Security Assessment Method

Overview

We will start with a list of networks and/or hosts of interest. We will use nmap to look for hosts and services, and do OS and service version detection. We will then use the greppable output file produced by nmap as input to nessus, which we use to try known vulnerabilities against the open ports and services. Finally, to reduce false positives, we will attempt to manually verify each of the serious vulnerabilities found by nessus.

Use nmap to find and identify open ports

Commonly used parameters:

Do a list scan

A list scan (-sL) expands a list of subnets into a list of IP addresses, for later use as an input file.

nmap -sL -R 10.1.1.0/24 10.1.2.0/24 -oA hostlist

After creating the input file, edit the .nmap variant of the output. Remove any hosts which you don't want to run nmap against, and remove everything else but the IP addresses, keeping one IP address per line.
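The editing step above can be done with a short script rather than by hand. The following is an added example, not part of the original method page: it takes the .nmap file written by the list scan, keeps only the IP addresses (dropping the reverse-DNS names that -R adds), and removes every address listed in an exclusion file. The file names, the exclusion list and the sample nmap output are constructed for the example; the output layout is the one current nmap prints for -sL.

```shell
#!/bin/sh
# Added example, not from the original method page: turn the .nmap output of
# "nmap -sL -R ... -oA hostlist" into a plain list of IP addresses, one per line,
# leaving out any address on an exclusion list. File names and the sample
# output below are constructed; the layout is the one current nmap prints.

# Constructed sample of hostlist.nmap after a list scan with reverse DNS (-R):
# addresses with a PTR record print as "name (ip)", the rest as the bare address.
SAMPLE_NMAP='Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-01 12:00 UTC
Nmap scan report for 10.1.1.0
Nmap scan report for gw.lab.example (10.1.1.1)
Nmap scan report for 10.1.1.2
Nmap scan report for printer.lab.example (10.1.1.3)
Nmap scan report for 10.1.2.0
Nmap scan report for 10.1.2.1
Nmap done: 6 IP addresses (0 hosts up) scanned in 0.01 seconds'

# Constructed exclusion list: addresses that must not be scanned,
# one per line; blank lines and "#" comments are ignored.
SAMPLE_EXCLUDE='# gateways are out of scope for this assessment
10.1.1.1
10.1.2.1

# network addresses
10.1.1.0
10.1.2.0'

# make_hostlist NMAPFILE [EXCLUDEFILE]
# Prints one address per line, in the order nmap listed them, skipping every
# address found in EXCLUDEFILE. Works on the .nmap file written by a -sL scan.
make_hostlist() {
    nmapfile=$1
    excludefile=${2:-/dev/null}
    awk -v excl="$excludefile" '
        BEGIN {
            # Load the exclusion list into a set, ignoring blanks and comments.
            while ((getline line < excl) > 0)
                if (line != "" && substr(line, 1, 1) != "#") skip[line] = 1
            close(excl)
        }
        /^Nmap scan report for / {
            # The address is the last field, wrapped in parentheses when a
            # reverse-DNS name was printed before it.
            ip = $NF
            gsub(/[()]/, "", ip)
            if (!(ip in skip)) print ip
        }
    ' "$nmapfile"
}

# Stand-alone demonstration: write the samples to a scratch directory,
# build the host list with and without exclusions, then clean up.
workdir=$(mktemp -d)
printf '%s\n' "$SAMPLE_NMAP" > "$workdir/hostlist.nmap"
printf '%s\n' "$SAMPLE_EXCLUDE" > "$workdir/exclude.txt"
echo "All addresses:"
make_hostlist "$workdir/hostlist.nmap"
echo "After exclusions (this is the file to feed to -iL):"
make_hostlist "$workdir/hostlist.nmap" "$workdir/exclude.txt" > "$workdir/hostlist"
cat "$workdir/hostlist"
rm -rf "$workdir"
```

Keeping the exclusion list in a file, rather than deleting lines by hand, means the same out-of-scope addresses are removed every time the list scan is regenerated, which matters when the assessment is re-run later.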

Here are some parameters to try when making the hostlist:

Scan all IPs for a list of common ports

nmap -sSR -n -r -vv -P0 -A -iL hostlist -oA outputfileT

In the command above, -sS does a TCP SYN scan and -R adds an RPC scan of the open ports (the two are written together as -sSR), -n skips reverse DNS lookups, -r scans the ports in order instead of randomising them, -vv gives very verbose output, -P0 skips the ping step so that hosts which block ping are still scanned, -A turns on OS and service version detection, -iL hostlist reads the targets from the file built above, and -oA outputfileT writes the normal, XML and greppable output formats to outputfileT.nmap, outputfileT.xml and outputfileT.gnmap.

nmap -sU -n -r -vv -P0 -A -iL hostlist -oA outputfileU

Same thing again, against UDP.

Do full scan on the interesting hosts

Now pick the 20 or so most interesting hosts from the above results, make an input file containing their IP addresses only, and do a complete scan of all TCP and UDP ports.
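One objective way to pick the "most interesting" hosts is to rank them by the number of open ports the common-ports scan found. The following is an added example, not part of the original method page: it reads the greppable output (outputfileT.gnmap) of the previous scan, counts the open ports per host, and prints the top N addresses one per line, so the result can be used directly as the -iL file for the full scan. The file names and the sample .gnmap content are constructed; the tab-separated layout and the port/state/protocol/owner/service/rpc/version/ entry format are the ones nmap writes.

```shell
#!/bin/sh
# Added example, not from the original method page: choose the "most interesting"
# hosts for the full 1-65535 scan by counting open ports in the greppable (.gnmap)
# output of the common-ports scan. File names and the sample scan are constructed.

# write_sample_gnmap FILE
# Writes a constructed .gnmap file in the layout nmap uses: fields are
# tab-separated, each port entry is port/state/protocol/owner/service/rpc/version/.
write_sample_gnmap() {
    {
        printf '# Nmap 7.80 scan initiated (constructed sample) as: nmap -sS -n -r -vv -P0 -A -iL hostlist -oA outputfileT\n'
        printf 'Host: 10.1.1.2 ()\tStatus: Up\n'
        printf 'Host: 10.1.1.2 ()\tPorts: 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/, 443/open/tcp//https//Apache httpd 2.2.15/\tIgnored State: closed (997)\tOS: Linux 2.6.X\n'
        printf 'Host: 10.1.1.3 ()\tStatus: Up\n'
        printf 'Host: 10.1.1.3 ()\tPorts: 9100/open/tcp//jetdirect///\tIgnored State: closed (999)\n'
        printf 'Host: 10.1.1.4 ()\tStatus: Up\n'
        printf 'Host: 10.1.1.4 ()\tPorts: 135/open/tcp//msrpc//Microsoft Windows RPC/, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (995)\n'
        printf 'Host: 10.1.1.5 ()\tStatus: Up\n'
        printf 'Host: 10.1.1.5 ()\tPorts: 22/closed/tcp//ssh///\tIgnored State: filtered (999)\n'
        printf '# Nmap done (constructed sample) -- 4 IP addresses (4 hosts up) scanned\n'
    } > "$1"
}

# rank_hosts GNMAPFILE [N]
# Prints the IP addresses of the N hosts (default 20) with the most open ports,
# busiest first, ties broken by address. Hosts with no open port are left out.
# The output is one address per line, i.e. directly usable as an -iL file.
rank_hosts() {
    gnmapfile=$1
    top=${2:-20}
    awk -F '\t' '
        /^Host: / {
            split($1, h, " "); ip = h[2]          # "Host: 10.1.1.2 ()" -> 10.1.1.2
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")   # f[1]=port f[2]=state f[3]=proto
                        if (f[2] == "open") cnt[ip]++
                    }
                }
            }
        }
        END { for (ip in cnt) print cnt[ip], ip }
    ' "$gnmapfile" | sort -k1,1nr -k2,2 | head -n "$top" | awk '{ print $2 }'
}

# Stand-alone demonstration: build the sample, rank it, print the result.
workdir=$(mktemp -d)
write_sample_gnmap "$workdir/outputfileT.gnmap"
echo "Hosts with the most open ports (constructed sample):"
rank_hosts "$workdir/outputfileT.gnmap" 20
rm -rf "$workdir"
```

Only ports in state "open" are counted; filtered and closed entries, which -vv can include in the Ports: field, are ignored. A host with many open ports is not necessarily the most exposed one, so treat the ranking as a starting point and add by hand any host whose single open service is of particular concern.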

nmap -sSR -n -r -vv -P0 -A -p1-65535 -iL hostlist -oA outputfileT
nmap -sU -n -r -vv -P0 -A -p1-65535 -iL hostlist -oA outputfileU

The UDP scan can be very time-consuming. To speed it up, shorten the round-trip timeout from the 3 second default to, say, 20ms by using --max_rtt_timeout 20. Replies that arrive after the timeout are lost, so use such a short value only on a fast local network, and expect to miss services on slow or distant links.

The output files will be used as input to nessus in the next step.

Next: nessus