How to Use OpenVAS in Metasploit- OpenVAS & Metasploit Integration
Metasploit includes an OpenVAS module, which allow you to interact with an OpenVAS server to create targets, run scans, download reports, and import reports. Recently I had the opportunity to make some updates to the module and wanted to write a blog post to document how to use it. This blog post does not cover how to setup an OpenVAS server but you can find that info here and here.
To use the OpenVAS integration you need to load the openvas module within msfconsole. Do this by running the command load openvas
. The updates to the openvas module were accepted in revision 13851, so you may need to use msfupdate
to get the updated modules.After the module is loaded, the work flow is very basic. Start by connecting to the server using the command
openvas_connect
. If you connect to a host other than localhost or 127.0.0.1, then you will need to pass an additional paramater of “ok” to the command. If you forget the “ok” parameter you will be warned that there is no SSL support and your interaction with the server is not secure. Also, you need to use the port for the OpenVAS manager server, openvasmd, which defaults to 9390.msf > openvas_connect sbh sbh 127.0.0.1 9390
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username sbh...
[+] OpenVAS connection successful
Next, create a target to scan using the command openvas_target_create
. If you want spaces in the name or comment then make sure you place quotations around them.msf > openvas_target_create "Local Machine" 192.168.70.128 "My Local Machine"
[*] OK, resource created: db1175ac-b40b-4b13-9a80-24b68c2c6b40
[+] OpenVAS list of targets
ID Name Hosts Max Hosts In Use Comment
-- ---- ----- --------- ------ -------
0 Localhost localhost 1 1
1 Local Machine 192.168.70.128 1 0 My Local Machine
Next, create a task by specifying a target and a configuration. Use the command openvas_config_list
to get a list of configurations and the command openvas_target_list
to get a list of targets.msf > openvas_config_list
[+] OpenVAS list of configs
ID Name
-- ----
0 Full and fast
1 Full and fast ultimate
2 Full and very deep
3 Full and very deep ultimate
4 empty
msf > openvas_task_create "Local Scan" "Scan My Local Machine" 0 1
[*] OK, resource created: 483c6f03-6490-4de2-bd81-c1c5b217d950
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
0 Local Scan Scan My Local Machine New -1
Next, start the task with openvas_task_start
and watch the progress using openvas_task_list
.msf > openvas_task_start 0
[*] OK, request submitted
msf > openvas_task_list
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
0 Local Scan Scan My Local Machine Running 2
msf > openvas_task_list
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
0 Local Scan Scan My Local Machine Running 98
msf > openvas_task_list
[+] OpenVAS list of tasks
ID Name Comment Status Progress
-- ---- ------- ------ --------
0 Local Scan Scan My Local Machine Done -1
Once the scan is finished, the progress is -1, list the available reports using openvas_report_list
.msf > openvas_report_list
[+] OpenVAS list of reports
ID Task Name Start Time Stop Time
-- --------- ---------- ---------
0 Example task Tue Aug 25 21:48:25 2009 Tue Aug 25 21:52:16 2009
1 testtask Fri Sep 16 14:21:31 2011 Fri Sep 16 14:23:09 2011
2 Local Scan Fri Oct 7 22:52:46 2011 Fri Oct 7 23:04:48 2011
Next, you can download (openvas_report_dowload
) or import (openvas_report_import
) the report. You must specify the report format with either command. You can get a list of formats using openvas_format_list
. When importing a report you must use the NBE format. Also note, that when trying to download an ITG or PDF report my OpenVAS server returns an empty report, YMMV.msf > openvas_format_list
[+] OpenVAS list of report formats
ID Name Extension Summary
-- ---- --------- -------
0 CPE csv Common Product Enumeration CSV table.
1 HTML html Single page HTML report.
2 ITG csv German "IT-Grundschutz-Kataloge" report.
3 LaTeX tex LaTeX source file.
4 NBE nbe Legacy OpenVAS report.
5 PDF pdf Portable Document Format report.
6 TXT txt Plain text report.
7 XML xml Raw XML report.
msf > openvas_report_download 2 1 /root/ov/reports
[*] Saving report to /root/ov/reports/report-d76434b0-38e6-462c-87e1-717622056e86.html
msf > openvas_report_import 2 4
[*] Importing report to database.
You can see all the available commands using the command openvas_help
. If you have any questions or find any bugs in the openvas module let me know at averagesecurityguy [at] gmail [dot] com so I can fix them. If you want to look at the code, it is in /opt/framework/msf3/plugins/openvas.rb and /opt/framework/msf3/lib/openvas/openvas-omp.rb. Enjoy.About the Author
Stephen has over ten years experience in the information technology field working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional(CISSP), Offensive Security Certified Professional(OSCP), and GIAC Penetration Tester(GPEN).
Stephen has over ten years experience in the information technology field working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional(CISSP), Offensive Security Certified Professional(OSCP), and GIAC Penetration Tester(GPEN).
Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription or become our Facebook fan! You will get all the latest updates at both the places.