{"id":398,"date":"2025-10-27T13:48:37","date_gmt":"2025-10-27T13:48:37","guid":{"rendered":"https:\/\/hackingwithj.com\/?p=398"},"modified":"2025-10-27T13:48:37","modified_gmt":"2025-10-27T13:48:37","slug":"openvas-in-the-wild-hunting-misconfigurations-at-home","status":"publish","type":"post","link":"https:\/\/hackingwithj.com\/?p=398","title":{"rendered":"OpenVAS in the Wild: Hunting Misconfigurations at Home"},"content":{"rendered":"\n<p>My vacation is over and I haven\u2019t touched a computer \u2014 time to get back on (hacking) track. To work more efficiently as a budding pentester, I want to automate repetitive tasks. Today I spun up OpenVAS in VirtualBox (about 10 minutes) and ran a full scan against my home subnet. The scan took a while, but returned useful findings that helped me prioritise remediation and sharpen my tooling workflow.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">OpenVAS<\/h1>\n\n\n\n<p>OpenVAS (part of the Greenbone Vulnerability Management stack) is an open-source vulnerability scanner that discovers hosts, enumerates services and compares them against a vulnerability feed to produce prioritized findings. It\u2019s not magic \u2014 results need human triage \u2014 but it\u2019s a great automation tool to find low-hanging misconfigurations and missing patches across a network. I used it to get a broad view of my home VLAN so I could plan remediation and deeper manual checks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Findings<\/h2>\n\n\n\n<p>The OpenVAS scan found 20 hosts and ~50 findings (many were low severity or accepted risks). Broken down by severity:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Severity<\/th><th>Count<\/th><\/tr><\/thead><tbody><tr><td>High<\/td><td>1<\/td><\/tr><tr><td>Medium<\/td><td>14<\/td><\/tr><tr><td>Low<\/td><td>35<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The highest severity item was an <strong>SMB null-session<\/strong> on my main PC (scored 7.5). 
That\u2019s where an anonymous connection to <code>IPC$<\/code> (or other SMB shares) is allowed without authentication.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SMB null session (High \u2014 7.5)<\/h2>\n\n\n\n<p>OpenVAS flagged an anonymous\/null session to the <code>IPC$<\/code> share. In simple terms, this means a remote user could connect to SMB with no credentials and query information via named pipes. According to resources like HackTricks, a null session can be used (with tools such as <code>enum4linux<\/code>) to enumerate:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OS and host details<\/li>\n\n\n\n<li>Domain\/NetBIOS info<\/li>\n\n\n\n<li>Local users and groups<\/li>\n\n\n\n<li>Exported SMB shares<\/li>\n\n\n\n<li>Some security policy information<\/li>\n<\/ul>\n\n\n\n<p>OpenVAS captured this as a high-risk finding because it gives an attacker low-effort visibility into your host and domain configuration.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"409\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-67-1024x409.png\" alt=\"\" class=\"wp-image-401\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-67-1024x409.png 1024w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-67-300x120.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-67-768x307.png 768w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-67-1536x614.png 1536w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-67.png 1623w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>At first I didn\u2019t even realise SMB was enabled on my main PC, so I wanted to check what an unauthenticated attacker could actually see. 
I whipped up a tiny script to test anonymous\/null sessions against common admin shares and then ran a couple of classic enumeration tools.<\/p>\n\n\n\n<p>Save this as <code>smb.sh<\/code> and run it only against systems you own or are authorised to test.<\/p>\n\n\n\n<pre class=\"wp-block-code has-vivid-purple-color has-text-color has-link-color wp-elements-0383aae6103fe0da56c18b47afb29770\"><code>nano smb.sh\n\n#!\/bin\/bash\n# Usage: .\/smb.sh &lt;target-ip>   (only against hosts you own or are authorised to test)\n# Tries an anonymous (null) session against the common administrative shares.\n\nip=\"${1:?usage: $0 &lt;target-ip>}\"\nshares=('C$' 'D$' 'ADMIN$' 'IPC$' 'PRINT$' 'FAX$' 'SYSVOL' 'NETLOGON')\n\nfor share in \"${shares&#91;@]}\"; do\n    # -U '%' = empty username and password, -N = never prompt for one,\n    # -c '' = connect, run no command, disconnect.\n    # smbclient exits 0 only when the tree connect succeeds, so the exit status is the\n    # reliable signal; testing for empty output misfires on warnings and banners.\n    if output=$(smbclient -U '%' -N \"\/\/$ip\/$share\" -c '' 2>&amp;1); then\n        echo \"&#91;+] null session possible for $share\"\n    else\n        echo \"&#91;-] $share: $output\"  # e.g. NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME\n    fi\ndone\n\nchmod +x smb.sh\n.\/smb.sh &lt;TARGET-IP-HERE><\/code><\/pre>\n\n\n\n<p>What I saw:<\/p>\n\n\n\n<div class=\"wp-block-group is-nowrap is-layout-flex wp-container-core-group-is-layout-6c531013 wp-block-group-is-layout-flex\">\n<ul class=\"wp-block-list\">\n<li>Most shares returned <strong>ACCESS DENIED<\/strong> (Windows blocking anonymous listing), which is good \u2014 those default administrative shares were protected.<\/li>\n\n\n\n<li><code>IPC$<\/code> and a few other named pipes were accessible to an anonymous session in my initial OpenVAS finding, but when I tried the direct checks (<code>smbclient<\/code>, <code>enum4linux<\/code>) I got limited info \u2014 Windows had tightened up a lot by default, so the exposure was mostly informational (usernames, share names) rather than giving full filesystem access.<\/li>\n\n\n\n<li><code>enum4linux -a &lt;target><\/code> and <code>smbclient -L \/\/&lt;target> -N<\/code> gave a quick view of what an anonymous user could enumerate; in my case there were some shares visible but they were mostly empty or 
blocked from anonymous write\/read.<\/li>\n<\/ul>\n<\/div>\n\n\n\n<p>Some screenshots:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"398\" height=\"172\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-68.png\" alt=\"\" class=\"wp-image-402\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-68.png 398w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-68-300x130.png 300w\" sizes=\"auto, (max-width: 398px) 100vw, 398px\" \/><figcaption class=\"wp-element-caption\"><em>The script<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"391\" height=\"252\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-69.png\" alt=\"\" class=\"wp-image-403\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-69.png 391w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-69-300x193.png 300w\" sizes=\"auto, (max-width: 391px) 100vw, 391px\" \/><figcaption class=\"wp-element-caption\"><em>rpcclient null session<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"954\" height=\"609\" src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-70.png\" alt=\"\" class=\"wp-image-404\" style=\"width:707px;height:auto\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-70.png 954w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-70-300x192.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-70-768x490.png 768w\" sizes=\"auto, (max-width: 954px) 100vw, 954px\" \/><figcaption class=\"wp-element-caption\"><em>enum4Linux<\/em><\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"811\" height=\"619\" 
src=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-71.png\" alt=\"\" class=\"wp-image-405\" style=\"width:709px;height:auto\" srcset=\"https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-71.png 811w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-71-300x229.png 300w, https:\/\/hackingwithj.com\/wp-content\/uploads\/2025\/10\/image-71-768x586.png 768w\" sizes=\"auto, (max-width: 811px) 100vw, 811px\" \/><figcaption class=\"wp-element-caption\"><em>smbclient<\/em><\/figcaption><\/figure>\n\n\n\n<p>Remediation (what I did \/ what you should do)<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Patch &amp; harden<\/strong> the host OS (Windows updates) and rotate any credentials if you suspect exposure.<\/li>\n\n\n\n<li><strong>If you don\u2019t need SMB on that host, disable it completely.<\/strong> That was my choice for this PC.<\/li>\n\n\n\n<li><strong>Disable SMBv1<\/strong> \u2014 it\u2019s legacy and insecure. Microsoft documents how to detect and disable SMBv1 here:<br><a>https:\/\/learn.microsoft.com\/en-us\/windows-server\/storage\/file-server\/troubleshoot\/detect-enable-disable-smbv1<\/a><\/li>\n\n\n\n<li><strong>Block SMB at the network level<\/strong> \u2014 prevent SMB (TCP 445, TCP\/UDP 139, UDP 137\u2013138) from being accessible across VLANs or from untrusted segments.<\/li>\n\n\n\n<li><strong>Disable anonymous\/guest access<\/strong> to shares and ensure shares are not exposed to Everyone\/Anonymous.<\/li>\n\n\n\n<li><strong>Enable SMB signing<\/strong> and require authentication where possible.<\/li>\n\n\n\n<li><strong>Audit shares and service status<\/strong> regularly (use <code>smbclient -L<\/code>, <code>enum4linux<\/code>, and scheduled OpenVAS scans).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Weak SSH algorithms allowed<\/h2>\n\n\n\n<p>While reviewing my OpenVAS scan I noticed an odd host on port <strong>2333<\/strong> that I hadn\u2019t realised was running SSH \u2014 it turned 
out to be my Zigbee\/Tuya gateway. OpenVAS flagged two findings:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Weak Encryption Algorithm(s) Supported (SSH)<\/strong> \u2014 severity 4.3<\/li>\n\n\n\n<li><strong>Weak Host Key Algorithm(s) (SSH)<\/strong> \u2014 severity 5.3<\/li>\n<\/ul>\n\n\n\n<p>Both findings are on port <strong>2333<\/strong> (Tuya\u2019s SSH port). In short: the gateway\u2019s SSH daemon still offers outdated\/weak encryption algorithms and weak host key algorithms. That is a risk because those weak choices give anyone who can intercept traffic to the device (typically someone on the same network segment) a softer target for downgrade or man-in-the-middle attempts, and SHA-1-based host key algorithms weaken the host authentication the client relies on. Tuya\u2019s developer documentation says:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The THP23-X-D development board uses a one-device-one-key encryption scheme. You need the password before logging in.&nbsp;<a href=\"https:\/\/service.console.tuya.com\/8\/3\/create?source=help_sidebar\">Submit a ticket<\/a>&nbsp;to request the password by providing the SN of your THP23-X-D development board.<\/p>\n<\/blockquote>\n\n\n\n<p>According to that note, the device uses a one-device-one-key scheme and the login password has to be requested from Tuya by submitting a ticket with the device SN. There are writeups about extracting firmware and recovering such passwords via UART\/serial (<a href=\"https:\/\/paulbanks.org\/projects\/lidl-zigbee\/\">Hacking the Silvercrest (Lidl) Smart Home Gateway | PaulBanks.Org<\/a>), but that\u2019s invasive, may void the warranty and needs downtime, so it is not ideal for a production device.<\/p>\n\n\n\n<p>So I went with a practical short-term mitigation, plus steps for a better long-term fix. Because I couldn\u2019t log in to reconfigure the device and I didn\u2019t want to risk downtime, I applied a network-level block. I blocked SSH to the device on port <strong>2333<\/strong> from all networks. 
Because I use OPNsense, this was relatively easy to do.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Other OpenVAS findings<\/h2>\n\n\n\n<p><strong>Cleartext transmission of sensitive information via HTTP \u2014 8 hits<\/strong><br>Most of my devices serve a small web UI without a certificate. In practice this is mostly irrelevant for me because I front everything with Nginx Proxy Manager and terminate TLS there \u2014 the proxy handles HTTPS and the backend traffic is on the LAN. Still: any web UI that receives credentials or tokens should be served over TLS, even internally.<\/p>\n\n\n\n<p><em>Action<\/em><strong>:<\/strong> Prioritise certs for services exposed to users (Let&#8217;s Encrypt via the proxy). For purely local-only endpoints consider firewalling them or adding VPN-only access.<\/p>\n\n\n\n<p><strong>TCP timestamps information disclosure \u2014 19 hits<\/strong><br>This is noisy but low-risk for my environment. TCP timestamps can leak kernel uptime and help attackers with OS fingerprinting or coarse host correlation. It\u2019s not dramatic, but cleaning it up reduces your fingerprintable surface.<\/p>\n\n\n\n<p><em>Action<\/em><strong>:<\/strong> Disable TCP timestamps on Linux hosts if possible (<code>sysctl -w net.ipv4.tcp_timestamps=0<\/code> changes the running kernel only; add <code>net.ipv4.tcp_timestamps = 0<\/code> to a file under <code>\/etc\/sysctl.d\/<\/code> to keep it across reboots) and test for side effects: PAWS and RTT measurement rely on the timestamp option, so high-bandwidth connections can be affected.<\/p>\n\n\n\n<p><strong>Weak MAC algorithm(s) supported (SSH) \u2014 10 hits<\/strong><br>This is a useful and actionable finding \u2014 several devices still accept old MACs or weak ciphers. I patched most of the devices I control, but some embedded gadgets are locked-down and still advertise weak algorithms.<\/p>\n\n\n\n<p><em>Action<\/em><strong>:<\/strong> For devices you manage: restrict <code>sshd<\/code> to strong MACs\/ciphers\/KEX only, rather than merely preferring them (e.g. <code>hmac-sha2-256-etm@openssh.com<\/code>, <code>aes*-gcm@openssh.com<\/code> or <code>aes*-ctr<\/code>, <code>curve25519-sha256<\/code>), reload the service, and confirm the weak entries are gone with <code>nmap --script ssh2-enum-algos -p &lt;port> &lt;host><\/code> or a re-scan. 
For closed devices: firewall them off or isolate them on a VLAN until vendor\/firmware updates are available.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">What I learned<\/h1>\n\n\n\n<p>Running OpenVAS against my own network was eye-opening \u2014 and useful in three main ways:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Automated tooling is worth the effort.<\/strong><br>OpenVAS found things I\u2019d miss manually. Going forward my scans will be more structured: start with a subnet discovery, then feed live targets to OpenVAS so the output is less noisy and more focused.<\/li>\n\n\n\n<li><strong>Blue-team skills improve red-team sense.<\/strong><br>Hardening services (TLS, SSH algos, VLANs) taught me the practical trade-offs attackers exploit. That knowledge makes me a better pentester and makes my remediation advice more realistic for clients.<\/li>\n\n\n\n<li><strong>Hands-on practice matters.<\/strong><br>Scanning my own network helped me practice triage: which findings are critical, which are informational, and which are acceptable risks for my environment. It also reinforced a simple truth \u2014 a single weak device (or default service) can weaken an otherwise solid network.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>My vacation is over and I haven\u2019t touched a computer \u2014 time to get back on (hacking) track. To work more efficiently as a budding pentester, I want to automate repetitive tasks. Today I spun up OpenVAS in VirtualBox (about 10 minutes) and ran a full scan against my home subnet. 
The scan took a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[20,9,17],"tags":[],"class_list":["post-398","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-network-hacking","category-tooling"],"_links":{"self":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/398","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=398"}],"version-history":[{"count":6,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions"}],"predecessor-version":[{"id":409,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=\/wp\/v2\/posts\/398\/revisions\/409"}],"wp:attachment":[{"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=398"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=398"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hackingwithj.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=398"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
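Two passages in the post above, the "Weak SSH algorithms allowed" section on the Tuya gateway and the "Weak MAC algorithm(s) supported" action item, describe the finding and the fix in words. The bash below is an added example and is not code from the original post or from Greenbone: it classifies SSH algorithm names the way a scanner does, counts the weak ones in a sample list, writes an explicit allow-list drop-in for OpenSSH and checks that the drop-in would come back clean. The deny-list is an assumption modelled on OpenVAS/ssh-audit style checks rather than a copy of the Greenbone NVT, the sample algorithm list is constructed (the post does not reproduce the gateway's real list), and the drop-in path assumes an OpenSSH 8.2+ sshd_config that includes /etc/ssh/sshd_config.d/*.conf.

```shell
#!/bin/bash
# Added example (not from the original post): classify SSH algorithms like a scanner,
# count the weak ones, and emit/validate a hardened sshd_config drop-in.
# ASSUMPTION: the deny-list below is modelled on OpenVAS/ssh-audit style checks; it is
# not a copy of the Greenbone NVT. SAMPLE_ALGOS is constructed, not real device output.

# Return 0 (weak) for MD5/SHA-1 and truncated MACs, CBC/RC4/3DES ciphers, SHA-1 key
# exchange, and DSA or SHA-1-signed RSA host key algorithms; 1 (acceptable) otherwise.
is_weak_algo() {
    case "$1" in
        hmac-md5*|hmac-sha1*|*-96|umac-64*) return 0 ;;
        *-cbc*|arcfour*|3des*|blowfish*|cast128*) return 0 ;;
        diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1) return 0 ;;
        ssh-dss|ssh-rsa) return 0 ;;   # ssh-rsa here is the SHA-1 signature algorithm, not the key type
        *) return 1 ;;
    esac
}

# Print the weak entries of an algorithm list (passed as arguments), one per line.
weak_algos() {
    local algo
    for algo in "$@"; do
        is_weak_algo "$algo" && printf '%s\n' "$algo"
    done
    return 0
}

# Count them; this is the number a scanner reports as "hits" for one host.
count_weak() {
    local algo n=0
    for algo in "$@"; do
        if is_weak_algo "$algo"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Write an explicit allow-list drop-in. ASSUMPTION: OpenSSH >= 8.2 whose stock
# sshd_config contains "Include /etc/ssh/sshd_config.d/*.conf"; check yours first.
write_hardened_sshd_dropin() {
    cat > "$1" <<'EOF'
# Hardened algorithm policy: explicit allow-lists, no SHA-1, no CBC, no truncated MACs.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
EOF
}

# Re-check a config fragment: how many algorithms on KexAlgorithms/Ciphers/MACs/
# HostKeyAlgorithms lines would still be flagged. 0 means the file is clean.
config_weak_count() {
    local key list algo n=0
    while read -r key list; do
        case "$key" in
            KexAlgorithms|Ciphers|MACs|HostKeyAlgorithms) ;;
            *) continue ;;   # comments, blank lines, unrelated directives
        esac
        for algo in $(printf '%s' "$list" | tr ',' ' '); do
            if is_weak_algo "$algo"; then n=$((n + 1)); fi
        done
    done < "$1"
    echo "$n"
}

# Constructed sample of what an old embedded SSH daemon might advertise.
SAMPLE_ALGOS="curve25519-sha256 diffie-hellman-group14-sha1 diffie-hellman-group1-sha1 ssh-rsa ssh-ed25519 aes128-ctr aes256-cbc 3des-cbc hmac-sha2-256 hmac-sha1 hmac-md5 umac-64@openssh.com"

main() {
    local dropin="${1:-$(mktemp)}"
    echo "weak algorithms advertised: $(count_weak $SAMPLE_ALGOS)"
    weak_algos $SAMPLE_ALGOS | sed 's/^/  - /'
    write_hardened_sshd_dropin "$dropin"
    echo "weak algorithms left in $dropin: $(config_weak_count "$dropin")"
    echo "review it, copy to /etc/ssh/sshd_config.d/10-hardening.conf, run 'sshd -t', then restart sshd"
}
main "$@"
```

Run it as-is to see the classification and the generated drop-in; to apply it on a host you manage, pass an output path, review the file, install it under /etc/ssh/sshd_config.d/, run sshd -t and restart sshd from a session you can recover if you lock yourself out. For a closed device like the gateway this does nothing, which is why the post falls back to a firewall rule.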
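The first lesson in the post above, discover the subnet first and feed only live hosts to OpenVAS, is a small pipeline. The bash below is an added example, not code from the original post: it turns nmap's grepable ping-sweep output into a deduplicated, numerically sorted target list in the comma-separated form the Greenbone target dialog accepts. The nmap output it processes is a constructed sample with made-up addresses and hostnames, not a real capture, and the 192.168.10.0/24 subnet is an assumption.

```shell
#!/bin/bash
# Added example (not from the original post): build an OpenVAS target list from an
# nmap ping sweep so the vulnerability scan only touches hosts that are actually up.

# Constructed sample in the shape `nmap -sn -oG - 192.168.10.0/24` prints (addresses and
# hostnames are made up). Two sweeps were concatenated, so one host appears twice, and
# the second sweep ran with -v, which also lists Down hosts. nmap separates fields with
# tabs; the sample uses spaces, and awk's default splitting handles either.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated Mon Oct 27 13:00:00 2025 as: nmap -sn -oG - 192.168.10.0/24
Host: 192.168.10.1 (_gateway) Status: Up
Host: 192.168.10.20 () Status: Up
Host: 192.168.10.37 (zigbee-gw) Status: Up
# Nmap done at Mon Oct 27 13:00:05 2025 -- 256 IP addresses (3 hosts up) scanned in 4.21 seconds
# Nmap 7.94 scan initiated Mon Oct 27 13:10:00 2025 as: nmap -sn -v -oG - 192.168.10.0/24
Host: 192.168.10.20 () Status: Up
Host: 192.168.10.99 () Status: Down
# Nmap done at Mon Oct 27 13:10:04 2025 -- 256 IP addresses (1 host up) scanned in 4.02 seconds'

# Read grepable output on stdin; print each address reported Up exactly once,
# in numeric IPv4 order (plain sort would put 192.168.10.100 before 192.168.10.2).
live_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' \
        | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# Same list on one comma-separated line, the form the Greenbone target "Hosts" field takes.
live_hosts_csv() {
    live_hosts | paste -sd, -
}

main() {
    # Real use: nmap -sn -oG - 192.168.10.0/24 | live_hosts_csv
    printf '%s\n' "$SAMPLE_GNMAP" | live_hosts_csv
}
main
```

Paste the single line into the target's Hosts field (or save live_hosts output to a file and import it), and keep the sweep and the scan on the same VLAN as the targets so firewall rules between segments do not hide hosts.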