"Aseem Kumar" <kumaraseem_at_gmail.com> writes:
> Hi,
>
> Thanks for all the gr8 replies.

gr8? Why, you'd better be typing from a mobile keyboard. :-)

> Showing of already remediated vulnerabilities was what I was
> concerned. So I always have to take the reports from these scans
> with a pinch of salt. They even might miss something.
>
> But what if I am running say a web server on a non-standard port and
> have really disabled all settings that might allow an outsider to
> get a banner or version number of underlying application then will
> the scanners still be able to do some heuristics and come out with
> nearly correct answers?
>
> Can someone point me to any link that will provide more insight into
> this process.

The good news is that Nessus plugins are open source, and that source
code is rather readable.

Also, Nessus is still free for non-commercial use, so your best bet is
to configure a web server as stealthily as you like, and fire off Nessus
against it, see how it responds, and as results come back that
surprise you or pique your interest, read through some plugin code to
find out exactly why.

You'll find some plugins are based on banner grabbing, and those
plugins won't fire if you've obscured your version headers, but other
plugins are able to test for the issues directly without having to
infer from version banners.

I'm not aware of any white papers that discuss things in the level of
detail you're seeking, but there's nothing keeping you from what you
seek.

Here are the plugins -- each starts with the title and a link to the
source code ("View the source code of this plugin here") where the
word "here" is a hyperlink to the plugin source:
http://www.nessus.org/plugins/index.php?view=all

Specifically here are the web server plugins:
http://www.nessus.org/plugins/index.php?view=all&family=Web+Servers

Here's where to download Nessus:
http://www.nessus.org/download/

Determining how exactly Qualys does the same job won't be something as
easy to figure out, but I think you'll learn a lot by experimenting
and reading plugin code from Nessus, and running the tool against your
own various permutations of web server configs. This is one of the
wonderful things about open source and free tools, so by all means
take advantage of the opportunity it affords.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
Received on Jul 09 2008
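
The two plugin styles described in the message above, as an added example that is not part of the original post and is not Nessus plugin code. It runs over constructed HTTP responses; the product name ExampleHTTPd, the fix version 2.0.5 and the flaw itself (an error page that echoes a marker without HTML-escaping) are hypothetical.

```python
import re

# Constructed responses to one probe that carried the harmless marker <b>x</b>.
# ExampleHTTPd, fix version 2.0.5 and the flaw (error page echoes the marker
# without HTML-escaping) are hypothetical.
def _resp(server, body):
    return ("HTTP/1.1 400 Bad Request\r\nServer: %s\r\n"
            "Content-Type: text/html\r\n\r\n%s" % (server, body))

RAW, ESC = "probe=<b>x</b>", "probe=&lt;b&gt;x&lt;/b&gt;"
SAMPLES = {
    "verbose, unpatched":  _resp("ExampleHTTPd/2.0.1", RAW),
    "stealthy, unpatched": _resp("webserver", RAW),
    "stealthy, patched":   _resp("webserver", ESC),
    "verbose, backported": _resp("ExampleHTTPd/2.0.1", ESC),  # old banner, fix applied
}

def parse(raw):
    """Split a raw HTTP response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def banner_check(raw):
    """Infer the flaw from the advertised version; None when there is no banner."""
    m = re.fullmatch(r"ExampleHTTPd/(\d+)\.(\d+)\.(\d+)", parse(raw)[1].get("server", ""))
    return tuple(map(int, m.groups())) < (2, 0, 5) if m else None

def direct_check(raw):
    """Test the behaviour itself: did the marker come back unescaped?"""
    return "<b>x</b>" in parse(raw)[2]

def scan(raw):
    return {"banner": banner_check(raw), "direct": direct_check(raw)}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print("%-22s %s" % (label, scan(raw)))
```

The backported case is the already-remediated false positive raised in the quoted question: the banner check still reports it while the direct check does not. The stealthy unpatched case is the reverse, where the banner check cannot decide and the direct check still reports the flaw.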