bility scanning, is to improve the security posture of your target. If the organization is getting your recommendations and then not doing anything with them, that’s worse than not running the scans at all. What happens when you present a report to the organization you are working for is that they become aware of the vulnerabilities you have identified. This information can then be used against them if they don’t do anything with what you have told them.
OpenVAS Reports
The report is the most important aspect of your work. You will be writing your own report when you are complete, but the report that is issued from the vulnerability scanner is helpful for you to understand where you might start looking. There are two things to be aware of when we start to look at vulnerability scanner reports. First, the vulnerability scanner uses specific signatures to determine whether the vulnerability is there. This may be something like banner grabbing to compare version numbers. You can’t be sure that the vulnerability exists because a tool like OpenVAS does not exploit the vulnerability. Second, and this is related, you can get false positives. Since the vulnerability scanner does not exploit the vulnerability, the best it can do is get a probability.
If you are not running a scan with credentials, you are going to miss detecting a lot of vulnerabilities. You will also have a higher potential for getting false positives. A false positive is an indication that the vulnerability exists when it doesn’t. This is why a report from OpenVAS or any other scanner isn’t sufficient. Since there is no guarantee that the vulnerability actually exists, you need to be able to validate the reports so your final report presents legitimate vulnerabilities that need to be remediated.
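The two points above (banner-based signatures only give a probability, and banner-derived findings need manual validation before they go in your final report) can be turned into a small triage step. The script below is an added example, not code from the book or from the OpenVAS project: it reads a constructed report modelled on the GMP `<result>` element (host, port, nvt, severity, qod), sets low-confidence findings aside, and flags every banner-derived finding for validation. The tag layout and the QoD values in the sample are assumptions, so adapt them to a real exported report.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the GMP <result> element; tag layout and
# QoD values are assumptions, not taken from a real OpenVAS export.
SAMPLE_REPORT = """<report><results>
 <result id="r1"><host>10.0.0.5</host><port>22/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.1"><name>SSH banner version check</name></nvt>
  <severity>7.5</severity><qod><value>80</value><type>remote_banner</type></qod></result>
 <result id="r2"><host>10.0.0.5</host><port>80/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.2"><name>Web server active check</name></nvt>
  <severity>5.0</severity><qod><value>99</value><type>remote_vul</type></qod></result>
 <result id="r3"><host>10.0.0.9</host><port>25/tcp</port>
  <nvt oid="1.3.6.1.4.1.25623.1.0.3"><name>SMTP banner guess</name></nvt>
  <severity>9.8</severity><qod><value>30</value><type>remote_banner_unreliable</type></qod></result>
</results></report>"""

# Detection methods that only compared a version string, never verified the flaw.
BANNER_TYPES = {"remote_banner", "remote_banner_unreliable"}


def parse_results(xml_text):
    """Return one dict per <result> with the fields needed for triage."""
    findings = []
    for r in ET.fromstring(xml_text).iter("result"):
        findings.append({
            "id": r.get("id"),
            "host": r.findtext("host", ""),
            "port": r.findtext("port", ""),
            "name": r.findtext("nvt/name", ""),
            "severity": float(r.findtext("severity", "0")),
            "qod": int(r.findtext("qod/value", "0")),
            "qod_type": r.findtext("qod/type", ""),
        })
    return findings


def triage(findings, min_qod=70):
    """Split findings into a ranked list to work through and a low-confidence pile.

    Findings below min_qod are set aside (not dropped) as probable false positives;
    the rest are sorted by severity then QoD, and banner-derived ones get 'validate'.
    """
    keep = [f for f in findings if f["qod"] >= min_qod]
    aside = [f for f in findings if f["qod"] < min_qod]
    for f in keep:
        f["validate"] = f["qod_type"] in BANNER_TYPES
    keep.sort(key=lambda f: (-f["severity"], -f["qod"]))
    return keep, aside


if __name__ == "__main__":
    ranked, low_confidence = triage(parse_results(SAMPLE_REPORT))
    for f in ranked:
        tag = "  [validate before reporting]" if f["validate"] else ""
        print(f"{f['severity']:4} QoD={f['qod']:3} {f['host']}:{f['port']} {f['name']}{tag}")
    print(f"{len(low_confidence)} low-confidence finding(s) set aside for a credentialed rescan")
```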
However, enough with the remonstration. Let’s get on with looking at the reports so we can start determining what is legitimately troubling and what may be less concerning. The first thing we need to do is go back to the OpenVAS web interface after the scan is complete (scans of large networks with a lot of services can be very time-consuming, especially if you are doing deep scans).
In the Scans menu, you will find the item Reports. From there, you get to the Report dashboard. That will give you a list of all the scans you have done as well as some graphs of the severity of the findings from your scans. You can see the Report dashboard in Figure 4-12.