Standalone OS Detection without OpenVAS

My goal is to use OpenVAS for OS detection without running a full vulnerability or service scan. Ideally, I want a command-line option similar to Nmap’s -O flag, where OpenVAS performs only OS detection. Here are the approaches I’ve tried:

Approach 1: Modifying OpenVAS Scan Configurations
I enabled “Product Detection” and “Port Scanning” in the OpenVAS web UI, but the OS result still shows no matches. While I could use the “Service Detection” scan, it is much slower—OpenVAS takes 7 minutes, whereas Nmap finishes in 40 seconds. I’m familiar with gvm-cli, but I still need to reference the scan configuration (and I was unable to pinpoint which configuration does just the OS detection).

Approach 2: Running the NASL Script Manually
I found that the NASL script for OS detection is located at /var/lib/openvas/plugins/os_detection.nasl (please correct me if I’m wrong). However, running it with openvas-nasl returns no results, even though the web UI scan does detect the OS. Here’s the command that I use:

openvas-nasl -X os_detection.nasl -t <target_ip>

It returns “No Best matching OS identified. Please see the VT ‘Unknown OS and Service Banner Reporting’ (OID: 1.3.6.1.4.1.25623.1.0.108441) for possible ways to identify this OS.”

Can anyone guide me in the right direction to achieve my goal?

Hello,

and welcome to this community forum.

Only a few very short hints / pointers:

  • Approach 1: You could:
    1. clone the base scan configuration
    2. add the VT OS Detection Consolidation and Reporting / os_detection.nasl with the OID 1.3.6.1.4.1.25623.1.0.105937 to this scan config
    3. see 9 Scanning a System - Greenbone Enterprise Appliance – GOS 24.10.0 for more background info on such scan configuration handling / usage
  • Approach 2:
    1. The os_detection.nasl is “only” a “wrapper” to consolidate, collect, enumerate and report the OS based on a huge amount of other VTs (see the relevant script_dependencies entries of that file)
    2. openvas-nasl is not really a tool for the “end user” / for “full” scans as you e.g. would need to maintain the whole dependency chain on your own manually
    3. if you still want to go down this rabbit hole (I would strongly discourage doing this), some guidance might be available in various posts on this forum, e.g. How to test a single .nasl via the command line - #3 by _jp
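Steps 1 and 2 of Approach 1, written as GMP XML commands that can be sent with gvm-cli's --xml option. This is an added example, not part of the original posts or of Greenbone's code. The base config UUID placeholder, the config name, the family name "Product detection", the kept OID and the sample response are assumptions to check against your own installation.

```python
import xml.etree.ElementTree as ET

OS_DETECTION_OID = "1.3.6.1.4.1.25623.1.0.105937"  # OID given in the answer above
FAMILY = "Product detection"  # assumption: confirm the VT's family in your feed


def clone_config_cmd(base_config_id, name):
    """GMP create_config command that clones an existing scan config."""
    root = ET.Element("create_config")
    ET.SubElement(root, "copy").text = base_config_id
    ET.SubElement(root, "name").text = name
    return ET.tostring(root, encoding="unicode")


def new_config_id(response_xml):
    """Return the id of the clone, or raise if GMP did not report 201."""
    resp = ET.fromstring(response_xml)
    if resp.tag != "create_config_response" or resp.get("status") != "201":
        raise RuntimeError(
            f"clone failed: {resp.get('status')} {resp.get('status_text')}")
    return resp.get("id")


def select_vts_cmd(config_id, keep_oids, add_oids, family=FAMILY):
    """GMP modify_config command selecting VTs in one family.

    nvt_selection sets the family's whole selection, so OIDs that are
    already selected (keep_oids) are sent again next to the new ones.
    """
    root = ET.Element("modify_config", config_id=config_id)
    sel = ET.SubElement(root, "nvt_selection")
    ET.SubElement(sel, "family").text = family
    for oid in dict.fromkeys([*keep_oids, *add_oids]):  # de-duplicate, keep order
        ET.SubElement(sel, "nvt", oid=oid)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Placeholder: look up the real UUID of the base config with <get_configs/>.
    print(clone_config_cmd("BASE-CONFIG-UUID", "Base + OS detection"))
    # Constructed sample of the reply to create_config.
    reply = ('<create_config_response status="201" status_text="OK, resource '
             'created" id="00000000-0000-0000-0000-000000000001"/>')
    # Constructed OID standing in for a VT the clone already selects.
    already_selected = ["1.3.6.1.4.1.25623.1.0.999999"]
    print(select_vts_cmd(new_config_id(reply), already_selected,
                         [OS_DETECTION_OID]))
```

Each printed command is one argument to gvm-cli --xml; the resulting config id is then what a task references.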