We will start with a list of networks and/or hosts of interest. We will use nmap to look for hosts and services, and do an OS and service verson detection. We will then use the greppapble output file produced by nmap as input to nessus, when we use nessus to try known vulnerabilities against the open ports and services. Finally, to reduce false positives, we will attempt to manually verify each of the serious vulnerabilitie sfound by nessus.
Commonly used parameters:
List scan (-sL) expands a list of subnets into a list of IP addresses, for later use as an inputfile.
nmap -sL -R -i 10.1.1.0/24 10.1.2.0/24 -oA hostlisthtt
After creating the inputfile, edit the .nmap variant. Remove any hosts which you don't want to run nmap against, and remove everything else but the IP addresses, keeping one IP address per line.
Here are some parameters to try when making the hostlist:
nmap -sSR -n -r -vv -P0 -A -iL hostlist -oA outputfileT
In the command above:
nmap -sU -n -r -vv -P0 -A -iL hostlist -oA outputfileU
Same thing again, against UDP.
Now pick the 20 or so most interesting hosts from the above results, make an inputfile containing their IP addresses only, and do a complete scan of all TCP and UDP ports.
nmap -sSR -n -r -vv -P0 -A -p1-65535 -iL hostlist -oA outputfileT nmap -sU -n -r -vv -P0 -A -p1-65535 -iL hostlist -oA outputfileU
The UDP scan can be very timeconsuming. To speed it up, shorten the timeout from the 3 second default to, say, 20ms by using --max_rtt_timeout 20
The output files will be used as input to nessus in the next step.