Home Pentest-Tools.com Logo
Infrastructure Testing

Network Scan OpenVAS

Discover outdated network services, missing security patches, badly configured servers and many more vulnerabilities.

Sign up for a Pro Account to run in-depth scans and detect Log4Shell and a wide range of critical CVEs and other security issues.

Scan type
  • Light scan

Network Scan OpenVAS

About this scanner

The Network Vulnerability Scanner with OpenVAS (Full Scan) is our solution for assessing the network perimeter and for evaluating the external security posture of a company. The scanner offers a highly simplified and easy-to-use interface over OpenVAS, the best open-source network security scanner. It performs an in-depth network vulnerability scan by using more than 57.000 plugins. See the Technical Details below.

The Light version of the scanner is a free and very fast online tool which detects the CVEs that affect the network services of a target system, based on their version (e.g. Apache 2.4.10). The scanner starts by detecting the open ports and services, and then continues by querying a database for known vulnerabilities which may affect the specific software versions. Start a Free Light Scan to see a sample output.


Sample Report

Here is a Network Scan OpenVAS sample report that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Information at a glance

    The report includes a summary of the vulnerabilities found in your network, plus their risk rating and CVSS score.

  • Actionable advice

    Each report provides recommendations and insights on how to remediate the detected security flaws.

  • Sorted by risk rating

    Vulnerabilities are sorted by their risk rating, starting from the highest risk identified. This saves you manual work and time, freeing you up for other tasks.

Network Vulnerability Scan with OpenVAS Report Sample

How to use the pentesting tool

Use Cases for Network Scan OpenVAS

This powerful scanner helps you detect a wide range of vulnerabilities in network services, operating systems, and web servers. This makes it one of the strongest tools in any pentester’s arsenal.

  • Infrastructure Penetration Testing

    The Network Vulnerability Scanner gives you a full picture of the 'low hanging fruit' in your engagement, so you can concentrate on more advanced tests. Having it online and preconfigured makes it very easy to use and saves you invaluable time and effort.

  • Security Self-Assessment

    If you need a thorough infrastructure test, this is the right tool to use. From weak passwords to missing security patches and misconfigured web servers, you can easily detect vulnerabilities like these with our full network vulnerability assessment tool.

  • Third-Party Infrastructure Audit

    If you are an IT services company, you can use this report to prove to your clients that you have implemented proper security measures in the infrastructure you are managing.

Better vulnerability discovery. Faster pentest reporting.

Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.

Pentest-Tools.com Network Vulnerability Scan with OpenVAS Sample Report

Network Scan OpenVAS

Technical Details

What is a Network Vulnerability Scanner?

The network perimeter of a company is the "wall" that secures internal network assets from the outside world. Connecting from outside means accessing internal assets (e.g. a company's website). This way, the network perimeter exposes important network services such as FTP, VPN, DNS, HTTP, and more.

A Network Vulnerability Scanner maps all the services exposed on the network perimeter and checks for potential vulnerabilities.

Details about our scanner

The Light version of our Network Vulnerability Scanner performs a very fast security assessment with minimum interaction with the target system. It starts by running Nmap to detect open ports and services. Then, based on the results returned by Nmap, our network scanner interrogates a database with known vulnerabilities to check if the specific versions of the services are affected by any issues. Although this detection method is faster, it can return false positives because it relies only on the version reported by the services (which may be inaccurate).

The Full version of the Network Vulnerability Scanner uses a mix of custom Sniper modules for high risk vulnerabilities and the well-known OpenVAS (the most advanced open source vulnerability scanner) as a scanning engine. It actively detects thousands of vulnerabilities in network services such as SMTP, DNS, VPN, SSH, RDP, VNC, HTTP, and many more. OpenVAS does vulnerability detection by connecting to each network service and sending crafted packets to make them respond in certain ways. Depending on the response, the scanner reports the service as vulnerable or not.

We have pre-configured and fine-tuned OpenVAS on our servers and have also added a very simple interface on top of its complex functionalities. The engine is running in a distributed environment and it can perform multiple parallel scans.

The Sniper modules are custom vulnerability checks developed by our team. They are added on top of the standard OpenVAS scan in order to provide rapid detection of the most critical vulnerabilities from high-profile software. This is the complete list of Sniper detection modules currently available in our Network Scanner:

Software type
Vuln date
VPN Gateway F5 BIG IP May 2022 -
API Management WSO2 Platform Apr 2022 -
Web Framework Apache Struts Apr 2022 S2-062
Web framework Pivotal Software Spring Framework Mar 2022 -
Library Pivotal Software Spring Cloud Gateway Mar 2022 -
Data store Redis Redis Feb 2022 -
eCommerce Adobe Magento Feb 2022 -
Monitoring solution Zabbix Zabbix Jan 2022 -
Logging library Apache Log4j Dec 2021 Log4Shell
Hypervisor ManageEngine Desktop Central Dec 2021 -
Web Framework Apache Struts Dec 2021 Log4Shell
Webserver Apache Tomcat Dec 2021 Log4Shell
Logging library Apache Log4j Dec 2021 Log4Shell
Enterprise Search Platform Apache Solr Dec 2021 Log4Shell
Enterprise mobility management MobileIron Core Server Dec 2021 Log4Shell
Data Stream Apache Flink Dec 2021 Log4Shell
Virtualization VMware vCenter Server Dec 2021 Log4Shell
Database Apache Druid Dec 2021 Log4Shell
Database Elastic Elasticsearch Dec 2021 Log4Shell
Hypervisor ManageEngine ServiceDesk, SupportCenter Nov 2021 -
Monitoring solution Grafana Labs Nov 2021 -
Webserver Apache Server Oct 2021 -
Webserver Apache Server Oct 2021 -
Webserver Apache Server Oct 2021 -
Webserver Apache Server Oct 2021 -
Webserver Apache Server Sep 2021 -
Azure Cloud Microsoft Open Management Interface (OMI) Sep 2021 OMIGOD
Virtualization VMWare vCenter Server Sep 2021 -
Password Management ManageEngine ADSelfService Plus Sep 2021 -
Email Server Microsoft Exchange Server Sep 2021 -
Email Server Microsoft Exchange Server Aug 2021 ProxyShell
Collaboration Software Atlassian Confluence Aug 2021 -
Monitoring System VisualTools DVR Jul 2021 -
Email Server Microsoft Exchange Server May 2021 ProxyOracle
Virtualization VMware vCenter Server May 2021 -
Virtualization VMware Workspace One Apr 2021 -
Email Server Microsoft Exchange Server Apr 2021 ProxyNotFound
Collaboration Software GitLab Server Apr 2021 -
VPN Gateway F5 BIG IP Mar 2021 -
Email Server Microsoft Exchange Server Mar 2021 ProxyLogon
Email Server Microsoft Exchange Server Mar 2021 ProxyLogon Backdoor Webshells
Wordpress Plugin Webnus Modern Events Calendar Lite Server Mar 2021 -
Cloud Management VMWare vRealize Operations Manager Server Mar 2021 -
Planning System Apache OFBiz Mar 2021 -
Webserver Sebastian Hildebrandt System Information Library for Node.JS Feb 2021 -
Virtualization VMware vCenter Server Feb 2021 -
Webserver Node Red Jan 2021 -
Web Framework Laravel Laravel Jan 2021 -
Web Framework Apache Struts Dec 2020 -
Project management Atlassian Jira Oct 2020 -
Web Framework Oracle Weblogic Oct 2020 -
Web Framework Oracle Weblogic Oct 2020 -
Networking product Netgear Router Oct 2020 -
Monitoring System Micro Focus Operations Bridge Manager Oct 2020 -
Firewall Sophos SG UTM Sep 2020 -
Web Framework Apache Struts Aug 2020 -
Firewall Citrix ADC/Gateway Jul 2020 -
Firewall Citrix ADC/Gateway Jul 2020 -
VPN Gateway Cisco ASA Jul 2020 -
VPN Gateway Cisco ASA Jul 2020 -
VPN Gateway F5 BIG IP Jun 2020 -
Webserver Apache Tomcat Feb 2020 Ghostcat
Logging library Apache Log4j Dec 2019 -
Firewall Citrix ADC Dec 2019 -
Email service Exim Exim Jul 2019 -
VPN Gateway Fortinet FortiGateway SSL VPN May 2019 -
VPN Gateway Pulse Connect Secure May 2019 -
Web Server Adobe Coldfusion Sep 2018 -
Web Framework Apache Struts Aug 2018 -
Web Server Oracle Weblogic Jul 2018 -
CMS Drupal Drupal Mar 2018 Drupalgeddon2
Webserver Apache Tomcat Oct 2017 -
Web Framework Apache Struts Sep 2017 -
Web Framework Apache Struts Jul 2017 S2-048
Operating System Microsoft Windows Mar 2017 EternalBlue
Utility GNU Project Bash Sep 2014 Shellshock

How the OpenVAS scanner works

OpenVAS is a fork of the old Nessus scanner, performed in 2005 when Nessus became a commercial product. OpenVAS is currently developed and maintained by Greenbone Networks with support from the community.

OpenVAS implements each test in a plugin called NVT (Network Vulnerability Test). It has more than 57000 active plugins to detect a large number of vulnerabilities for many services and applications.

For example, here is how a simple NVT looks like. It's called fortigate_detect.nasl and shows if the target device is a Fortigate Firewall:

#  This script was written by David Maciejak
#  This script is released under the GNU GPL v2

  script_name("Fortinet Fortigate console management detection");

# The script code starts here

function https_get(port, request)

    soc = open_sock_tcp(port, transport:ENCAPS_SSLv23);
      send(socket:soc, data:string(request,"\r\n"));
      result = http_recv(socket:soc);

port = 443;

  req1 = http_get(item:"/system/console?version=1.5", port:port);
  req = https_get(request:req1, port:port);
  #<title>Fortigate Console Access</title>

  if("Fortigate Console Access" >< req)

OpenVAS Scanning Policy

While OpenVAS has multiple predefined policies, our scanner uses the one called Full and Fast. This one includes most of the NVTs and is updated to use the data collected by the previous plugins. For example, if a previous plugin detects the FTP service running on port 2121, it will run all the FTP-related plugins on that port. Otherwise, it won't.

Open Ports Detection

We've configured OpenVAS to scan for a default list of ports including the most common 6000 ports (TCP and UDP). However, keep in mind that the scanner first attempts to detect if the host is alive or not before doing the port scan. If the host is not alive (e.g. does not respond to ICMP requests) it shows zero open ports found.

Note: If the scanner does not find any open ports even though you know there are, we recommend you re-running the scan with the option "Check if the host is alive" disabled. This will skip host discovery and just start the port scan.

How long does an OpenVAS scan take?

Since the OpenVAS scanner performs a considerable number of tests, the full scan can take from 30 minutes to several hours. It mostly depends on the number of open ports found on the target host. If the number is bigger, the scanning time increases because OpenVAS runs a higher number of NVTs.