This project is a demonstration of using OpenVAS by creating a Vulnerability Management Lab on Azure. I will be creating an OpenVAS-configured VM and a client VM. To simulate vulnerability detection with the OpenVAS tool, I will scan the client after its creation on default settings, then intentionally make it vulnerable by installing multiple outdated applications which are very common, then do another scan and try to fix the vulnerabilities shown in OpenVAS by updating the system and removing the outdated applications. I will do another final scan to show you how many vulnerabilities get fixed.

1. Prepare Vulnerability Management Scanner
2. Create Client Virtual Machine and Make it Vulnerable
3. Perform Unauthenticated Scan
4. Make Configurations for Authenticated Scans (VM)
5. Make Configurations for Authenticated Scans (OpenVAS)
6. Perform Authenticated Scan against our Vulnerable Windows VM
7. Remediate Vulnerabilities
8. Verify Remediation

- No special requirements, just internet and a browser to access the Azure Portal.
- Azure VM
- OpenVAS on Azure
- Microsoft Windows 11
- OpenVAS - https://openvas.org/
- Azure Portal - https://portal.azure.com/
The goal of the lab is to configure and explore the platform, not to practice remediation. I will perform some minor vulnerability remediation, but only to test how the scans change in response.
Prepare Vulnerability Management Scanner

From the Azure Portal, I went to the Marketplace → “OpenVAS secured and supported by HOSSTED” and proceeded to create a "Vulnerability-Management" resource group and VM.
Selecting OpenVAS from the Azure Marketplace:
Creating the OpenVAS VM in Azure:
OpenVAS VM Overview:
After the VM was created, I used PuTTY to SSH into the server and allowed the initial configuration to complete.
OpenVAS connection via PuTTY:
Back in the Azure Portal → Virtual Machines → Create, in the same resource group and the same VNet as OpenVAS.
Vulnerable client VM in Azure
After the VM was created, I RDP'd into the machine to make it vulnerable by disabling the firewall and installing the following very old versions of software (with known vulnerabilities):
- Firefox: Firefox Setup 97.0b5
- VLC Player: vlc-1.1.7-win32
- Adobe Reader: 10.0_AdbeRdr1000_en_US_1_
Disabled Firewall in Windows 10 VM:
Installing insecure software on Windows 10 VM:
Login to OpenVAS with the URL and credentials provided during initial config → Assets → Hosts → New Host
Login to OpenVAS:
Private IP of client VM:
Created a new host by adding client VM private IP Address
Host in Greenbone:
Created a new target from the host and named it “Azure Vulnerable VM”.
Creating a new target:
Created a new Task - “Scan - Azure Vulnerable VMs”
New Task:
Initiated the first scan of the Windows 10 VM client
Scan Completed:
Port scan results:
Found CVEs:
Found Closed CVEs:
Making some changes to the Windows 10 client to allow OpenVAS to perform a more in-depth authenticated/credentialed scan.
Disabled User Account Control
Disable UAC:
To allow OpenVAS to authenticate, I made the following registry changes:
- Enabled Remote Registry (services.msc)
- Launched Registry Editor (regedit.exe - as Admin)
- Navigated to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Set the registry key by creating a new DWORD (32-bit) value with the following properties:
  - Name: LocalAccountTokenFilterPolicy
  - Value: 1
Enable Remote Registry:
Creating new DWORD:
Setting the Registry Key:
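The Remote Registry and LocalAccountTokenFilterPolicy changes above can also be scripted, so that the prior state is recorded and restored once the credentialed scan is done. This is an added example, not part of the original lab; the function names, the state-file path and the choice of Manual startup for Remote Registry are assumptions, and UAC and firewall state are only reported, not changed.

```powershell
# Added example, not from the original write-up. Run elevated on the client VM.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$StateFile = Join-Path $env:ProgramData 'scan-prep-state.json'   # assumed path

function Get-ScanPrepState {
    # Snapshot of the settings this lab touches for authenticated scanning.
    $policy = Get-ItemProperty -Path $PolicyKey
    $svc    = Get-Service -Name RemoteRegistry
    [pscustomobject]@{
        RemoteRegistryStartType       = [string]$svc.StartType
        RemoteRegistryRunning         = ($svc.Status -eq 'Running')
        LocalAccountTokenFilterPolicy = $policy.LocalAccountTokenFilterPolicy  # $null if absent
        EnableLUA                     = $policy.EnableLUA                      # UAC, reported only
        FirewallProfilesOff           = @(Get-NetFirewallProfile |
            Where-Object { $_.Enabled -eq 'False' } | ForEach-Object { $_.Name })
    }
}

function Enable-ScanPrep {
    # Save the pre-change state once, so Undo-ScanPrep restores exactly what was there.
    if (-not (Test-Path $StateFile)) {
        Get-ScanPrepState | ConvertTo-Json | Set-Content -Path $StateFile
    }
    Set-Service -Name RemoteRegistry -StartupType Manual   # assumption: Manual is enough
    Start-Service -Name RemoteRegistry
    New-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

function Undo-ScanPrep {
    # Put Remote Registry and the token-filter value back to the saved state.
    $saved = Get-Content -Path $StateFile -Raw | ConvertFrom-Json
    if (-not $saved.RemoteRegistryRunning) { Stop-Service -Name RemoteRegistry -Force }
    Set-Service -Name RemoteRegistry -StartupType $saved.RemoteRegistryStartType
    if ($null -eq $saved.LocalAccountTokenFilterPolicy) {
        Remove-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
            -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $PolicyKey -Name LocalAccountTokenFilterPolicy `
            -Value $saved.LocalAccountTokenFilterPolicy
    }
    Remove-Item -Path $StateFile
}

# Typical use around a credentialed scan:
#   Enable-ScanPrep; Get-ScanPrepState    # before starting the OpenVAS task
#   Undo-ScanPrep;   Get-ScanPrepState    # after the report is saved
```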
Make Configurations for Credentialed Scans (OpenVAS)
Created a new credential under Configuration → Credentials → New Credential, then added the username & password for the Windows 10 VM client under "Azure VM Credentials".
Created a new target, and attached the new credentials
Add credentials to new target:
In OpenVAS, Scans → Tasks
To create the credentialed scan, I cloned the “Scan - Azure Vulnerable VMs” Task, then changed it to update the scan name and target.
Initialized the credentialed scan and reviewed the results.
Credentialed Scan Results

Now we can see the insecure software installed earlier, flagged for remediation in the scan results.
Creating credentialed scan:
The SMB results show that OpenVAS was able to authenticate successfully.
Successful SMB authentication:
Credentialed scan - ports results:
Credentialed scan - CVEs:
Credentialed scan - closed CVE results:
Credentialed scan - applications results:
Additionally, I attempted to activate the firewall, but it negatively impacted OpenVAS' scanning capability. Worried that reverting the UAC might have a similar effect, I opted to modify the Network Security Group (NSG). Specifically, I changed it from allowing all inbound RDP connections to permitting connections solely from my IP address. In the Win10-Vulnerable VM, I ensured that all available updates were applied.
Windows 10 VM client NSG before:
Windows 10 VM client NSG after:
Completed Windows Update:
Post Remediation Results page:
Analyzing how we manage vulnerabilities in Azure with Greenbone OpenVAS is interesting. While fixing critical issues seems effective, it's curious that applying system updates didn't change the scan much. I'm wondering if the timing of scans matters – maybe waiting some time after updates could make a difference?
I'm keen on setting up a local version of this lab and adding Nessus and Qualys scanners for comparison. Seeing how different scanners report vulnerabilities could give us a better understanding. The plan is to check if these scanners find issues that others might miss.
Sharing the process and findings while setting up the lab could help others, and it's a good way to contribute to the cybersecurity community.