Penetration Testing mailing list archives
Re: How do VA scans work technically
From: HITESH PATEL <hitesh50 () yahoo com>
Date: Wed, 9 Jul 2008 18:04:03 -0700 (PDT)
Vulnerability scanners are signature-based automated scanners (just like signature-based anti-virus software) which throw the vulnerability attack against the system based on the type of the target system (or sometimes you can run a blind scan also). This is also one of the main reasons that such scanners can have lots of false positives. These scanners can be very handy to find already known issues as well as low-hanging fruit, but in my opinion they will never replace human-based penetration testing. These scanners will find an issue only if they have a vulnerability signature in their DB.

Also, the scanners you have mentioned are broad scanners which try to cover a broad range of systems. More targeted scanners like web-application scanners (e.g. AppScan or WebInspect) do more targeted scanning (e.g. HTTP protocols).

My suggestion is: do not confuse "automated signature-based vulnerability scanning" with true "white (or black) box manual (and automated) penetration testing". Both have different scopes. I know you didn't ask for this suggestion, but I come across a lot of such misunderstanding and hence just added my $0.02.

-Hitesh

----- Original Message ----
From: Aseem Kumar <kumaraseem () gmail com>
To: pen-test () securityfocus com
Sent: Tuesday, July 8, 2008 4:02:48 PM
Subject: How do VA scans work technically

Hey,

Can someone tell me (any weblink, any ebook, or direct answers) as to how the VA scans like those of Qualys or Nessus work? How do they find the vulnerabilities of a system without ever exploiting it?
Regards
Aseem

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides
www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------
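A sketch of one non-exploiting, signature-driven check of the kind discussed in the message above, as an added example that is not part of the original thread and is not how any named product is implemented. It assumes the simplest signature type, a comparison of the advertised service banner against a "fixed in" version; the product names, IDs and banners are constructed.

```python
import re

# Constructed signature DB: product name, first fixed version, placeholder ID.
SIGNATURES = [
    {"id": "EXAMPLE-0001", "product": "exampleftpd", "fixed_in": (2, 3, 5)},
    {"id": "EXAMPLE-0002", "product": "examplehttpd", "fixed_in": (1, 4, 0)},
]

# "<product>/<version>" or "<product> <version>" anywhere in the banner.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][\w-]*)[/ ](?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Return (product, version tuple) from a service banner, or None."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("product").lower(), version


def pad(version, width=3):
    """Right-pad a version tuple with zeros so 1.4 compares equal to 1.4.0."""
    return tuple(version) + (0,) * (width - len(version))


def match_signatures(banner, signatures=SIGNATURES):
    """Return IDs of signatures whose product matches and version is older
    than the fixed version. Nothing is sent to the target beyond reading
    the banner, so a finding is an inference, not a confirmed issue."""
    parsed = parse_banner(banner)
    if parsed is None:
        return []
    product, version = parsed
    return [s["id"] for s in signatures
            if s["product"] == product and pad(version) < pad(s["fixed_in"])]


# Constructed banners covering the outcomes the message describes.
SAMPLE_BANNERS = {
    "known issue": "220 exampleftpd 2.3.4 ready",
    "already fixed": "220 exampleftpd 2.3.5 ready",
    # Vendor backported the fix but kept the old version string: the
    # signature still fires, which is a false positive.
    "backported fix": "Server: examplehttpd/1.3.9 (distro-patched-7)",
    # No signature for this product in the DB, so nothing can be reported.
    "not in DB": "220 otherftpd 1.0.0 ready",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:15} {match_signatures(banner)}")
```
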