Hello everyone!
I really need help understanding Greenbone scanning mechanisms.
I use Greenbone with Greenbone Security Assistant version 22.9.1.
The thing is that at the moment I have a task to minimize the impact of scanning on web services. Here is how I check this: I set up a web server on nginx, published a simple page on port 80, and scan this server using various combinations of NVTs. After each scan, I analyze the access.log file to understand how many requests the server received during the scan, and compare this with the settings of the vulnerability families and the individual vulnerabilities within those families used in that scan.
In addition, deliberately vulnerable databases are also running on my server so that I can clearly see the result of vulnerability detection. The list of ports open on the scan target: 80, 135, 443, 1433, 1434, 1521, 1522, 3306, 4022, 5432, 5601, 6379, 9042, 9142, 9160, 9200, 9300, 27017, 27018, 27019.
I noticed that enabling some vulnerabilities in Greenbone scan settings significantly increases the number of requests to the web server. For example, during the first check I selected the following vulnerabilities:
- from the Databases family: PostgreSQL Trust Authentication Enabled (PostgreSQL Protocol) 1.3.6.1.4.1.25623.1.0.145872, Redis Server No Password 1.3.6.1.4.1.25623.1.0.105291 and Unprotected MongoDB Service 1.3.6.1.4.1.25623.1.0.105235;
- from the Default Accounts family: Microsoft SQL (MSSQL) Server Blank Password (TCP/IP Listener) 1.3.6.1.4.1.25623.1.0.10673, MySQL / MariaDB Default Credentials (MySQL Protocol) 1.3.6.1.4.1.25623.1.0.103551, PostgreSQL Default Credentials (PostgreSQL Protocol) 1.3.6.1.4.1.25623.1.0.103552, PostgreSQL No Password Protection (PostgreSQL Protocol) 1.3.6.1.4.1.25623.1.0.103798 and Redis Server Default Password (Redis Protocol) 1.3.6.1.4.1.25623.1.0.105289;
- in the Port scanners settings, OpenVAS TCP scanner is selected.
A check with these settings yielded only 75 entries in the web server log (although it is unclear why the web server was accessed at all when performing the above-described checks).
For the second check I added only one vulnerability from the Default Accounts family to the configuration above: Zabbix Default Guest Account (HTTP) 1.3.6.1.4.1.25623.1.0.106180. After that I received 5364 requests to the web server.
I also noticed that adding vulnerabilities such as database server EOL detection to the check also causes an inexplicably large volume of requests to the web server.
Initially, I expected that Greenbone would perform only those checks that I noted, but now it seems to me that it performs some additional checks that I do not need.
Why is this happening? How do I know which check will cause Greenbone to contact the web server and which won’t?
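Two small helpers that support the kind of investigation described in the post above. This is an added example, not code from the post or from Greenbone. Part 1 counts the requests a scanner host made in an nginx access.log (combined format), per path and per User-Agent, so a scan's footprint can be compared between configurations. Part 2 walks `script_dependencies()` declarations, which is the real NASL mechanism by which an NVT names the scripts it needs run first, and computes the transitive set of scripts a single selected NVT pulls in; the scanner runs those prerequisites too, so the executed set is larger than the selected set. The log lines, the scanner IP 192.0.2.10, and the NASL file names and contents are all constructed for illustration; check the actual scripts in your feed rather than relying on these stand-ins.

```python
"""Helpers for answering "which NVTs make the scanner touch my web server?"

Added example (not from the original post or from Greenbone). All sample
data below is constructed; file names and contents are stand-ins.
"""
import re
from collections import Counter

# --- Part 1: attribute nginx access.log requests to the scanner ------------
# nginx "combined" log format: ip ident user [time] "METHOD path proto"
# status bytes "referer" "user-agent". Source IP, path and UA are what we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def summarize_scanner_requests(log_lines, scanner_ip):
    """Count requests from scanner_ip, grouped by path and by User-Agent.

    Traffic from any other host is ignored so ordinary visitors do not
    inflate the per-scan count. Lines the regex cannot parse are counted
    separately instead of being silently dropped.
    """
    per_path, per_ua = Counter(), Counter()
    total = unparsed = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            unparsed += 1
            continue
        if m["ip"] != scanner_ip:
            continue
        total += 1
        per_path[m["path"]] += 1
        per_ua[m["ua"]] += 1
    return {"total": total, "per_path": per_path, "per_ua": per_ua, "unparsed": unparsed}


# Constructed sample log: three requests from the (assumed) scanner at
# 192.0.2.10, one from an unrelated client, and one malformed line.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (constructed scanner UA)"',
    '192.0.2.10 - - [10/Mar/2024:12:00:02 +0000] "GET /zabbix/ HTTP/1.1" 404 153 "-" "Mozilla/5.0 (constructed scanner UA)"',
    '192.0.2.10 - - [10/Mar/2024:12:00:02 +0000] "GET /robots.txt HTTP/1.1" 404 153 "-" "Mozilla/5.0 (constructed scanner UA)"',
    '198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.5.0"',
    'not a log line at all',
]

# --- Part 2: what does one selected NVT transitively require? ---------------
# NASL scripts declare prerequisites with script_dependencies("a.nasl", "b.nasl").
DEP_RE = re.compile(r'script_dependencies\s*\(([^)]*)\)', re.S)


def parse_dependencies(nasl_sources):
    """Map file name -> set of file names it declares via script_dependencies()."""
    deps = {}
    for name, src in nasl_sources.items():
        declared = set()
        for m in DEP_RE.finditer(src):
            declared.update(s.strip().strip('"') for s in m.group(1).split(",") if s.strip())
        deps[name] = declared
    return deps


def transitive_dependencies(deps, selected):
    """Every script that must run before `selected`, following dependencies recursively."""
    seen, stack = set(), list(deps.get(selected, ()))
    while stack:
        script = stack.pop()
        if script in seen:
            continue
        seen.add(script)
        stack.extend(deps.get(script, ()))
    return seen


# Constructed stand-ins for NASL files (not the feed's real contents).
SAMPLE_NASL = {
    "example_http_check.nasl": 'script_dependencies("http_version.nasl");\nscript_require_ports("Services/www", 80);',
    "http_version.nasl": 'script_dependencies("find_service.nasl");',
    "find_service.nasl": "# constructed stand-in: service identification on open ports",
    "example_db_check.nasl": 'script_dependencies("find_service.nasl");',
}

if __name__ == "__main__":
    summary = summarize_scanner_requests(SAMPLE_LOG, "192.0.2.10")
    print(f"scanner requests: {summary['total']} (unparsed lines: {summary['unparsed']})")
    for path, n in summary["per_path"].most_common():
        print(f"  {n:5d}  {path}")
    deps = parse_dependencies(SAMPLE_NASL)
    for nvt in ("example_http_check.nasl", "example_db_check.nasl"):
        print(f"{nvt} pulls in: {sorted(transitive_dependencies(deps, nvt))}")
```

Run Part 1 against the real access.log with the scanner's actual IP after each scan configuration; a jump in `total` with the same scanner IP and a new selection of NVTs tells you the extra traffic came from the scan. For Part 2, point `parse_dependencies` at the `.nasl` files of the NVTs you selected (and of their dependencies, recursively) to see which prerequisite scripts are executed that were never selected explicitly.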