How does QualysGuard mapping work?
QualysGuard's mapping methodology follows the steps an attacker would take to discover hosts to attack, using the same discovery and information-gathering techniques an attacker would use.
1. WHOIS queries - The first step is to contact WHOIS servers to gather information about the domain name. From this, QualysGuard may retrieve the primary DNS servers that handle the domain and, sometimes, the netblocks associated with it.
2. DNS Zone Transfer - QualysGuard tries to extract a list of hosts for the domain by requesting zone transfers from the main DNS servers that handle the domain. Most DNS servers disallow such queries.
3. DNS reverse lookup - QualysGuard also attempts a reverse DNS lookup for each IP address inside the netblocks found for the domain. This may allow it to retrieve host names for related IP addresses.
4. DNS name resolution brute-forcing - Another brute-force technique is to query the DNS servers for a list of commonly used host names and keep those that resolve.
5. Ping sweep - This method checks for live hosts inside the discovered netblocks that could not be found with DNS queries. QualysGuard sends ICMP packets to each IP address in every netblock discovered for the domain to test for live hosts.
6. Discovery methods for open services - In a standard scan, QualysGuard probes TCP ports 21, 22, 23, 25, 53, 80, 110, 111, 139, 443 and 445 and UDP ports 53, 111, 135, 137, 161 and 500, runs traceroute, and sends ICMP packets in order to discover running services.
7. Router detection - Mapping reports up to two routers directly in front of each mapped host. This test is performed by examining the TTL field in the response packet from the target host.
8. Operating system detection - OS detection is done by TCP/IP stack fingerprinting, for which only one open TCP port is required.
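From the defender's side, steps 5 and 6 leave a recognisable footprint: an ICMP sweep across a netblock followed by probes of the fixed TCP and UDP port set listed above. The following Python is an added example, not Qualys code; the firewall log format and the sample lines are constructed assumptions, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
# Port sets the page says a standard QualysGuard map probes.
MAP_TCP_PORTS = {21, 22, 23, 25, 53, 80, 110, 111, 139, 443, 445}
MAP_UDP_PORTS = {53, 111, 135, 137, 161, 500}
# Assumed (hypothetical) firewall log shape: "<PROTO> src=<ip> dst=<ip>[ dpt=<port>]".
LINE_RE = re.compile(r"^(ICMP|TCP|UDP) src=(\S+) dst=(\S+)(?: dpt=(\d+))?$")
# Constructed sample, not real traffic: 203.0.113.5 pings three hosts, then
# probes one of them on most of the map port set; 198.51.100.9 is a plain HTTPS client.
SAMPLE_LOG = """\
ICMP src=203.0.113.5 dst=192.0.2.1
ICMP src=203.0.113.5 dst=192.0.2.2
ICMP src=203.0.113.5 dst=192.0.2.3
TCP src=203.0.113.5 dst=192.0.2.2 dpt=21
TCP src=203.0.113.5 dst=192.0.2.2 dpt=22
TCP src=203.0.113.5 dst=192.0.2.2 dpt=25
TCP src=203.0.113.5 dst=192.0.2.2 dpt=53
TCP src=203.0.113.5 dst=192.0.2.2 dpt=80
TCP src=203.0.113.5 dst=192.0.2.2 dpt=139
TCP src=203.0.113.5 dst=192.0.2.2 dpt=443
UDP src=203.0.113.5 dst=192.0.2.2 dpt=53
UDP src=203.0.113.5 dst=192.0.2.2 dpt=137
UDP src=203.0.113.5 dst=192.0.2.2 dpt=161
UDP src=203.0.113.5 dst=192.0.2.2 dpt=500
TCP src=198.51.100.9 dst=192.0.2.2 dpt=443
"""

def profile_sources(log_text):
    """Per source IP: distinct ICMP targets plus distinct TCP and UDP ports probed."""
    prof = defaultdict(lambda: {"icmp": set(), "tcp": set(), "udp": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # ignore lines that do not fit the assumed format
            continue
        proto, src, dst, dpt = m.groups()
        if proto == "ICMP":
            prof[src]["icmp"].add(dst)
        else:
            prof[src][proto.lower()].add(int(dpt))
    return prof

def map_like_sources(log_text, sweep_hosts=3, coverage=0.6):
    """Sources showing an ICMP sweep of >= sweep_hosts addresses plus probes covering >= coverage of both map port sets."""
    hits = {}
    for src, p in profile_sources(log_text).items():
        tcp_cov = len(p["tcp"] & MAP_TCP_PORTS) / len(MAP_TCP_PORTS)
        udp_cov = len(p["udp"] & MAP_UDP_PORTS) / len(MAP_UDP_PORTS)
        if len(p["icmp"]) >= sweep_hosts and min(tcp_cov, udp_cov) >= coverage:
            hits[src] = {"swept": len(p["icmp"]), "tcp_cov": round(tcp_cov, 2), "udp_cov": round(udp_cov, 2)}
    return hits
```

Calling `map_like_sources(SAMPLE_LOG)` on the constructed sample reports only 203.0.113.5; in practice the thresholds should be tuned to the size of the monitored netblocks and the normal port mix of the site.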
Qualys Support KnowledgeBase