This project is a demonstration of using OpenVAS by building a Vulnerability Management Lab on Azure. I will create an OpenVAS-configured VM and a client VM. To simulate vulnerability detection with the OpenVAS tool, I will scan the client right after creation with default settings, then intentionally make it vulnerable by installing several outdated but very common applications, run another scan, and then fix the vulnerabilities OpenVAS reports by updating the system and removing the outdated applications. A final scan will show how many vulnerabilities were fixed.
Prepare Vulnerability Management Scanner
Create Client Virtual Machine and Make it Vulnerable
Perform Unauthenticated Scan
Make Configurations for Authenticated Scans (VM)
Make Configurations for Authenticated Scans (OpenVAS)
Perform Authenticated Scan against our Vulnerable Windows VM
Remediate Vulnerabilities
Verify Remediation
- No special requirement just internet and browser to access Azure Portal.
- Azure VM
- OpenVAS on Azure
- Microsoft Windows 11
- OpenVAS - https://openvas.org/
- Azure Portal - https://portal.azure.com/
The goal of the lab is to configure and explore the platform, not to practice remediation. I will perform some minor vulnerability remediation, but only to test how the scans change in response.
Prepare Vulnerability Management Scanner: from the Azure Portal, go to the Marketplace → “OpenVAS secured and supported by HOSSTED” and proceed to create a "Vulnerability-Management" resource group and VM.
# OpenVAS CyberSecurity Vulnerability Management Project
In Microsoft Azure, access the marketplace and search for "OpenVAS secured and supported by HOSSTED".
Click on "Start with a pre-set configuration" and choose the weakest one.
Proceed through creating a virtual machine process.
Note: the Vulnerability Scanner and the client VMs need to be in the same region. Also, under the Monitoring tab, I disable "boot diagnostics" because I won't need it.
After a couple of minutes, my OpenVAS VM deployed!
After the VM is created, I copy the public IP of the machine from Azure and SSH into it using PowerShell because I am using a Windows machine. Mac users will use Terminal.
This will take a while. Take note of the username and password.
Copy and paste this URL into a new tab and this will bring me to the OpenVAS webserver where I log in and perform vulnerability management.
After logging in, I changed the password to something easier to remember for this lab.
Navigate back to the Azure portal and create a new VM. I make sure to create it in the same Resource Group and Region.
Under the Networking tab make sure it's in the same Virtual Network "OpenVAS-vnet".
After the VM is created, I ensure I can RDP into the VM using the credentials I created.
Success!
Next, I make the VM vulnerable by disabling the Windows Firewall and installing old versions of software like Firefox, VLC, and Adobe Reader.
To disable Windows Firewall, navigate to Windows Defender Firewall with Advanced Security. Click on Windows Defender Firewall Properties and set the Firewall state to Off under the Domain, Private, and Public Profile tabs.
Now to install some old software, copy and paste this link, https://drive.google.com/drive/u/2/folders/1n83ilCjZWZulbDdYnUe9wQPK2buY47_U into the browser on the VM. Download and install the software.
After installation, I will restart the VM and leave it for now.
Log in to the OpenVAS web server that I accessed earlier. Click Assets -> Hosts -> New Host
Add the Client VM's Private IP Address. I got this from the Azure Portal.
Create a New Target from the Host and name it "Azure Vulnerable VMs".
Next, create a new Task. Under the Scans tab, click Tasks and then the create-a-new-task icon.
Name it "Scan - Azure Vulnerable VMs", select "Azure Vulnerable VMs" from the Scan Targets dropdown, and Save the Task.
Start the "Scan - Azure Vulnerable VMs" Task by clicking on the play button under Actions. This will take a while.
Take note of the Status throughout the scan.
Once the scan is finished, click the date under "Last Report" to see the results. Take note of Tabs, specifically the "Results" tab.
Even though I installed super old software, it does not show up here. This is because I'm not running a credentialed scan so the scanner could not discover it. I will configure credential scans next.
You can see more results by clicking the X, a remove filter button.
Navigate back to the Windows VM. Disable User Account Control by clicking start and typing "user account control". Then drag the meter down.
Next, enable Remote Registry by clicking start and searching for "services.msc". Look for Remote Registry and click it.
Change Startup Type to "Automatic" click Apply and then Start.
Next, set the Registry Key.
- First launch the Registry Editor (regedit.exe) in "Run as administrator" mode.
- Navigate to the HKEY_LOCAL_MACHINE hive
- Open the SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System key
- Create a new DWORD (32-bit) value named LocalAccountTokenFilterPolicy with value 1 (after creating the DWORD, right-click it and click Modify to set the value)
- Close Registry Editor
- Restart the VM
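The same host-side prerequisites, as an added PowerShell example that is not part of the original project: run it from an elevated prompt on the client VM. It assumes the UAC slider's "Never notify" position corresponds to ConsentPromptBehaviorAdmin=0 and PromptOnSecureDesktop=0, and that TCP 445 is the SMB port the scanner will use.

```powershell
# Added example (not from the original project): the authenticated-scan
# prerequisites the walkthrough sets by hand, done from an elevated PowerShell
# prompt on the client VM. These settings deliberately weaken the host; keep
# them to the isolated lab VNet and revert them when the lab is finished.
#Requires -RunAsAdministrator

$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Enable-ScanPrerequisites {
    # 1. Remote Registry: the scanner reads installed-software and patch data over SMB/RPC
    Set-Service -Name RemoteRegistry -StartupType Automatic
    Start-Service -Name RemoteRegistry

    # 2. LocalAccountTokenFilterPolicy = 1 lets a local (non-domain) admin account
    #    keep its full token over the network instead of a UAC-filtered one.
    New-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # 3. UAC slider at "Never notify" (the walkthrough drags the meter down);
    #    assumption: ConsentPromptBehaviorAdmin=0 plus PromptOnSecureDesktop=0 is that setting.
    Set-ItemProperty -Path $policyKey -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
    Set-ItemProperty -Path $policyKey -Name PromptOnSecureDesktop -Value 0 -Type DWord
}

function Test-ScanPrerequisites {
    # Returns a small report object so the state can be checked before starting the task.
    $svc = Get-Service -Name RemoteRegistry
    $pol = Get-ItemProperty -Path $policyKey
    [pscustomobject]@{
        RemoteRegistryRunning = ($svc.Status -eq 'Running')
        RemoteRegistryAuto    = ($svc.StartType -eq 'Automatic')
        TokenFilterDisabled   = ($pol.LocalAccountTokenFilterPolicy -eq 1)
        Smb445Listening       = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
}

Enable-ScanPrerequisites
Test-ScanPrerequisites | Format-List
Write-Host 'Run Restart-Computer to apply the UAC change, then launch the credentialed task in OpenVAS.'
```

If any field in the report is False, the credentialed task will fall back to the unauthenticated results seen earlier, so fix it before cloning the task.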
Navigate back to the OpenVAS webserver. Click on the Configuration tab -> Credentials -> New Credential
Name it "Azure VM Credentials". Change Allow Insecure Use to "Yes". I will enter the username and password I used for the Windows 10 VM.
Go to Configuration -> Targets -> CLONE the Target I made before (the little sheep icon)
Edit and Rename it “Azure Vulnerable VMs - Credentialed Scan”. Ensure the Private IP is still accurate. Under "Credentials for authenticated checks" click the SMB dropdown and select "Azure VM Credentials" that I just created. Save it.
Within OpenVAS, go to Scans -> Tasks
CLONE the "Windows Scan" Task, then Edit it:
- Rename the clone to "Scan - Azure Vulnerable VMs - Credentialed"
- Targets: Azure Vulnerable VMs - Credentialed Scan
- and Save
Click the Play button to launch the new Credentialed Scan and wait for it to finish. This will take longer than last time.
After the credentialed scan finishes, I immediately see the difference in findings.
Remove the filter. Check SMB login under "Results".
Further, inspect the individual vulnerabilities and see all the Criticals from the out-of-date Firefox.
You can see each vulnerability in more detail by clicking on them.
Navigate back to the Windows 10 Vulnerable VM. Instead of taking the time to update each software, I'm just going to uninstall them. I could automate this process, but since it's just a couple of programs on one VM, I will just do it manually.
After uninstalling, restart the VM.
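Automating that clean-up, as an added PowerShell example that is not part of the original project: it reads the same Uninstall registry keys a credentialed scan inspects, removes the lab's outdated packages, and goes one step beyond the walkthrough by re-enabling the firewall profiles. The display-name patterns and the silent switches for the Firefox and VLC uninstallers are assumptions to check against the Get-OutdatedApps output first.

```powershell
# Added example (not from the original project): automate the manual clean-up.
# Inventories installed software the way an authenticated scan sees it (the
# Uninstall registry keys), removes the lab's deliberately outdated packages,
# and re-enables the firewall profiles the lab turned off.
#Requires -RunAsAdministrator

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Display-name patterns of the lab's outdated installs (assumption: these match the
# packages from the shared download folder; adjust after checking Get-OutdatedApps).
$targets = 'Mozilla Firefox*', 'VLC media player*', 'Adobe*Reader*'

function Get-OutdatedApps {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $n = $_.DisplayName; $n -and ($targets | Where-Object { $n -like $_ }) } |
        Select-Object DisplayName, DisplayVersion, QuietUninstallString, UninstallString
}

function Remove-OutdatedApps {
    foreach ($app in Get-OutdatedApps) {
        if ($app.QuietUninstallString) {
            # Vendor already supplies a silent command line
            Start-Process cmd.exe -ArgumentList "/c $($app.QuietUninstallString)" -Wait
        } elseif ($app.UninstallString -match '\{[0-9A-F-]{36}\}') {
            # MSI-based package (Adobe Reader): uninstall by product code
            Start-Process msiexec.exe -ArgumentList "/x $($Matches[0]) /qn /norestart" -Wait
        } else {
            # NSIS/EXE uninstallers: assumption that Firefox takes -ms and VLC takes /S
            $silent = if ($app.DisplayName -like 'Mozilla*') { '-ms' } else { '/S' }
            Start-Process $app.UninstallString.Trim('"') -ArgumentList $silent -Wait
        }
        Write-Host "Removed: $($app.DisplayName) $($app.DisplayVersion)"
    }
}

function Restore-HostControls {
    # The remaining Defender findings in the walkthrough point at the disabled
    # firewall; turning the profiles back on is the matching remediation.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
}

Remove-OutdatedApps
Restore-HostControls
# Anything still listed here will be reported again on the next credentialed scan
Get-OutdatedApps | Format-Table DisplayName, DisplayVersion
```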
To check if the VM has restarted you can navigate to the Azure portal.
Looks like both VMs are up and running.
Navigate back to the OpenVAS webserver and re-initiate the “Scan - Azure Vulnerable VMs - Credentialed” scan and observe the results.
After the scan, the "Trend" column shows that the number of vulnerabilities went down compared to the previous scan.
There are still several vulnerabilities, but I can see that uninstalling the old software cleared vulnerabilities they may have created.
I can see that many of the remaining vulnerabilities are from Microsoft Defender, which may be related to disabling the Firewall and User Account Control on the Client VM.
To sum up this project, this is what I did:
- Set up a secure Azure network with an OpenVAS Vulnerability Management Scanner VM.
- Developed a vulnerable Windows 10 VM, featuring outdated software and disabled security controls.
- Performed unauthenticated and credentialed vulnerability scans using OpenVAS.
- Analyzed scan results, highlighting the difference between unauthenticated and credentialed scans.
- Remediated identified vulnerabilities, and verified successful remediation through subsequent scans.
- Created a list of remediable vulnerabilities to simulate realistic vulnerability remediation scenarios.
Analyzing how we manage vulnerabilities in Azure with Greenbone OpenVAS is interesting. While fixing critical issues seems effective, it's curious that applying system updates didn't change the scan much. I'm wondering if the timing of scans matters – maybe waiting some time after updates could make a difference?
I'm keen on setting up a local version of this lab and adding Nessus and Qualys scanners for comparison. Seeing how different scanners report vulnerabilities could give us a better understanding. The plan is to check if these scanners find issues that others might miss.
Sharing the process and findings while setting up the lab could help others, and it's a good way to contribute to the cybersecurity community.