MikroTik shows logs about brute force

Hello everyone,

Can anyone explain the mechanism of OpenVAS scanning with Full and fast?
My MikroTik logged a brute-force detection, and the IP is my server where OpenVAS is installed. I scanned the server with another endpoint security tool and got some detected threats/malware.

The threat/malware list I got after the scan completed:

  1. nmap_service.exe
  2. secretsdump.py
  3. pnscan
  4. RegTool-x86.bin

I tried scanning the MikroTik IP again with OpenVAS, and the logs show brute force again.

Thanks.

@ricalrical

First, OpenVAS runs an Nmap scan to determine the port configuration. The open ports identified are then fed into the NVT (Network Vulnerability Tests, using NASL scripts). Yes, this activity can appear on network devices as brute force, malware, or viruses, and this is completely normal.

Eero

@Eero
Thanks for explaining point 1.
How about secretsdump.py, pnscan, RegTool-x86.bin? Can you explain those?
They are located in /var/lib/docker/overlay2/…

Your device is simply low-quality and interprets the situation in its own way. This is still completely normal. OpenVAS may appear as an attack tool because the traffic it generates is very similar.

Eero

Quoting parts from GSM Manual: 2 Read Before Use:

Be aware of the following general side effects:

  • Log and alert messages may show up on the target systems.
  • Log and alert messages may show up on network devices, monitoring solutions, firewalls and intrusion detection and prevention systems.
  • Firewall rules and other intrusion prevention measures may be triggered.
  • Scans may increase latency on the target and/or the scanned network. In extreme cases, this may result in situations similar to a denial-of-service (DoS) attack.
  • Scans may trigger bugs in fragile or insecure applications resulting in faults or crashes.
  • Embedded systems and elements of operational technology with weak network stacks are especially subject to possible crashes or even broken devices.
  • Logins (for example via SSH or FTP) are done against the target systems for banner-grabbing purposes.
  • Probes via different protocols (for example, HTTP, FTP) are done to all exposed services for service detection.
  • Scans may result in user accounts being locked due to the testing of default user name/password combinations.
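Eero's description of the mechanism (an Nmap port scan, then NVTs that probe and log in to exposed services) and the side-effect list quoted above both lead to the same defensive task: when the router logs login failures during a scan, separate the ones that come from the authorised scanner during its scan window from the ones that do not. The following is an added example, not code from the original posts or from Greenbone; the log lines are constructed and only approximate the RouterOS "login failure" entry, and the scanner IP and scan window are assumed values.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, approximating RouterOS "login failure" log entries (not real captured logs).
SAMPLE_LOG = """\
2024-03-10 10:02:13 system,error,critical login failure for user admin from 10.0.0.5 via ssh
2024-03-10 10:02:14 system,error,critical login failure for user root from 10.0.0.5 via ssh
2024-03-10 10:02:15 system,error,critical login failure for user admin from 10.0.0.5 via ftp
2024-03-10 10:02:16 system,error,critical login failure for user anonymous from 10.0.0.5 via ftp
2024-03-10 11:45:02 system,error,critical login failure for user admin from 203.0.113.7 via ssh
2024-03-10 11:45:03 system,error,critical login failure for user admin from 203.0.113.7 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+ \S+) \S+ login failure for user (?P<user>\S+) "
    r"from (?P<src>[\d.]+) via (?P<svc>\w+)$"
)

def parse_events(text):
    """Yield (timestamp, user, source_ip, service) for each login-failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["date"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"], m["src"], m["svc"]

def triage(events, scanner_ips, scan_start, scan_end):
    """Split failures into expected scanner noise (known scanner IP, inside the
    scan window) and failures that still need a human look."""
    expected, unexplained = [], []
    for ev in events:
        ts, _user, src, _svc = ev
        (expected if src in scanner_ips and scan_start <= ts <= scan_end else unexplained).append(ev)
    return expected, unexplained

def sources_by_count(events):
    """Source IP -> number of failures, for the review report."""
    return Counter(src for _ts, _u, src, _s in events)

def run_sample():
    """Assumed scan window 10:00-10:30 from the assumed scanner host 10.0.0.5."""
    scan = (datetime(2024, 3, 10, 10, 0), datetime(2024, 3, 10, 10, 30))
    expected, unexplained = triage(parse_events(SAMPLE_LOG), {"10.0.0.5"}, *scan)
    return len(expected), dict(sources_by_count(unexplained))

if __name__ == "__main__":
    noise, review = run_sample()
    print(f"expected scanner noise: {noise}; sources still needing review: {review}")
```

The two 203.0.113.7 entries fall outside the scan window and come from an unknown host, so they are the ones worth investigating rather than dismissing as scanner noise.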

Those tools are not part of any software shipped by Greenbone; they are most likely included in e.g. the underlying Kali installation or similar.

@Eero Thanks for explaining that.

@cfi But I'm not using Kali; my OS is Ubuntu and it's installed with Docker (docker-compose.yml).
The 4 files I listed all have the same directory, /var/lib/docker/overlay2/…; none of them is outside that directory.

@ricalrical

A Docker base image is built on top of some Linux distribution and includes various tools. Maybe we should just stop here if the basics aren’t clear — we can spend our time more wisely than explaining the fundamentals in painstaking detail.

Eero