Re: How do VA scans work technically

From: Aseem Kumar <kumaraseem_at_gmail.com>
Date: Thu, 10 Jul 2008 23:17:51 +0530

I am just starting with VA and have got lots of material to go through.
Some of the replies have really been very informative for me.
I was not initially hoping for so many responses. I will be putting up
a little test lab to work out with free tools at home.

Thanks a lot to everyone.

Regards
Aseem

On Thu, Jul 10, 2008 at 4:49 PM, Rivest, Philippe <PRivest_at_transforce.ca> wrote:
> Don't know if you got an answer for this. But yes, you should at all times
> double/triple verify the results of automated scans. You should do this in 2
> separate operations:
>
> 1- Identify false positive
> 2- Identify false negative
>
> Those are very important. It is very important to understand that a scanner
> may not get all the vulnerabilities (or take one as negative) and you will then
> say to your client "it's all good!" when in fact it's not. And there's also the
> "ITS SOOOOooo BAD" (false positive) when everything is good.
>
> From my own experience, I remember running Nikto against my client's web
> server and I got more or less 75-150 vulnerabilities & warnings. Years later I
> have yet to identify why, but only a very few were actual flaws & warnings
> when I tested them manually.
>
>
> For your non standard port, this is how you should go about it.
>
> 1- Port scan the machine from 1 - 65536
> 2- All ports that are strange, "telnet ip port" "GET / HTTP/1.0"
> 3- If you get an answer from #2 you just identified a web server
> 4- Run your tools on that port
>
>
> If you disabled all the banners and such, I would go about reading the source
> code of your pages (just a few of them). I would try to identify default
> files that you left on the web server that could help me identify the web
> service. I would (of course) identify if it's a Windows box or Linux to try
> and *limit* the possibilities.
>
> Merci / Thanks
> Philippe Rivest, CEH
> Internal information security auditor
> Email: Privest_at_transforce.ca
> Phone: (514) 331-4417
> www.transforce.ca
>
> You could print this email, but it does take a long time to grow trees.
>
>
> -----Original Message-----
> From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
> behalf of Aseem Kumar
> Sent: 9 July 2008 04:52
> To: pen-test_at_securityfocus.com
> Subject: Re: How do VA scans work technically
>
> Hi,
>
> Thanks for all the great replies.
>
> Showing of already remediated vulnerabilities was what I was concerned
> about. So I always have to take the reports from these scans with a pinch of
> salt. They might even miss something.
>
> But what if I am running, say, a web server on a non-standard port and
> have really disabled all settings that might allow an outsider to get
> a banner or version number of the underlying application? Will the
> scanners still be able to do some heuristics and come out with nearly
> correct answers?
>
> Can someone point me to any link that will provide more insight into
> this process?
>
> Regards
> Aseem
>
> On Wed, Jul 9, 2008 at 11:07 AM, Killy <killfactory_at_gmail.com> wrote:
>> Nessus can be configured to perform safe scans. It will still check for blank
>> root, sa and administrator passwords under that config.
>>
>> So, it depends on your definition of exploit :)
>>
>> Nessus can also be configured to perform brute force attacks using a hydra
>> plugin/module.
>>
>> You also perform thorough tests/scans.
>>
>> I have a feeling that you are wanting to know if Nessus and Qualys operate like
>> metasploit, canvas or other exploit frameworks.
>>
>> I would say no. But Nessus is very flexible and you can customize it and
>> create your own plugin to do just about anything.
>>
>> There is plenty of documentation and help online.
>>
>> Sent from my iPod
>>
>> On Jul 8, 2008, at 4:02 PM, "Aseem Kumar" <kumaraseem_at_gmail.com> wrote:
>>
>>> Hey,
>>>
>>> Can someone tell me (any weblink, any ebook, or direct answers) as to
>>> how the VA scans like those of Qualys or Nessus work?
>>>
>>> How do they find the vulnerabilities of a system without ever exploiting
>>> it?
>>>
>>> Regards
>>> Aseem
>>>
>>
>

-- 
Love enables you to put your deepest feelings and fears in the palm of
your partner's hand, knowing they will be handled with care.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
Received on Jul 10 2008
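A small self-check in the spirit of Philippe's steps 2 and 3 and Aseem's banner question, added here as an example and not code from anyone in the thread: it sends `GET / HTTP/1.0` to a host and port you own (the `probe` function is the assumed live path) and reports whether the reply looks like a web server and whether its Server header still discloses a version. The classifier is kept separate from the socket call so it can be exercised offline against the constructed sample responses below.

```python
import re
import socket

# The same probe Philippe types into telnet, with a CRLF blank line to end the request.
PROBE = b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n"

# Constructed sample replies (not captured from any real host).
SAMPLE_LEAKY = b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Ubuntu)\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_QUIET = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
SAMPLE_PRODUCT_ONLY = b"HTTP/1.0 404 Not Found\r\nServer: nginx\r\n\r\n"
SAMPLE_NOT_HTTP = b"SSH-2.0-OpenSSH_4.7p1\r\n"


def classify_http_response(raw: bytes) -> dict:
    """Decide whether a reply to PROBE came from a web server and whether
    its Server header discloses a product version (a 'product/NUMBER' token)."""
    text = raw.decode("latin-1", errors="replace")
    head = re.split(r"\r?\n\r?\n", text, maxsplit=1)[0]  # headers only, tolerate bare LF
    lines = head.splitlines()
    status = re.match(r"HTTP/\d\.\d (\d{3})", lines[0]) if lines else None
    if not status:
        return {"is_http": False, "status": None, "server": None, "version_disclosed": False}
    server = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            server = value.strip()
            break
    disclosed = bool(server and re.search(r"/\d", server))
    return {"is_http": True, "status": int(status.group(1)),
            "server": server, "version_disclosed": disclosed}


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port, send PROBE, read up to 4 KiB, and classify the reply.
    Hypothetical live path for checking your own server; not run by the offline samples."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(PROBE)
        try:
            while sum(len(c) for c in chunks) < 4096:
                chunk = s.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # partial reply is still worth classifying
    return classify_http_response(b"".join(chunks))
```

A result with `is_http` true and `version_disclosed` false is what Aseem's "banners disabled" configuration should produce; `server` still naming a product shows the product is identified even when the version is not.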