What exactly openvas/GVM do ?
The scan starts with port scanning and it also detects the vulnerable versions installed on the target . But other than that , what exactly will openvas do ?
Send traffic with high rate ? What kind of tests are done to find vulnerabilities / exploit the target / make the target crash .
@Err_security well. it uses nasl plugins to detect vulnerabilities. in rare cases it can crash target.
Yes , there are plugins written in nasl . But what does these plugins doing mostly ? As I mentioned earlier , I see few plugins detect the vulnerable versions installed on the target . But these will not crash the target .
I have seen device crash after performing openvas scan . Not sure what / which plugin caused the crash . So i wanted to know what kind of tests are done by openvas.
Is there a way to detect which test might have caused the device crash .
@Err_security they check software versions and so on. You can read nasl scripts by yourshelf.
If I remember correctly, there is option to disable “dangerous plugins”.
In some rare cases it can crash target.
As a starter you might want to look into 2 Read Before Use — Greenbone Enterprise Appliance 21.04.19 documentation
Vulnerability scans might have some side affects (depending on your settings, host hardening, network robustness, etc.). My advise is to start with safe scan type (e.g. full and fast). If a scan crashes your target in most cases the target can’t handle e.g. port scans, uncommon requests to some services or even high-rated network traffic. In such cases you definitely want to go back to your vendor or do some basic host hardening.
Our checks are a mix of active and passive (e.g. version) checks. Active means it will try to exploit a vulnerability to a point where it can be assured that the vulnerability indeed exists (but not going further e.g. installing a web shell etc.). We try our best to make these checks as non-intrusive as possible but we can’t always be sure how systems handle these network requests. There exist some (really) old checks that even would conduct an active DoS check. However these won’t be launched if using a safe scan type like “full and fast”.
So to summarize: Go from a basic, safe scan and see at what stage (if at all) your target crashes. Contact your vendor. If you see a problem in one of our checks, contact us here again and we can have a look.
Hope this helps.