How to Use OpenVAS in Metasploit- OpenVAS & Metasploit Integration

Metasploit includes an OpenVAS module, which allow you to interact with an OpenVAS server to create targets, run scans, download reports, and import reports. Recently I had the opportunity to make some updates to the module and wanted to write a blog post to document how to use it. This blog post does not cover how to setup an OpenVAS server but you can find that info here and here. 

To use the OpenVAS integration you need to load the openvas module within msfconsole. Do this by running the command load openvas. The updates to the openvas module were accepted in revision 13851, so you may need to use msfupdate to get the updated modules.
After the module is loaded, the work flow is very basic. Start by connecting to the server using the command openvas_connect. If you connect to a host other than localhost or 127.0.0.1, then you will need to pass an additional paramater of “ok” to the command. If you forget the “ok” parameter you will be warned that there is no SSL support and your interaction with the server is not secure. Also, you need to use the port for the OpenVAS manager server, openvasmd, which defaults to 9390.

msf > openvas_connect sbh sbh 127.0.0.1 9390
[*] Connecting to OpenVAS instance at 127.0.0.1:9390 with username sbh...
[+] OpenVAS connection successful

Next, create a target to scan using the command openvas_target_create. If you want spaces in the name or comment then make sure you place quotations around them.

msf > openvas_target_create "Local Machine" 192.168.70.128 "My Local Machine"
[*] OK, resource created: db1175ac-b40b-4b13-9a80-24b68c2c6b40
[+] OpenVAS list of targets

ID  Name           Hosts           Max Hosts  In Use  Comment
--  ----           -----           ---------  ------  -------
0   Localhost      localhost       1          1
1   Local Machine  192.168.70.128  1          0       My Local Machine

Next, create a task by specifying a target and a configuration. Use the command openvas_config_list to get a list of configurations and the command openvas_target_list to get a list of targets.

msf > openvas_config_list
[+] OpenVAS list of configs

ID  Name
--  ----
0   Full and fast
1   Full and fast ultimate
2   Full and very deep
3   Full and very deep ultimate
4   empty

msf > openvas_task_create "Local Scan" "Scan My Local Machine" 0 1
[*] OK, resource created: 483c6f03-6490-4de2-bd81-c1c5b217d950
[+] OpenVAS list of tasks

ID  Name        Comment                Status  Progress
--  ----        -------                ------  --------
0   Local Scan  Scan My Local Machine  New     -1

Next, start the task with openvas_task_start and watch the progress using openvas_task_list.

msf > openvas_task_start 0
[*] OK, request submitted
msf > openvas_task_list
[+] OpenVAS list of tasks

ID  Name        Comment                Status   Progress
--  ----        -------                ------   --------
0   Local Scan  Scan My Local Machine  Running  2

msf > openvas_task_list
[+] OpenVAS list of tasks

ID  Name        Comment                Status   Progress
--  ----        -------                ------   --------
0   Local Scan  Scan My Local Machine  Running  98

msf > openvas_task_list
[+] OpenVAS list of tasks

ID  Name        Comment                Status  Progress
--  ----        -------                ------  --------
0   Local Scan  Scan My Local Machine  Done    -1

Once the scan is finished, the progress is -1, list the available reports using openvas_report_list.

msf > openvas_report_list
[+] OpenVAS list of reports

ID  Task Name     Start Time                Stop Time
--  ---------     ----------                ---------
0   Example task  Tue Aug 25 21:48:25 2009  Tue Aug 25 21:52:16 2009
1   testtask      Fri Sep 16 14:21:31 2011  Fri Sep 16 14:23:09 2011
2   Local Scan    Fri Oct  7 22:52:46 2011  Fri Oct  7 23:04:48 2011

Next, you can download (openvas_report_dowload) or import (openvas_report_import) the report. You must specify the report format with either command. You can get a list of formats using openvas_format_list. When importing a report you must use the NBE format. Also note, that when trying to download an ITG or PDF report my OpenVAS server returns an empty report, YMMV.

msf > openvas_format_list
[+] OpenVAS list of report formats

ID  Name   Extension  Summary
--  ----   ---------  -------
0   CPE    csv        Common Product Enumeration CSV table.
1   HTML   html       Single page HTML report.
2   ITG    csv        German "IT-Grundschutz-Kataloge" report.
3   LaTeX  tex        LaTeX source file.
4   NBE    nbe        Legacy OpenVAS report.
5   PDF    pdf        Portable Document Format report.
6   TXT    txt        Plain text report.
7   XML    xml        Raw XML report.

msf > openvas_report_download 2 1 /root/ov/reports
[*] Saving report to /root/ov/reports/report-d76434b0-38e6-462c-87e1-717622056e86.html

msf > openvas_report_import 2 4
[*] Importing report to database.

You can see all the available commands using the command openvas_help. If you have any questions or find any bugs in the openvas module let me know at averagesecurityguy [at] gmail [dot] com so I can fix them. If you want to look at the code, it is in /opt/framework/msf3/plugins/openvas.rb and /opt/framework/msf3/lib/openvas/openvas-omp.rb. Enjoy.

About the Author
Stephen has over ten years experience in the information technology field working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional(CISSP), Offensive Security Certified Professional(OSCP), and GIAC Penetration Tester(GPEN).

Note: If you want to learn more about Linux and Windows based Penetration testing, you might want to subscribe our RSS feed and Email Subscription  or become our Facebook fan! You will get all the latest updates at both the places.