Network Scan OpenVAS
Technical Details
What is a Network Vulnerability Scanner?
The network perimeter of a company is the "wall" that secures internal network assets from the outside world. Connecting from outside means accessing internal assets (e.g. a company's website). This way, the network perimeter exposes important network services such as FTP, VPN, DNS, HTTP, and more.
A Network Vulnerability Scanner maps all the services exposed on the network perimeter and checks for potential vulnerabilities.
Details about our scanner
The Light version of our Network Vulnerability Scanner performs a very fast security assessment with minimum interaction with the target system. It starts by running Nmap to detect open ports and services. Then, based on the results returned by Nmap, our network scanner interrogates a database with known vulnerabilities to check if the specific versions of the services are affected by any issues. Although this detection method is faster, it can return false positives because it relies only on the version reported by the services (which may be inaccurate).
The Full version of the Network Vulnerability Scanner uses a mix of custom Sniper modules for high risk vulnerabilities and the well-known OpenVAS (the most advanced open source vulnerability scanner) as a scanning engine. It actively detects thousands of vulnerabilities in network services such as SMTP, DNS, VPN, SSH, RDP, VNC, HTTP, and many more. OpenVAS does vulnerability detection by connecting to each network service and sending crafted packets to make them respond in certain ways. Depending on the response, the scanner reports the service as vulnerable or not.
We have pre-configured and fine-tuned OpenVAS on our servers and have also added a very simple interface on top of its complex functionalities. The engine is running in a distributed environment and it can perform multiple parallel scans.
The Sniper modules are custom vulnerability checks developed by our team. They are added on top of the standard OpenVAS scan in order to provide rapid detection of the most critical vulnerabilities from high-profile software. This is the complete list of Sniper detection modules currently available in our Network Scanner:
Software type | Vendor | Product | CVE | Vuln date | Codename |
|---|---|---|---|---|---|
| VPN Gateway | F5 | BIG IP | May 2022 | - | |
| API Management | WSO2 | Platform | Apr 2022 | - | |
| Web Framework | Apache | Struts | Apr 2022 | S2-062 | |
| Web framework | Pivotal Software | Spring Framework | Mar 2022 | - | |
| Library | Pivotal Software | Spring Cloud Gateway | Mar 2022 | - | |
| Data store | Redis | Redis | Feb 2022 | - | |
| eCommerce | Adobe | Magento | Feb 2022 | - | |
| Monitoring solution | Zabbix | Zabbix | Jan 2022 | - | |
| Logging library | Apache | Log4j | Dec 2021 | Log4Shell | |
| Hypervisor | ManageEngine | Desktop Central | Dec 2021 | - | |
| Web Framework | Apache | Struts | Dec 2021 | Log4Shell | |
| Webserver | Apache | Tomcat | Dec 2021 | Log4Shell | |
| Logging library | Apache | Log4j | Dec 2021 | Log4Shell | |
| Enterprise Search Platform | Apache | Solr | Dec 2021 | Log4Shell | |
| Enterprise mobility management | MobileIron | Core Server | Dec 2021 | Log4Shell | |
| Data Stream | Apache | Flink | Dec 2021 | Log4Shell | |
| Virtualization | VMware | vCenter Server | Dec 2021 | Log4Shell | |
| Database | Apache | Druid | Dec 2021 | Log4Shell | |
| Database | Elastic | Elasticsearch | Dec 2021 | Log4Shell | |
| Hypervisor | ManageEngine | ServiceDesk, SupportCenter | Nov 2021 | - | |
| Monitoring solution | Grafana | Labs | Nov 2021 | - | |
| Webserver | Apache | Server | Oct 2021 | - | |
| Webserver | Apache | Server | Oct 2021 | - | |
| Webserver | Apache | Server | Oct 2021 | - | |
| Webserver | Apache | Server | Oct 2021 | - | |
| Webserver | Apache | Server | Sep 2021 | - | |
| Azure Cloud | Microsoft | Open Management Interface (OMI) | Sep 2021 | OMIGOD | |
| Virtualization | VMWare | vCenter Server | Sep 2021 | - | |
| Password Management | ManageEngine | ADSelfService Plus | Sep 2021 | - | |
| Email Server | Microsoft | Exchange Server | Sep 2021 | - | |
| Email Server | Microsoft | Exchange Server | Aug 2021 | ProxyShell | |
| Collaboration Software | Atlassian | Confluence | Aug 2021 | - | |
| Monitoring System | VisualTools | DVR | Jul 2021 | - | |
| Email Server | Microsoft | Exchange Server | May 2021 | ProxyOracle | |
| Virtualization | VMware | vCenter Server | May 2021 | - | |
| Virtualization | VMware | Workspace One | Apr 2021 | - | |
| Email Server | Microsoft | Exchange Server | Apr 2021 | ProxyNotFound | |
| Collaboration Software | GitLab | Server | Apr 2021 | - | |
| VPN Gateway | F5 | BIG IP | Mar 2021 | - | |
| Email Server | Microsoft | Exchange Server | Mar 2021 | ProxyLogon | |
| Email Server | Microsoft | Exchange Server | Mar 2021 | ProxyLogon Backdoor Webshells | |
| Wordpress Plugin | Webnus | Modern Events Calendar Lite Server | Mar 2021 | - | |
| Cloud Management | VMWare | vRealize Operations Manager Server | Mar 2021 | - | |
| Planning System | Apache | OFBiz | Mar 2021 | - | |
| Webserver | Sebastian Hildebrandt | System Information Library for Node.JS | Feb 2021 | - | |
| Virtualization | VMware | vCenter Server | Feb 2021 | - | |
| Webserver | Node | Red | Jan 2021 | - | |
| Web Framework | Laravel | Laravel | Jan 2021 | - | |
| Web Framework | Apache | Struts | Dec 2020 | - | |
| Project management | Atlassian | Jira | Oct 2020 | - | |
| Web Framework | Oracle | Weblogic | Oct 2020 | - | |
| Web Framework | Oracle | Weblogic | Oct 2020 | - | |
| Networking product | Netgear | Router | Oct 2020 | - | |
| Monitoring System | Micro Focus | Operations Bridge Manager | Oct 2020 | - | |
| Firewall | Sophos | SG UTM | Sep 2020 | - | |
| Web Framework | Apache | Struts | Aug 2020 | - | |
| Firewall | Citrix | ADC/Gateway | Jul 2020 | - | |
| Firewall | Citrix | ADC/Gateway | Jul 2020 | - | |
| VPN Gateway | Cisco | ASA | Jul 2020 | - | |
| VPN Gateway | Cisco | ASA | Jul 2020 | - | |
| VPN Gateway | F5 | BIG IP | Jun 2020 | - | |
| Webserver | Apache | Tomcat | Feb 2020 | Ghostcat | |
| Logging library | Apache | Log4j | Dec 2019 | - | |
| Firewall | Citrix | ADC | Dec 2019 | - | |
| Email service | Exim | Exim | Jul 2019 | - | |
| VPN Gateway | Fortinet | FortiGateway SSL VPN | May 2019 | - | |
| VPN Gateway | Pulse | Connect Secure | May 2019 | - | |
| Web Server | Adobe | Coldfusion | Sep 2018 | - | |
| Web Framework | Apache | Struts | Aug 2018 | - | |
| Web Server | Oracle | Weblogic | Jul 2018 | - | |
| CMS | Drupal | Drupal | Mar 2018 | Drupalgeddon2 | |
| Webserver | Apache | Tomcat | Oct 2017 | - | |
| Web Framework | Apache | Struts | Sep 2017 | - | |
| Web Framework | Apache | Struts | Jul 2017 | S2-048 | |
| Operating System | Microsoft | Windows | Mar 2017 | EternalBlue | |
| Utility | GNU Project | Bash | Sep 2014 | Shellshock |
How the OpenVAS scanner works
OpenVAS is a fork of the old Nessus scanner, performed in 2005 when Nessus became a commercial product. OpenVAS is currently developed and maintained by Greenbone Networks with support from the community.
OpenVAS implements each test in a plugin called NVT (Network Vulnerability Test). It has more than 57000 active plugins to detect a large number of vulnerabilities for many services and applications.
For example, here is how a simple NVT looks like. It's called fortigate_detect.nasl and shows if the target device is a Fortigate Firewall:
#
# This script was written by David Maciejak
# This script is released under the GNU GPL v2
#
if(description)
{
script_id(17367);
script_name("Fortinet Fortigate console management detection");
script_family("General");
script_dependencies("http_version.nasl");
script_require_ports(443);
exit(0);
}
#
# The script code starts here
#
include("http_func.inc");
function https_get(port, request)
{
if(get_port_state(port))
{
soc = open_sock_tcp(port, transport:ENCAPS_SSLv23);
if(soc)
{
send(socket:soc, data:string(request,"\r\n"));
result = http_recv(socket:soc);
close(soc);
return(result);
}
}
}
port = 443;
if(get_port_state(port))
{
req1 = http_get(item:"/system/console?version=1.5", port:port);
req = https_get(request:req1, port:port);
#<title>Fortigate Console Access</title>
if("Fortigate Console Access" >< req)
{
security_note(port);
}
}
OpenVAS Scanning Policy
While OpenVAS has multiple predefined policies, our scanner uses the one called Full and Fast. This one includes most of the NVTs and is updated to use the data collected by the previous plugins. For example, if a previous plugin detects the FTP service running on port 2121, it will run all the FTP-related plugins on that port. Otherwise, it won't.
Open Ports Detection
We've configured OpenVAS to scan for a default list of ports including the most common 6000 ports (TCP and UDP). However, keep in mind that the scanner first attempts to detect if the host is alive or not before doing the port scan. If the host is not alive (e.g. does not respond to ICMP requests) it shows zero open ports found.
Note: If the scanner does not find any open ports even though you know there are, we recommend you re-running the scan with the option "Check if the host is alive" disabled. This will skip host discovery and just start the port scan.
How long does an OpenVAS scan take?
Since the OpenVAS scanner performs a considerable number of tests, the full scan can take from 30 minutes to several hours. It mostly depends on the number of open ports found on the target host. If the number is bigger, the scanning time increases because OpenVAS runs a higher number of NVTs.