
    So you want to build a Security Program? Part 1 - Vulnerability Scanning

    72 Posts 13 Posters 7.3k Views
    • IRJI
      IRJ
      last edited by IRJ

      How to start your first scan

      Ok so step one is to go to Configuration > Targets

      Click the star (top left) to add a new target

      Let's just use one target for now. Name it whatever you want and just type the IP in manually

      Otherwise I would use a text file

      Then go to Configuration > Credentials

      Add a credential and save it

      Now go back to Configuration > Targets, edit the one you already made, go to SMB, and select the credential you just made

      Next go to Scan Management > Tasks

      Then click the star to create a new task

      Name it whatever you want and select the scan target you just created

      Once you are finished with the task click the green play button to start the scan

      Note: Added to the OP as well.

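A pre-flight check for the text-file target list mentioned in the post above, as an added example that is not part of the original post or of OpenVAS: it keeps only entries that fall inside an approved scope before the list is imported as a target. The file format (one IP or CIDR per line, `#` comments), the scope networks, the per-target size limit, the function names and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Constructed approval list: networks you have written permission to scan.
AUTHORIZED_SCOPE = ["10.20.0.0/16", "192.168.50.0/24", "203.0.113.0/28"]

# Constructed sample of a target text file (one IP or CIDR per line).
SAMPLE_TARGETS = """\
# file servers
10.20.1.15
10.20.1.15
192.168.50.0/25
203.0.113.40
198.51.100.7
10.20.0.0/15
fileserver01
"""


def vet_targets(text, scope=AUTHORIZED_SCOPE, max_addresses=4096):
    """Split target entries into (approved, rejected) against the scope."""
    scope_nets = [ipaddress.ip_network(s) for s in scope]
    approved, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not entry:
            continue
        try:
            # Default strict parsing rejects CIDRs with host bits set, so a
            # typo such as 10.20.1.15/16 cannot silently widen the scan.
            net = ipaddress.ip_network(entry)
        except ValueError:
            rejected.append((lineno, entry, "not an IP or CIDR"))
            continue
        if net in seen:
            rejected.append((lineno, entry, "duplicate entry"))
            continue
        seen.add(net)
        in_scope = any(net.version == s.version and net.subnet_of(s) for s in scope_nets)
        if not in_scope:
            rejected.append((lineno, entry, "outside approved scope"))
        elif net.num_addresses > max_addresses:
            rejected.append((lineno, entry, "larger than per-target limit"))
        else:
            single = net.num_addresses == 1
            approved.append(str(net.network_address) if single else str(net))
    return approved, rejected


def to_hosts_field(approved):
    """Join approved entries into one comma-separated hosts string."""
    return ", ".join(approved)


if __name__ == "__main__":
    ok, bad = vet_targets(SAMPLE_TARGETS)
    print("import:", to_hosts_field(ok))
    for lineno, entry, reason in bad:
        print(f"line {lineno}: {entry!r} rejected ({reason})")
```

Hostnames are rejected on purpose here: resolve them first and approve the resulting address, so the scope decision is made on what will actually be scanned.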
      • stacksofplatesS
        stacksofplates @IRJ
        last edited by

        @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

        @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

        Is OpenVAS intuitive to use and pick up? Does it have built-in scans and reporting that are easily assessed (read)?

        The GUI and reporting are not good. In fact the GUI is one of the ugliest GUIs I have ever seen, but you will get the same data as you would with paid solutions.

        You don't like the lady?

        • IRJI
          IRJ @stacksofplates
          last edited by

          @stacksofplates said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

          @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

          @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

          Is OpenVAS intuitive to use and pick up? Does it have built-in scans and reporting that are easily assessed (read)?

          The GUI and reporting are not good. In fact the GUI is one of the ugliest GUIs I have ever seen, but you will get the same data as you would with paid solutions.

          You don't like the lady?

          Maybe if I had a 4k monitor I could appreciate her more!

          • hobbit666H
            hobbit666
            last edited by

            Is this more for finding vulnerabilities internally, not, say, through your external IP(s)?

            • DustinB3403D
              DustinB3403 @hobbit666
              last edited by

              @hobbit666 Internal assessments only, you shouldn't be scanning the open internet. . .

              • IRJI
                IRJ
                last edited by

                It can work for either. There are plenty of people who have a VPS set up with OpenVAS to do their external scans.

                https://www.digitalocean.com/community/tutorials/how-to-use-openvas-to-audit-the-security-of-remote-systems-on-ubuntu-12-04

                This is a fully hosted external security solution, but you can build all the included tools in your own VPS
                https://hackertarget.com

                • IRJI
                  IRJ @DustinB3403
                  last edited by IRJ

                  @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                  you shouldn't be scanning the open internet. . .

                  You most certainly should be. What do you think hackers are doing every minute on large networks?

                  • DustinB3403D
                    DustinB3403 @IRJ
                    last edited by

                    @IRJ As in, you shouldn't be scanning everything on the open internet.

                    The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                    • IRJI
                      IRJ @DustinB3403
                      last edited by

                      @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                      @IRJ As in, you shouldn't be scanning everything on the open internet.

                      The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                      No, they won't. It's like walking or driving up to a house and looking and casing it out for a robbery. You aren't doing anything illegal until you breach the house.

                      • DustinB3403D
                        DustinB3403 @IRJ
                        last edited by

                        @IRJ Sure they can, it's called premeditation.

                        Planning to break in is as illegal as breaking in so long as you are committed to it.

                        • StrongBadS
                          StrongBad @DustinB3403
                          last edited by

                          @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                          @IRJ Sure they can, it's called premeditation.

                          Planning to break in is as illegal as breaking in so long as you are committed to it.

                          But there is no way to know if someone is premeditating breaking in or doing a school report on safety concerns in the neighborhood.

                          • NDCN
                            NDC @DustinB3403
                            last edited by

                            @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                            @IRJ As in, you shouldn't be scanning everything on the open internet.

                            The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                            They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

                            • IRJI
                              IRJ @NDC
                              last edited by

                              @NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                              @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                              @IRJ As in, you shouldn't be scanning everything on the open internet.

                              The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                              They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

                              I see about 10 scans a minute from all over the world on our external servers on a slow day!

                              • IRJI
                                IRJ @NDC
                                last edited by

                                @NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                @IRJ As in, you shouldn't be scanning everything on the open internet.

                                The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                                They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

                                Exactly and if US law cannot do anything then what are countries like China and Russia going to do? lol

                                • scottalanmillerS
                                  scottalanmiller @IRJ
                                  last edited by

                                  @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                  @NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                  @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                  @IRJ As in, you shouldn't be scanning everything on the open internet.

                                  The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                                  They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

                                  Exactly and if US law cannot do anything then what are countries like China and Russia going to do? lol

                                  Execute you?

                                  • IRJI
                                    IRJ @scottalanmiller
                                    last edited by

                                    @scottalanmiller said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                    @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                    @NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                    @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                    @IRJ As in, you shouldn't be scanning everything on the open internet.

                                    The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                                    They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

                                    Exactly and if US law cannot do anything then what are countries like China and Russia going to do? lol

                                    Execute you?

                                    Yeah I am sure China's focus is to find everyone running nmap scans on American servers so they can execute them.

                                    • scottalanmillerS
                                      scottalanmiller @IRJ
                                      last edited by

                                      @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @scottalanmiller said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                      @IRJ As in, you shouldn't be scanning everything on the open internet.

                                      The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                                      They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

                                      Exactly and if US law cannot do anything then what are countries like China and Russia going to do? lol

                                      Execute you?

                                      Yeah I am sure China's focus is to find everyone running nmap scans on American servers so they can execute them.

                                      You never know.

                                      • IRJI
                                        IRJ @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                        @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                        @scottalanmiller said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                        @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                        @NDC said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                        @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                        @IRJ As in, you shouldn't be scanning everything on the open internet.

                                        The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                                        They have neither the resources nor the inclination to go after everyone that runs a simple scan. They don't in fact have the resources to go after all the people who have committed significantly damaging illegal acts let alone anything else.

                                        Exactly and if US law cannot do anything then what are countries like China and Russia going to do? lol

                                        Execute you?

                                        Yeah I am sure China's focus is to find everyone running nmap scans on American servers so they can execute them.

                                        You never know.

                                        They could always build another ghost city.

                                        • DashrenderD
                                          Dashrender @IRJ
                                          last edited by

                                          @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                          @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                          @IRJ As in, you shouldn't be scanning everything on the open internet.

                                          The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                                          No, they won't. It's like walking or driving up to a house and looking and casing it out for a robbery. You aren't doing anything illegal until you breach the house.

                                          Actually this is now illegal in some country - not this exactly, but I can't recall where, some country (Japan maybe) just passed a law where it's illegal to plan something illegal.

                                          • IRJI
                                            IRJ @Dashrender
                                            last edited by

                                            @Dashrender said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                            @IRJ said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                            @DustinB3403 said in So you want to build a Security Program? Part 1 - Vulnerability Scanning:

                                            @IRJ As in, you shouldn't be scanning everything on the open internet.

                                            The FBI, NSA and other 3 letter government agencies will come knocking down your door.

                                            No, they won't. It's like walking or driving up to a house and looking and casing it out for a robbery. You aren't doing anything illegal until you breach the house.

                                            Actually this is now illegal in some country - not this exactly, but I can't recall where, some country (Japan maybe) just passed a law where it's illegal to plan something illegal.

                                            It's impossible to police
