OpenVAS (Open Vulnerability Assessment System) is the scanning engine behind Greenbone Community Edition (GCE), one of the most capable free vulnerability scanners available. While commercial alternatives like Nessus Professional exist, OpenVAS covers a broad range of CVEs, misconfigurations, and service vulnerabilities suitable for home labs, internal assessments, and pentesting practice. This guide walks through setup and running your first authenticated scan.
The terminology can be confusing. Here’s the breakdown:
- OpenVAS — the underlying scanning engine (NASL-based scanner)
- Greenbone Vulnerability Management (GVM) — the management layer (daemons, database, task scheduler)
- Greenbone Community Edition (GCE) — the free, open-source distribution that bundles all of the above
- GSA (Greenbone Security Assistant) — the web-based UI
When people say “OpenVAS,” they usually mean the whole GCE stack.
Installation on Kali Linux
The easiest way to get OpenVAS running is on Kali Linux:
sudo apt update && sudo apt install -y gvm
sudo gvm-setup
gvm-setup takes 20–30 minutes on first run — it downloads the NVT (Network Vulnerability Tests) feed, which contains tens of thousands of vulnerability checks. When it completes, it prints a randomly generated admin password. Save this immediately.
Start the services:
sudo gvm-start
Access the web UI at https://127.0.0.1:9392. Accept the self-signed certificate warning.
Updating the Vulnerability Feed
Keeping feeds updated is critical. NVTs are updated frequently as new CVEs are published:
sudo gvm-feed-update
Schedule this weekly via cron for a lab setup:
0 2 * * 0 /usr/bin/sudo /usr/sbin/gvm-feed-update >> /var/log/gvm-feed-update.log 2>&1
Navigating the Web Interface
After logging in to https://127.0.0.1:9392:
- Scans → Tasks — create and manage scan tasks
- Configuration → Targets — define what to scan
- Configuration → Scan Configs — choose scan depth/intensity
- Reports — view and export vulnerability results
Creating a Scan Target
Go to Configuration → Targets → New Target:
- Name: Lab Network Scan
- Hosts: Enter IP or range (e.g.,
192.168.1.0/24 or 192.168.1.10-192.168.1.50)
- Port List: Select “All IANA assigned TCP” or “OpenVAS Default” for a balanced scan
- SSH Credentials: (for authenticated scans — covered below)
- SMB Credentials: (for authenticated Windows scans)
Click Save.
Scan Configurations
Greenbone provides several built-in scan configs:
| Config | Description |
|---|
| Full and Fast | Comprehensive, optimized for speed |
| Full and Deep | Exhaustive, can be slow and noisy |
| System Discovery | Host discovery only, no vulnerability checks |
| Host Discovery | Ping-based host enumeration |
For most purposes, Full and Fast is the right choice.
Running an Unauthenticated Scan
Go to Scans → Tasks → New Task:
- Name: Unauthenticated Lab Scan
- Scan Config: Full and Fast
- Target: Your saved target
Click Save, then click the Play button to start the scan.
A typical network scan against a handful of hosts takes 15–60 minutes. Watch progress under Scans → Tasks.
Setting Up Authenticated Scanning
Authenticated scans are dramatically more accurate — they log in to targets and check installed package versions, missing patches, registry settings, and local configurations rather than relying only on banners and service detection.
SSH Credentials (Linux Targets)
Go to Configuration → Credentials → New Credential:
- Type: Username + Password (or SSH private key for better security)
- Login: root (or a privileged user with sudo)
- Password: target password
Then assign this credential to your scan target’s SSH Credentials field.
SMB Credentials (Windows Targets)
Create a Windows credential with a local administrator account:
- Type: Username + Password
- Login: Administrator
- Password: target password
Assign to the target’s SMB Credentials field. OpenVAS will use this to check Windows registry keys, installed software, and patch levels.
Reading the Report
When the scan completes, go to Scans → Reports → Latest Report:
Findings are color-coded by severity:
- 🔴 Critical (9.0–10.0) — exploitable, high impact
- 🟠 High (7.0–8.9) — significant risk
- 🟡 Medium (4.0–6.9) — notable but less urgent
- 🔵 Low (0.1–3.9) — informational
Each finding includes:
- CVE identifier
- CVSS score
- Affected host and port
- Description of the vulnerability
- Solution/remediation steps
Exporting Reports
Export findings in multiple formats:
- PDF — good for sharing with stakeholders
- XML — for importing into other tools
- CSV — for spreadsheet analysis
- HTML — for offline browsing
Export XML reports and import into tools like:
- Metasploit — use
db_import openvas_report.xml after connecting Metasploit to a PostgreSQL database
- Faraday — vulnerability management platform that aggregates OpenVAS with Nmap, Burp, etc.
- DefectDojo — open source vulnerability management system
Tips for Better Scans
- Scan in small batches — scanning /24 networks at once can be slow and cause false negatives if targets are rate-limiting
- Use authenticated scanning whenever possible — unauthenticated scans miss 60–70% of findings
- Schedule regular scans — vulnerability landscapes change as software is updated
- Correlate with Nmap — run an Nmap scan first to identify open ports, then target OpenVAS at those services for faster results
- Check for false positives — mark findings as false positives in GVM to keep reports clean
OpenVAS is a powerful tool that — when run with proper credentials — rivals commercial scanners for internal network assessments. Regular scanning against your lab or home network builds both familiarity with the tool and genuine security awareness about your environment’s exposure.