Network Scan OpenVAS
Technical Details
What is a Network Vulnerability Scanner?
The network perimeter of a company is the "wall" that secures internal network assets from the outside world. Connecting from outside means accessing internal assets (e.g. a company's website). This way, the network perimeter exposes important network services such as FTP, VPN, DNS, HTTP, and more.
A Network Vulnerability Scanner maps all the services exposed on the network perimeter and checks for potential vulnerabilities.
Details about our scanner
The Light version of our Network Vulnerability Scanner performs a very fast security assessment with minimum interaction with the target system. It starts by running Nmap to detect open ports and services. Then, based on the results returned by Nmap, our network scanner interrogates a database with known vulnerabilities to check if the specific versions of the services are affected by any issues. Although this detection method is faster, it can return false positives because it relies only on the version reported by the services (which may be inaccurate).
The Full version of the Network Vulnerability Scanner uses a mix of custom Sniper modules for high risk vulnerabilities and the well-known OpenVAS (the most advanced open source vulnerability scanner) as a scanning engine. It actively detects thousands of vulnerabilities in network services such as SMTP, DNS, VPN, SSH, RDP, VNC, HTTP, and many more. OpenVAS does vulnerability detection by connecting to each network service and sending crafted packets to make them respond in certain ways. Depending on the response, the scanner reports the service as vulnerable or not.
We have pre-configured and fine-tuned OpenVAS on our servers and have also added a very simple interface on top of its complex functionalities. The engine is running in a distributed environment and it can perform multiple parallel scans.
The Sniper modules are custom vulnerability checks developed by our team. They are added on top of the standard OpenVAS scan in order to provide rapid detection of the most critical vulnerabilities from high-profile software. This is the complete list of Sniper detection modules currently available in our Network Scanner:
| Software type | Vendor | Product | CVE | Vuln date | Codename |
|---|---|---|---|---|---|
| Monitoring System | VisualTools | DVR | CVE-2021-42071 | Oct 2021 | - |
| Web Server | Apache | Server | CVE-2021-42013 | Oct 2021 | - |
| Web Server | Apache | Server | CVE-2021-41773 | Oct 2021 | - |
| Asset Management | ManageEngine | ADSelfService | CVE-2021-40539 | Sep 2021 | - |
| Azure Cloud | Microsoft | Open Management Interface (OMI) | CVE-2021-38647 | Sep 2021 | OMIGOD |
| Email server | Microsoft | Exchange Server | CVE-2021-34473 | Aug 2021 | ProxyShell |
| Email server | Microsoft | Exchange Server | CVE-2021-31195 | Aug 2021 | ProxyOracle |
| Collaboration Software | Atlassian | Confluence | CVE-2021-26084 | Aug 2021 | - |
| Email server | Microsoft | Exchange Server | CVE-2021-28480 | May 2021 | ProxyNotFound |
| Virtualization | VMware | vCenter Server | CVE-2021-21985 | May 2021 | - |
| Collaboration Software | GitLab | Server | CVE-2021-22205 | Apr 2021 | - |
| VPN Gateway | F5 | BIG IP | CVE-2021-22986 | Mar 2021 | - |
| Email server | Microsoft | Exchange Server | CVE-2021-26855 | Mar 2021 | ProxyLogon |
| Email server | Microsoft | Exchange Server | CVE-2021-26855 | Mar 2021 | ProxyLogon backdoor webshells |
| Web Server | Sebastian Hildebrandt | System Information Library for Node.JS | CVE-2021-21315 | Feb 2021 | - |
| Virtualization | VMware | vCenter Server | CVE-2021-21972 | Feb 2021 | - |
| Web server | Node | Red | CVE-2021-3223 | Jan 2021 | - |
| Virtualization | VMWare | vRealize Operations Manager | CVE-2021-21975 | Jan 2021 | - |
| Content Management System | Wordpress | Modern Events Calendar Lite | CVE-2021-24146 | Jan 2021 | - |
| Web Framework | Apache | Struts | CVE-2020-17530 | Dec 2020 | - |
| Asset Management | MicroFocus | UCMDB Configuration Manager | CVE-2020-11853 | Oct 2020 | - |
| Firewall | Sophos | SG Unified Threat Management | CVE-2020-25223 | Sep 2020 | - |
| Firewall | Citrix | ADC/Gateway | CVE-2020-8194 | Jul 2020 | - |
| Firewall | Citrix | ADC/Gateway | CVE-2020-8193 | Jul 2020 | - |
| VPN Gateway | Cisco | ASA | CVE-2020-3452 | Jul 2020 | - |
| VPN Gateway | F5 | BIG IP | CVE-2020-5902 | Jun 2020 | - |
| VPN Gateway | Cisco | ASA | CVE-2020-3187 | May 2020 | - |
| Web server | Apache | Tomcat | CVE-2020-1938 | Feb 2020 | Ghostcat |
| Firewall | Citrix | ADC | CVE-2019-19781 | Dec 2019 | - |
| VPN Gateway | Pulse | Connect Secure | CVE-2019-11510 | May 2019 | - |
| VPN Gateway | Fortinet | FortiGateway SSL VPN | CVE-2018-13379 | May 2019 | - |
| Web Framework | Apache | Struts | CVE-2017-9791 | Jul 2017 | S2-048 |
| Utility | GNU Project | Bash | CVE-2014-6271 | Sep 2014 | Shellshock |
How the OpenVAS scanner works
OpenVAS is a fork of the old Nessus scanner, performed in 2005 when Nessus became a commercial product. OpenVAS is currently developed and maintained by Greenbone Networks with support from the community.
OpenVAS implements each test in a plugin called NVT (Network Vulnerability Test). It has more than 57000 active plugins to detect a large number of vulnerabilities for many services and applications.
For example, here is how a simple NVT looks like. It's called fortigate_detect.nasl and shows if the target device is a Fortigate Firewall:
#
# This script was written by David Maciejak
# This script is released under the GNU GPL v2
#
if(description)
{
script_id(17367);
script_name("Fortinet Fortigate console management detection");
script_family("General");
script_dependencies("http_version.nasl");
script_require_ports(443);
exit(0);
}
#
# The script code starts here
#
include("http_func.inc");
function https_get(port, request)
{
if(get_port_state(port))
{
soc = open_sock_tcp(port, transport:ENCAPS_SSLv23);
if(soc)
{
send(socket:soc, data:string(request,"\r\n"));
result = http_recv(socket:soc);
close(soc);
return(result);
}
}
}
port = 443;
if(get_port_state(port))
{
req1 = http_get(item:"/system/console?version=1.5", port:port);
req = https_get(request:req1, port:port);
#<title>Fortigate Console Access</title>
if("Fortigate Console Access" >< req)
{
security_note(port);
}
}
OpenVAS Scanning Policy
While OpenVAS has multiple predefined policies, our scanner uses the one called Full and Fast. This one includes most of the NVTs and is updated to use the data collected by the previous plugins. For example, if a previous plugin detects the FTP service running on port 2121, it will run all the FTP-related plugins on that port. Otherwise, it won't.
Open Ports Detection
We've configured OpenVAS to scan for a default list of ports including the most common 6000 ports (TCP and UDP). However, keep in mind that the scanner first attempts to detect if the host is alive or not before doing the port scan. If the host is not alive (e.g. does not respond to ICMP requests) it shows zero open ports found.
Note: If the scanner does not find any open ports even though you know there are, we recommend you re-running the scan with the option "Check if the host is alive" disabled. This will skip host discovery and just start the port scan.
How long does an OpenVAS scan take?
Since the OpenVAS scanner performs a considerable number of tests, the full scan can take from 30 minutes to several hours. It mostly depends on the number of open ports found on the target host. If the number is bigger, the scanning time increases because OpenVAS runs a higher number of NVTs.