Explain Traffic Probe in Vulnerability Scanning.
1 Answer


  • Services aren’t always so extroverted that they immediately announce themselves. However, lots of them will if you just ask.

  • For example, a web service will not respond until it receives data from the client. The following command makes a valid HTTP request using the HEAD method:

                       $ echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -v localhost 80
                       Connection to localhost 80 port [tcp/http] succeeded!
                       HTTP/1.1 200 OK
                       Date: Mon, 12 Nov 2012 21:15:58 GMT
               Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/1.0.1c DAV/2 PHP/5.3.14
                       Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
                       ETag: "eb879f-2c-3e9564c23b600"
                       Accept-Ranges: bytes
                       Content-Length: 44
                       Connection: close
                       Content-Type: text/html; charset=utf-8
     - We glean several bits of useful information from the previous output.
       The web site indicates Apache/2.2.11 in its Server header. You could
       infer from this that the web site is prone to certain denial of
       service (DoS) attacks. It also reports a version of PHP that likely
       has vulns.
     - Traffic probes try to use valid requests. For one thing, valid
       protocol messages are less likely to crash or interrupt a service.** 
     - If a web server didn’t handle the HEAD method without crashing, then
       it’s a buggy service that needs to be fixed regardless of security
       problems. The other reason is that the failure mode for services
       might not reveal as much information.**
     - For example, here’s another probe for an HTTP service using an
       incorrect request format. Notice that the informative headers are
               $ echo "." | nc -v localhost 80
             Connection to localhost 80 port [tcp/http] succeeded!
             <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
             <title>501 Method Not Implemented</title>
             <h1>Method Not Implemented</h1>
             <p>. to /index.html not supported.<br /></p>
  • There are counter-examples where invalid messages produce verbose errors from a service where valid messages produce uninformative ones.

  • This is one of the benefits of using a tool with a history of
    development and research that has enumerated the best ways to
    interrogate services.

  • Traffic probes are not perfect. Most services can be configured to remove version- related information or even spoof this information.

  • It’s trivial to make Apache report itself as running Internet Information Services (IIS) version 6. (It’s a lot harder to make Apache behave as if it’s running IIS/6.0.)

Please log in to add an answer.