Scan is only finding ICMP Timestamp

What am I doing wrong. I mean I know I patch my machines but there is no chance this is right. Why isn’t a single vulnerability other than this being found?

That is a fairly impossible question to answer not knowing the infrastructure you are scanning. What vulnerabilities are you expecting to see?

For example, when I conduct an unauthenticated scan against a freshly installed CentOS 9 Stream VPS hosting a LAMP stack website with a hardened TLS configuration, that would be the only vulnerability I see as well.

You can check which scan configuration you are using, and verify that all the desired VT families are enabled in it. You can also enable verbose VT logging in the /etc/openvas/openvas_log.conf file which will allow you to monitor the logs to see each of the VTs being executed if you are concerned that some are not being executed. Finally use Wireshark on your scanning host or target host to monitor all the packets being transmitted.

You may also want to check the Applications tab of the scan results to verify that all the exposed software has been detected or for an authenticated scan, that all the internal applications have been detected. These CPEs which identify the software applications can also be checked to identify any applicable CVEs manually.

To do this, you can manually verify any missing vulnerability detection. Although Greenbone doesn’t directly map CPE to CVE, you can use NIST’s website for that. If you submit a CPE you can see the “View CVEs” link such as this page for Ubuntu 16.04.

1 Like

I am very new to this. I am also very much a novice at Ubuntu.

I do know how to turn on verbose logging, so I will do that Can you tell me where the logs are and how I view them after a scan. I do not know how to do that.

I can tell you that 0 applications where detected. So something is not working right.

Again, all the machines being scanned are windows servers or desktops…

Thanks for your help!

It sounds like the issue is likely some other problem reaching the host such as a firewall, or if DoS attacks are enabled in your scan config, then possibly something like Windows Defender is terminating connections? :thinking: I would do an nmap scan of the same host to see which services are reachable with that tool.

nmap -sV <host-ip>

If you can see the services with nmap then there is likely a problem with how your scan is configured in GVM. You could also try the more simple Service Detection scan configuration in a task. It will be similar to the above nmap scan and just detect services - not look for vulns or attack.

Here is a post on how to enable NVT logs which you say you have already done but you may have to also add log_whole_attack = yes in the /etc/openvas/openvas.conf file.

From there you would have to parse the log file. I quickly came up with this but I’m not sure if its the best catch-all for parsing the logs:

sudo tail -1000 /var/log/gvm/openvas.log | grep .nasl

If you don’t understand what is happening with this command I can suggest dumping it into CatGPT. It offers fairly straightforward dissection of bash commands. Although not always perfect, this one should be on its level.

1 Like

The main suspect for this behaviour would be the Windows firewall.

Please also see our requirements and recommendations for scanning Microsoft Windows systems: 10 Scanning a System — Greenbone Enterprise Appliance 22.04.14 documentation