Background:-
I've installed Back|Track 5R3 on a VM (in a VMware environment) to evaluate it, connected to a live network with a connection to the Internet, and updated it with the latest packages. It's also on 3 test networks simulating the live environment, with a Metasploitable VM target and clones of 2 live Windows servers that I'm using to test against, making it a total of 4 network interfaces on the VM. The Internet connection is on eth0, and seems to be the default address picked by most tools for the local endpoint (even when another one makes more sense).

I'm going through the standard sequence for a pentest (well, more vulnerability assessment at this point), using the wiki as a guide as to how to set things up. I've run into a number of minor issues with the distro, but have managed to fix them so far.

Issue:-
I've set up OpenVAS in accordance with the instructions in the Wiki and, while it doesn't pass muster for version 5 according to "Openvas check setup" (OpenVAS Scanner being version 3.2.5 instead of 3.3), it is a valid OpenVAS v4 installation. There didn't seem to be an updated package for OpenVAS in the BT repositories, so I let that slide.

However, I can't get openvassd to scan. It keeps failing with the following error:
Code:
[Tue Jan 15 09:20:50 2013][3844] user om starts a new scan. Target(s) : 192.168.77.1, with max_hosts = 20 and max_checks = 4 
[Tue Jan 15 09:20:50 2013][3844] user om : testing 192.168.77.1 (::ffff:192.168.77.1) [3866] 
[Tue Jan 15 09:20:51 2013][3866] user om : new KB will be saved as /usr/local/var/lib/openvas/users/om/kbs/192.168.77.1
[Tue Jan 15 09:21:01 2013][3866] user om : The remote host (192.168.77.1) is dead 
[Tue Jan 15 09:21:01 2013][3866] Finished testing 192.168.77.1. Time : 10.26 secs 
[Tue Jan 15 09:21:01 2013][3844] user om : test complete
[Tue Jan 15 09:21:01 2013][3844] Total time to scan all hosts : 11 seconds 
[Tue Jan 15 09:21:01 2013][3844] user om : Kept alive connection
[Tue Jan 15 09:21:01 2013][3844] Communication closed by client

The test network I'm using here is 192.168.77.0/24, with BT on 192.168.77.250 and the target Metasploitable VM on 192.168.77.1. I can ping the Metasploitable VM before, during and after the scan failure, and I'm logged onto it as well, so I know it isn't dead and I know it's reachable via the network.

I started to look into the configuration file (at "/usr/local/etc/openvas/openvassd.conf", according to Greenbone Security Assistant and the openvassd manual page) to see if I could enable the "log_whole_attack" setting to get more detail, and found that the configuration file didn't exist! I created this file, using an example I found on the Internet, and updated it to include all of the settings reportedly set according to GSA as follows:-
Code:
# Configuration file of the OpenVAS Security Scanner
# Every line starting with a '#' is a comment

[Misc]

# Path to the security checks folder :
plugins_folder = /usr/local/var/lib/openvas/plugins

# Path to OpenVAS caching folder:
cache_folder = /usr/local/var/cache/openvas

# Path to OpenVAS include directories:
# (multiple entries are separated with colon ':')
include_folders = /usr/local/var/lib/openvas/plugins

# Maximum number of simultaneous hosts tested :
max_hosts = 30

# Maximum number of simultaneous checks against each host tested :
max_checks = 10

# Niceness. If set to 'yes', openvassd will renice itself to 10.
be_nice = no

# Log file (or 'syslog') :
logfile = /usr/local/var/log/openvas/openvassd.messages

# Shall we log every details of the attack ? (disk intensive)
log_whole_attack = yes

# Log the name of the plugins that are loaded by the server ?
log_plugins_name_at_load = yes


# Dump file for debugging output, use `-' for stdout
dumpfile = /usr/local/var/log/openvas/openvassd.dump


# Rules file :
rules = /usr/local/share/openvas/openvassd.rules


# CGI paths to check for (cgi-bin:/cgi-aws:/ can do)
cgi_path = /cgi-bin:/scripts


# Range of the ports the port scanners will scan :
# 'default' means that OpenVAS will scan ports found in its
# services file.
port_range = default


# Optimize the test (recommended) :
optimize_test = yes


# Optimization :
# Read timeout for the sockets of the tests :
checks_read_timeout = 5


# Ports against which two plugins should not be run simultaneously :
# non_simult_ports = Services/www, 139, Services/finger
non_simult_ports = 139, 445


# Maximum lifetime of a plugin (in seconds) :
plugins_timeout = 320


# Safe checks rely on banner grabbing :
safe_checks = yes


# Automatically activate the plugins that are depended on
auto_enable_dependencies = yes


# Do not echo data from plugins which have been automatically enabled
silent_dependencies = no


# Designate hosts by MAC address, not IP address (useful for DHCP networks)
use_mac_addr = no


#--- Knowledge base saving (can be configured by the client) :
# Save the knowledge base on disk :
save_knowledge_base = no
# Restore the KB for each test :
kb_restore = no
# Only test hosts whose KB we do not have :
only_test_hosts_whose_kb_we_dont_have = no
# Only test hosts whose KB we already have :
only_test_hosts_whose_kb_we_have = no
# KB test replay :
kb_dont_replay_scanners = no
kb_dont_replay_info_gathering = no
kb_dont_replay_attacks = no
kb_dont_replay_denials = no
kb_max_age = 864000
#--- end of the KB section



# If this option is set, OpenVAS will not scan a network incrementally
# (10.0.0.1, then 10.0.0.2, 10.0.0.3 and so on..) but will attempt to
# slice the workload throughout the whole network (ie: it will scan
# 10.0.0.1, then 10.0.0.127, then 10.0.0.2, then 10.0.0.128 and so on...
slice_network_addresses = no

# Should consider all the NASL scripts as being signed ? (unsafe if set to 'yes')
nasl_no_signature_check = yes

# Others
drop_privileges = no
unscanned_closed = yes
vhosts = 
vhosts_ip = 
config_file=/usr/local/etc/openvas/openvassd.conf

#end.
#
# Added by openvas-mkcert
#
# If you decide to protect your private key with a password,
# uncomment and change next line
# pem_password=password
# If you want to force the use of a client certificate, uncomment next line
# force_pubkey_auth = yes
#
# Added by openvas-mkcert
#
cert_file=/usr/local/var/lib/openvas/CA/servercert.pem
key_file=/usr/local/var/lib/openvas/private/CA/serverkey.pem
ca_file=/usr/local/var/lib/openvas/CA/cacert.pem
# If you decide to protect your private key with a password,
# uncomment and change next line
# pem_password=password
# If you want to force the use of a client certificate, uncomment next line
# force_pubkey_auth = yes

Running it again, I saw no improvement in the amount of detail being logged.
Code:
[Tue Jan 15 16:17:50 2013][3844] user om starts a new scan. Target(s) : 192.168.77.1, with max_hosts = 20 and max_checks = 4 
[Tue Jan 15 16:17:50 2013][3844] user om : testing 192.168.77.1 (::ffff:192.168.77.1) [3866] 
[Tue Jan 15 16:17:50 2013][3866] user om : new KB will be saved as /usr/local/var/lib/openvas/users/om/kbs/192.168.77.1
[Tue Jan 15 16:18:00 2013][3866] user om : The remote host (192.168.77.1) is dead 
[Tue Jan 15 16:18:00 2013][3866] Finished testing 192.168.77.1. Time : 10.26 secs 
[Tue Jan 15 16:18:00 2013][3844] user om : test complete
[Tue Jan 15 16:18:00 2013][3844] Total time to scan all hosts : 11 seconds 
[Tue Jan 15 16:18:00 2013][3844] user om : Kept alive connection
[Tue Jan 15 16:18:00 2013][3844] Communication closed by client

The discrepancy between the reported "max_hosts" and "max_checks" values in the log with respect to the configuration file indicates that openvassd is actually reading some other configuration file somewhere, and possibly binding to the wrong local IP address to start with (the Internet one which seems to be the default for most tools?).

Does anyone have any ideas as to how I might resolve this? I would normally look at the source code for the tool and tweak it if necessary, but as it's an executable, I'm not sure how easily I can tweak it, nor in this case, where I would get the customised source code.
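
The log-versus-configuration comparison made in the post above can be scripted. The following is an added example, not part of the original post: it assumes the log line format shown in the post and an INI-style openvassd.conf, the sample inputs are constructed from the post's excerpts, and the function names are hypothetical.

```python
import configparser
import re

# Constructed sample inputs, shaped like the log and config excerpts in the post.
SAMPLE_LOG = """\
[Tue Jan 15 16:17:50 2013][3844] user om starts a new scan. Target(s) : 192.168.77.1, with max_hosts = 20 and max_checks = 4
[Tue Jan 15 16:17:50 2013][3844] user om : testing 192.168.77.1 (::ffff:192.168.77.1) [3866]
[Tue Jan 15 16:18:00 2013][3866] user om : The remote host (192.168.77.1) is dead
[Tue Jan 15 16:18:00 2013][3866] Finished testing 192.168.77.1. Time : 10.26 secs
"""
SAMPLE_CONF = """\
[Misc]
# Maximum number of simultaneous hosts tested :
max_hosts = 30
max_checks = 10
log_whole_attack = yes
"""

SCAN_RE = re.compile(
    r"starts a new scan\. Target\(s\) : (?P<targets>.+?), "
    r"with max_hosts = (?P<max_hosts>\d+) and max_checks = (?P<max_checks>\d+)")
DEAD_RE = re.compile(r"The remote host \((?P<host>[^)]+)\) is dead")


def parse_conf(text):
    """Return the [Misc] settings of an openvassd.conf-style file as a dict."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)  # tolerate repeated keys
    cp.read_string(text)
    return dict(cp["Misc"])


def audit(log_text, conf_text):
    """Compare per-scan values in the log with the file; list hosts marked dead."""
    conf = parse_conf(conf_text)
    mismatches, dead = [], []
    for line in log_text.splitlines():
        scan = SCAN_RE.search(line)
        if scan:
            for key in ("max_hosts", "max_checks"):
                if key in conf and int(conf[key]) != int(scan[key]):
                    # (setting, value in file, value the scan actually used)
                    mismatches.append((key, int(conf[key]), int(scan[key])))
        host_dead = DEAD_RE.search(line)
        if host_dead:
            dead.append(host_dead["host"])
    return mismatches, dead


if __name__ == "__main__":
    print(audit(SAMPLE_LOG, SAMPLE_CONF))
```

A mismatch shows only that the scan ran with values other than those in the file; it does not by itself say where those values came from.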