Hi Patrice, On Apr 2, 2008, at 10:47 AM, Patrice ARNAL wrote: > Hello, > > I need some explanations on the way this plugin works. > The code associated seems to be more "OS identification" related > than "reverse nat" / proxy / "traffic shaper" related. > > I first noticed this plugin when scanning a real reverse proxy in > our infrastructure, > but now it seems to be fired on almost each scan I do. > > Before asking some explanations to our network team, I need to know > how this plugin works, almost in its methods.
This plugin performs an OS fingerprint on every open port. If two ports have different OS signatures, it's likely that either the host is doing reverse NAT (one external IP mapping to multiple different hosts internally) or (more likely in your case) that there is a transparent proxy on the way. For instance, Fortinet will run a transparent proxy on ports 21, 25 and 80 to scan for viruses inline. Another example are the Apple Aiport Extreme wireless base stations which have a FTP proxy to handle NAT more easily. I'd be interested in the results you're getting, but it's likely that your network team set up some filtering in place. BTW, Ron wrote a blog entry about this plugin : http://blog.tenablesecurity.com/2008/03/reverse-nat-det.html -- Renaud _______________________________________________ Nessus mailing list [email protected] http://mail.nessus.org/mailman/listinfo/nessus
