Introduction
The purpose of this report is to examine the security of a system using specialized vulnerability-detection tools. To do this, exhaustive scans were carried out with Nessus and OpenVAS against the Metasploitable3 (Linux) virtual machine. After data collection, the findings are analyzed and the two tools are compared in detail.
Analysis Tools
To carry out the audit, the following tools were selected:
- Nessus: Developed by Tenable, it is an advanced scanner that allows vulnerabilities in networks and systems to be identified through a constantly updated database.
- OpenVAS (Greenbone Vulnerability Management): An open-source solution designed for identifying security flaws and misconfigurations in operating systems and applications.
Scan Settings
Nessus Scanning Parameters
Illustration 1. Nessus interface
A new policy was defined from the “Advanced Scan” template, with the following options set to make the scan as thorough as possible:
- On the Discovery -> Host Discovery tab, ARP and ICMP pings are enabled, together with the TCP (all ports) and UDP scan options.
- On the Discovery -> Port Scanning tab, the SYN scanner is enabled in aggressive mode, together with the UDP scanner.
- On the Discovery -> Identity tab, “Collect data from Active Directory identities” is checked.
- On the Assessment -> Web Applications tab, “Scan web applications” is checked, along with every box under “Application Test Settings” except “Abort web application tests if HTTP login fails”, so that a failed HTTP login attempt does not stop the scan.
- On the Assessment -> Databases tab, “Use detected SIDs” is checked.
- On the Advanced tab, “Scan for unpatched vulnerabilities” is checked.
- All plugins are enabled, in their most aggressive mode.
OpenVAS Scanning Parameters
Illustration 2. OpenVAS Interface
A new scan configuration was defined from the “Full and Fast” profile, with the following adjustments to make the scan as thorough as possible:
- The NVT (Network Vulnerability Test) feed was updated beforehand, so that the scan used the latest vulnerability tests.
- All ports were scanned, open and closed alike, for a more complete evaluation.
- Exposed software and service versions were detected.
Analysis Process
Running the Scan with Nessus
First, a “basic” scan was run with the default Nessus options. A total of 16 vulnerabilities were found in a scan time of 11 minutes:
Illustration 3. Results of the basic scan of Nessus.
Nessus classifies findings as Critical, High, Medium or Low, plus a final Info category. Info entries should not be counted as vulnerabilities: they are information, such as “Determined your operating system is <the operating system>”. Some findings must be evaluated before deciding whether they are vulnerabilities at all. For example, “Found port 22 is open” is not a vulnerability in itself, since SSH is normally enabled on *NIX systems and runs on port 22; if port 22 should not be open, however, the security team must correct it.
Two critical vulnerabilities were found, including an unauthenticated RCE with a CVSS score of 10. Several report types are available: vulnerabilities by host, vulnerabilities by plugin, and the detailed variants of each. The attached reports are the detailed vulnerabilities by host, where each vulnerability and its remediation are explained in detail.
The advanced, aggressive scan found a total of 56 vulnerabilities in a scan time of 40 minutes, considerably longer than the basic one:
Illustration 4. Advanced Nessus scanning.
In this case, 10 critical vulnerabilities were found, including those found by the basic scan.
Nessus allows you to export reports in various formats, including PDF if Java is installed. In this case, the reports are in HTML.
Illustration 5. Types of reports that Nessus can generate.
The most detailed reports are “Detailed Vulnerabilities by Host” and “Detailed Vulnerabilities by Plugin”. They contain the key information about each vulnerability:
- Synopsis
- Description
- Solution
- CVSS v3 score
- CVSS v2 score
- Associated references / CVEs
- Output of the plugin that detected the vulnerability
Illustration 6. Example of a vulnerability report exported from Nessus.
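The fields listed above are also present in the raw `.nessus` XML export (NessusClientData_v2), which is the form most useful for post-processing. The following parser is an added example and is not part of the original report or of Tenable's tooling: it reads a constructed sample in that layout (the host address, plugin IDs and CVE string are placeholders, not values from a real Metasploitable3 scan), buckets findings by Nessus severity code while leaving Info out of the vulnerability count, and lists ports that fall outside an expected set, which is the review step the text describes for findings such as “port 22 is open”.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Severity codes Nessus writes into the .nessus (NessusClientData_v2) export.
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Constructed sample report. Host address, plugin IDs and the CVE string are
# placeholders, not values taken from a real Metasploitable3 scan.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="metasploitable3-advanced">
    <ReportHost name="192.168.56.103">
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="900001" pluginName="SSH Server Type and Version Information">
        <synopsis>An SSH server is listening on this port.</synopsis>
        <description>It is possible to obtain information about the remote SSH server.</description>
        <solution>n/a</solution>
        <risk_factor>None</risk_factor>
        <plugin_output>SSH version : SSH-2.0-OpenSSH_6.6.1p1</plugin_output>
      </ReportItem>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="4"
                  pluginID="900002" pluginName="Drupal Unauthenticated Remote Code Execution">
        <synopsis>The remote Drupal installation allows unauthenticated code execution.</synopsis>
        <description>An unauthenticated remote attacker can execute arbitrary code on the host.</description>
        <solution>Upgrade to a fixed Drupal release.</solution>
        <risk_factor>Critical</risk_factor>
        <cvss_base_score>10.0</cvss_base_score>
        <cvss3_base_score>9.8</cvss3_base_score>
        <cve>CVE-0000-00001</cve>
        <plugin_output>The injected PHP marker was echoed back by the server.</plugin_output>
      </ReportItem>
      <ReportItem port="8080" svc_name="www" protocol="tcp" severity="2"
                  pluginID="900003" pluginName="Web Server Directory Listing Enabled">
        <synopsis>Directory listing is enabled on the remote web server.</synopsis>
        <solution>Disable directory listing.</solution>
        <risk_factor>Medium</risk_factor>
        <cvss_base_score>5.0</cvss_base_score>
        <plugin_output>Listing obtained for /uploads/</plugin_output>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def _child_text(item, tag):
    """Return the stripped text of a child element, or None when it is absent."""
    el = item.find(tag)
    return el.text.strip() if el is not None and el.text else None


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict carrying the report fields."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            cvss2 = _child_text(item, "cvss_base_score")
            cvss3 = _child_text(item, "cvss3_base_score")
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "synopsis": _child_text(item, "synopsis"),
                "description": _child_text(item, "description"),
                "solution": _child_text(item, "solution"),
                "cvss2": float(cvss2) if cvss2 else None,
                "cvss3": float(cvss3) if cvss3 else None,
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
                "plugin_output": _child_text(item, "plugin_output"),
            })
    return findings


def count_by_severity(findings, include_info=False):
    """Count findings per severity label; Info is excluded unless asked for."""
    kept = (f for f in findings if include_info or f["severity"] > 0)
    return dict(Counter(SEVERITY_NAMES[f["severity"]] for f in kept))


def unexpected_ports(findings, expected_ports):
    """Ports present in the report that are not in the expected set: an open
    port is only a problem if it should not be open, so these need review."""
    seen = {(f["host"], f["port"], f["protocol"]) for f in findings if f["port"] > 0}
    return sorted(p for p in seen if p[1] not in expected_ports)


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print(count_by_severity(found))          # Info left out of the count
    print(unexpected_ports(found, {22, 80}))  # 8080 was not on the expected list
```

Port 0 is skipped in `unexpected_ports` because Nessus reports host-level plugins (OS fingerprinting and the like) with `port="0"`, which is not a listening service.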
Running the Scan with OpenVAS
Two scans were run, the first with the default “Full and Fast” configuration. A total of 19 vulnerabilities were found, with a scan time of 29 minutes:
Illustration 7. Full and Fast scan results.
The report states the filter applied to its results: entries at the “Log” and “Debug” levels are hidden, as are results whose Quality of Detection (QoD) is below 70%, the default threshold used to keep likely false positives out of the report.
Five critical vulnerabilities were detected, one of them the same unauthenticated Drupal RCE with a CVSS score of 10.
The second, optimized scan found a total of 21 vulnerabilities, with a runtime of 31 minutes.
Illustration 8. Results obtained from optimized scanning in OpenVAS.
A total of seven critical vulnerabilities were found, including the RCE found in all the previous scans.
OpenVAS excels in the quality of its reports, which are detailed and professional. Each vulnerability is treated in depth: a summary, the confidence (QoD) of the finding, the detection result, the possible impact, the possible solutions, the tests that can be run to detect the vulnerability, references and associated CVEs. In short, a more complete report than Nessus's.
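Because the default OpenVAS report view hides Log/Debug entries and anything below 70% QoD, the totals above depend on that filter as much as on the scan. The following is an added example, not code from the original report or from Greenbone: it reproduces the filter over a constructed result list in the shape of a GMP `<report>` (host, OIDs and names are placeholders; the exact element layout and the letter codes of the `levels=` filter term, h/m/l for High/Medium/Low, g for Log, d for Debug, f for False Positive, are assumptions of this example), and explains why each hidden result is missing, which is what a practitioner wants to know before comparing counts with another scanner.

```python
import xml.etree.ElementTree as ET

# Assumed letter codes of the GSA "levels=" filter term.
LEVEL_CODES = {"h": "High", "m": "Medium", "l": "Low",
               "g": "Log", "d": "Debug", "f": "False Positive"}

# Constructed result list in the shape of a GMP <report>. Host, OIDs and
# names are placeholders, not values from a real Metasploitable3 scan.
SAMPLE_GMP_REPORT = """<report id="r-0001">
  <results>
    <result id="1"><name>Drupal Unauthenticated Remote Code Execution</name>
      <host>192.168.56.103</host><port>80/tcp</port>
      <threat>High</threat><severity>10.0</severity>
      <qod><value>98</value><type>exploit</type></qod>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900001"><cvss_base>10.0</cvss_base></nvt>
    </result>
    <result id="2"><name>TLS Certificate Expired</name>
      <host>192.168.56.103</host><port>443/tcp</port>
      <threat>Medium</threat><severity>5.0</severity>
      <qod><value>70</value><type>remote_banner</type></qod>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900002"><cvss_base>5.0</cvss_base></nvt>
    </result>
    <result id="3"><name>Possibly Vulnerable PHP Version (banner only)</name>
      <host>192.168.56.103</host><port>80/tcp</port>
      <threat>High</threat><severity>7.5</severity>
      <qod><value>30</value><type>remote_banner_unreliable</type></qod>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900003"><cvss_base>7.5</cvss_base></nvt>
    </result>
    <result id="4"><name>OS Detection Report</name>
      <host>192.168.56.103</host><port>general/tcp</port>
      <threat>Log</threat><severity>0.0</severity>
      <qod><value>80</value><type>remote_banner</type></qod>
      <nvt oid="1.3.6.1.4.1.25623.1.0.900004"><cvss_base>0.0</cvss_base></nvt>
    </result>
  </results>
</report>
"""


def parse_gmp_results(xml_text):
    """Flatten each <result> into a dict with the fields the filter needs."""
    root = ET.fromstring(xml_text)
    results = []
    for r in root.iter("result"):
        results.append({
            "id": r.get("id"),
            "name": r.findtext("name"),
            "host": r.findtext("host"),
            "port": r.findtext("port"),
            "threat": r.findtext("threat"),
            "severity": float(r.findtext("severity")),
            "qod": int(r.findtext("qod/value")),
            "qod_type": r.findtext("qod/type"),
            "oid": r.find("nvt").get("oid"),
        })
    return results


def apply_report_filter(results, levels="hml", min_qod=70):
    """Default report view: selected threat levels only, QoD at least min_qod."""
    shown = {LEVEL_CODES[c] for c in levels}
    return [r for r in results if r["threat"] in shown and r["qod"] >= min_qod]


def hidden_with_reason(results, levels="hml", min_qod=70):
    """(id, reason) for every result the default view would not show."""
    shown = {LEVEL_CODES[c] for c in levels}
    reasons = []
    for r in results:
        if r["threat"] not in shown:
            reasons.append((r["id"], f"level {r['threat']} not in {levels}"))
        elif r["qod"] < min_qod:
            reasons.append((r["id"], f"qod {r['qod']} below {min_qod}"))
    return reasons


def count_by_threat(results):
    """Number of results per threat level, as the report summary shows them."""
    counts = {}
    for r in results:
        counts[r["threat"]] = counts.get(r["threat"], 0) + 1
    return counts


if __name__ == "__main__":
    rs = parse_gmp_results(SAMPLE_GMP_REPORT)
    print(count_by_threat(apply_report_filter(rs)))
    print(hidden_with_reason(rs))
```

Result 3 is a High-severity finding that disappears from the default view purely because it rests on an unreliable banner match (QoD 30), so a count of “High” results read off the report is a count of confident detections, not of everything the NVTs flagged; lowering `min_qod` or adding `g` to `levels` brings the rest back.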
Comparison of Results
The data obtained in the scans with the strictest Nessus and OpenVAS policies were compared according to several key criteria, with the default-policy results included for reference:
| Criterion | Nessus | OpenVAS |
|---|---|---|
| Vulnerabilities found (default policy) | 16 | 19 |
| Vulnerabilities found (strictest policy) | 56 | 21 |
| Critical vulnerabilities (strictest policy) | 10 | 7 |
| Scan time (strictest policy) | 40 min | 31 min |
| Reporting | Graphical visualization with key ideas | Detailed professional report |
Conclusions
- Nessus identified more critical vulnerabilities than OpenVAS on this target. The raw totals should be read with each tool's default filtering in mind: OpenVAS hides Log/Debug entries and results below 70% QoD, while Nessus lists Info findings as a separate category.
- OpenVAS excelled in providing detailed recommendations on insecure system configurations.
- Both tools offer complementary advantages and can be used together to improve coverage in security audits.
- Using both scanners in test and audit environments is recommended for a more accurate and complete assessment of the vulnerabilities present.