My goal is to use OpenVAS for OS detection without running a full vulnerability or service scan. Ideally, I want a command-line option similar to Nmap’s -O flag, where OpenVAS performs only OS detection. Here are the approaches I’ve tried:
Approach 1: Modifying OpenVAS Scan Configurations
I enabled “Product Detection” and “Port Scanning” in the OpenVAS web UI, but the OS result still shows no matches. While I could use the “Service Detection” scan, it is much slower—OpenVAS takes 7 minutes, whereas Nmap finishes in 40 seconds. I’m familiar with gvm-cli, but I still need to reference the scan configuration (which I was unable to pinpoint what configuration to just do the OS detection).
Approach 2: Running the NASL Script Manually
I found that the NASL script for OS detection is located at /var/lib/openvas/plugins/os_detection.nasl (please correct me if I’m wrong). However, running it with openvas-nasl returns no results, even though the web UI scan does detect the OS. Here’s the command that I use: openvas-nasl -X os_detection.nasl -t <target_ip>
It returns “No Best matching OS identified. Please see the VT ‘Unknown OS and Service Banner Reporting’ (OID: 1.3.6.1.4.1.25623.1.0.108441) for possible ways to identify this OS.”
Can anyone guide me in the right direction to achieve my goal?