Home page logo

pen-test logo Penetration Testing mailing list archives

Re: How do VA scans work technically
From: Todd Haverkos <infosec () haverkos com>
Date: Wed, 09 Jul 2008 13:21:24 -0500

"Aseem Kumar" <kumaraseem () gmail com> writes:

Thanks for all the gr8 replies.

gr8?  Why, you'd better be typing from a mobile keyboard.  :-) 

Showing of already remediated vulnerabilities was what i was
concerned.  So i always have to take the reports from these scans
with a pinch of salt. They even might miss something.

But what if i am running say a web server on a non-standard port and
have really disabled all settings that might allow an outsider to
get a banner or version number of underlying application then will
the scanners still be able to do some heuristics and come out with
nearly correct answers.

Can someone point me to any link that will provide more insight into
this process.

The good news is that Nessus plugins are open source, and that source
code is rather readable.

Also, Nessus is still free for non commercial use, so your best bet is
to configure a web server as stealthily you like, and fire off Nessus
against it, see how it responds, and as results come back that
surprise you or pique your interest, read through some plugin code to
find out exactly why. 

You'll find some plugins are based on banner grabbing, and those
plugins won't fire if you've obscured your version headers, but other
plugins are able to test for the issues directly without having to
infer from version banners.  

I'm not aware of any white papers that discuss things in the level of
detail you're seeking, but there's nothing keeping you from what you

Here are the plugins-- each starts with the title and a link to the
source code ("View the source code of this plugin here") where the
word here is a hyperlink to the plugin source: 

Specifically here are the web server plugins: 

Here's where to download Nessus; 

Determining how exactly Qualys does the same job won't be something as
easy to figure out, but I think you'll learn a lot by experimenting
and reading plugin code from Nessus, and running the tool against your
own various permutations of web server configs.  This is one of the
wonderful things about open source and free tools, so by all means
take advantage of the opportunity it affords. 

Best Regards, 
Todd Haverkos, LPT MsCompE

This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]