Vulnerability Scanning tools

This documentation has been made using Hackthebox Academy


Download and install

  • Download it here

  • Request an activation code here

  • Install the package dpkg -i Nessus-X.XX.X-ubuntu910_amd64.deb

  • Start Nessus sudo systemctl start nessusd.service

  • Access it on https://localhost:8834

  • Select Nessus Essentials

  • Set a password

Launch a scan

  • Click on New Scan and select which scan you want

  • Official description of each scan here

  • Enter the ip in Targets

  • Scanning devices such as network printers often result in them printing out reams of paper with garbage text, leaving the devices unusable (this is set up in option to enable scanning for fragile devices)

  • In the Advanced tab, safe checks are enabled by default. This prevents Nessus from running checks that may negatively impact the target device or network.

Scanning with creds

Nessus reports

Once a scan is completed we can choose to export a report in .pdf, .html, or .csv formats.

Note: These scan reports should only be shared as either an appendix or supplementary data to a custom penetration test/vulnerability assessment report. They should not be given to a client as the final deliverable for any assessment type.

Exporting Nessus Scans

Nessus also gives the option to export scans into two formats Nessus (scan.nessus) or Nessus DB (scan.db). The .nessus file is an .xml file and includes a copy of the scan settings and plugin outputs. The .db file contains the .nessus file and the scan's KB, plugin Audit Trail, and any scan attachments. More information about the KB and Audit Trail can be found here.

Nessus resources


Install OpenVAS

sudo apt-get update && apt-get -y full-upgrade
sudo apt-get install gvm && openvas
  • gvm-setup begin installation process

  • gvm-start start OpenVAS

  • Access it on https://localhost:8080


OpenVAS has various scan configurations to choose from for scanning a network. We recommend only leveraging the ones below, as other options could cause system disruptions on a network:

  • Base: This scan configuration is meant to enumerate information about the host's status and operating system information. This scan configuration does not check for vulnerabilities.

  • Discovery: This scan configuration is meant to enumerate information about the system. The configuration identifies the host's services, hardware, accessible ports, and software being used on the system. This scan configuration also does not check for vulnerabilities.

  • Host Discovery: This scan configuration solely tests whether the host is alive and determines what devices are active on the network. This scan configuration does not check for vulnerabilities as well. OpenVAS leverages ping to identify if the host is alive.

  • System Discovery: This scan enumerates the target host further than the 'Discovery Scan' and attempts to identify the operating system and hardware associated with the host.

  • Full and fast: This configuration is recommended by OpenVAS as the safest option and leverages intelligence to use the best NVT checks for the host(s) based on the accessible ports.

Export results

There are various export formats for reporting purposes, including XML, CSV, PDF, ITG, and TXT. We can use this tool to generate an Excel doc out of the xml exported file. python3 -m openvasreporting -i report-2bf466b5-627d-4659-bea6-1758b43235b1.xml -f xlsx

Last updated