Penetration Testing mailing list archives
RE: How do VA scans work technically
From: "Tariq Naik" <Tariq_Naik () symantec com>
Date: Wed, 16 Jul 2008 22:05:43 +0530
Yep, you are correct when you say that none of them take unintended advantage, and a lot depends on how we define an exploit. In that sense nothing is exploited, but a lot of signatures do break into the system in certain ways using what we can put as intrusive reconnaissance, e.g. many signatures that try to exploit certain vulnerabilities in web and FTP servers to achieve directory traversal do actually attempt the directory traversal. I have experience of Nessus bringing down systems by exploiting vulnerabilities. There are many signatures in the Nessus safe check list also that can bring a server down. True that most vulnerability scanners will try to find a vulnerability in the least intrusive manner, like sending a sequence of packets and seeing the behavior, but there is only so much that can be done by using non-intrusive methods. Nessus plug-ins can be written to actually exploit a vulnerability. On the other hand we have Shadow which, as per my experience, relies on fingerprinting. It lists vulnerabilities after finding out the version of a certain daemon without actually checking whether the vulnerability exists and hence gives a very large amount of false positives.

Tariq

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Jason
Sent: Wednesday, July 09, 2008 8:29 PM
To: Tariq Naik; Aseem Kumar
Cc: pen-test () securityfocus com
Subject: Re: How do VA scans work technically

Not exactly... Qualys does not exploit the vulnerabilities. It checks for the existence of the vulnerability in any number of ways, such as a patch missing or the behavior of the target / application when sent a certain packet or sequence of packets. Many vulnerabilities are the result of the way a certain piece of code behaves when sent a sequence of data, and Qualys knows how the vulnerable version behaves when sent this data. It doesn't have to exploit it to make the determination.
That being said, Qualys also has 'potential' vulnerabilities, which are vulnerabilities it believes exist based on the checks but is not certain of, as the only way to be certain is to run the exploit code and possibly crash the system out, which it will not do. You therefore should check manually.

Nessus works in a similar way; however, it will also exploit some vulnerabilities, not going too far unless safe checks are disabled. In that case, Nessus will tell you if the vulnerability is there but as a result may crash the system, rendering the rest of the test useless. And even if safe checks are enabled, I have crashed systems using Nessus on custom coded apps. All in all Nessus, which I have been using forever, is very invasive. Use caution with it on anything custom coded.

I guess it depends on your definition of exploit, but usually by exploit you mean to take advantage of a vulnerability to cause unintended system behavior, which the vulnerability scanners try not to do. That's more the role of the Metasploit / Core apps.

-J

On Wed, Jul 9, 2008 at 1:29 AM, Tariq Naik <Tariq_Naik () symantec com> wrote:
Hi,

Qualys and Nessus do exploit the vulnerabilities. A very few of them only find the version of the OS and services along with the patch levels and then list the vulnerabilities from a pre-built database without actually exploiting them. They will list a vulnerability even if the vulnerability has been actually remediated using some remediation.
Regards,
Tariq

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Aseem Kumar
Sent: Wednesday, July 09, 2008 1:33 AM
To: pen-test () securityfocus com
Subject: How do VA scans work technically

Hey,

Can someone tell me (any weblink, any ebook, or direct answers) how the VA scans like those of Qualys or Nessus work? How do they find the vulnerabilities of a system without ever exploiting it?

Regards
Aseem
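The distinction the thread turns on, as an added example that is not code from the thread or from any of the scanners named: a fingerprint-only check that maps a banner version onto an advisory database (the approach Tariq says produces false positives when a fix has been backported) beside a check that also reads the vendor patch level and, like the 'potential' category Jason describes, leaves a finding for manual verification when it cannot tell. The product name, version ranges, advisory ids and vendor release suffixes are all constructed placeholders.

```python
import re

# Constructed advisory database: product, first vulnerable, first fixed, advisory id.
# The ids are placeholders for illustration, not real advisories.
ADVISORIES = [
    ("ExampleHTTPd", (2, 4, 0), (2, 4, 10), "EXAMPLE-ADV-001"),
    ("ExampleHTTPd", (2, 2, 0), (2, 4, 3), "EXAMPLE-ADV-002"),
]

# Constructed vendor patch notes: package release suffix -> advisories whose fix
# the vendor backported into that release without bumping the upstream version.
BACKPORTS = {"3+fix2": {"EXAMPLE-ADV-001"}}

BANNER_RE = re.compile(r"^(?P<product>[A-Za-z]+)/(?P<version>\d+(?:\.\d+)*)")


def parse_banner(banner):
    """Split a banner such as 'ExampleHTTPd/2.4.7' into ('ExampleHTTPd', (2, 4, 7))."""
    m = BANNER_RE.match(banner)
    if not m:
        raise ValueError(f"unrecognised banner: {banner!r}")
    return m.group("product"), tuple(int(x) for x in m.group("version").split("."))


def fingerprint_check(banner):
    """Fingerprint-only scanner: flag every advisory whose version range covers the banner.

    This is where backported fixes turn into false positives: the upstream
    version string alone cannot show that the vendor already shipped the fix.
    """
    product, version = parse_banner(banner)
    return sorted(adv for prod, lo, hi, adv in ADVISORIES
                  if prod == product and lo <= version < hi)


def patch_aware_check(banner, package_release=None):
    """Scanner that also reads the installed package's vendor release suffix.

    'confirmed'  - version in range and the vendor has not backported a fix.
    'remediated' - version in range but the vendor release carries the backport.
    'potential'  - no patch information available, so the fingerprint hit
                   needs manual verification rather than being reported as fact.
    """
    findings = fingerprint_check(banner)
    if package_release is None:
        return {"confirmed": [], "remediated": [], "potential": findings}
    fixed = BACKPORTS.get(package_release, set())
    return {
        "confirmed": [a for a in findings if a not in fixed],
        "remediated": [a for a in findings if a in fixed],
        "potential": [],
    }
```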
Current thread:
- How do VA scans work technically Aseem Kumar (Jul 08)
- RE: How do VA scans work technically Tariq Naik (Jul 08)
- Re: How do VA scans work technically Jason (Jul 09)
- RE: How do VA scans work technically Tariq Naik (Jul 16)
- Re: How do VA scans work technically Jason (Jul 09)
- Re: How do VA scans work technically Killy (Jul 08)
- Re: How do VA scans work technically Aseem Kumar (Jul 09)
- Re: How do VA scans work technically Todd Haverkos (Jul 09)
- AW: How do VA scans work technically puppe (Jul 10)
- RE: How do VA scans work technically Rivest, Philippe (Jul 10)
- Re: How do VA scans work technically Aseem Kumar (Jul 10)
- RE: How do VA scans work technically sandip (Jul 25)
- Re: How do VA scans work technically Aseem Kumar (Jul 09)
- Re: How do VA scans work technically Zed Qyves (Jul 22)
- RE: How do VA scans work technically Tariq Naik (Jul 08)
- <Possible follow-ups>
- Re: How do VA scans work technically HITESH PATEL (Jul 09)