Network Scan OpenVAS

Discover outdated network services, missing security patches, badly configured servers and many more vulnerabilities.

About this scanner

The Network Vulnerability Scanner with OpenVAS (Full Scan) is our solution for assessing the network perimeter and for evaluating the external security posture of a company. The scanner offers a highly simplified and easy-to-use interface over OpenVAS, the best open-source network security scanner. It performs an in-depth network vulnerability scan by using more than 57,000 plugins. See the Technical Details below.

The Light version of the scanner is a free and very fast online tool which detects the CVEs that affect the network services of a target system, based on their version (e.g. Apache 2.4.10). The scanner starts by detecting the open ports and services, and then continues by querying a database for known vulnerabilities which may affect the specific software versions. Start a Free Light Scan to see a sample output.

Reporting

Sample Report

Here is a Network Scan OpenVAS sample report that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Information at a glance

    The report includes a summary of the vulnerabilities found in your network, plus their risk rating and CVSS score.

  • Actionable advice

    Each report provides recommendations and insights on how to remediate the detected security flaws.

  • Sorted by risk rating

    Vulnerabilities are sorted by their risk rating, starting from the highest risk identified. This saves you manual work and time, freeing you up for other tasks.

How to use the pentesting tool

Use Cases for Network Scan OpenVAS

This powerful scanner helps you detect a wide range of vulnerabilities in network services, operating systems, and web servers. This makes it one of the strongest tools in any pentester’s arsenal.

  • Infrastructure Penetration Testing

    The Network Vulnerability Scanner gives you a full picture of the 'low hanging fruit' in your engagement, so you can concentrate on more advanced tests. Having it online and preconfigured makes it very easy to use and saves you invaluable time and effort.

  • Security Self-Assessment

    If you need a thorough infrastructure test, this is the right tool to use. From weak passwords to missing security patches and misconfigured web servers, you can easily detect vulnerabilities like these with our full network vulnerability assessment tool.

  • Third-Party Infrastructure Audit

    If you are an IT services company, you can use this report to prove to your clients that you have implemented proper security measures in the infrastructure you are managing.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Technical Details

What is a Network Vulnerability Scanner?

The network perimeter of a company is the "wall" that secures internal network assets from the outside world. Connecting from outside means accessing internal assets (e.g. a company's website). This way, the network perimeter exposes important network services such as FTP, VPN, DNS, HTTP, and more.

A Network Vulnerability Scanner maps all the services exposed on the network perimeter and checks for potential vulnerabilities.


Details about our scanner

The Light version of our Network Vulnerability Scanner performs a very fast security assessment with minimum interaction with the target system. It starts by running Nmap to detect open ports and services. Then, based on the results returned by Nmap, our network scanner queries a database of known vulnerabilities to check whether the specific versions of the services are affected by any issues. Although this detection method is faster, it can return false positives because it relies only on the version reported by the services (which may be inaccurate).
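The version-matching step described above can be sketched as follows. This is an added example, not the scanner's own code: the Nmap XML, the two-entry vulnerability table and the names `vtuple` and `light_scan` are constructed for illustration, and the affected version ranges are those published for the two Apache CVEs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed Nmap -sV XML output, trimmed to the fields used here.
NMAP_XML = """<nmaprun>
 <host><address addr="192.0.2.10"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/>
   <service name="http" product="Apache httpd" version="2.4.49"/></port>
  <port protocol="tcp" portid="8080"><state state="open"/>
   <service name="http" product="Apache httpd" version="2.4.51"/></port>
  <port protocol="tcp" portid="443"><state state="open"/>
   <service name="https" product="Apache httpd"/></port>
  <port protocol="tcp" portid="22"><state state="closed"/>
   <service name="ssh" product="OpenSSH" version="7.4"/></port>
 </ports></host></nmaprun>"""

# Constructed stand-in for the vulnerability database:
# (product, first affected version, last affected version, CVE).
VULN_DB = [
    ("Apache httpd", "2.4.49", "2.4.49", "CVE-2021-41773"),
    ("Apache httpd", "2.4.49", "2.4.50", "CVE-2021-42013"),
]

def vtuple(version):
    """'2.4.49' -> (2, 4, 49); returns None when no version is reported."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(n) for n in m.group().split(".")) if m else None

def light_scan(nmap_xml, db=VULN_DB):
    """Match reported versions of open services against the database."""
    findings, unknown = [], []
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            where = f"{addr}:{port.get('portid')}"
            ver = vtuple(svc.get("version", "")) if svc is not None else None
            if ver is None:
                unknown.append(where)  # no version in banner: cannot match
                continue
            for product, lo, hi, cve in db:
                if svc.get("product") == product and vtuple(lo) <= ver <= vtuple(hi):
                    findings.append((where, cve, "unverified: banner version only"))
    return findings, unknown

if __name__ == "__main__":
    print(light_scan(NMAP_XML))
```

Every finding is tagged as unverified because the match rests on the reported version string alone, and a service that hides its version lands in the second list rather than being reported as clean.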

The Full version of the Network Vulnerability Scanner uses a mix of custom Sniper modules for high risk vulnerabilities and the well-known OpenVAS (the most advanced open source vulnerability scanner) as a scanning engine. It actively detects thousands of vulnerabilities in network services such as SMTP, DNS, VPN, SSH, RDP, VNC, HTTP, and many more. OpenVAS does vulnerability detection by connecting to each network service and sending crafted packets to make them respond in certain ways. Depending on the response, the scanner reports the service as vulnerable or not.

We have pre-configured and fine-tuned OpenVAS on our servers and have also added a very simple interface on top of its complex functionalities. The engine is running in a distributed environment and it can perform multiple parallel scans.

The Sniper modules are custom vulnerability checks developed by our team. They are added on top of the standard OpenVAS scan in order to provide rapid detection of the most critical vulnerabilities from high-profile software. This is the complete list of Sniper detection modules currently available in our Network Scanner:

| Software type | Vendor | Product | CVE | Vuln date | Codename |
|---|---|---|---|---|---|
| Monitoring System | VisualTools | DVR | CVE-2021-42071 | Oct 2021 | - |
| Web Server | Apache | Server | CVE-2021-42013 | Oct 2021 | - |
| Web Server | Apache | Server | CVE-2021-41773 | Oct 2021 | - |
| Asset Management | ManageEngine | ADSelfService | CVE-2021-40539 | Sep 2021 | - |
| Azure Cloud | Microsoft | Open Management Interface (OMI) | CVE-2021-38647 | Sep 2021 | OMIGOD |
| Email server | Microsoft | Exchange Server | CVE-2021-34473 | Aug 2021 | ProxyShell |
| Email server | Microsoft | Exchange Server | CVE-2021-31195 | Aug 2021 | ProxyOracle |
| Collaboration Software | Atlassian | Confluence | CVE-2021-26084 | Aug 2021 | - |
| Email server | Microsoft | Exchange Server | CVE-2021-28480 | May 2021 | ProxyNotFound |
| Virtualization | VMware | vCenter Server | CVE-2021-21985 | May 2021 | - |
| Collaboration Software | GitLab | Server | CVE-2021-22205 | Apr 2021 | - |
| VPN Gateway | F5 | BIG IP | CVE-2021-22986 | Mar 2021 | - |
| Email server | Microsoft | Exchange Server | CVE-2021-26855 | Mar 2021 | ProxyLogon |
| Email server | Microsoft | Exchange Server | CVE-2021-26855 | Mar 2021 | ProxyLogon backdoor webshells |
| Web Server | Sebastian Hildebrandt | System Information Library for Node.JS | CVE-2021-21315 | Feb 2021 | - |
| Virtualization | VMware | vCenter Server | CVE-2021-21972 | Feb 2021 | - |
| Web server | NodeRed | | CVE-2021-3223 | Jan 2021 | - |
| Virtualization | VMWare | vRealize Operations Manager | CVE-2021-21975 | Jan 2021 | - |
| Content Management System | Wordpress | Modern Events Calendar Lite | CVE-2021-24146 | Jan 2021 | - |
| Web Framework | Apache | Struts | CVE-2020-17530 | Dec 2020 | - |
| Asset Management | MicroFocus | UCMDB Configuration Manager | CVE-2020-11853 | Oct 2020 | - |
| Firewall | Sophos | SG Unified Threat Management | CVE-2020-25223 | Sep 2020 | - |
| Firewall | Citrix | ADC/Gateway | CVE-2020-8194 | Jul 2020 | - |
| Firewall | Citrix | ADC/Gateway | CVE-2020-8193 | Jul 2020 | - |
| VPN Gateway | Cisco | ASA | CVE-2020-3452 | Jul 2020 | - |
| VPN Gateway | F5 | BIG IP | CVE-2020-5902 | Jun 2020 | - |
| VPN Gateway | Cisco | ASA | CVE-2020-3187 | May 2020 | - |
| Web server | Apache | Tomcat | CVE-2020-1938 | Feb 2020 | Ghostcat |
| Firewall | Citrix | ADC | CVE-2019-19781 | Dec 2019 | - |
| VPN Gateway | Pulse | Connect Secure | CVE-2019-11510 | May 2019 | - |
| VPN Gateway | Fortinet | FortiGateway SSL VPN | CVE-2018-13379 | May 2019 | - |
| Web Framework | Apache | Struts | CVE-2017-9791 | Jul 2017 | S2-048 |
| Utility | GNU Project | Bash | CVE-2014-6271 | Sep 2014 | Shellshock |

How the OpenVAS scanner works

OpenVAS is a fork of the old Nessus scanner, created in 2005 when Nessus became a commercial product. OpenVAS is currently developed and maintained by Greenbone Networks with support from the community.

OpenVAS implements each test in a plugin called an NVT (Network Vulnerability Test). It has more than 57,000 active plugins to detect a large number of vulnerabilities for many services and applications.

For example, here is what a simple NVT looks like. It's called fortigate_detect.nasl and shows whether the target device is a Fortigate Firewall:

#
#  This script was written by David Maciejak
#  This script is released under the GNU GPL v2
#

if(description)
{
  script_id(17367);
  script_name("Fortinet Fortigate console management detection");
  script_family("General");
  script_dependencies("http_version.nasl");
  script_require_ports(443);
  exit(0);
}

#
# The script code starts here
#
include("http_func.inc");

function https_get(port, request)
{
  if(get_port_state(port))
  {

    soc = open_sock_tcp(port, transport:ENCAPS_SSLv23);
    if(soc)
    {
      send(socket:soc, data:string(request,"\r\n"));
      result = http_recv(socket:soc);
      close(soc);
      return(result);
    }
  }
}

port = 443;

if(get_port_state(port))
{
  req1 = http_get(item:"/system/console?version=1.5", port:port);
  req = https_get(request:req1, port:port);
  #<title>Fortigate Console Access</title>

  if("Fortigate Console Access" >< req)
  {
    security_note(port);
  }
}

OpenVAS Scanning Policy

While OpenVAS has multiple predefined policies, our scanner uses the one called Full and Fast. This policy includes most of the NVTs and uses the data collected by earlier plugins to decide which later ones to run. For example, if a previous plugin detects the FTP service running on port 2121, the scanner runs all the FTP-related plugins on that port. Otherwise, it doesn't.
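A simplified model of that behaviour, as an added example that is not OpenVAS's scheduler or the scanner's own code: plugins declare dependencies and a required knowledge-base entry, much as the NVT above declares `script_dependencies` and `script_require_ports`. The plugin names, the key names and the `run_policy` function are hypothetical.

```python
def find_services(kb, _port):
    # Constructed scan result: FTP answers on a non-standard port.
    kb["Services/ftp"] = 2121
    kb["Services/www"] = 443

def service_check(kb, port):
    # Stand-in for a real test: record which port was examined.
    kb.setdefault("checked_ports", []).append(port)

# name -> (dependencies, required knowledge-base key or None, run function)
# Listed with the service mapper last to show that order comes from the
# declared dependencies, not from the position in the table.
PLUGINS = {
    "ftp_anonymous": (["find_services"], "Services/ftp", service_check),
    "smtp_relay":    (["find_services"], "Services/smtp", service_check),
    "https_console": (["find_services"], "Services/www", service_check),
    "find_services": ([], None, find_services),
}

def run_policy(plugins):
    """Run each plugin once, dependencies first, skipping plugins whose
    required knowledge-base entry was never written by an earlier plugin."""
    kb, log, done = {}, [], set()

    def visit(name):
        if name in done:
            return
        done.add(name)  # marked before recursion, so cycles terminate
        deps, key, run = plugins[name]
        for dep in deps:
            visit(dep)
        if key is not None and key not in kb:
            log.append((name, "skipped", None))
            return
        port = kb[key] if key is not None else None
        run(kb, port)
        log.append((name, "ran", port))

    for name in plugins:
        visit(name)
    return kb, log

if __name__ == "__main__":
    for entry in run_policy(PLUGINS)[1]:
        print(entry)
```

The FTP check runs against port 2121 because an earlier plugin recorded it there, while the SMTP check is skipped since no SMTP service was ever recorded.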


Open Ports Detection

We've configured OpenVAS to scan for a default list of ports including the most common 6000 ports (TCP and UDP). However, keep in mind that the scanner first attempts to detect if the host is alive or not before doing the port scan. If the host is not alive (e.g. does not respond to ICMP requests), it shows zero open ports found.

Note: If the scanner does not find any open ports even though you know there are some, we recommend re-running the scan with the option "Check if the host is alive" disabled. This will skip host discovery and just start the port scan.


How long does an OpenVAS scan take?

Since the OpenVAS scanner performs a considerable number of tests, the full scan can take from 30 minutes to several hours. It mostly depends on the number of open ports found on the target host: the more open ports there are, the longer the scan takes, because OpenVAS runs a higher number of NVTs.