Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: How do VA scans work technically
From: "Rivest, Philippe" <PRivest () transforce ca>
Date: Thu, 10 Jul 2008 07:19:52 -0400

Don't know if you got an answer for this. But yes, you should at all time
double/triple verify the result of automated scans. You should do this in 2
separated operations

1- Identify false positive
2- Identify false negative

Those are very important. It is very important to understand that a scanner
may not get all the vulnerability (or take one as negative) and you will then
say to your client "its all good!" when in fact its not. And theres also the
"ITS SOOOOooo BAD" (false positive) when everything is good.

From my own experience, I remember running Nikto against my clients web
server and I got more or less 75-150 vulnerability & warnings. Years later I
have yet to identify why, but only a very few were actual flaws & warning
when I tested them manually.


For your non standard port, this is how you should go about it.

1- Port scan the machine from 1 - 65536 
2- All ports that are strange, "telnet ip port" "GET / HTTP/1.0"
3- If you get an answer from #2 you just identified a web server 
4- Run your tools on that port 


If you disabled all the banners and such, I would go about reading the source
code of your pages (just a few of them). I would try to identify default
files that you left on the web server that could help me identify the web
service. I would (of course) identify if it's a windows box or linux to try
and *limit* the possibilities.

Merci / Thanks
Philippe Rivest, CEH
Vérificateur interne en sécurité de l'information
Courriel: Privest () transforce ca
Téléphone: (514) 331-4417
www.transforce.ca

Vous pourriez imprimer ce courriel, mais faire pousser un arbre c'est long.
You could print this email, but it does takes a long time to grow trees.
 

-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la
part de Aseem Kumar
Envoyé : 9 juillet 2008 04:52
À : pen-test () securityfocus com
Objet : Re: How do VA scans work technically

Hi,

Thanks for all the gr8 replies.

Showing of already remediated vulnerabilities was what i was concerned.
So i always have to take the reports from these scans with a pinch of
salt. They even might miss something.

But what if i am running say a web server on a non-standard port and
have really disabled all settings that might allow an outsider to get
a banner or version number of underlying application then will the
scanners still be able to do some heuristics and come out with nearly
correct answers.

Can someone point me to any link that will provide more insight into
this process.

Regards
Aseem

On Wed, Jul 9, 2008 at 11:07 AM, Killy <killfactory () gmail com> wrote:
Nessus can ne configured to perform safe scans. It will still for blank
root, as and administrator passwords under that config.

So, it depends on your definition of exploit :)

Nessus can also be configured to prrerform brute force attacks using a
hydra
plugin/module

You also perform thorough tests/scans.

I have feeling that you are wanting to if nessus and qualys operate like
metasploit, canvas or other exploit frameworks.

I would say no. But nessusbis very flexible and you can customize It and
create your own plugin to do just about anything.

There is plenty of documentation and help online.

Sent from my iPod

On Jul 8, 2008, at 4:02 PM, "Aseem Kumar" <kumaraseem () gmail com> wrote:

Hey,

Can someone tell me (any weblink , any ebook, or direct answers) as to
how the VA scans like those of Qualys or Nessus work?

How do they find the vulnerabilities of a system without ever exploiting
it?

Regards
Aseem

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------





-- 
Love enables you to put your deepest feelings and fears in the palm of
your partner's hand, knowing they will be handled with care.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in 
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in
Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]