OpenVAS is a powerful open-source vulnerability scanner widely used for security assessments. While the Greenbone Security Assistant (GSA) provides a web interface, you can also interact with OpenVAS using the command line. This guide will walk you through using OpenVAS via the command line with gvm-cli.

Step 1: Identify the Port List ID

The port list ID determines the scanning profile for OpenVAS. Retrieve available port lists with the following command:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<get_port_lists/>"

Common port lists:

• 4a4717fe-57d2-11e1-9a26-406186ea4fc5 – All IANA assigned TCP and UDP
• 730ef368-57e2-11e1-a90f-406186ea4fc5 – All TCP and Nmap top 100 UDP
• 33d0cd82-57c6-11e1-8ed1-406186ea4fc5 – All IANA assigned TCP

Step 2: Create a Target

To specify a host or multiple hosts for scanning, run the following command:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<create_target><name>demo_PTSA_target</name><hosts>178.79.189.74</hosts><port_list id='730ef368-57e2-11e1-a90f-406186ea4fc5'></port_list></create_target>"

The response will include a unique target ID.

Step 3: Get the Config ID

Retrieve the available scan configurations:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<get_configs/>" | xmlstarlet format

Example:

• daba56c8-73ec-11df-a475-002264764cea – Full and fast

Step 4: Get the Scanner ID

List the available scanners:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<get_scanners/>" | xmlstarlet format

Example:

• 08b69003-5fc2-4037-a479-93b440211c73 – OpenVAS default scanner

Step 5: Create a Scanning Task

Using the previously gathered information, create a scan task:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<create_task><name>demo_scan</name><comment>scan-using-cli</comment><config id='daba56c8-73ec-11df-a475-002264764cea'/><target id='2921ccc2-ab5c-4bf3-877b-c41872103223'/><scanner id='08b69003-5fc2-4037-a479-93b440211c73'/></create_task>"

A unique task ID will be returned.

Step 6: Start the Scan

Start the scanning task using its task ID:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<start_task task_id='5b485c14-0a42-444f-8a1a-2d0ff9ab014d'/>"

Step 7: Retrieve Scan Reports

Check the status and results of the scan:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<get_reports/>"

Step 8: Get Available Report Formats

To export scan results in different formats (PDF, CSV, XML, etc.), get available format IDs:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<get_report_formats/>"

Step 9: Export Scan Results

To export results in CSV format:

sudo -u _gvm gvm-cli --gmp-username admin --gmp-password YourPasswordHere socket --socketpath /run/gvmd/gvmd.sock --xml "<get_reports report_id='9e975cbd-918c-44e2-bc9e-28fc8ab8808f' format_id='c1645568-627a-11e3-a660-406186ea4fc5' filter='apply_overrides=0 levels=hml min_qod=50 first=1 rows=1000 sort=name ignore_pagination=1' details='1'/>" | grep -oP '(?<=</report_format>)[^<]+' | base64 -d > report.csv

Next Steps

• Secure your OpenVAS setup by configuring proper access controls.
• Automate scans using cron jobs or scripts.
• Integrate OpenVAS results with a SIEM for continuous monitoring.

By following these steps, you can efficiently use OpenVAS via the command line, making vulnerability scanning a seamless part of your security workflow.