Penetration Testing mailing list archives

Re: How do VA scans work technically


From: Jason <securitux () gmail com>
Date: Wed, 9 Jul 2008 10:58:51 -0400

Not exactly...

Qualys does not exploit the vulnerabilities. It checks for the
existence of the vulnerability in any number of ways, such as a patch
missing or the behavior of the target / application when sent a
certain packet or sequence of packets. Many vulnerabilities are the
result of the way a certain piece of code behaves when sent a sequence
of data and Qualys knows how the vulnerable version behaves when sent
this data. It doesn't have to exploit it to make the determination.
That being said, Qualys also has 'potential' vulnerabilities, which
are vulnerabilities it believes exist based on the checks but is not
certain of, as the only way to be certain is to run the exploit code and
possibly crash the system out, which it will not do. You therefore
should check manually.

Nessus works in a similar way; however, it will also exploit some
vulnerabilities, not going too far unless safe checks are disabled. In
that case, Nessus will tell you if the vulnerability is there, but as a
result may crash the system, rendering the rest of the test useless.
And even if safe checks are enabled, I have crashed systems using
Nessus on custom coded apps. All in all Nessus, which I have been
using forever, is very invasive. Use caution with it on anything
custom coded.

I guess it depends on your definition of exploit, I suppose, but usually
by exploit you mean to take advantage of a vulnerability to cause
unintended system behavior, which the vulnerability scanners try not to
do. That's more the role of the Metasploit / Core apps.

-J
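As an added illustration (not code from this thread, nor from Qualys or Nessus), the Python sketch below shows a purely version/patch-level check of the kind described above: it never sends exploit code, only compares the advertised version against a pre-built database, and reports a hit as 'potential' when the banner alone cannot distinguish a vulnerable build from a backported fix. The product names, banners, versions, check ids and hosts are all constructed.

```python
# Added example: a non-exploiting, version-based vulnerability check that labels
# findings "confirmed" or "potential". Everything below is constructed for
# illustration; the check ids are not real advisory numbers.
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    check_id: str          # constructed identifier, not a real advisory number
    confidence: str        # "confirmed" or "potential"
    reason: str


# Constructed "pre-built database": the release in which the vendor fix shipped.
# backports_known marks software whose distributors backport fixes without
# bumping the version string, so a banner check alone can list a vulnerability
# that has in fact been remediated.
CHECK_DB = {
    "ExampleHTTPd": {"check_id": "EX-001", "fixed_in": (2, 4, 10), "backports_known": True},
    "ExampleFTP":   {"check_id": "EX-002", "fixed_in": (1, 3, 0),  "backports_known": False},
}

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner: str):
    """Return (product, version tuple) from a 'Product/1.2.3 ...' banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return m["product"], tuple(int(p) for p in m["version"].split("."))


def evaluate(host: str, banner: str):
    """Compare the advertised version with the database; no packets beyond the
    banner grab are needed. Returns a Finding or None."""
    parsed = parse_banner(banner)
    if parsed is None:
        return None
    product, version = parsed
    entry = CHECK_DB.get(product)
    if entry is None or version >= entry["fixed_in"]:
        return None  # unknown product, or already at/after the fixed release
    if entry["backports_known"]:
        # The version string cannot tell a backported fix from a vulnerable
        # build, so this is only a candidate that needs manual verification.
        return Finding(host, entry["check_id"], "potential",
                       "version below fix, but vendor backports fixes without changing the banner")
    return Finding(host, entry["check_id"], "confirmed", "version below fixed-in release")
```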

On Wed, Jul 9, 2008 at 1:29 AM, Tariq Naik <Tariq_Naik () symantec com> wrote:

Hi,

Qualys and Nessus do exploit the vulnerabilities. A very few of them
only find the version of the OS and services along with the patch levels
and then list the vulnerabilities from a pre-built database without
actually exploiting them. They will list a vulnerability even if the
vulnerability has been actually remediated using some remediation.

Regards,
Tariq


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Aseem Kumar
Sent: Wednesday, July 09, 2008 1:33 AM
To: pen-test () securityfocus com
Subject: How do VA scans work technically

Hey,

Can someone tell me (any weblink, any ebook, or direct answers) as to
how the VA scans like those of Qualys or Nessus work?

How do they find the vulnerabilities of a system without ever exploiting
it?

Regards
Aseem

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

