offensive-tools/vuln-scanners/openvas/SKILL.md
OpenVAS / Greenbone Community Edition: comprehensive network vulnerability scanner checking 90,000+ NVTs across hosts, services, and web apps. Use when performing infrastructure-level vulnerability assessments — CVE scanning, service enumeration, misconfiguration detection, and compliance checks across subnets or single hosts. CLI via gvm-cli; web UI via GSA.
Network and service vulnerability scanner — 90,000+ NVTs, CVEs, misconfigs, compliance.
```
GSA (Web UI :9392) ─→ gvmd ─→ ospd-openvas ─→ openvas-scanner
                       │             │
                  PostgreSQL   Redis (NVT cache)
```
Components: gvmd (manager daemon), ospd-openvas (OSP wrapper), openvas (scanner), gsa (web UI), notus-scanner (fast CVE checks via JSON advisories).
```bash
# Download compose file
curl -f -O https://greenbone.github.io/docs/latest/_static/docker-compose-22.4.yml

# Start all services
docker compose -f docker-compose-22.4.yml -p greenbone-community-edition pull
docker compose -f docker-compose-22.4.yml -p greenbone-community-edition up -d

# Wait for feed sync (can take 30-60 min first time)
docker compose -f docker-compose-22.4.yml -p greenbone-community-edition \
  logs -f vulnerability-tests

# Default credentials: admin / admin
# Web UI: https://127.0.0.1:9392
```
1. Configuration → Credentials # Optional: SSH/SMB creds for authenticated scan
2. Configuration → Targets # Create target (hosts/subnet, port list)
3. Configuration → Scan Configs # Choose config (see table)
4. Scans → Tasks → New Task # Bind target + config + optional credentials
5. ▶ Start Task # Execute
6. Scans → Reports → select # View findings; export XML/CSV/PDF
| Config | ID | Use |
|--------|----|-----|
| Full and Fast | daba56c8-73ec-11df-a475-002264764cea | Standard pentest scan |
| Full and Deep | 698f691e-7489-11df-9d8c-002264764cea | Slower, more thorough |
| Empty | 085569ce-73ed-11df-83c3-002264764cea | Base for custom configs |
| Discovery | 8715c877-47a0-438d-98a3-27c7a6ab2196 | Port/service discovery only |
| Host Discovery | 2d3f051c-55ba-11e3-bf43-406186ea4fc5 | Ping sweep only |
| System Discovery | bbca7412-a950-11e3-9109-406186ea4fc5 | OS/service fingerprinting |
```bash
# Install
pip install gvm-tools

# Auth alias — add to shell profile (kept on one line so the quoted alias body
# contains no literal backslash-newline; --xml takes the GMP command as its argument)
alias gvmcli='gvm-cli --gmp-username admin --gmp-password admin socket --socketpath /run/gvmd/gvmd.sock --xml'

# Test connectivity
gvmcli '<get_version/>'

# List targets
gvmcli '<get_targets/>'

# List tasks
gvmcli '<get_tasks/>'

# Get results for task
gvmcli '<get_results task_id="TASK_ID"/>'

# Get report (XML); apply_overrides=0 shows raw findings, min_qod=70 keeps confirmed ones
gvmcli '<get_reports report_id="REPORT_ID" filter="apply_overrides=0 min_qod=70"/>'
```
```bash
# 1. Create target
gvmcli '<create_target>
  <name>My Target</name>
  <hosts>192.168.1.0/24</hosts>
  <port_list id="33d0cd82-57c6-11e1-8ed1-406186ea4fc5"/>
</create_target>'
# → note target id from response

# 2. Create task
gvmcli '<create_task>
  <name>Scan Task</name>
  <target id="TARGET_ID"/>
  <config id="daba56c8-73ec-11df-a475-002264764cea"/>
</create_task>'
# → note task id from response

# 3. Start task
gvmcli '<start_task task_id="TASK_ID"/>'

# 4. Check status
gvmcli '<get_tasks task_id="TASK_ID"/>'
# Look for: <status>Running</status> or <status>Done</status>
```
| Port List | ID |
|-----------|-----|
| All IANA Assigned TCP | 33d0cd82-57c6-11e1-8ed1-406186ea4fc5 |
| All TCP and Nmap Top 100 UDP | 730ef368-57e2-11e1-a90f-406186ea4fc5 |
| All TCP | fd591a34-56fd-11e1-9f27-406186ea4fc5 |
```bash
gvm-pyshell --gmp-username admin --gmp-password admin \
  socket --socketpath /run/gvmd/gvmd.sock
```

In the shell:

```python
>>> targets = gmp.get_targets()
>>> tasks = gmp.get_tasks()
>>> gmp.start_task(task_id='TASK_ID')
```
```bash
# Results with severity above 7 and QoD >= 70, highest severity first
gvmcli '<get_results filter="severity>7 min_qod=70 sort-reverse=severity"/>'

# Only active CVEs
gvmcli '<get_nvts filter="type=cve"/>'
```
```bash
# In Docker deployment
docker compose exec ospd-openvas greenbone-nvt-sync
docker compose exec gvmd greenbone-feed-sync --type GVMD_DATA
docker compose exec gvmd greenbone-feed-sync --type SCAP
docker compose exec gvmd greenbone-feed-sync --type CERT
```
| Symptom | Fix |
|---------|-----|
| Scan stuck at 0% | Check scanner registered: gvmcli '<get_scanners/>' |
| Feed empty / old NVTs | Run greenbone-nvt-sync manually |
| GSA unreachable | Check port 9392 and SSH tunnel if remote |
| Scan very slow | Use "Full and Fast" not "Full and Deep"; reduce concurrent hosts |
| Low QoD results | Filter with min_qod=70 (confirmed findings only) |
| QoD | Meaning |
|-----|---------|
| 100% | Package version check (most reliable) |
| 70%+ | Active exploit confirmation |
| 50% | Remote banner check |
| 30% | Unreliable/indirect detection |
Filter min_qod=70 eliminates most false positives.
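The same QoD/severity triage done locally on the XML that `gvmcli '<get_results .../>'` returns, as an added example that is not part of this skill or of gvm-tools. The sample response below is constructed (element shape follows a GMP `get_results_response`; hosts, names and values are made up), so it runs without a gvmd socket.

```python
import xml.etree.ElementTree as ET

# Constructed sample (shape follows a GMP get_results_response; values are made up).
SAMPLE_RESPONSE = """<get_results_response status="200" status_text="OK">
<result id="r1"><name>OpenSSH outdated version</name>
<host>192.168.1.10<asset asset_id="a1"/></host><port>22/tcp</port>
<severity>7.5</severity><threat>High</threat><qod><value>80</value><type>remote_banner</type></qod></result>
<result id="r2"><name>Possible default credentials</name>
<host>192.168.1.11</host><port>23/tcp</port>
<severity>9.8</severity><threat>High</threat><qod><value>30</value><type>remote_vul</type></qod></result>
<result id="r3"><name>TLS 1.0 enabled</name>
<host>192.168.1.10</host><port>443/tcp</port>
<severity>5.3</severity><threat>Medium</threat><qod><value>98</value><type>remote_app</type></qod></result>
<result id="r4"><name>Kernel package vulnerable (local check)</name>
<host>192.168.1.12</host><port>general/tcp</port>
<severity>7.8</severity><threat>High</threat><qod><value>97</value><type>package</type></qod></result>
</get_results_response>"""


def parse_results(xml_text):
    """Return one dict per <result>; missing fields default to 0 / ''.
    findtext("host") yields only the text before the <asset> child, i.e. the IP."""
    root = ET.fromstring(xml_text)
    out = []
    for r in root.findall("result"):
        out.append({
            "id": r.get("id", ""),
            "name": r.findtext("name", ""),
            "host": (r.findtext("host") or "").strip(),
            "port": r.findtext("port", ""),
            "severity": float(r.findtext("severity", "0")),
            "qod": int(r.findtext("qod/value", "0")),
        })
    return out


def triage(results, min_severity=7.0, min_qod=70):
    """Equivalent of filter="min_qod=70 sort-reverse=severity" plus a severity floor:
    keep confirmed findings (QoD >= min_qod) at or above min_severity, highest first."""
    keep = [r for r in results if r["qod"] >= min_qod and r["severity"] >= min_severity]
    return sorted(keep, key=lambda r: r["severity"], reverse=True)


if __name__ == "__main__":
    for r in triage(parse_results(SAMPLE_RESPONSE)):
        print(f'{r["severity"]:>4} qod={r["qod"]:>3} {r["host"]:<14} {r["port"]:<12} {r["name"]}')
```

Note that the 9.8 "default credentials" hit is dropped: a QoD of 30 means the scanner only inferred it, so it needs manual confirmation before it goes in a report.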
references/scan-configs.md