Security Assessment Method

Overview

We will start with a list of networks and/or hosts of interest. We will use nmap to look for hosts and services, and do an OS and service verson detection. We will then use the greppapble output file produced by nmap as input to nessus, when we use nessus to try known vulnerabilities against the open ports and services. Finally, to reduce false positives, we will attempt to manually verify each of the serious vulnerabilitie sfound by nessus.

Use nmap to find and identify open ports

Commonly used parameters:

• -n to skip name resolution
• -vv to see verbose activity
• -P0 to prevent pinging first
• -oA {outputfile} to log in all 3 formats; give filename without extension.
• -iL {hostlistfile} to read list of hosts from a file. Makes more of an audit trail than just typing subnets or hosts on the commandline.
• --resume will read the logfile and pick up where the previous scan left off.

Do a list scan

List scan (-sL) expands a list of subnets into a list of IP addresses, for later use as an inputfile.

nmap -sL -R -i 10.1.1.0/24 10.1.2.0/24 -oA hostlist

After creating the inputfile, edit the .nmap variant. Remove any hosts which you don't want to run nmap against, and remove everything else but the IP addresses, keeping one IP address per line.

Here are some parameters to try when making the hostlist:

• -PE sends an ICMP echo request (rather than doing a UDP ping.)
• -PP uses an ICMP timestamp request (type 13).
• -PM uses an ICMP netmask request (type 17).
• -PA sends an ACK to port 80 and listens for a RST.

Scan all IPs for a list of common ports

nmap -sSR -n -r -vv -P0 -A -iL hostlist -oA outputfileT

In the command above:

• -A is used to make nmap try to identify OS and service versions.
• -sSR is used to perform a syn scan and then do an RPCgrind.

nmap -sU -n -r -vv -P0 -A -iL hostlist -oA outputfileU

Same thing again, against UDP.

Do full scan on the interesting hosts

Now pick the 20 or so most interesting hosts from the above results, make an inputfile containing their IP addresses only, and do a complete scan of all TCP and UDP ports.

nmap -sSR -n -r -vv -P0 -A -p1-65535 -iL hostlist -oA outputfileT
nmap -sU -n -r -vv -P0 -A -p1-65535 -iL hostlist -oA outputfileU

The UDP scan can be very timeconsuming. To speed it up, shorten the timeout from the 3 second default to, say, 20ms by using --max_rtt_timeout 20

The output files will be used as input to nessus in the next step.

Next: nessus->