On Tue, Feb 24, 2004 at 10:10:01PM -0800, alan donald wrote:
> 
> How does nessus find out what application is
> running. Since it has to know this information in order
> to launch an exploit.

It does not *have* to know which application is running in order to run
a check. It has to know which *service* is running, that's totally
different.

> And exactly how much information
> does nessus need to launch an exploit. I mean, is the full
> application name and version number necessary, or is
> the service name also sufficient in many cases?

It depends. Sometimes it does need the full banner, sometimes just
looking at how the application reacts to "weird" packets is enough.

> I've seen it sending the "get" probe but I was confused
> about whether it would be able to find an application
> uniquely on the basis of this probe.

That's service recognition, not application recognition.

> So what is it actually doing?
> 1. Is it just matching a banner?

Sometimes yes.

> 2. Does it have a database of responses for each
> application, like maybe nmap does?

find_services does that for service recognition, but we don't care about
the "application" - we care about the service. Please read the source
code of find_services.

> 3. Is it fingerprinting the application in some other
> way?

Sometimes it also does that - see smtpscan.nasl, dns_fingerprint.nasl
and others, and sometimes the result is used to optimize the scan.


Feel free to read the source code, it will answer your questions.

                                -- Renaud
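An added example, not code from this thread or from Nessus itself, that models the distinction drawn above: a find_services-style signature pass names the service from the shape of a reply, and a separate, best-effort pass tries to name the application. The port numbers, banners and patterns are constructed for illustration.

```python
import re

# Constructed sample replies (not captured from real hosts): what each port
# returned to (a) connecting and reading a banner and (b) the "GET" probe.
SAMPLE_PORTS = {
    25:   {"banner": "220 mail.example.test ESMTP Postfix", "get": "500 5.5.2 Error: bad syntax"},
    8080: {"banner": "", "get": "HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"},
    2222: {"banner": "SSH-2.0-OpenSSH_3.8p1", "get": "Protocol mismatch."},
    2223: {"banner": "SSH-2.0-obscured", "get": "Protocol mismatch."},
    9999: {"banner": "", "get": ""},
}

# Service signatures in the spirit of find_services: each names the protocol
# spoken on the port from the *shape* of a reply, never the product behind it.
SERVICE_SIGNATURES = [
    ("smtp", "banner", re.compile(r"^220[ -]")),
    ("ssh",  "banner", re.compile(r"^SSH-\d\.\d-")),
    ("http", "get",    re.compile(r"^HTTP/1\.[01] \d{3}")),
]

# Application fingerprints are a separate, best-effort step that only refines
# which checks run; a missing match must not block the service-level checks.
APP_FINGERPRINTS = {
    "smtp": [("banner", re.compile(r"ESMTP (Postfix|Sendmail|Exim)"))],
    "ssh":  [("banner", re.compile(r"^SSH-[\d.]+-(OpenSSH_[\w.]+)"))],
    "http": [("get",    re.compile(r"^Server: (\S+)", re.M))],
}

def recognise_service(replies):
    """Service name for a port from its probe replies, or None if unrecognised."""
    for service, probe, pattern in SERVICE_SIGNATURES:
        if pattern.search(replies.get(probe, "")):
            return service
    return None

def fingerprint_application(service, replies):
    """Product (and version when the banner carries it), or None if it is silent."""
    for probe, pattern in APP_FINGERPRINTS.get(service, []):
        match = pattern.search(replies.get(probe, ""))
        if match:
            return match.group(1)
    return None

def plan_checks(ports):
    """Map port -> (service, application). Checks are scheduled by service."""
    plan = {}
    for port, replies in ports.items():
        service = recognise_service(replies)
        plan[port] = (service, fingerprint_application(service, replies) if service else None)
    return plan
```

Port 2223 is the case the reply describes: the service is known, the application is not, and the service-level checks still run.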
_______________________________________________
Nessus mailing list
[EMAIL PROTECTED]
http://mail.nessus.org/mailman/listinfo/nessus