After this lesson, you will be able to: Run OpenVAS in Docker against a deliberately vulnerable VM and walk through the full scan-to-remediation cycle.
OpenVAS (now Greenbone Community Edition) is the leading open-source vulnerability scanner. It's what real security teams use when budget rules out Nessus or Qualys, and it's the single best free way to learn enterprise scanning workflows. This lesson walks you through stand-up, scanning, triage, and reporting.
OpenVAS ships with tens of thousands of vulnerability checks (NVTs, Network Vulnerability Tests) that probe a target's services for known weaknesses. It detects open ports, identifies running software versions, then matches those versions against its CVE database. The output is a prioritised report with CVSS scores, affected hosts, and remediation guidance, the same shape you'd get from Tenable or Qualys.
The Greenbone Community Edition Docker image is the fastest path to a working scanner.
Install Docker Desktop if you haven't already
Clone the official compose file: git clone https://github.com/greenbone/greenbone-community-container.git
cd greenbone-community-container && docker compose -f docker-compose-22.4.yml -p greenbone-community-edition up -d
Wait for the feed sync (first run, 30-60 min). Watch progress with: docker compose -p greenbone-community-edition logs -f
Once ready, open https://127.0.0.1:9392 and log in with the default admin/admin (CHANGE THIS PASSWORD immediately)
Create a scan target pointing at a vulnerable VM (next step) and kick off a Full and Fast scan
Metasploitable 2 is an intentionally vulnerable Linux VM, the canonical scan target.
Download Metasploitable 2 from sourceforge.net/projects/metasploitable, extract the .vmdk
Import into VirtualBox as a new VM (Linux, Ubuntu 32-bit, attach the .vmdk)
Set the network to Host-only so it cannot reach the internet (this VM is unpatched, do NOT bridge it)
Boot it, log in (msfadmin/msfadmin), run ifconfig to note its IP
From your OpenVAS host, ping that IP to confirm reachability
In OpenVAS UI: Configuration > Targets > New Target > Hosts: <metasploitable-IP>
This is where real vulnerability management lives.
Scans > Tasks > New Task > pick your Metasploitable target and the 'Full and Fast' scan config
Start the task. A Metasploitable scan takes ~15-30 min in Full and Fast mode
Open the report when complete. Sort by severity. Note CVEs that show CVSS >= 9.0
For each Critical finding, write: what the vulnerability is in plain language, who's affected, and the recommended fix (upgrade, configuration change, or workaround)
Group findings by remediation, e.g., 'apt upgrade openssh-server' may resolve 4 CVEs at once
Export the report as PDF, this is the artefact you'd hand to a sysadmin
Authenticated vs unauthenticated scans return wildly different results. Always run both; the authenticated scan finds local-only issues (missing patches, weak configs). Scanning production at peak hours can knock services over. Schedule scans for low-traffic windows or use lighter scan configs. Treating every Medium severity as ignorable. Some Medium-CVSS bugs are chained into critical exploits in the wild; check CISA KEV. Not rescanning after remediation. The 'fix it and forget it' loop never closes; verification is the discipline that separates real VM programs from theatre.
Credentialed scans return MORE accurate results than unauthenticated. Why?
Sign in and purchase access to unlock this lesson.