Raspberry Pi Network Vulnerability Scanner OpenVAS!

Sai Samarth
Published in System Weakness
May 8, 2022

OpenVAS is a full-featured vulnerability scanner. Its capabilities include unauthenticated and authenticated testing, various high-level and low-level internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test.

Today's story will not cover what a Raspberry Pi is or how to install an OS on it, since you probably already know how to do that. I will show you how to install OpenVAS as a Docker container and how to run a vulnerability assessment. In addition, I will show you how to automate, e.g., a monthly vulnerability assessment, get notified about the start and finish of the assessment, and send the report over email.

For the purpose of this tutorial I used a Raspberry Pi 4 (4 GB) with the ‘bullseye’ release of Raspberry Pi OS.

To start, you need to have Docker installed on your Raspberry Pi. If you do not have it, install it as follows.

sudo apt update && sudo apt upgrade
sudo curl -sSL https://get.docker.com | sh
sudo usermod -aG docker pi

After that you can install the OpenVAS Docker container.

sudo docker pull pensivesecurity/rpi-scanner

Now you can run a vulnerability assessment. I usually use this command and these options:

docker run --rm -v /tmp/:/reports/:rw pensivesecurity/rpi-scanner:latest python3 -u scan.py "192.168.1.0/24" --debug --update --format="PDF" --output rpi-openvas-report.pdf --profile="Full and fast"

But you can modify it in many ways. All the options you can use in a single command are listed below, so you can fit it to your needs.

docker run --rm -v /tmp/:/reports/:rw pensivesecurity/rpi-scanner:latest python3 -u scan.py <target> [options]

Target

The target can be a single IP or CIDR, or a comma-separated list of IP addresses or CIDRs.

Output

It is possible to specify the output filename with the -o or --output argument.

By default the report is saved as openvas.report.

Formats

  1. Anonymous XML
  2. CSV Results
  3. ITG
  4. PDF
  5. TXT
  6. XML

You can select which report format is used with the -f or --format argument and one of the available formats.

By default XML format is used to generate the report.

Profiles

  1. Base
  2. Discovery
  3. Empty
  4. Full and fast
  5. Host Discovery
  6. System Discovery
  7. GaussDB 100 V300R001C00 Security Hardening Guide (Standalone)
  8. EulerOS Linux Security Configuration
  9. Huawei Datacom Product Security Configuration Audit Guide
  10. IT-Grundschutz

You can select the scan profile by adding the -p or --profile argument with one of the available profiles.

By default the Full and fast profile is used.

Alive Tests

  1. Scan Config Default
  2. ICMP, TCP-ACK Service & ARP Ping
  3. TCP-ACK Service & ARP Ping
  4. ICMP & ARP Ping
  5. ICMP & TCP-ACK Service Ping
  6. ARP Ping
  7. TCP-ACK Service Ping
  8. TCP-SYN Service Ping
  9. ICMP Ping
  10. Consider Alive

You can select the alive tests by adding the -t or --tests argument with one of the available tests.

By default the ICMP, TCP-ACK Service & ARP Ping alive tests are used.

Port Lists

  1. All IANA Assigned TCP
  2. All IANA Assigned TCP and UDP
  3. All TCP and Nmap top 100 UDP

You can select the port list by adding the -P or --ports argument with one of the available port lists.

By default the All TCP and Nmap top 100 UDP port list is used. Note that using All TCP and Nmap top 100 UDP will significantly increase the scan time.

Exclude Hosts

You can exclude hosts from the specified target by adding the -e or --exclude argument with a list of IPs.

By default the list of excluded hosts is empty.

Max Hosts

It is possible to override the max_hosts variable in the OpenVAS config, which specifies the maximum number of hosts tested simultaneously. Just add the -m or --max argument with the desired numeric value.

By default 10 is used as the max_hosts value.

Max Checks

It is possible to override the max_checks variable in the OpenVAS config, which specifies the maximum number of simultaneous checks against each host tested. Just add the -c or --checks argument with the desired numeric value.

By default 3 is used as the max_checks value.

Debug

You can enable printing of command responses by adding the --debug argument.

Update

You can also add the --update argument to force an update.

This will synchronize OpenVAS feeds before making the scan.

Feeds update is quite slow, so it will take significantly more time.

Now, after installing, trying, testing and modifying the command, you can create a script which will run the vulnerability assessment, so you do not need to remember this long command and type it each time.

I also like to be informed when the vulnerability assessment has started and finished, and to receive the report by email. I am sending emails with Python. For this purpose I made two scripts. One is for the notification about the start and the other one about the finish. Let’s check how I did it.

First create a new folder, openvas, where all of the following files will be stored.

mkdir -p /home/pi/openvas
cd /home/pi/openvas

After that, create the file start_email.py, and do not forget to change the credentials and recipient email.

Also create finish_email.py, which will notify you about the end of the vulnerability assessment and send you the report as an attachment.

And finally, modify the scan.sh file to use these new scripts and add a command to move the report to the /home/pi/openvas directory.

To finish, I created a cron job which runs the vulnerability assessment on the first day of every month.

crontab -e
0 0 1 * * /bin/bash /home/pi/openvas/scan_final.sh
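
One way to write the start and finish notifications described above, as an added example that is not the author's start_email.py or finish_email.py. The file name notify.py, the environment variable names and the report path under /home/pi/openvas are assumptions; credentials are read from the environment instead of being written into the script.

```python
"""Added example (not the article's scripts): start/finish scan notifications.
Assumed names: env vars SMTP_HOST, SMTP_USER, SMTP_PASS, MAIL_TO; file notify.py.
"""
import os
import smtplib
import ssl
import sys
from email.message import EmailMessage
from pathlib import Path

# Assumed location: where scan.sh moves the report after the scan.
REPORT = Path("/home/pi/openvas/rpi-openvas-report.pdf")


def build_message(event, sender, recipient, report=None):
    """Build the mail for event 'start' or 'finish' (report attached if present)."""
    if event not in ("start", "finish"):
        raise ValueError("event must be 'start' or 'finish'")
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"OpenVAS vulnerability assessment: {event}"
    if event == "start":
        msg.set_content("The scheduled vulnerability assessment has started.")
        return msg
    path = Path(report) if report else None
    if path and path.is_file() and path.stat().st_size > 0:
        msg.set_content("The assessment has finished. The report is attached.")
        msg.add_attachment(path.read_bytes(), maintype="application",
                           subtype="octet-stream", filename=path.name)
    else:
        # A missing or empty report means the scan failed; report that rather
        # than sending a mail that reads like a clean result.
        msg.set_content(f"The assessment ended but no report was found at {path}.")
    return msg


def send(msg):
    """Send via SMTP submission (port 587) with certificate-verified STARTTLS."""
    with smtplib.SMTP(os.environ["SMTP_HOST"], 587, timeout=30) as smtp:
        smtp.starttls(context=ssl.create_default_context())
        smtp.login(os.environ["SMTP_USER"], os.environ["SMTP_PASS"])
        smtp.send_message(msg)


if __name__ == "__main__":
    # Called from scan.sh as: python3 notify.py start / python3 notify.py finish
    sender, recipient = os.environ["SMTP_USER"], os.environ["MAIL_TO"]
    send(build_message(sys.argv[1], sender, recipient, REPORT))
```

Load the four variables from a file readable only by the pi user, so the mail password is not hard-coded in the Python script.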

Conclusion

We have now created an OpenVAS vulnerability scanner on a Raspberry Pi that runs an assessment once per month, notifies us about the start and finish of the assessment, and sends us the report by email.

That’s all for now
By,
J Sai Samartha
Ethical Hacker & Security Researcher

Cheers, Happy Hunting 👍
Email: saisamarth98@gmail.com