Understand vulnerability tests and NASL scripts

How invasive is greenbone when it tests for vulnerabilities, which methods are used for internal and external scans?

Are only simple requests used or real penetration testing methods, which can alter system data?

I would also like to understand how the NASL scripts are structured, is there a good tutorial?

Here is my attempt at an answer to some questions I consider tough ones :thinking:

There is a setting called safe_checks which can be enabled or disabled within a scan config. It will enable or disable specific NVTs that are considered “invasive” to reduce the chance of causing disruption or damage to a system. However, it should be noted that even “safe” or “non-invasive” tests can potentially cause service disruption.

Also, I can add here that “internal” VTs are classified as the families “local_security_checks” I think by each OS they apply to and you can see those from the SecInfo → NVTs page in Greenbone.

The NVTs themselves offer a wide range of methods ranging from simple service discovery by querying active services, some “fuzzing” which may try a set of default credentials and interact more with the service’s application layer protocol, and even some “denial of service” tests which will submit malformed data that is known to cause service disruptions to a specific service.

The “service detection” NVTs are used to determine which other VTs (NASL scripts) maybe run against a particular target by discovering what CPEs (products) are active.

There is very little documentation about NASL language on the Internet. To understand how NASL works, I’m afraid the best method would be to examine the .nasl and .inc files in the var/lib/openvas/plugins directory themselves. In lieu of a good tutorial source, I have resorted to using ChatGPT to quickly explain particular files and learn more about how NASL works. You could also use the nasldocs package and point it at the /var/lib/openvas/plugins directory and it will build a set of documentation for only the .inc files which are the NASL “include” files that are generally used by the .nasl files to include standard functions.

I’m not aware of which version of NASL OpenVAS uses, and whether it is different than the Nessus version of NASL.