█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Vulnerability Management/Hands-on: OpenVAS in Docker
60 minIntermediate

Hands-on: OpenVAS in Docker

After this lesson, you will be able to: Run OpenVAS in Docker against a deliberately vulnerable VM and walk through the full scan-to-remediation cycle.

OpenVAS (now Greenbone Community Edition) is the leading open-source vulnerability scanner. It's what real security teams use when budget rules out Nessus or Qualys, and it's the single best free way to learn enterprise scanning workflows. This lesson walks you through stand-up, scanning, triage, and reporting.

Prerequisites:Continuous Vulnerability Management

What OpenVAS actually does

OpenVAS ships with tens of thousands of vulnerability checks (NVTs, Network Vulnerability Tests) that probe a target's services for known weaknesses. It detects open ports, identifies running software versions, then matches those versions against its CVE database. The output is a prioritised report with CVSS scores, affected hosts, and remediation guidance, the same shape you'd get from Tenable or Qualys.

Spin up OpenVAS in Docker

The Greenbone Community Edition Docker image is the fastest path to a working scanner.

  1. 1

    Install Docker Desktop if you haven't already

  2. 2

    Clone the official compose file: git clone https://github.com/greenbone/greenbone-community-container.git

  3. 3

    cd greenbone-community-container && docker compose -f docker-compose-22.4.yml -p greenbone-community-edition up -d

  4. 4

    Wait for the feed sync (first run, 30-60 min). Watch progress with: docker compose -p greenbone-community-edition logs -f

  5. 5

    Once ready, open https://127.0.0.1:9392 and log in with the default admin/admin (CHANGE THIS PASSWORD immediately)

  6. 6

    Create a scan target pointing at a vulnerable VM (next step) and kick off a Full and Fast scan

Stand up Metasploitable 2 as a target

Metasploitable 2 is an intentionally vulnerable Linux VM, the canonical scan target.

  1. 1

    Download Metasploitable 2 from sourceforge.net/projects/metasploitable, extract the .vmdk

  2. 2

    Import into VirtualBox as a new VM (Linux, Ubuntu 32-bit, attach the .vmdk)

  3. 3

    Set the network to Host-only so it cannot reach the internet (this VM is unpatched, do NOT bridge it)

  4. 4

    Boot it, log in (msfadmin/msfadmin), run ifconfig to note its IP

  5. 5

    From your OpenVAS host, ping that IP to confirm reachability

  6. 6

    In OpenVAS UI: Configuration > Targets > New Target > Hosts: <metasploitable-IP>

Run the scan and triage the report

This is where real vulnerability management lives.

  1. 1

    Scans > Tasks > New Task > pick your Metasploitable target and the 'Full and Fast' scan config

  2. 2

    Start the task. A Metasploitable scan takes ~15-30 min in Full and Fast mode

  3. 3

    Open the report when complete. Sort by severity. Note CVEs that show CVSS >= 9.0

  4. 4

    For each Critical finding, write: what the vulnerability is in plain language, who's affected, and the recommended fix (upgrade, configuration change, or workaround)

  5. 5

    Group findings by remediation, e.g., 'apt upgrade openssh-server' may resolve 4 CVEs at once

  6. 6

    Export the report as PDF, this is the artefact you'd hand to a sysadmin

💡 Scanners lie. So do scan reports.

Every scanner produces false positives. A scanner that says vsftpd 2.3.4 has a backdoor when the running binary is actually patched 2.3.5 is a false positive you must verify before raising the alarm. Always validate at least the high-severity findings by checking the actual running version (apt list --installed, rpm -qa, banner grabbing). Scanner-as-truth is the #1 mistake new vulnerability analysts make.

Common mistakes only experienced analysts catch

Authenticated vs unauthenticated scans return wildly different results. Always run both; the authenticated scan finds local-only issues (missing patches, weak configs). Scanning production at peak hours can knock services over. Schedule scans for low-traffic windows or use lighter scan configs. Treating every Medium severity as ignorable. Some Medium-CVSS bugs are chained into critical exploits in the wild; check CISA KEV. Not rescanning after remediation. The 'fix it and forget it' loop never closes; verification is the discipline that separates real VM programs from theatre.

Quick Check

Why scan with credentials?

Credentialed scans return MORE accurate results than unauthenticated. Why?

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Continuous Vulnerability Management
Back to Vulnerability Management
Reading CVEs and Writing the Report→