
OpenVAS-8 DEMO Virtual Appliance

Version: 1.0 (up-to-date regarding base system, OpenVAS-8 and Feed as of 2015-05-20)

Download Sites for the OVA Image (3.2 GByte):

MD5SUM: b7604b49a1bf3080786be36965b055e9

Compatibility: VirtualBox >=4.3, ESXi >=4

Important Notes:

  • Security (it is highly recommended that you follow these steps immediately after first start):
    • You should change the default password for system account "root" (log in as root and run the command "passwd").
    • You should change the default password for system account "openvas" (log in as openvas and run the command "passwd").
    • You should change the default password for web account "admin" (log in as admin via the web interface and go to "Extras/My Settings". Via the Edit button, change the password; remember to tick the checkbox to confirm the password change).
    • You should upgrade the base system immediately to install all security updates published in the meantime. The base system is Debian Jessie, so you need to run as root the command apt-get update && apt-get upgrade (or other management tools you might prefer).
    • A self-signed SSL certificate is used. You need to allow an exception in your browser at first login.
      Replace it if you don't want to share the same certificate with other OpenVAS DEMO installations.
    • Encryption of passwords: The first time you create a credential object, a new password encryption key will be generated.
    • TLS Ciphers: The TLS ciphers offered by the HTTPS and OMP services can be configured. You need to start the corresponding daemons with the right parameters.
  • Usage:
    • If you don't know where to log in to the web interface: The IP address of the system should be displayed before the login prompt. If it is not, press ENTER to request a new login prompt; in the meantime, the system should have acquired an IP address and you should be able to use it.
  • GNU GPL: In compliance with GNU GPL, any sources are already pre-installed on the VM (under /root/sources)
  • Performance: After import it might make sense to increase resources (CPU, RAM), given your host can provide this
  • Updating OpenVAS: OpenVAS was built in /home/openvas/src. You need to download the newest releases as tar.gz files and follow the usual scheme for building OpenVAS from source.
  • Web timeout: If you want to increase the web timeout to, for example, 1 hour, create a systemd drop-in file at /etc/systemd/system/gsa.service.d/timeout.conf with the following content (refer to the systemd documentation for more details):
    [Service]
    # The empty assignment resets the ExecStart= inherited from gsa.service (only Type=oneshot units may have more than one)
    ExecStart=
    ExecStart=/usr/local/bin/gsad --foreground --timeout=60
  • Alternative web interface ITS (IT-Schwachstellenampel, German only): As root, enter switchface-its. Switch back with switchface-classic. It might help to force a reload in the browser after the switch to get all decoration changes. This switch will be reset upon reboot of the system.
  • You can switch the keyboard layout as root by using the recommended method: dpkg --configure keyboard-configuration && service keyboard-setup restart. Alternatively, you can use the following shortcut: switchkbd de to switch to German layout. This shortcut might not work in all cases.

OpenVAS-7 DEMO Virtual Appliance

Version: 2.4 (up-to-date regarding base system, OpenVAS-7 and Feed as of 2015-01-19)

Download Sites for the OVA Image (3.6 GByte):

MD5SUM: 0f7440cf42b6b34eeaab7ff33d2a4296

Compatibility: VirtualBox >=4.3, ESXi >=4

Important Notes:

  • Security (it is highly recommended that you follow these steps immediately after first start):
    • You should change the default password for system account "root" (log in as root and run the command "passwd").
    • You should change the default password for system account "openvas" (log in as openvas and run the command "passwd").
    • You should change the default password for web account "admin" (log in as admin via the web interface and go to "Extras/My Settings". Via the Edit button, change the password; remember to tick the checkbox to confirm the password change).
    • You should upgrade the base system immediately to install all security updates published in the meantime. The base system is Debian Wheezy, so you need to run as "root" the command "apt-get dist-upgrade" (or other management tools you might prefer).
    • A self-signed SSL certificate is used. You need to allow an exception in your browser at first login.
      Replace it if you don't want to share the same certificate with other OpenVAS DEMO installations.
    • Encryption of passwords: The passwords that you enter for Credentials (ssh/smb) and that are used for authenticated scans are stored encrypted. An encryption key is pre-installed because creating one can take a considerable time (up to 60 minutes).
      If you do not replace this key, you share the same encryption key with other OpenVAS DEMO installations!
      To delete the key and create a new one (takes up to 60 minutes), run:
      gpg --homedir=/usr/local/etc/openvas/gnupg --delete-secret-keys 94094F5B
      gpg --homedir=/usr/local/etc/openvas/gnupg --delete-keys 94094F5B
      openvasmd --create-credentials-encryption-key
      /etc/init.d/openvas-manager restart
      You will find further details and hints about the key management in the file "/root/build/openvas-manager-5.0.*/INSTALL".
    • TLS Ciphers: The TLS ciphers offered by the HTTPS and OMP services can be configured. Examples are prepared that should be configured more strictly for production use. They are located here: "/etc/default/openvas-manager" and "/etc/default/greenbone-security-assistant.*"
  • Usage:
    • If you don't know where to log into the web interface, then log in as system user "openvas" and the URL will be printed.
  • GNU GPL: In compliance with GNU GPL, any sources are already pre-installed on the VM (under /root/source)
  • Performance: After import it might make sense to increase resources (CPU, RAM), given your host can provide this
  • Updating OpenVAS: OpenVAS was built in /root/build. You need to download the newest releases as tar.gz files and follow the usual scheme for building OpenVAS from source. The install prefix is "/usr/local".
  • Web timeout: If you want to increase the web timeout to, for example, 1 hour, add "--timeout=60" to DAEMON_ARGS in "/etc/default/greenbone-security-assistant.*" and then restart.
  • Alternative web interface ITS (IT-Schwachstellenampel, German only): As root, enter "./switchface-its". Switch back with "./switchface-classic". It might help to force a reload in the browser after the switch to get all decoration changes.
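
Whether the pre-installed, shared credentials encryption key from the OpenVAS-7 notes above is still present can be checked with a short script. This is an added example, not part of the original page or of the OpenVAS project: the function names and sample listings are constructed, while the key ID and keyring path are the ones given above.

```shell
#!/bin/sh
# Added example: detect whether the pre-installed DEMO credentials
# encryption key is still in the OpenVAS manager's GnuPG keyring.

DEMO_KEY_ID="94094F5B"                      # short key ID from the notes above
GNUPG_HOME="/usr/local/etc/openvas/gnupg"   # keyring path from the notes above

# Reads `gpg --with-colons` output on stdin. Returns 0 if the key ID of any
# secret key (field 5 of a "sec" record) ends in the given short ID, else 1.
has_key() {
    awk -F: -v want="$1" '
        BEGIN { want = toupper(want); n = length(want) }
        $1 == "sec" {
            id = toupper($5)
            if (length(id) >= n && substr(id, length(id) - n + 1) == want)
                found = 1
        }
        END { exit !found }'
}

# Checks the live keyring; run as root on the appliance.
# Returns 0 = demo key gone, 1 = demo key still present, 2 = gpg failed.
check_appliance() {
    listing=$(gpg --homedir="$GNUPG_HOME" --list-secret-keys --with-colons) \
        || { echo "ERROR: could not read keyring in $GNUPG_HOME" >&2; return 2; }
    if printf '%s\n' "$listing" | has_key "$DEMO_KEY_ID"; then
        echo "WARNING: shared DEMO encryption key $DEMO_KEY_ID is still installed"
        return 1
    fi
    echo "OK: DEMO encryption key $DEMO_KEY_ID not found"
}

# Constructed sample listings (not real keyring output) for offline testing.
SAMPLE_DEMO='sec:u:2048:1:0123456794094F5B:1400000000:::u:::scESC:
uid:u::::1400000000::0000000000000000000000000000000000000000::Constructed demo key:'
SAMPLE_NEW='sec:u:2048:1:89ABCDEF01234567:1432100000:::u:::scESC:
uid:u::::1432100000::0000000000000000000000000000000000000000::Constructed replacement key:'

# Only touch the real keyring when asked to: sh check-demo-key.sh --check
if [ "${1:-}" = "--check" ]; then
    check_appliance
fi
```

A non-zero exit status from check_appliance means the key has not been replaced yet, or that the keyring could not be read.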

Important note on these Virtual Appliances

Please note that these virtual appliances are for demonstration/testing purposes and are not recommended for regular production use, particularly for more than a few hosts, depending on local system resources. The OpenVAS scanner is resource intensive and may take a long time to start on slower systems, especially when run as a VM on laptops.