
I recently launched a system discovery scan with OpenVAS to an IP from my net to compare its results to Nmap. As you can see in the image OpenVAS does not find all the ports Nmap does.


Both scans were all-TCP-port scans. Also, both tools are installed on the same Ubuntu machine, on the same net as the scanned IP.

Why does this happen?

  • 3
    We can't know why until you run a packet capture during both scans – schroeder Feb 26 '20 at 19:49
  • 1
    You don't have enough specific information. Which options were specified on the command line for nmap, and which settings were selected for the OpenVAS job? Sometimes, you will get different results with nmap depending on whether it was -sS, -sT, -sN, -sF, or -sA. I'm not sure which option is equivalent to OpenVAS "All TCP" scan... it's possible that none are 100% equivalent. – DoubleD Feb 26 '20 at 21:12
  • The Nmap scan was done with -p-, and in OpenVAS I specified all 65536 ports. – Jerónimo Domínguez Fernández-Núñez Feb 26 '20 at 22:56
  • After following your advice I analyzed a packet capture during both scans. I focussed on port 2700. I realized that OpenVAS did manage to do a successful 3-way handshake but then tried to get further data (I suppose banners) with several HTTP GETs. To all of them it got a [FIN, ACK] from the scanned IP. On the other hand Nmap just got the 3-way handshake and stopped. My guess is that although the OpenVAS scan also got a 3-way handshake, not being able to get all the info it wanted made it say it's closed. What do you think of this @schroeder and @DoubleD? Thanks for your previous comments...very useful! – Jerónimo Domínguez Fernández-Núñez Feb 27 '20 at 16:10
  • 1
    Yes, I would agree. Nmap wants to know if it responds. I'd have to see the OpenVAS output to see what it categorised the port as. – schroeder Feb 27 '20 at 16:14

2 Answers

1

After studying and analyzing data from packet captures of both scans I discovered the answer. Apparently, OpenVAS works this way:

1) TCP 3-way handshake on the port.

2) OpenVAS asks different famous protocol questions (HTTP, telnet, etc.) to get an answer with data (banners).

3) If it does get answers, it will create a report with all that data and say it's open.

4) If it does not get an answer for them, OpenVAS will say it's closed, as it cannot give further data about the service the port is running.

So, what happened with ports 27000, 49154, 50095? These ports have very rare services running, therefore OpenVAS did not ask questions for those specific and unusual protocols. As a result OpenVAS did not get answers and reported those ports as closed.

On the other hand Nmap just needs a successful 3-way handshake to report a port as open and, like OpenVAS, Nmap did get a 3-way handshake for all those ports and did not try to get further data.

I hope I explained myself well enough. Thank you all for your help and advice.
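As an added illustration (not part of the original answer or of either tool's code), the following Python script classifies ports from a packet capture the way the two scanners would: Nmap's connect scan only needs the completed handshake, while OpenVAS in its default silent mode also wants application data back from its probes. The capture is constructed inline to mirror the port 2700 observation from the comments; packet tuples, port numbers and the `silent` switch are assumptions for this example, and a real capture would also need to be keyed by client source port.

```python
# Added example, not code from the original post or from Nmap/OpenVAS.
# Each packet: (direction, target_port, tcp_flags, payload_len), direction
# "c2s" = scanner -> target, "s2c" = target -> scanner. Constructed data.
from collections import defaultdict

CAPTURE = [
    # Port 2700 as observed in the question: handshake completes, the HTTP
    # GET probe is answered only with FIN/ACK -> open for Nmap, "closed" for
    # OpenVAS in silent mode.
    ("c2s", 2700, "S", 0), ("s2c", 2700, "SA", 0), ("c2s", 2700, "A", 0),
    ("c2s", 2700, "PA", 60), ("s2c", 2700, "FA", 0),
    # Port 80: handshake completes and the server returns a banner/response.
    ("c2s", 80, "S", 0), ("s2c", 80, "SA", 0), ("c2s", 80, "A", 0),
    ("c2s", 80, "PA", 60), ("s2c", 80, "PA", 200),
    # Port 9999: SYN answered with RST -> closed for both tools.
    ("c2s", 9999, "S", 0), ("s2c", 9999, "RA", 0),
]


def classify(capture, silent=True):
    """Return {port: (nmap_state, openvas_state)} from a flag sequence.

    silent=True models the default OpenVAS setting ("Silent: Yes"); with
    silent=False a completed handshake is enough, as the second answer
    describes.
    """
    flows = defaultdict(lambda: {"syn": False, "synack": False,
                                  "ack": False, "data": False})
    for direction, port, flags, plen in capture:
        f = flows[port]
        if direction == "c2s" and flags == "S":
            f["syn"] = True
        elif direction == "s2c" and "S" in flags and "A" in flags:
            f["synack"] = True
        elif direction == "c2s" and flags == "A" and f["synack"]:
            f["ack"] = True            # third packet of the handshake
        elif direction == "s2c" and "R" not in flags and plen > 0:
            f["data"] = True           # server sent application data
    result = {}
    for port, f in flows.items():
        handshake = f["syn"] and f["synack"] and f["ack"]
        nmap = "open" if handshake else "closed"
        openvas = "open" if handshake and (f["data"] or not silent) else "closed"
        result[port] = (nmap, openvas)
    return result


if __name__ == "__main__":
    for port, states in sorted(classify(CAPTURE).items()):
        print(port, "nmap=%s openvas=%s" % states)
```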

0

To anyone who still requires ports to be listed by OpenVAS whenever a 3-way handshake is completed:

In Scan Configs -> General -> Checks for open TCP/UDP ports -> Edit -> Silent: No

When the scan is ongoing or completed:

Results -> Checks for open TCP/UDP ports -> View Open TCP/UDP Ports
