Build a Vulnerability Scanning Lab

Regular vulnerability scanning is essential for maintaining security posture. This project guides you through setting up a dedicated scanning lab using OpenVAS (Greenbone Vulnerability Management).

Project Overview

What you'll build:

• Isolated vulnerability scanning environment
• OpenVAS scanner with web interface
• Target network for safe testing
• Reporting and remediation workflow

Time to complete: 2-4 hours

Why a Dedicated Scanning Lab?

• Safe testing - Scan without impacting production
• Learning - Understand vulnerabilities hands-on
• Process development - Build scanning procedures
• Tool evaluation - Compare different scanners

Architecture

┌─────────────────────────────────────────────────────┐
│                 Scanning Lab Network                │
│                   (Isolated VLAN)                   │
│                                                     │
│  ┌─────────────┐       ┌─────────────────────┐     │
│  │   OpenVAS   │       │   Target Machines   │     │
│  │   Scanner   │──────►│   (Vulnerable VMs)  │     │
│  │  (Manager)  │       │                     │     │
│  └─────────────┘       └─────────────────────┘     │
│         │                                          │
│         │ Web UI                                   │
│         ▼                                          │
│  ┌─────────────┐                                   │
│  │   Analyst   │                                   │
│  │ Workstation │                                   │
│  └─────────────┘                                   │
└─────────────────────────────────────────────────────┘

Prerequisites

• Hypervisor (Proxmox, VMware, VirtualBox)
• 8GB+ RAM available for VMs
• 100GB+ storage
• Isolated network segment

Part 1: OpenVAS Deployment

Option A: Docker Deployment (Recommended)

# Create project directory
mkdir -p /opt/openvas
cd /opt/openvas
 
# Create docker-compose.yml
cat > docker-compose.yml << 'EOF'
version: '3.8'
 
services:
  vulnerability-scanner:
    image: greenbone/community-container:stable
    container_name: openvas
    restart: unless-stopped
    ports:
      - "127.0.0.1:9392:9392"
    volumes:
      - openvas_data:/var/lib/gvm
      - openvas_feeds:/var/lib/openvas
 
volumes:
  openvas_data:
  openvas_feeds:
EOF
 
# Start container
docker-compose up -d
 
# Initial setup takes 15-30 minutes for feed sync
docker logs -f openvas

Option B: Dedicated VM

# Ubuntu 22.04 installation
sudo apt update
sudo apt install -y gvm
 
# Initialize GVM
sudo gvm-setup
 
# Note the generated admin password
# Verify installation
sudo gvm-check-setup

Access Web Interface

After feed synchronization:

1. Open browser to https://localhost:9392
2. Login with admin credentials
3. Wait for feed update to complete

Part 2: Create Target Network

Intentionally Vulnerable VMs

Download and deploy practice targets:

Metasploitable 3:

# Using Vagrant
vagrant init rapid7/metasploitable3-ub1404
vagrant up

VulnHub Images:

• Download from vulnhub.com
• Various difficulty levels
• Import as VMs

DVWA (Web Application):

# docker-compose.yml addition
services:
  dvwa:
    image: vulnerables/web-dvwa
    container_name: dvwa
    ports:
      - "8081:80"
    environment:
      - MYSQL_PASS=p@ssw0rd

Network Isolation

Ensure scanning network is isolated:

# Firewall rules (example)
# Allow: Scanner -> Targets (all ports)
# Allow: Analyst -> Scanner (web interface)
# Deny: Scanning network -> Production
# Deny: Scanning network -> Internet

Part 3: Configure OpenVAS

Create Target Definition

1. Navigate to Configuration > Targets
2. Click New Target
3. Configure:
   • Name: Lab Targets
   • Hosts: 10.100.0.0/24 (your target network)
   • Port List: All TCP and UDP

Configure Scan Settings

1. Go to Configuration > Scan Configs
2. Clone "Full and fast" for customization
3. Adjust based on needs:
   • Enable/disable specific NVT families
   • Adjust concurrent hosts
   • Set timeout values

Create Scheduled Task

1. Navigate to Scans > Tasks
2. Click New Task
3. Configure:
   • Name: Weekly Lab Scan
   • Target: Lab Targets
   • Scanner: Default
   • Scan Config: Full and fast
   • Schedule: Weekly

Part 4: Running Scans

Manual Scan

1. Go to Scans > Tasks
2. Select your task
3. Click Start (play button)
4. Monitor progress in dashboard

Interpreting Results

Severity Levels:

Export Reports

1. Go to Scans > Reports
2. Select completed scan
3. Export options:
   • PDF (executive summary)
   • CSV (for tracking)
   • XML (for integration)

Part 5: Remediation Workflow

Tracking Findings

Create a tracking system:

## Vulnerability Tracking
 
| ID | Host | Vulnerability | Severity | Status | Assigned | Due |
|----|------|---------------|----------|--------|----------|-----|
| 001 | 10.100.0.10 | SSH Weak Ciphers | Medium | Open | Admin | 2/15 |
| 002 | 10.100.0.20 | Apache CVE-2024-xxx | High | In Progress | DevOps | 2/10 |

Verification Scans

After remediation:

1. Create targeted scan for specific vulnerabilities
2. Run verification scan
3. Compare results
4. Update tracking

Part 6: Automation

API Integration

#!/usr/bin/env python3
# Example: Automated scan status check
 
from gvm.connections import UnixSocketConnection
from gvm.protocols.gmp import Gmp
from gvm.transforms import EtreeTransform
 
# Connect to GVM
connection = UnixSocketConnection(path='/var/run/gvmd/gvmd.sock')
transform = EtreeTransform()
 
with Gmp(connection=connection, transform=transform) as gmp:
    gmp.authenticate('admin', 'your-password')
 
    # Get all tasks
    tasks = gmp.get_tasks()
 
    for task in tasks.findall('task'):
        name = task.find('name').text
        status = task.find('status').text
        print(f"Task: {name}, Status: {status}")

Scheduled Reporting

#!/bin/bash
# /opt/openvas/weekly-report.sh
 
# Generate and email weekly report
# Integrate with your reporting system
 
DATE=$(date +%Y-%m-%d)
REPORT_DIR="/opt/openvas/reports"
 
# Export via API or web interface
# Email to security team

Best Practices

Scanning Guidelines

1. Schedule during off-hours - Minimize impact
2. Start with light scans - Identify issues before deep scans
3. Document everything - Track scan history
4. Validate findings - Manual verification of critical issues
5. Regular feed updates - Keep vulnerability definitions current

Safe Scanning

DO:
✓ Scan only authorized systems
✓ Use isolated networks for testing
✓ Coordinate with system owners
✓ Document scan activities
 
DON'T:
✗ Scan production without approval
✗ Scan systems you don't own
✗ Run aggressive scans blindly
✗ Ignore scan results

Expanding the Lab

Additional Scanners

Consider adding:

• Nessus Essentials - Free for 16 IPs
• Nuclei - Fast template-based scanner
• Nikto - Web server scanner
• OWASP ZAP - Web application scanner

Integration Ideas

• SIEM integration for alerts
• Ticketing system for remediation tracking
• Dashboard aggregation
• Compliance reporting

Troubleshooting

Common Issues

Scans running slowly:

• Reduce concurrent hosts
• Check network connectivity
• Verify target availability

Missing vulnerabilities:

• Update NVT feeds
• Enable additional scan families
• Use credentialed scanning

Feed sync failures:

• Check internet connectivity
• Verify proxy settings
• Check disk space

Security Considerations

• Keep scanner updated
• Secure admin credentials
• Restrict network access to scanner
• Encrypt scan results
• Audit scanner access

Conclusion

A dedicated vulnerability scanning lab provides invaluable insights into your security posture. Regular scanning, combined with effective remediation tracking, significantly reduces your attack surface.

Next Steps

1. Expand target inventory
2. Implement credentialed scanning
3. Integrate with SIEM
4. Automate remediation workflows
5. Build compliance reports

Last updated: January 2026