Gathering IP Addresses for Nessus Scan

I routinely use Nessus to scan for vulnerability on the network. I have a relatively complex network with dozens of vlans, so the number of hosts comes out to be enormous. If I enter the entire network address range in Nessus, it will take Nessus days to complete the scan. On top of that, some of the services are so sensitive to network latency (such as database sync) that alerts and problems start to happen during Nessus scan. So I ended up dialing the scan setting to a slower pace to avoid causing too much stress on the network, and the scan now takes much longer to complete. I also noticed that Nessus will scan non-existing hosts across a firewall just the same as real hosts, thus wasting a lot of time on it. Perhaps firewall denying connection somehow caused Nessus to believe there is a real host behind it.

In order to solve this issue, I use nmap to do a quick scan first and then feed the discovered IP addresses to Nessus. This way Nessus won’t waste any time on non-existing hosts.

Quick Ping Scan

I use a simple script to do the work.

Step 1 – In the “/home/jamie/Documents/Nessus/scan” folder, create a script named “”:

# Created by Jamie Yu
# This script will ping network and generate valid IP address lists in /home/jamie/Documents/Nessus/scan folder to feed into Nessus scanner.
# delete existing files in /home/jamie/Documents/Nessus/scan/ip_list/ folder
rm -f /home/jamie/Documents/Nessus/scan/ip_list/*
# Private Tier Servers
nmap -n -sP -T4 | grep "Host" | awk '{print $2}' > /home/jamie/Documents/Nessus/scan/ip_list/Private_Tier_Servers_IP
# Private Tier Users
nmap -n -sP -T4 10.100.1-6.4-254 | grep "Host" | awk '{print $2}' > /home/jamie/Documents/Nessus/scan/ip_list/Private_Tier_Users_IP

Step 2 – Create a “ip_list” folder under “/home/jamie/Documents/Nessus/scan/”

Step 3 – Run the script. The script will ping each host specified in the nmap command line and resturn files with list of real hosts (those that responds to ping).

Step 4 – Go to Nessus console, create a new scan and specify the individual files under “ip_list” folder as “Targets File”.

Step 5 – Run scan.

Step 6 – Repeat steps 2 – 5 for next scan.

For me, the resulting IP address lists have been reduced significantly from thousands to under 1000. I can now complete a vulnerability scan within hours. Great!

More About Nmap Host Discovery

Of course, not all hosts will respond to ping. Nmap has many options to discover those less obvious hosts.

Example 1
Here’s a TCP port scan that probes all 65K TCP ports (obviously it’s a thorough but very slow scan):

nmap -n -PS0-65536 -T4

To generate IP address list, replace the namp command line in the “ script:

nmap -n -PS0-65536 -T4 | grep "Interesting ports" | awk '{print $2}' | awk -F : '{print $1}' > /home/jamie/Documents/Nessus/scan/ip_list/Private_Tier_Servers_IP

Note: the command works, but the double awk leaves much room to improve.

Example 2
Here’s another example of ping scan with some extra probes. This doesn’t take nearly as long as previous one, but covers more common ports than a simple Ping scan. A good balance between speed and accuracy.

nmap -n -sP -PE -PP -PS21,22,23,25,80,113,443,8080,31339 -PA80,113,443,8080,10042 -T4 --source-port 53

Note: This command requires root permission. 31339 and 10042 are just random tcp high ports. The idea came from this book “Nmap Network Scanning” by Gordon “Fyodor” Lyon – the author of nmap.

To generate IP address list, replace the nmap command line in the “ script:

nmap -n -sP -PE -PP -PS21,22,23,25,80,113,443,8080,31339 -PA80,113,443,8080,10042 -T4 --source-port 53 | grep "Host" | awk '{print $2}' > /home/jamie/Documents/Nessus/scan/ip_list/Private_Tier_Servers_IP

What’s Next?

So far I’m happy about my poor man’s way to solve this issue, but there’s always better ways to do things. I’m aware of using Nmap results with Nessus batch scanning. Just haven’t tried yet. Look forward to it.