(Advanced) Using Nmap Results With Nessus Batch Scanning
I’m referring to an article I read on the Nessus blog: Using Nmap Results With Nessus Batch Scanning. Since it doesn’t seem to offer comments I decided to write this short article.
First of all it is important to have read this: Nmap from within Nessus
Combining the information of these two articles, I’d like to add that you should also use the -v option when running Nmap. Without it the grepable results file (-oG) does not contain the comment line starting with “# Ports scanned: ” that lists which ports were scanned, and the “nmap.nasl” script looks for exactly that line:
    # the "# Ports scanned:" comment is only written to grepable output when Nmap ran with -v
    if (egrep(string: res, pattern: '^# +Ports scanned: +TCP\\(65535;'))
      full_scan = 1;
    else
      full_scan = 0;
So “nmap.nasl” uses this line to decide whether all 65535 TCP ports were scanned and sets full_scan accordingly. Without -v the line is missing and that check can never succeed.
The next point is that you usually use such a construct in batch mode (yes, I not only read the title, I wrote it), which means you start the scan with the command line Nessus client. The client got updated a while ago and most of the configuration now lives in “.nessus” files. They are XML and may also contain the targets.
But I for one don’t want the target information inside a “.nessus” file; I want it in a plain text file that I can also feed to Nmap (-iL option). Since the “nmap.nasl” script checks whether the current target is found in the grepable results file, you have to supply the same target list to Nessus. This is done with the command line option --target-file.
This is somewhat redundant and it would be nice if you could also feed the grepable results file to Nessus as the target list, but on the other hand, what would the option “Do not scan targets not found in the file” be for then?
To make a long story short, I suggest at least these command line options for Nmap and Nessus (plus whatever connection details your Nessus client needs, see the two articles above), using the same target file for both:
nmap -v -sV -O -P0 -iL <targets.txt> -oG <results.gnmap>
nessus --dot-nessus <file.nessus> --target-file <targets.txt> --policy-name <name>
Add -p- to the Nmap line if you want “nmap.nasl” to set full_scan, since it only does so when all 65535 TCP ports were scanned. Newer Nmap versions call -P0 -Pn; the old spelling is still accepted as an alias.
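As an added example that is not from the original article, the Nessus blog or Tenable’s nmap.nasl: a small Python pre-flight check to run over the grepable results file before starting the Nessus batch scan. It applies the same test as the “Ports scanned:” regex quoted above (so it tells you whether -v was forgotten and whether nmap.nasl would set full_scan), parses the Host: lines, and reports every entry of the shared target file that has no Host: line in the results, i.e. what “Do not scan targets not found in the file” would skip. The sample grepable output and target list are constructed inline; only plain IPs, CIDR blocks and hostnames are handled as targets, Nmap octet ranges like 10.0.0.1-20 are not expanded here.

```python
"""Pre-flight check for an Nmap grepable (-oG) file before handing it to Nessus' nmap.nasl.

Added example, not code from the original article or from nmap.nasl itself.
"""
import ipaddress
import re

# Same test nmap.nasl applies for its full_scan flag, with the TCP port count
# captured instead of hard-wired to 65535. Nmap writes this comment line into
# grepable output only when run with -v.
PORTS_SCANNED_RE = re.compile(r'^# +Ports scanned: +TCP\((\d+);')
# "Host: <ip> (<name>)<TAB><fields>" lines; fields are tab separated "Key: value" pairs.
HOST_RE = re.compile(r'^Host: (\S+) \(([^)]*)\)\s+(.*)$')


def parse_gnmap(text):
    """Return (tcp_port_count or None, {ip: {'name', 'status', 'ports'}})."""
    tcp_ports = None
    hosts = {}
    for line in text.splitlines():
        m = PORTS_SCANNED_RE.match(line)
        if m:
            tcp_ports = int(m.group(1))
            continue
        m = HOST_RE.match(line)
        if not m:
            continue  # other comment lines ("# Nmap ... scan initiated", "# Nmap done ...")
        ip, name, rest = m.groups()
        entry = hosts.setdefault(ip, {'name': name, 'status': None, 'ports': []})
        for field in rest.split('\t'):
            key, _, value = field.partition(': ')
            if key == 'Status':
                entry['status'] = value
            elif key == 'Ports':
                # port/state/proto/owner/service/rpc/version/ entries, comma separated;
                # Nmap replaces '/' inside version strings with '|', so splitting is safe
                for spec in value.split(', '):
                    number, state, proto = spec.split('/')[:3]
                    entry['ports'].append((int(number), proto, state))
    return tcp_ports, hosts


def load_targets(text):
    """One target per line, '#' comments ignored: the format both nmap -iL and nessus --target-file read."""
    targets = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if line:
            targets.append(line)
    return targets


def targets_missing_from_gnmap(targets, hosts):
    """Targets with no Host: line in the results, i.e. what nmap.nasl will not find.

    Plain IPs and CIDR blocks are matched against host addresses, anything else
    against the (name) field. Nmap octet ranges like 10.0.0.1-20 are not expanded.
    """
    addresses = [ipaddress.ip_address(ip) for ip in hosts]
    names = {h['name'] for h in hosts.values() if h['name']}
    missing = []
    for target in targets:
        try:
            network = ipaddress.ip_network(target, strict=False)
        except ValueError:
            if target not in names:  # not an address: treat as hostname
                missing.append(target)
            continue
        if not any(addr in network for addr in addresses):
            missing.append(target)
    return missing


def preflight(gnmap_text, targets_text):
    """Everything worth knowing before the Nessus batch scan is started."""
    tcp_ports, hosts = parse_gnmap(gnmap_text)
    return {
        'verbose': tcp_ports is not None,  # False means -v was forgotten
        'full_scan': tcp_ports == 65535,   # what nmap.nasl's full_scan will be
        'hosts_up': sorted(ip for ip, h in hosts.items() if h['status'] == 'Up'),
        'missing': targets_missing_from_gnmap(load_targets(targets_text), hosts),
    }


# Constructed sample, shaped like the output of
#   nmap -v -sV -O -P0 -iL targets.txt -oG scan.gnmap
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -v -sV -O -P0 -iL targets.txt -oG scan.gnmap
# Ports scanned: TCP(1000;1,3-4,6-7,9,13,17,19-26) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 192.168.1.10 (web.lab)\tStatus: Up
Host: 192.168.1.10 (web.lab)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/\tIgnored State: closed (998)\tOS: Linux 4.15 - 5.6\tSeq Index: 259\tIP ID Seq: All zeros
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (999)
# Nmap done at Mon Jan  1 00:00:05 2024 -- 3 IP addresses (2 hosts up) scanned in 5.00 seconds
"""
# The same run without -v: Nmap then omits the "# Ports scanned:" line entirely.
SAMPLE_GNMAP_NO_V = "\n".join(
    line for line in SAMPLE_GNMAP.splitlines() if not line.startswith('# Ports scanned:'))
# Constructed target list, usable with both nmap -iL and nessus --target-file.
SAMPLE_TARGETS = """\
# lab hosts
192.168.1.10
192.168.1.11
192.168.1.12   # never answered, so it has no Host: line
web.lab
"""

if __name__ == '__main__':
    for label, gnmap in (('with -v', SAMPLE_GNMAP), ('without -v', SAMPLE_GNMAP_NO_V)):
        print(label, preflight(gnmap, SAMPLE_TARGETS))
```

Run it against your real results file and target list before starting the Nessus client; if 'verbose' comes back False, redo the Nmap scan with -v, and if 'missing' is not empty, either rescan those hosts or accept that nmap.nasl will have nothing to import for them.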
