In the past, I’ve used nessus for vulnerability scanning my lab, but as my service count has grown, the 16 IP limit is becoming a little unwieldy.
Is anyone able to recommend an alternative that fits at least most of the requirements I have?
-
Free (preferably in both senses of the word)
-
Doesn’t use Docker, even if containerized, I’d prefer to avoid having my scanner share a host with another service… and I’m not incredibly well versed with Docker
-
Scans multiple systems (I tried Trivy, but as far as I can tell it only scans the system you install it on)
-
Has a webui for management of scans
Alternatively, if anyone is willing to lend some advice for the configuration of Wazuh… I deployed the service months ago with the expectation that it could be used for vulnerability scanning (the Dev was in a few reddit threads suggesting that it had the capability), but i haven’t been able to configure it properly.
I appreciate any advice people are willing to offer!
Edit: fixed formatting
I know you said preferably no docker, but greenbone community edition is nice. It’s a fork from nessus back in the day. They don’t really put any restrictions on the community version. If you want to see it in action I have a test server up and running.
I originally crossed this one out because of the docker requirement, but because of your comment i looked again. It looks like it can be built from source instead! I’m deploying it after work tomorrow
Yes you can! I’ve attempted on debian before but it’s something like 12 components you have to build and configure and I ran into some issues. It’s been a while though and I don’t remember exactly what gave me trouble. I know I had issues at one point due to the host not having enough ram. If you don’t have at least 8 gigs it’s not going to be happy. At least in my experience.
Let me know how it goes though and what distro you use.
They have pretty good documentation.
Just about to get the web interface running!
The build from source is actually incredibly straightforward! There’s a few noob issues if you don’t fully read the command blocks included in the instructions (They have some links you need to navigate to to install dependencies) but beyond that, for how large everything is, I’m very surprised how easy they make it! If it was difficult last time you tried, I’d give it another shot!
I think my issue was I was building it on a debian 11 bullseye. I managed to get all the individual pieces built and running, there was just one piece missing and I can’t remember which now. I’ll certainly give it a go. Someone just sent me a kvm build of debian sid just for that reason in fact! I believe they are working on the gvm debian package.
I did it with Debian 12 bookworm. I’m working on getting the web interface accessible externally, as it’s bound to local host only by default.
Theres 2 steps where you need to watch for noob traps if you plan on using Debian, one in particular being where the link to Rustup is contained within the command block, you need to navigate there in your web browser to grab the rustup install script before you run the commands. If you hit a wall, feel free to message me and I may be able to help!
I’m on bookworm now myself. Check this out https://forum.greenbone.net/t/external-access-to-gsa-web-interface-ip/1671/4 and thanks I’ll let you know if I run into trouble!
I’ve heard wazuh can do authenticated vuln scanning, but since I’ve scaled down my homelab and hardened it to a point that vuln scanning is not currently needed I’ve had no need to do so. I have a friend deploying wazuh at his job so I’m gonna have to reach out to him some time to learn how he is doing it once I start growing my lab again.
I use nuclei for networked vuln scanning, which is all I really need right now. Works well with community rules, but it is a cli application. I really like how I don’t need to deploy it on a dedicated device, I just run it using all rules on the subnets that I want to scan from my laptop, which I have plugged into a vuln-scanning network with open fw rules, and check back in half an hour. Once I get a few more raspberry pis, I’ll have one on such a network that I can just run a scan from.
OSSIM is a pain to install, but does tick all your boxes. But I think its basically abandoned by AT&T to force people on to Alienvault.
It installs to a VM, but has some very weird hard coded quirks, like expecting the network cards to be ethX, and the harddisks to be /dev/sdX. I can’t remember exactly how I got it installed, but I can dig out the libvirt config if it helps.
You may checkout IVRE, it’s a bit weird but it seems like it can do some stuff verywell
If Greenbone doesn’t work out I might try this next, it looks interesting.