Working with openvas plugins:

First test if your script written in NASL is syntactically correct. This could be done by using openvas-nasl with the -p option, e.g.:

# openvas-nasl -p broken-example.nasl
syntax error, unexpected IDENT, expecting ')'
Parse error at or near line 17

This is telling us that this script has a syntax error. Test the functionality of your script only after you've made sure your script contains only syntactically correct NASL.

Now you can test on your target host, if the LVT is correct, by writing debug-output into a debug file:

openvas-nasl  -T /tmp/debug-lvt.txt -X  example-lvt.nasl

The debug output will be written into the debug-lvt.txt file

The test on the network is a bit more complicated. To test if the right packet was sent, you can use TCPDUMP to capture the communication between the host and the client, e.g.:

# tcpdump -i lo -w debug.pcap -s 1450
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1450 bytes
10 packets captured
20 packets received by filter
0 packets dropped by kernel
Now it is possible to decode the content of the network communication.

  # tcpdump -vvvv -n -r debug.pcap

OMP Command line:

Get tasks from a sensor

omp -u ossim -w ossim -iX "<get_tasks/>"

OMP Remote Control

OpenVas configuration:

How to enable MS RPC calls

Listing shares with smbclient works for non-admin users with valid credentials.

server:~# /usr/share/python/alienvault-api-core/bin/ -hashes AAD3B435B51404EEAAD3B435B51404EE:029E435C4A50F859BCC682564D627473 schl/|tluaVneilA-s#|tluaVneilA-s ipconfig
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] SMBv2.1 dialect used
[-] rpc_s_access_denied

The hashes can be obtained from here:

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (

USMEXTRANET:~# /usr/share/python/alienvault-api-core/bin/ -debug domainname/23.1.861.291|resu#23.1.861.291|resu
Impacket v0.9.15 - Copyright 2002-2016 Core Security TechnologiesPassword:
[*] SMBv3.0 dialect used
[+] Target system is and isFDQN is False
[+] StringBinding: \\\\WINSERVERINTRAN[\\PIPE\\atsvc]
[+] StringBinding: WINSERVERINTRANET[49155]
[+] StringBinding:[49155]
[+] StringBinding chosen: ncacn_ip_tcp:[49155]
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\> works when adding the scan user to the administrator group

To obtain the credential user and pass from a scan, you can click on "Check credentials" while you run the following command:

while true; do cp -a /var/tmp/check* . 2> /dev/null  ; done

Other commands that can help debug openvas and windows authentication are:

winexe -A ./check_credetial_AB9D470703ACBA7C71D9643A76FDD30A // ipconfig
smbclient --debuglevel=1 -A check_credetial_F2461B2A41AE35ABEEE683CD87C60DB9  -L //

Completed jobs:

select id, name, scan_SERVER, scan_START, scan_END, scan_SUBMIT, status from vuln_jobs;

Scheduled jobs:

select * from vuln_job_schedule;
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License