OpenVAS - Vulnerability Assessment install on Kali Linux
This tutorial documents the process of installing OpenVAS 8.0 on Kali Linux rolling. OpenVAS is open source vulnerability assessment application that automates the process of performing network security audits and vulnerability assessments. Note, a vulnerability assessment also known as VA is not a penetration test, a penetration test goes a step further and validates the existence of a discovered vulnerability, see what is penetration testing for an overview of what pen testing consists of and the different types of security testing.
What is Kali Linux?
Kali Linux is a Linux penetration testing distribution. It's Debian based and comes pre-installed with many commonly used penetration testing tools such as Metasploit Framework and other command line tools typically used by penetration testers during a security assessment.
For most use cases Kali runs in a VM, you can grab the latest VMWare or Vbox image of Kali from here: https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/
Download the full version not Kali light, unless you have a specific reason for wanting a smaller virtual machine footprint. After the download finishes you will need to extract the contents and open the vbox or VMWare .vmx file, when the machine boots the default credentials are root / toor. Change the root password to a secure password.
Alternatively, you can download the ISO version and perform an installation of Kali on the bare metal.
Updating Kali Linux
After installation, perform a full update of Kali Linux.
Updating Kali:
apt-get update && apt-get dist-upgrade -y
The update process might take some time to complete. Kali is now a rolling release meaning you can update to the current version from any version of Kali rolling. However, there are release numbers but these are point in time versions of Kali rolling for VMWare snapshots. You can update to the current stable release from any of the VMWare images.
After updating perform a reboot.
Installing OpenVAS 8
apt-get install openvas
openvas-setup
During installation you'll be prompted about redis, select the default option to run as a UNIX socket.
Even on a fast connection openvas-setup takes a long time to download and update all the required CVE, SCAP definitions.
Pay attention to the command output during openvas-setup, the password is generated during installation and printed to console near the end of the setup.
Verify openvas is running:
netstat -tulpn
Start OpenVAS on Kali
To start the OpenVAS service on Kali run:
openvas-start
After installation, you should be able to access the OpenVAS web application at https://127.0.0.1:9392
Accept the self-signed certificate and login to the application using the credentials admin and the password displayed during openvas-setup.
After accepting the self-signed certificate, you should be presented with the login screen:
After logging in you should be presented with the following screen:
From this point you should be able to configure your own vulnerability scans using the wizard.
It's recommended to read the documentation. Be aware of what a vulnerability assessment conductions (depending on configuration OpenVAS could attempt exploitation) and the traffic it will generate on a network as well as the DOS effect it can have on services / servers and hosts / devices on a network.
