How does QualysGuard scanning work?
QualysGuard scanning methodology mainly focuses on the different steps that an attacker might follow in order to perform an attack. It tries to use exactly the same discovery and information gathering techniques that will be used by an attacker.
The scanning engine is composed of different modules that handle specific scanning tasks and are chained in an intelligent way in order to avoid performing any meaningless vulnerability checks. It only performs vulnerability detection based on services that were discovered and properly identified.
The scanning engine performs scans in a very dynamic manner to optimize speed and performance. The following is a simplified description of the main steps of a scan:
1. Checking if the remote host is alive - The first step is to to check if the host to be scanned is up and running in order to avoid wasting time on scanning a dead or unreachable host. This detection is done by sending ICMP Echo Request (ping) packets, as well as probing some well-known TCP and UDP ports. By default, we probe TCP Ports 21-23, 25, 53, 80, 88, 110-111, 135, 139, 443, 445 and UDP Ports 53, 111, 135, 137, 161, 500. This can be changed by editing the option profile.
If the scanner receives at least one reply from the remote host, it continues the scan.
2. Firewall detection - The second test is to check if the host is behind any firewalling/filtering device. This test enables the scanner to gather more information about the network infrastructure and will help during the scan of TCP and UDP ports.
3. TCP / UDP Port scanning - The third step is to detect all open TCP and UDP ports to determine which services are running on this host. The number of ports is configurable, but the default scan is approximately 1900 TCP ports and 180 UDP ports.
4. OS Detection - Once the TCP port scanning has been performed, the scanner tries to identify the operating system running on the host. This detection is based on sending specific TCP packets to open and closed ports.
5. TCP / UDP Service Discovery - Once TCP/UDP ports have been found open, the scanner tries to identify which service runs on each open port by using active discovery tests.
6. Vulnerability assessment based on the services detected - Once the scanner has identified the specific services running on each open TCP and UDP port, it performs the actual vulnerability assessment. The scanner first tries to check the version of the service in order to detect only vulnerabilities applicable to this specific service version. Every vulnerability detection is non-intrusive, meaning that the scanner never exploits a vulnerability if it could negatively affect the host in any way.
Qualys Support KnowledgeBase