OpenVAS Authenticated Scan using Local Security Checks

An authenticated scan may provide more vulnerability details on the scanned system. During an authenticated scan the target is both scanned from the outside via the network and from the inside via a valid user login.

During an authenticated scan OpenVAS logs in to the target system in order to run local security checks (LSC). The scan therefore requires prior setup of user credentials. These credentials are used to authenticate to different services on the target system. In some circumstances the results could be limited by the permissions of the user account.

The NVTs in the corresponding NVT families (local security checks) will only be executed if OpenVAS was able to log in to the target system. The local security check NVTs used in the scan are minimally invasive.

OpenVAS only determines the risk level and does not make any changes on the target system. However, the login by OpenVAS is probably being logged by the target system.
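Because every authenticated scan shows up in the target's own authentication log, a defender wants to recognise the expected scanner logins and, just as important, spot the scan account being used from anywhere other than the scanner. The following is an added example (not code from OpenVAS or from the original post) that triages constructed sshd log lines; the scanner address, the account name `lsc-scan` and the scan window are assumptions.

```python
import re

# Constructed sample sshd lines in syslog format (not taken from the page).
SAMPLE_AUTH_LOG = """\
Mar  3 02:00:14 web01 sshd[2311]: Accepted publickey for lsc-scan from 10.0.9.20 port 51522 ssh2: RSA SHA256:abc
Mar  3 02:00:31 web01 sshd[2350]: Accepted password for alice from 10.0.1.7 port 40122 ssh2
Mar  3 14:17:02 web01 sshd[4102]: Accepted publickey for lsc-scan from 203.0.113.9 port 60022 ssh2: RSA SHA256:abc
Mar  3 02:01:09 web01 sshd[2377]: Failed password for lsc-scan from 10.0.9.20 port 51530 ssh2
"""

SCANNER_HOSTS = {"10.0.9.20"}   # assumed address of the OpenVAS scanner
SCAN_ACCOUNTS = {"lsc-scan"}    # assumed dedicated account used for local security checks
SCAN_WINDOW = (1, 5)            # assumed scan window, hours of the day [start, end)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

def classify(line):
    """Label one sshd line; returns None for lines that are not login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user, src = m["user"], m["src"]
    hour = int(m["ts"].split()[-1].split(":")[0])
    in_window = SCAN_WINDOW[0] <= hour < SCAN_WINDOW[1]
    if user in SCAN_ACCOUNTS:
        # The scan credential from the scanner, inside the window: expected noise.
        if src in SCANNER_HOSTS and m["result"] == "Accepted" and in_window:
            return "expected-scan-login"
        # The scan credential from any other host: the credential has leaked or is misused.
        if src not in SCANNER_HOSTS:
            return "scan-credential-misuse"
        # Scanner host, but failed login or outside the window: worth a look.
        return "scan-login-anomaly"
    return "other"

def triage(log_text):
    """Count login events per label so the scanner's logins can be filtered or alerted on."""
    counts = {}
    for line in log_text.splitlines():
        label = classify(line)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts
```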

OpenVAS can use different credentials depending on the nature of the target. The most important ones are:

  • SMB: On Windows systems OpenVAS can check the patch level and locally installed software such as Adobe Acrobat Reader or the Java suite.

  • SSH: This access is used to check the patch level on UNIX and Linux systems.

  • ESXi: This access is used for testing VMware ESXi servers locally.

  • SNMP: Network components like routers and switches may be tested via SNMP.


Pros and Cons of Authenticated Scans

The extent and success of the testing routines for authenticated scans depend heavily on the permissions of the account used. On Linux systems an unprivileged user is sufficient and may access most of the interesting information, while on Windows systems in particular unprivileged users are very restricted and administrative users provide more results. An unprivileged user does not have access to the Windows registry or to the Windows system folder \windows, which contains the information on updates and patch levels.

Local security checks are the most gentle method to scan for vulnerability details. While remote security checks try to be least invasive as well, they might have some impact.

Simply stated, an authenticated scan is similar to a white-box approach. OpenVAS has access to prior information and may access the target from within. In particular the registry, software versions and patch level are accessible.

A remote scan is similar to a black-box approach. Here OpenVAS uses the same techniques and protocols as a potential attacker to access the target from the outside. The only information available is what OpenVAS collected itself. During the test OpenVAS may provoke malfunctions to extract any available information on the software in use. The scanner might for example send a malformed request to a service to trigger a response containing further information on the deployed product.

During a remote scan using the scan configuration Full and Fast all remote checks are safe. The NVTs used might have some invasive components, but none of them try to trigger a defect or malfunction in the target (see example below). This is ensured by the scan preference safe_checks=yes in the scan configuration. All NVTs with very invasive components or which might trigger a denial of service (DoS) are automatically excluded from the test.
