. type the Wf.msc command in the search bar → click on windows defender Firewall Properties → disable domain, public and private firewall state. Select “Apply” and “Ok”.

7. Next you will head to the internet browser, and open the following link: https://drive.google.com/drive/u/0/folders/1n83ilCjZWZulbDdYnUe9wQPK2buY47_U

8. Download and install each software. These are very old versions of Firefox, VLC player and Adobe. Old versions mean that they are more vulnerable, because newer versions usually come with patches and vulnerability remediation.

9. Once that is done, you can restart the VM and leave it alone for now.

Step 4: Configure and Perform Unauthenticated Scan on OpenVAS

1. Open an incognito tab and log into openVAS.
2. We need to add the client windows VM on openVAS so it can start scanning it. Go to “assets” and then “hosts”. Hover your mouse over little folder next to question mark that says “new host” and then click on it. You have to find the private IP for the windows machine (found in Azure Portal, in the “Overview” section), as we want to use it instead of the public. If we use the public IP, the vulnerability scan will be slow, and done over the internet. Since both VMs are in the same virtual network, they can communicate using the private IP. Once done, we click Save.

3. Then, we create a target from the host and Name it (You can leave everything else on the window as is, as long as you have named it). We go to the “Configuration” tab, select “Target” and then the “new target” icon in the top left, as shown below:

4. Make sure to click on save.

5. Now we need to create new task. Go to “scans” tab and then click on “tasks”. Then click on “new task”. Name it: Scan — Azure Vulnerable VMs. Pick target: Azure Vulnerable VMs. Save it. This part is very important, and you will not be able to do this step, if you haven’t made sure that your Scan Configs have shown up, as indicated in step 2.9.

6. Here is what you should now see:

7. Click on the play button to start the unauthenticated scan.

8. Wait for the status bar to go to 100%. Then you can click on the report link and analyze what you see.

9. Main takeaway from this unauthenticated scan: We do not see the list of the softwares we installed (adobe, VLC and firefox). That is normal. Since the scan is unauthenticated, it is not as detailed and precise as an authenticated scan.

Step 5: Configure your Windows VM to allow for authenticated scans.

1. Log into your windows VM. go to “User Acount Control” and disable it (scroll the blue switch down to “never notify”). Click on “Ok”.

2. Head over to “services.msc”. Look for “remote registry”. Double click it, then change startup type from “disabled” to “automatic”. Click on “apply” and then “start”.

3. Next, we have to set the Registry key. Head over to “Registry Editor”. Follow this path: Navigate to HKEY_LOCAL_MACHINE hive → Open SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key.

4. Create a new DWORD (32-bit) value with the following properties:

Name: LocalAccountTokenFilterPolicy

Value: 1

5. Restart the VM.

Step 6: Configure OpenVAS for Authenticated Scan

1. Go to “Configuration” and “credential”. Create a new credential. Name it: Azure VM Credentials. Allow insecure use. Username and pw= same as what we have for our windows VM. Save it.

2. Next we need to clone our target. This allows us to have the same configurations but this time for a credentialed scan. Click on the little “sheep” icon. Then we rename our Cloned target to: Azure Vulnerable VMs — Credentialed Scan. For “credentials for authenticated checks”, go to SMB and select the Azure VM credentials we created.

Step 7: Execute Credentialed Scan

1. First we head to our tasks, and clone our current task, then rename it. Make sure to select the Azure Vulnerable VM — Credentialed scan for our “Scan Target”.

2. Run the scan again. This one might take a little longer as it will now use the credentials to log in and do a full scan of the windows VM. As you can see, there are a lot more results for vulnerabilities found.

3. The picture below confirms OpenVAS was able to connect to the windows VM with the credentials, using SMB. We also get a lot better details such as the Operating System used in windows, and all the CVE found.

4. For the sake of this lab and simplicity, we will simply remove all the old software we installed to remediate a lot of the vulnerabilities found. Head back to windows VM and uninstall the vulnerable software. Go to control panel, click on programs and then “uninstall a program”.

5. This is what it looks like after removal:

6. Now we run the scan again, and observe the results.

7. As we can observe, there are a lot less vulnerabilities found, and all the ones linked to the software we had installed are gone.

If you’ve made it this far, congratulations! You have performed vulnerability management. I hope this tutorial was useful!

If you have any questions, as always feel free to reach out on linkedin at: https://www.linkedin.com/in/marlontenga/