RE: How do VA scans work technically

["Tariq Naik" <Tariq_Naik () symantec com>]

Yep you are correct when you say that none of them take unintended
advantage and a lot depends on how we define an exploit. In that since
nothing is exploited, but lot of signatures do break into the system in
certain ways using what we can put as intrusive reconnaissance eg. many
signatures that try to exploit certain vulnerabilities in web and ftp
servers to achieve directory traversal do actually attempt the directory
traversal. I have experience of Nessus brining down systems by
exploiting vulnerabilities. There are many signatures in the Nessus safe
check list also that can bring a server down. 

True that most vulnerability scanner will try to find a vulnerability
with the least intrusive manner like sending a sequence of packets and
seeing the behavior but there is only so much that can be done by using
non intrusive methods. Nessus plug-in can be written to actually exploit
a vulnerability. 

On the other hand we have shadow which as per my experience relies on
fingerprinting. It lists vulnerabilities after finding out the version
of the a certain daemon without actually checking whether the
vulnerability exists and hence gives very large amount of false
positives.

Tariq

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Jason
Sent: Wednesday, July 09, 2008 8:29 PM
To: Tariq Naik; Aseem Kumar
Cc: pen-test () securityfocus com
Subject: Re: How do VA scans work technically

Not exactly...

Qualys does not exploit the vulnerabilities. It checks for the existence
of the vulnerability in any number of ways, such as a patch missing or
the behavior of the target / application when sent a certain packet or
sequence of packets. Many vulnerabilities are the result of the way a
certain piece of code behaves when sent a sequence of data and Qualys
knows how the vulnerable version behaves when sent this data. It doesn't
have to exploit it to make the determination.
That being said, Qualys also has 'potential' vulnerabilities, which are
vulnerabilities it believes exist based on the checks, but is not
certain as the only way to be certain is to run the exploit code and
possibly crash the system out, which it will not do. You therefore
should check manually.

Nessus works in a similar way however it will also exploit some
vulnerabilities, not going too far unless safe checks are disabled. In
that case, Nessus will tell you if the vulnerability is there but as a
result may crash the system, rendering the rest of the test useless.
And even if safe checks are enabled, I have crashed systems using Nessus
on custom coded apps. All in all Nessus, which I have been using
forever, is very invasive. Use caution with it on anything custom coded.

I guess it depends on your definition of exploit I suppose but usually
by exploit you mean to take advantage of a vulnerability to cause
unintended system behavior which the vulnerability scanners try not to
do. That's more the role of the Metasploit / Core apps.

-J

On Wed, Jul 9, 2008 at 1:29 AM, Tariq Naik <Tariq_Naik () symantec com>
wrote:
> Hi,
>
> Qualys and Nessus do exploit the vulnerabilities. A very few of them 
> only find the version of the OS and services along with the patch 
> levels and then list the vulnerabilities from a pre built database 
> without actually exploiting them. They will list a vulnerability even 
> if the vulnerability has been actually remediated using some
remediation.
> Regards,
> Tariq
>
>
> -----Original Message-----
> From: listbounce () securityfocus com 
> [mailto:listbounce () securityfocus com]
> On Behalf Of Aseem Kumar
> Sent: Wednesday, July 09, 2008 1:33 AM
> To: pen-test () securityfocus com
> Subject: How do VA scans work technically
>
> Hey,
>
> Can someone tell me (any weblink , any ebook, or direct answers) as to

> how the VA scans like those of Qualys or Nessus work?
>
> How do they find the vulnerabilities of a system without ever 
> exploiting it?
>
> Regards
> Aseem
>
> ----------------------------------------------------------------------
> --
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ----------------------------------------------------------------------
> --
>
>
> ----------------------------------------------------------------------
> --
> This list is sponsored by: Cenzic
>
> Top 5 Common Mistakes in
> Securing Web Applications
> Get 45 Min Video and PPT Slides
>
> www.cenzic.com/landing/securityfocus/hackinar
> ----------------------------------------------------------------------
> --

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------