GVM Vulnerability Scanning
After reconnaissance completes, you can run a GVM/OpenVAS network-level vulnerability scan to complement the web-layer findings from Nuclei. While Nuclei tests HTTP endpoints against template signatures, GVM probes services directly at the protocol layer — testing for misconfigurations, outdated software, default credentials, and known CVEs across every open port.
Greenbone Vulnerability Management (GVM) — formerly OpenVAS — is the world's largest open-source network vulnerability scanner. The GVM stack includes:
| Component | Purpose |
|---|---|
| OpenVAS Scanner (ospd-openvas) | Scanning engine — executes NVTs (Network Vulnerability Tests) against targets |
| GVM Daemon (gvmd) | Task orchestrator — manages scans, stores results, exposes the GMP API |
| Vulnerability Feed | 170,000+ NVTs covering OS, network services, databases, IoT, ICS |
| PostgreSQL + Redis | Backend storage for scan results and NVT metadata |
GVM actively negotiates protocols, authenticates to services, checks software versions, tests for default credentials, and probes for misconfigurations invisible at the HTTP layer — weak SSH ciphers, exposed database ports, SNMP community strings, SMB vulnerabilities, and more.
GVM starts automatically with `docker compose up -d`. On the first launch, it requires a one-time feed synchronization that takes ~30 minutes to download 170,000+ vulnerability tests. Subsequent starts are instant.

Default GVM credentials: `admin` / `admin` (auto-created on first start)

To change the password:

```
docker compose exec -u gvmd gvmd gvmd --user=admin --new-password='<new-password>'
```

If you started RedAmon without GVM (lightweight mode), you can start it later:

```
docker compose up -d gvmd gvm-ospd gvm-postgres gvm-redis
```

GVM includes seven pre-configured scan profiles. Times below are per-target estimates:
| Scan Profile | NVTs | Duration | Description |
|---|---|---|---|
| Host Discovery | ~100 | 2-5 min | Basic host detection — is the target alive? |
| Discovery | ~500 | 5-10 min | Open ports, running services, OS fingerprint |
| System Discovery | ~2,000 | 10-20 min | Detailed OS and service enumeration |
| Full and fast | ~50,000 | 30-60 min | Comprehensive scan using port data to select relevant NVTs — recommended |
| Full and fast ultimate | ~70,000 | 1-2 hours | Includes dangerous NVTs that may crash services |
| Full and very deep | ~50,000 | 2-4 hours | Ignores prior data, runs all NVTs unconditionally |
| Full and very deep ultimate | ~70,000 | 4-8 hours | Most thorough — all NVTs including dangerous ones, ignores prior data |
Key differences:
- Fast profiles leverage port scan results to skip irrelevant NVTs
- Very deep profiles execute every NVT unconditionally, waiting for timeouts
- Ultimate variants add NVTs that may cause denial-of-service — use only in lab environments
Select the scan profile in your project's GVM Scan tab (see Creating a Project > Tab 8).
Prerequisites:
- Reconnaissance must have completed for the project (GVM needs IP/hostname data)
- The GVM stack must be running (`docker compose ps` should show `gvmd` as "running")
Steps:
- On the Graph Dashboard, locate the GVM Vulnerability Scan group (red, shield icon) in the toolbar
- Click the "GVM Scan" button
- A confirmation modal appears — click "Confirm" to start
- Click the Logs button to open the GVM logs drawer and watch progress
- When the scan completes, click the Download button to save results as JSON
Note: GVM scans are disabled in stealth mode because they generate ~50,000 active probes per target.
| Parameter | Default | Description |
|---|---|---|
| Scan Profile | Full and fast | Which scan profile to use (see table above) |
| Scan Targets Strategy | both | What to scan: both (IPs + hostnames), ips_only, or hostnames_only. "Both" doubles the target count |
| Task Timeout | 14400 (4 hours) | Maximum seconds for a single scan task. 0 = unlimited |
| Poll Interval | 5 | Seconds between status checks (5-300) |
| Cleanup After Scan | true | Remove targets/tasks from GVM's internal DB after results are extracted |
Full parameter reference: Project Settings Reference > GVM Vulnerability Scan
GVM findings are stored in the Neo4j graph as:
- Vulnerability nodes with `source: "gvm"` — linked to IP and Subdomain nodes via `HAS_VULNERABILITY` relationships
- Associated CVE nodes with CVSS scores and descriptions
- Results include: vulnerability name, severity, QoD (Quality of Detection), affected host, port, and remediation guidance
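
One way to triage the downloaded JSON by severity and QoD, as an added example that is not RedAmon's own code. The export schema is not documented on this page, so the field names (`name`, `severity`, `qod`, `host`, `port`, `solution`) and the sample records are assumptions to adjust against a real export.

```python
import json
from collections import defaultdict

# Constructed sample. Field names are assumed, not RedAmon's documented schema.
SAMPLE_EXPORT = json.loads("""[
 {"name": "PostgreSQL default credentials", "severity": 9.0, "qod": 99,
  "host": "192.0.2.10", "port": "5432/tcp", "solution": "Change the password."},
 {"name": "Weak SSH encryption algorithms", "severity": 4.3, "qod": 80,
  "host": "192.0.2.10", "port": "22/tcp", "solution": "Disable weak ciphers."},
 {"name": "Outdated OpenSSH (banner only)", "severity": 7.5, "qod": 30,
  "host": "192.0.2.10", "port": "22/tcp", "solution": "Update OpenSSH."},
 {"name": "Service detection", "severity": 0.0, "qod": 80,
  "host": "192.0.2.10", "port": "22/tcp", "solution": ""}
]""")

MIN_QOD = 70  # GVM's own default result filter hides findings below 70% QoD


def band(score):
    """Map a CVSS score to GVM's High/Medium/Low/Log severity classes."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "Log"


def triage(results, min_qod=MIN_QOD):
    """Return (ranked, review): confident findings per host/port, and low-QoD ones."""
    by_service, review = defaultdict(list), []
    for r in results:
        sev = float(r.get("severity") or 0.0)
        if band(sev) == "Log":
            continue  # informational result, nothing to remediate
        if int(r.get("qod") or 0) < min_qod:
            review.append(r)  # low confidence: verify by hand before reporting
            continue
        by_service[(r["host"], r["port"])].append((sev, band(sev), r["name"]))
    for findings in by_service.values():
        findings.sort(reverse=True)  # worst finding first within each service
    ranked = sorted(by_service.items(), key=lambda kv: kv[1][0][0], reverse=True)
    return ranked, review


if __name__ == "__main__":
    ranked, review = triage(SAMPLE_EXPORT)
    for (host, port), findings in ranked:
        for sev, label, name in findings:
            print(f"{host} {port:<9} {label:<6} {sev:>4} {name}")
    print(f"{len(review)} low-QoD finding(s) held back for manual verification")
```

Low-QoD results, such as version matches based only on a service banner, are kept in a separate list rather than dropped, so they can be confirmed on the host before they reach a report.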
The AI agent can reason about both web-layer vulnerabilities (Nuclei) and network-layer vulnerabilities (GVM) in a single unified graph.
- GitHub Secret Hunting — search for leaked credentials
- AI Agent Guide — let the AI analyze all findings (including GVM results)