Penetration Testing mailing list archives
Re: How do VA scans work technically
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 09 Jul 2008 13:21:24 -0500
"Aseem Kumar" <kumaraseem () gmail com> writes:
> Hi, Thanks for all the gr8 replies.
gr8? Why, you'd better be typing from a mobile keyboard. :-)
> Showing of already remediated vulnerabilities was what I was concerned about. So I always have to take the reports from these scans with a pinch of salt. They even might miss something. But what if I am running, say, a web server on a non-standard port and have really disabled all settings that might allow an outsider to get a banner or version number of the underlying application; then will the scanners still be able to do some heuristics and come out with nearly correct answers? Can someone point me to any link that will provide more insight into this process?
The good news is that Nessus plugins are open source, and that source code is rather readable. Also, Nessus is still free for non-commercial use, so your best bet is to configure a web server as stealthily as you like, fire off Nessus against it, see how it responds, and as results come back that surprise you or pique your interest, read through some plugin code to find out exactly why. You'll find some plugins are based on banner grabbing, and those plugins won't fire if you've obscured your version headers, but other plugins are able to test for the issues directly without having to infer from version banners.

I'm not aware of any white papers that discuss things in the level of detail you're seeking, but there's nothing keeping you from what you seek. Here are the plugins -- each starts with the title and a link to the source code ("View the source code of this plugin here") where the word "here" is a hyperlink to the plugin source:

http://www.nessus.org/plugins/index.php?view=all

Specifically, here are the web server plugins:

http://www.nessus.org/plugins/index.php?view=all&family=Web+Servers

Here's where to download Nessus:

http://www.nessus.org/download/

Determining how exactly Qualys does the same job won't be something as easy to figure out, but I think you'll learn a lot by experimenting and reading plugin code from Nessus, and running the tool against your own various permutations of web server configs. This is one of the wonderful things about open source and free tools, so by all means take advantage of the opportunity it affords.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
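As an added example (not part of Todd's reply and not Nessus plugin code), the script below does the banner-only inference a version-header plugin would make, run against two constructed HTTP responses: one verbose, one with the version stripped the way the question describes. It shows that once the Server and X-Powered-By headers carry no version, a banner-based check has nothing to go on, which is exactly where only a direct test can still fire; grab_banner() is an assumed helper for pointing the same check at your own server on whatever port it listens on.

```python
"""Banner inference: what a banner-grabbing scanner plugin can learn from an
HTTP response, and what it cannot once version headers are hidden."""
import re
import socket

# Headers a banner-based plugin typically reads to infer product/version.
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# product/version pairs such as "Apache/2.2.9" or "PHP/5.2.6".
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def banner_inference(raw: bytes) -> dict:
    """Return the {product: version} pairs a banner-only plugin could infer.
    An empty dict means banner-based version checks would not fire at all."""
    _, headers = parse_response(raw)
    found = {}
    for header in BANNER_HEADERS:
        for product, version in VERSION_RE.findall(headers.get(header, "")):
            found[product] = version
    return found


def grab_banner(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Assumed helper: fetch one HEAD response from your own server on any port."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        return sock.recv(4096)


# Constructed sample responses (not captured from any real host).
VERBOSE = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.9 (Unix) PHP/5.2.6\r\n"
           b"X-Powered-By: PHP/5.2.6\r\nContent-Type: text/html\r\n\r\n")
HARDENED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
            b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    print("verbose :", banner_inference(VERBOSE))   # {'Apache': '2.2.9', 'PHP': '5.2.6'}
    print("hardened:", banner_inference(HARDENED))  # {}
```

Run it against `grab_banner("127.0.0.1", 8080)` on your own hardened test server to confirm the result is an empty dict before trusting that banner-based findings in a scan report can be discounted.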