VA (Vulnerability Assessment) (Scanning & Enumeration)
Use Nessus with the profile below:
DoS plugins disabled
Web application scanning enabled
SSL/TLS checks on every open port, not only the well-known ports
TCP and UDP scanning enabled
Give the scanner only the open ports (TCP and UDP) that nmap already found, rather than the full port range. This saves considerable time, particularly when the number of IPs is large and the time available for the audit and the report is short.
Use Nexpose
Use OpenVAS
Use the nmap scanner against specific open ports with the command below.
For example, if port 22 (SSH) is open and you want to run all NSE scripts pertaining to SSH:
nmap -Pn -sS -p 22 --script 'ssh*' -v <target>
If you are not sure of the exact script name, use * to run every script whose name starts with the keyword 'ssh'. Quote the pattern so the shell does not expand it against files in the current directory, and note that -sS (SYN scan) requires root privileges.
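The workflow described above (discovery scan first, then script scans only against the ports nmap found), as an added example that is not part of the original notes. It assumes nmap is installed; the addresses, port list and file names are placeholders. The script-to-service mapping is a starting point, not an exhaustive table.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): reuse the open ports that an nmap
# discovery scan already found and run only the matching NSE script families
# against them. Assumes nmap is installed; addresses and file names are placeholders.

# Parse nmap greppable output (-oG) into "host port proto service" lines.
# Only ports in state "open" are kept; UDP "open|filtered" is deliberately
# excluded because it is usually noise rather than a confirmed service.
ports_from_gnmap() {
    awk -F'\t' '
        /^Host:/ && /Ports:/ {
            split($1, h, " "); host = h[2]          # "Host: 10.0.0.5 (name)"
            portfield = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Ports:/) portfield = substr($i, 8)
            n = split(portfield, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")                # port/state/proto/owner/service/rpc/version/
                if (f[2] == "open") print host, f[1], f[3], f[5]
            }
        }' "$1"
}

# Choose the NSE scripts worth running for a given port/service. The globs are
# echoed literally; the caller double-quotes them so the shell never expands them.
scripts_for() {
    local port="$1" service="$2"
    case "$service:$port" in
        ssh:*|*:22)        echo 'ssh*' ;;
        ftp:*|*:21)        echo 'ftp*' ;;
        smtp:*|*:25)       echo 'smtp*' ;;
        https:*|*:443)     echo 'http-vuln*,ssl-enum-ciphers,ssl-cert' ;;
        http*:*|*:80)      echo 'http-vuln*' ;;
        *smb*:*|*netbios*:*|microsoft-ds:*|*:445|*:139)
                           echo 'smb-security-mode,smb-vuln*' ;;
        snmp:*|*:161)      echo 'snmp*' ;;
        *)                 echo 'vuln' ;;          # fall back to the vuln category
    esac
}

# Run the targeted scans, one nmap invocation per open port, saving normal output
# per host/port. -Pn skips host discovery (the host is already known to be up);
# SYN (-sS) and UDP (-sU) scans both need root.
targeted_scan() {
    local gnmap="$1" outdir="$2"
    mkdir -p "$outdir"
    ports_from_gnmap "$gnmap" | while read -r host port proto service; do
        scan="-sS"; [ "$proto" = "udp" ] && scan="-sU"
        nmap -Pn "$scan" -p "$port" --script "$(scripts_for "$port" "$service")" \
             -oN "$outdir/${host}_${proto}${port}.txt" "$host"
    done
}

# Usage (discovery first, then only the found ports get script scans):
#   nmap -sS -sU -p T:1-65535,U:53,123,161,500 -oG discovery.gnmap 10.0.0.0/24
#   targeted_scan discovery.gnmap nse-results
```

Keep the discovery output (-oG) with the engagement evidence: the targeted results are only as complete as that port list, so a host that was down or filtered during discovery gets no script scan at all.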
Audit SSL/TLS
Use openssl and sslyze to find the following issues in the SSL/TLS configuration:
Self-signed certificate
SSL version 2 and 3 enabled
Weak hashing algorithm (MD5 or SHA-1 certificate signatures)
Use of RC4 and CBC-mode ciphers
Logjam (DHE key exchange with export-grade or small, 1024-bit or less, Diffie-Hellman groups)
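The checks listed above done with plain openssl, as an added example that is not part of the original notes. Hostnames, ports and file names are placeholders; audit_cert and dh_is_weak work offline, the probes need the target reachable. The thresholds (SHA-1/MD5 as weak, DH groups of 1024 bits or less as Logjam-exposed) are the usual audit criteria, not values taken from the page.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): the SSL/TLS findings listed above
# checked with plain openssl. Hostnames, ports and file names are placeholders.

# Inspect a PEM certificate: self-signed (issuer equals subject) and the hash used
# in its signature. Prints "self-signed=yes|no sigalg=<alg> weak-hash=yes|no".
audit_cert() {
    local pem="$1" issuer subject sigalg selfsigned weak
    issuer=$(openssl x509 -in "$pem" -noout -issuer)
    subject=$(openssl x509 -in "$pem" -noout -subject)
    # strip the "issuer=" / "subject=" labels before comparing the two names
    if [ "${issuer#issuer=}" = "${subject#subject=}" ]; then selfsigned=yes; else selfsigned=no; fi
    sigalg=$(openssl x509 -in "$pem" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}')
    case "$sigalg" in
        md2*|md5*|sha1*) weak=yes ;;
        *)               weak=no ;;
    esac
    echo "self-signed=$selfsigned sigalg=$sigalg weak-hash=$weak"
}

# Logjam exposure: DHE groups of 1024 bits or less are treated as breakable.
dh_is_weak() { [ "$1" -le 1024 ]; }

# Try one handshake with the given s_client options; exit status 0 means the
# server accepted it. Caveat: if this openssl build lacks -ssl2/-ssl3 or was built
# without RC4/export ciphers, the option itself is rejected and the probe reports
# "not offered" (a false negative); confirm with sslyze or nmap --script ssl-enum-ciphers.
probe_tls() {
    local target="$1" label="$2"; shift 2
    if openssl s_client -connect "$target" "$@" </dev/null >/dev/null 2>&1; then
        echo "$label: OFFERED"
    else
        echo "$label: not offered"
    fi
}

# Size of the ephemeral DH group the server negotiates (empty if no DHE suite).
dh_group_bits() {
    openssl s_client -connect "$1" -cipher 'DHE:@SECLEVEL=0' </dev/null 2>/dev/null \
        | awk -F'[, ]+' '/Server Temp Key: DH,/ {print $(NF-1); exit}'
}

# Usage against a live host:
#   probe_tls host:443 "SSLv2" -ssl2
#   probe_tls host:443 "SSLv3" -ssl3
#   probe_tls host:443 "RC4"   -cipher 'RC4:@SECLEVEL=0'
#   probe_tls host:443 "CBC suites" -cipher 'AES128-SHA:AES256-SHA:@SECLEVEL=0' -no_tls1_3
#   bits=$(dh_group_bits host:443); [ -n "$bits" ] && dh_is_weak "$bits" && echo "Logjam: $bits-bit DH"
#   openssl s_client -connect host:443 </dev/null 2>/dev/null | openssl x509 > server.pem
#   audit_cert server.pem
```

The -no_tls1_3 switch matters for the CBC probe: TLS 1.3 suites are all AEAD, so without it a server that still offers CBC under TLS 1.2 can look clean. Use sslyze or ssl-enum-ciphers as the second opinion whenever a probe says "not offered", since a modern openssl silently lacks the legacy options.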
Vulnerability Scanning with Nmap
Nmap Exploit Scripts
https://nmap.org/nsedoc/categories/exploit.html
Nmap search through vulnerability scripts
cd /usr/share/nmap/scripts/ && ls -l *vuln*
Nmap search through Nmap Scripts for a specific keyword
ls /usr/share/nmap/scripts/ | grep ftp
Scan with the exploit-category scripts (these actively exploit the target, unlike the vuln category, so run them only where exploitation is in scope)
nmap --script exploit -Pn $ip
Nmap Auth Scripts
https://nmap.org/nsedoc/categories/auth.html
Nmap Vuln Scanning
https://nmap.org/nsedoc/categories/vuln.html
Nmap DoS Scanning (only when DoS testing is explicitly in scope; the Nessus profile above disables it)
nmap --script dos -Pn $ip
Nmap Execute DoS Attack (Slowloris against a web server; runs until stopped)
nmap --max-parallelism 750 -Pn --script http-slowloris --script-args http-slowloris.runforever=true $ip
Scan for ColdFusion web vulnerabilities (CVE-2010-2861 directory traversal)
nmap -v -p 80 --script=http-vuln-cve2010-2861 $ip
Anonymous FTP check with Nmap ($ip-254 is nmap's range notation, e.g. 10.0.0.1-254)
nmap -v -p 21 --script=ftp-anon.nse $ip-254
SMB security mode scan with Nmap (reports whether message signing is required)
nmap -v -p 445 --script=smb-security-mode $ip-254