Windows 11 credential scan discovering nothing

Hi,

I have a long journey ahead and only just started using greenbone.

Some background:
I installed the most recent release via apt on a fresh Kali Linux VM and am trying to set up scanning/vulnerability detection as per the requirements of the Australian Essential Eight maturity model. This involves regular and automated scanning of the entire network and vulnerability detection (and much more). I’m trying out Greenbone as an alternative to Tenable and, if I can make it work, will upgrade to the paid version.

I have a number of Entra ID joined laptops I need to scan and have deployed a local admin account. Then I set up a target in my network and a “Full and Fast” scan for one host with 2 IPs (only one active) and let it run. The firewall blocks most ports but 445 is open.

In openvas.log I see the following:
sd main:MESSAGE:2025-11-07 06h15.09 utc:655639:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: openvas 23.23.1 started
sd main:MESSAGE:2025-11-07 06h15.09 utc:655639:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: attack_network_init: INIT MQTT: SUCCESS
sd main:MESSAGE:2025-11-07 06h15.13 utc:655639:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: Vulnerability scan 0fc03ddb-ca34-40e1-8ec3-dc35b47fc071 started: Target has 2 hosts: 10.0.1.1, 10.6.6.41, with max_hosts = 20 and max_checks = 4
libgvm boreas:MESSAGE:2025-11-07 06h15.13 utc:655639:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: Alive scan 0fc03ddb-ca34-40e1-8ec3-dc35b47fc071 started: Target has 2 hosts
sd main:MESSAGE:2025-11-07 06h15.15 utc:655664:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: Vulnerability scan 0fc03ddb-ca34-40e1-8ec3-dc35b47fc071 started for host: 10.6.6.41
libgvm boreas:MESSAGE:2025-11-07 06h15.26 utc:655639:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: Alive scan 0fc03ddb-ca34-40e1-8ec3-dc35b47fc071 finished in 13 seconds: 1 alive hosts of 2.
lib nasl:MESSAGE:2025-11-07 06h24.18 utc:657154:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: 657154 Syntax error with set_kb_item() [null value for name ‘wmi/login/pci_devices/1/vendor’]
lib nasl:MESSAGE:2025-11-07 06h24.18 utc:657154:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: 657154 Syntax error with set_kb_item() [null value for name ‘wmi/login/pci_devices/1/device’]
sd main:MESSAGE:2025-11-07 06h33.13 utc:655664:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: Vulnerability scan 0fc03ddb-ca34-40e1-8ec3-dc35b47fc071 finished for host 10.6.6.41 in 1078.46 seconds
sd main:MESSAGE:2025-11-07 06h33.13 utc:655639:0fc03ddb-ca34-40e1-8ec3-dc35b47fc071: Vulnerability scan 0fc03ddb-ca34-40e1-8ec3-dc35b47fc071 finished in 1084 seconds: 1 alive hosts of 2

On the Windows machine I can see a successful login for the admin account in Event Viewer but not much else, except for this log entry in Microsoft-Windows-SMBServer/Operational:
A client attempted to access the server using SMB1 and was rejected because SMB1 file sharing support is disabled or has been uninstalled.

That’s right, Windows 11 should not accept v1 requests, but I expect Greenbone to try SMBv2 and v3.

The report is very minimal, it lists only one vulnerability (TCP Timestamps Information Disclosure), 0 ports, 0 applications, 0 operating systems, 0 CVEs and 1 error:

NVT timed out after 320 seconds. 10.6.6.41 SMB Brute Force Logins With Default Credentials

To me this looks like something went wrong. Any suggestions on how to improve the results?

Is the Remote Registry service set to Manual (Triggered) on the machine you are scanning?

Hello,

and welcome to this community forum. A few additional quick hints:

  1. Documentation on the required target system configuration is available at OPENVAS SCAN - GOS Manual: 9.3.3 Requirements on Target Systems with Microsoft Windows
  2. Kali hasn’t packaged the openvas-smb component yet (see https://bugs.kali.org/view.php?id=4827). I’m not sure how much this is used / required these days for authenticated scans, but this might play a role as well.

Thanks for your help.

Remote Registry is set to Manual but I authenticated with local admin and LocalAccountTokenFilterPolicy was not set. Since my devices are on Entra ID, I will attempt to switch from local admin to domain admin.

Can somebody please explain what the “Generated install package for credentials” is? And why “During the installation, the installer offers a dialog to enter the appliance’s IP address.”
Is this something being installed on the scanned system?

If Kali is behind with publishing packages, what’s the recommended way to set up? I’m currently virtualising on proxmox. I read somewhere that the provided VM images are difficult to upgrade and might require trashing and starting from scratch, though I find that hard to believe.

The answer to your question about scanner IP address is described in the link provided by @cfi :

OPENVAS SCAN - GOS Manual: 9.3.3 Requirements on Target Systems with Microsoft Windows.

Generated install package for credentials: During the installation, the installer offers a dialog to enter the appliance’s IP address. If the entry is confirmed, the firewall rule is configured. The service File and Printer Sharing will be enabled in the firewall rules.

Furthermore, authenticated scans will not work without openvas-smb, since SMB is the session-layer protocol used for communication with Windows targets. If Kali is not packaging openvas-smb, you can submit a bug to the Kali Bug Tracker.

However, in case you are attempting to use Kerberos over SMB, you can also refer to the conversation here, since Kerberos credentials are not enabled by default in the Community Edition of products.

1 Like
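The points raised so far (Remote Registry start type, LocalAccountTokenFilterPolicy, the File and Printer Sharing firewall rules, SMB1 off with SMB2/3 still on, and the logon and SMB1-rejection events in the event logs) can be verified on the target itself before re-running the scan. The following read-only check is an added example and is not Greenbone's, Kali's or any forum member's code; the function name and the default account name scanadmin are assumptions, and the expected value 1 for LocalAccountTokenFilterPolicy is Microsoft's documented setting for letting a local (non-domain) admin account keep its admin token on a network logon, which is what the manual section linked above asks for. Run it from an elevated PowerShell on the Windows 11 host.

```powershell
# Added example (not from the thread or from Greenbone): read-only readiness check for a
# Windows 11 host before an authenticated SMB scan. Run from an elevated PowerShell on the
# target itself. The function name and the default account name are assumptions.
function Test-ScanTargetReadiness {
    [CmdletBinding()]
    param(
        # Assumed name of the local admin account configured in the scan credential
        [string]$ScanAccount = 'scanadmin'
    )

    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
        $results.Add([pscustomobject]@{
            Check  = $Check
            Status = $(if ($Ok) { 'OK' } else { 'ATTENTION' })
            Detail = $Detail
        })
    }

    # 1. Remote Registry: the scanner enumerates installed software and patches via registry
    #    reads over SMB; "Manual" (trigger start) is fine, "Disabled" is not
    $rr = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
    if ($null -eq $rr) {
        Add-Result 'RemoteRegistry service' $false 'service not found'
    } else {
        Add-Result 'RemoteRegistry service' ($rr.StartType -ne 'Disabled') "Status=$($rr.Status) StartType=$($rr.StartType)"
    }

    # 2. LocalAccountTokenFilterPolicy = 1 lets a *local* admin account keep its admin token on a
    #    network logon; without it UAC filters the token and remote registry/WMI reads fail
    $polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $pol = (Get-ItemProperty -Path $polPath -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    $polText = if ($null -eq $pol) { '<not set>' } else { "$pol" }
    Add-Result 'LocalAccountTokenFilterPolicy' ($pol -eq 1) "value=$polText (expected 1 for local accounts)"

    # 3. Inbound File and Printer Sharing (SMB-In) firewall rules must be enabled
    $smbRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound -ErrorAction SilentlyContinue |
                  Where-Object { $_.DisplayName -like '*SMB-In*' })
    $enabledRules = @($smbRules | Where-Object { $_.Enabled -eq 'True' })
    Add-Result 'Firewall SMB-In rules' ($enabledRules.Count -gt 0) "$($enabledRules.Count) of $($smbRules.Count) SMB-In rules enabled"

    # 4. SMB1 off is the expected state on Windows 11; SMB2/3 must remain on for the scanner
    $smb = Get-SmbServerConfiguration
    Add-Result 'SMB2/3 enabled' ([bool]$smb.EnableSMB2Protocol) "SMB1=$($smb.EnableSMB1Protocol) SMB2/3=$($smb.EnableSMB2Protocol)"

    # 5. TCP 445 must actually be listening
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    Add-Result 'TCP 445 listening' ($null -ne $listen) $(if ($listen) { 'listening' } else { 'not listening' })

    # 6. Evidence in the event logs: network (type 3) logons for the scan account (Security 4624,
    #    TargetUserName = property 5, LogonType = property 8) and SMB1 rejections by the SMB server
    $logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 -ErrorAction SilentlyContinue |
                Where-Object { $_.Properties[5].Value -eq $ScanAccount -and $_.Properties[8].Value -eq 3 })
    Add-Result "Network logons for $ScanAccount" ($logons.Count -gt 0) "$($logons.Count) type-3 logons among the last 500 4624 events"

    $smb1Events = @(Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Operational' -MaxEvents 200 -ErrorAction SilentlyContinue |
                    Where-Object { $_.Message -like '*SMB1*' })
    Add-Result 'SMB1 rejections' ($smb1Events.Count -eq 0) "$($smb1Events.Count) SMB1-related events in the last 200 (SMB1 off is correct; the scanner must negotiate SMB2/3)"

    return $results
}

# Usage: run elevated on the target and review every row marked ATTENTION
Test-ScanTargetReadiness -ScanAccount 'scanadmin' | Format-Table -AutoSize
```

A row marked ATTENTION on the LocalAccountTokenFilterPolicy check is the usual explanation for "successful logon in Event Viewer, but 0 applications and 0 CVEs in the report": the logon succeeds, but the filtered token cannot read the registry, so the software enumeration returns nothing. SMB1-related events in the last check are informational; SMB1 being refused is the correct state and only shows that something tried it.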

The provided VM images are not intended as an easy way to use the community edition. They are instead VM images for testing our product. That’s a very different use case.

Personally I would always recommend using the community containers.

1 Like

Thank you both for your reply.

I figured out what this installer is and where it comes from. I think I can do without it for my windows hosts, since they are all Entra ID enrolled and I can automate from Azure/Intune.

I have also set up a community container and repeated my scans:

  1. Credentialed scan via ssh/pubkey on a fresh Debian machine that is running the Greenbone Docker containers.
    The report shows 2 vulnerabilities (TCP Timestamps Information Disclosure and ICMP Timestamp Reply Information Disclosure), 1 application (cpe:/a:openbsd:openssh:10.0p2) and 1 CVE (CVE-1999-0524). This seems a bit light. Should I see more?
  2. Credentialed scan on a windows 11 laptop using a local admin account.
    The report shows the same 2 vulnerabilities, 0 applications, 0 CVEs and 1 Error Message (NVT timed out after 320 seconds; SMB Brute Force Logins With Default Credentials).
    The error message appears to be more of a success message. I would expect this to list errors during the scanning process not failed login accounts for default credentials I haven’t provided. Again, the results are not what I would expect.

Since #2 was so unrevealing, I decided to try the generated install package. However, after downloading it from the web UI, I got this error when trying to run it:

The executable is a text file containing the string “MZ”. There is nothing in docker logs that indicates an error generating the installer when the credentials are created.

Unrelated, going through the logs I found this:
openvasd-1 | 2025-11-21T07:42:21.295873Z WARN openvasd::vts::orchestrator: Unable to check feed error=Unable to calculate hash: Unable to load file: sha256sums not found.
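Before running a downloaded package like the one in this post, it is worth confirming locally that the file really is a PE executable rather than a text file that happens to contain the string "MZ". The following check is an added example, not Greenbone's code or code from anyone in the thread; the function name and the file path in the usage line are assumptions.

```powershell
# Added example (not from the thread): check whether a downloaded "installer" is really a
# PE executable or a text file that merely contains the string "MZ". The path is an assumption.
function Test-PeFile {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash

    # Quick tell for a text file saved with an .exe name: the header region of a real PE is
    # mostly non-printable bytes, a text file is almost entirely printable
    $ratio = 0
    if ($bytes.Length -gt 0) {
        $sample    = $bytes[0..([Math]::Min(4095, $bytes.Length - 1))]
        $printable = @($sample | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or $_ -in 9, 10, 13 }).Count
        $ratio     = [Math]::Round($printable / $sample.Count, 2)
    }

    $report = [pscustomobject]@{
        Path = $Path; Size = $bytes.Length; SHA256 = $hash; PrintableRatio = $ratio; IsPE = $false; Reason = ''
    }

    # A DOS header is 64 bytes; anything shorter cannot be a PE file
    if ($bytes.Length -lt 0x40) { $report.Reason = 'shorter than a DOS header'; return $report }
    # "MZ" must be at offset 0, not merely somewhere in the file
    if ($bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { $report.Reason = 'no MZ signature at offset 0'; return $report }
    # e_lfanew (offset 0x3C) points at the "PE\0\0" signature and must lie inside the file
    $eLfanew = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($eLfanew -lt 0x40 -or ($eLfanew + 4) -gt $bytes.Length) {
        $report.Reason = "e_lfanew=$eLfanew points outside the file"; return $report
    }
    $sig = $bytes[$eLfanew..($eLfanew + 3)]
    if ($sig[0] -ne 0x50 -or $sig[1] -ne 0x45 -or $sig[2] -ne 0 -or $sig[3] -ne 0) {
        $report.Reason = 'no PE signature at e_lfanew'; return $report
    }

    $report.IsPE = $true
    $report.Reason = 'valid MZ and PE signatures'
    return $report
}

# Usage (the path is a placeholder for wherever the web UI download was saved)
Test-PeFile -Path 'C:\Downloads\greenbone-credentials-installer.exe' | Format-List
```

A real installer reports IsPE True with a low PrintableRatio; a download that is really text shows a PrintableRatio near 1.0 and fails at the size or MZ check. The SHA256 is included so the file can be compared against a fresh download or against what the container actually generated.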