
Authenticated Scanning Using SSH



Purpose

This document provides the steps needed for setting up SSH Authentication from OUTSCAN and HIAB.

Introduction

This document is a comprehensive overview of the Linux configuration required to succeed with authenticated scans using OUTSCAN or HIAB.

Requirements

This document assumes the reader has access to the OUTSCAN/HIAB account and the Portal Interface.

Authenticated Scanning

This guide provides you with a technical step-by-step procedure in order to succeed with authenticated scanning through SSH, along with the different setups supported within OUTSCAN and HIAB.

Prerequisites

The targets need at least one entry from each of the following lists configured for ciphers, key exchange methods (kex), and MACs.

Option                 Value
Ciphers                aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc
MAC hashes             hmac-sha2-512, hmac-sha2-256, hmac-sha1, none
Key Exchange Methods   curve25519-sha256@libssh.org, ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1


sshd_config example:

Ciphers aes256-ctr,aes192-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
MACs hmac-sha2-512,hmac-sha2-256
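As an added example that is not part of the Outpost24 documentation, the following POSIX shell script checks a target's sshd_config against the three lists above before a scan is scheduled, so an algorithm mismatch is found on the target rather than as a failed credential test. The algorithm lists are copied from the table; the function names are the example's own.

```shell
#!/bin/sh
# Added example: check a target's sshd_config against the algorithm lists the
# scanner offers. Lists copied from the prerequisite table; function names are
# this example's own.

SCANNER_CIPHERS="aes256-ctr aes192-ctr aes128-ctr aes256-cbc aes192-cbc aes128-cbc 3des-cbc blowfish-cbc"
SCANNER_MACS="hmac-sha2-512 hmac-sha2-256 hmac-sha1 none"
SCANNER_KEX="curve25519-sha256@libssh.org ecdh-sha2-nistp256 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1"

# config_value FILE KEYWORD: print the argument of the first uncommented KEYWORD
# line (sshd keeps the first value it reads; keywords are case-insensitive).
# Prints nothing when the keyword is not set in the file.
config_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# has_common COMMA_LIST "SPACE LIST": succeed if at least one item of the
# comma-separated list also appears in the space-separated list.
has_common() {
    _supported="$2"
    for _algo in $(printf '%s\n' "$1" | tr ',' ' '); do
        case " $_supported " in *" $_algo "*) return 0 ;; esac
    done
    return 1
}

# check_sshd_algos FILE: succeed only when Ciphers, MACs and KexAlgorithms each
# contain at least one algorithm the scanner offers. A keyword that is unset, or
# that uses the "-" prefix (remove from the OpenSSH defaults), cannot be judged
# from the file alone and is reported as a failure so the operator checks
# the effective values with "sshd -T".
check_sshd_algos() {
    _file="$1"
    _rc=0
    for _pair in "Ciphers=$SCANNER_CIPHERS" "MACs=$SCANNER_MACS" "KexAlgorithms=$SCANNER_KEX"; do
        _key=${_pair%%=*}
        _supported=${_pair#*=}
        _value=$(config_value "$_file" "$_key")
        case $_value in
            "") echo "$_key: not set, OpenSSH defaults apply (verify with sshd -T)"; _rc=1; continue ;;
            -*) echo "$_key: removes from defaults ($_value), verify with sshd -T"; _rc=1; continue ;;
        esac
        # "+list" appends to and "^list" prepends to the defaults; the listed
        # algorithms are offered either way, so only the prefix is dropped.
        _value=${_value#+}
        _value=${_value#^}
        if has_common "$_value" "$_supported"; then
            echo "$_key: ok ($_value)"
        else
            echo "$_key: no scanner-supported algorithm in '$_value'"
            _rc=1
        fi
    done
    return $_rc
}

# Usage: sh check_sshd_algos.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    check_sshd_algos "$1"
fi
```

Run it on the target as `sh check_sshd_algos.sh /etc/ssh/sshd_config`. When a keyword is not set, the OpenSSH built-in defaults apply and this script does not evaluate them; `sshd -T` (run as root) prints the effective configuration including those defaults, and its Ciphers, MACs and KexAlgorithms lines can be saved to a file and fed to the same check.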


Authentication Methods

Both Password Authentication (username + password) and Public Key Authentication (username + SSH private key) are supported.

A username must be specified in both cases: authentication always requires an identity (the username) together with an assertion, which can be a password or an SSH private key.

When both an SSH private key and a password are specified, the software tries the first method offered by the SSH server (usually public key authentication) and falls back to the second (usually password authentication); it can also use both when the SSH server requires it.
If the SSH server does not offer public key authentication but only password authentication, password authentication is used without trying the SSH private key.

Password Authentication

This form of authentication is the simplest, as it only requires a username and the corresponding password. On Unix/Linux, the username is usually a system-wide username as listed in /etc/passwd.
To succeed with this authentication, enable password authentication in the SSHD configuration on the targeted system, located at /etc/ssh/sshd_config.
Remove the hash (#) in front of PasswordAuthentication yes in the SSHD configuration file and restart the SSH service from the terminal.

# Change to yes to enable challenge-response passwords
# (beware issues with some PAM modules and threads) 
ChallengeResponseAuthentication no

#Change to no to disable tunneled clear text passwords
PasswordAuthentication yes


# Kerberos options 
#KerberosAuthentication no 
#KerberosGetAFSToken no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes

Authenticate Against the Target

There are three available setups to use authentication against target(s).

  • Per Target
  • Per Target Group
  • Per Scan Policy
Per Target

To access the setup for SSH authentication on a specific target:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right-click on the target entry and choose Edit to display the Maintaining Target window.
  3. Select SSH under the Authentication tab.


Maintaining Target Authentication


The necessary Authentication Credentials for password-based authentication are:

  • SSH username: Username used when authenticating against the target.
  • SSH password: Password used when authenticating against the target.
  • Supported SSH substitute user commands (optional):

Note

The following commands are used to run the scan commands as a different user, i.e. for privilege escalation.

Command   Description
sudo      Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in. From the tool's perspective, it uses the root account to run the commands.
doas      An OpenBSD-based command; 95% of its features are like sudo. https://man.openbsd.org/doas
sesu      An IBM implementation of su.
dzdo      Used on Linux/Unix (can be installed at will). An alternative to sudo.
pfexec    Mostly used on Solaris.
custom    Allows a custom-defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


Running Test under Test Credentials performs authentication against the target to verify that the provided credentials are valid; the test returns Success if the authentication succeeded.

Per Target Group

To access the setup for SSH Authentication for a Target Group:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right-click on the Target Group entry and choose Set Target Authentication to display the Authentication window.
  3. In the Authentication drop-down menu, select SSH.


Authentication


The necessary Authentication Credentials for password-based authentication are:

  • SSH username: Username used when authenticating against the target.
  • SSH password: Password used when authenticating against the target.
  • Supported SSH substitute user commands (optional):

Note

The following commands are used to run the scan commands as a different user, i.e. for privilege escalation.

Command   Description
sudo      Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in. From the tool's perspective, it uses the root account to run the commands.
doas      An OpenBSD-based command; 95% of its features are like sudo. https://man.openbsd.org/doas
sesu      An IBM implementation of su.
dzdo      Used on Linux/Unix (can be installed at will). An alternative to sudo.
pfexec    Mostly used on Solaris.
custom    Allows a custom-defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.



Running Test under Test Credentials performs authentication against all targets defined within the Target Group to verify that the provided credentials are valid; the test returns Success if the authentication succeeded.

Per Scan Policy

To access the setup for SSH Authentication for a Scan Policy:

  1. Go to Main Menu > Netsec > Scan Scheduling.
  2. Right-click on the desired entry within the Scan Policy tab, or create a new one to display the Maintaining Scanning Policy window.
  3. Select the SSH tab to enter your SSH setup.


Maintaining Scanning Policy SSH

The following options are required to succeed with SSH password-based authentication.

  • SSH username: Username used when authenticating against the target.
  • SSH password: Password used when authenticating against the target.
  • Supported SSH substitute user commands (optional):


Note

The following commands are used to run the scan commands as a different user, i.e. for privilege escalation.

Command   Description
sudo      Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in. From the tool's perspective, it uses the root account to run the commands.
doas      An OpenBSD-based command; 95% of its features are like sudo. https://man.openbsd.org/doas
sesu      An IBM implementation of su.
dzdo      Used on Linux/Unix (can be installed at will). An alternative to sudo.
pfexec    Mostly used on Solaris.
custom    Allows a custom-defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


Testing credentials against a specific target is performed within the Test Credentials section.

Public Key Authentication

First generate a public/private key pair that identifies the user on the server, and choose whether to protect it with a password.
Without a password, anyone with access to the key files has the same level of access, and no password is asked when establishing a connection to the server. Protecting the keys with a password means that every time the user connects to the server with those keys, a password to decrypt the private key is asked.
To succeed with this authentication, specify where the authorized keys file is located in the SSHD configuration on the targeted system, located at /etc/ssh/sshd_config.

RSAAuthentication yes 
PubkeyAuthentication yes 
AuthorizedKeysFile 		%h/.ssh/authorized_keys

Note

The SSH key format is PEM.

Example:

-----BEGIN RSA PRIVATE KEY-----
MHHDtgjmvgf5jkJHFkjgh23354kjds9834j32hgad76354jhewp89dsfjb45vgf5jkJHF
kjgh23354kjds9834j32hgad76354jhvgf5jkJHFkjgh23354gpjb545dsvFHpuipVAoj
kJkjds9834j32hgad76354jhgjmvgf5jkJHFad76354jhewp89dsfjb45vgf5jkJHFkjg
h23354kjds9834j32hgad76354jhvgf5jkJHFkjgh23354kjds9834piqDWrgpjb545ds
vFHpuipVAojkJHFkjgh23354kjdskjgh23354kjds9834j32hg9834j32hgad7imsdflk
mD645aljhvSALFBewkJ9aafdg82wrq35nk2äj32hgad75jkJ54kjds9834jHFkjgh2335
4kjds98MHHDtgjmvgf5jk
...
-----END RSA PRIVATE KEY-----


Default location is %h/.ssh/authorized_keys.

  • Once defined, restart the SSH service within the terminal and create the file authorized_keys at the defined location.

    Note

    The authorized_keys file must be a text file, not a directory.

  • Once created, copy the public SSH key previously created and paste this string within the authorized_keys file.
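The key generation and authorized_keys steps above, as an added shell example that is not part of the Outpost24 documentation. It assumes a dedicated scan account whose home directory is passed as the first argument; the function names, the key file name and the account name are the example's own assumptions. Besides creating the file, it enforces the permissions sshd's StrictModes setting (enabled by default) requires before it will read authorized_keys at all, and it refuses to continue when authorized_keys exists as a directory, the mistake the note above warns about.

```shell
#!/bin/sh
# Added example: prepare a target account for public key authentication by the
# scanner. Function names and file paths are this example's own choices.

# generate_scanner_key FILE: create an RSA key pair in PEM format (the format
# the scanner expects) with the private key in FILE and the public key in
# FILE.pub. ssh-keygen prompts for an optional passphrase. Run on the scanner
# side, not called by the usage below.
generate_scanner_key() {
    ssh-keygen -t rsa -b 4096 -m PEM -f "$1" -C "outscan-scanner"
}

# install_authorized_key HOME_DIR "PUBLIC_KEY_LINE": create HOME_DIR/.ssh (0700)
# and HOME_DIR/.ssh/authorized_keys (0600), make sure the home directory is not
# group/world-writable (sshd StrictModes ignores the file otherwise), refuse to
# continue if authorized_keys exists as a directory, and append the key line
# only if it is not already present.
install_authorized_key() {
    _home="$1"
    _pub="$2"
    _dir="$_home/.ssh"
    _file="$_dir/authorized_keys"

    [ -d "$_home" ] || { echo "error: $_home is not a directory" >&2; return 1; }
    chmod go-w "$_home"
    [ -d "$_dir" ] || mkdir -m 700 "$_dir" || return 1
    chmod 700 "$_dir"

    if [ -d "$_file" ]; then
        echo "error: $_file is a directory; sshd expects a text file" >&2
        return 1
    fi
    [ -e "$_file" ] || ( umask 077 && : > "$_file" ) || return 1
    chmod 600 "$_file"

    # Exact-line, fixed-string match so the same key is never added twice.
    if grep -qxF -e "$_pub" "$_file"; then
        echo "key already present in $_file"
    else
        printf '%s\n' "$_pub" >> "$_file"
        echo "key added to $_file"
    fi
}

# Usage on the target, after copying the .pub file over (paths are assumptions):
#   install_authorized_key /home/scanuser "$(cat scanner_key.pub)"
# then restart the SSH service, e.g. systemctl restart sshd.
```

The private key file stays on the scanner side and is uploaded through the SSH private key file field described below; only the .pub line is placed on the target. If a key-based credential test fails even though the line is in place, check the permissions of the home directory, .ssh and authorized_keys first, since sshd silently skips the file when any of them is writable by others.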


Authenticate against the Target

There are three available setups to use authentication against target(s).

Per Target

To access the setup for SSH authentication on a specific target:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right-click on the target entry and choose Edit to display the Maintaining Target window.
  3. Select SSH under the Authentication tab.

    Maintaining Target Authentication


The following options are required to succeed with SSH Public Key Authentication.

  • Supported SSH substitute user commands (optional):


Note

The following commands are used to run the scan commands as a different user, i.e. for privilege escalation.

Command   Description
sudo      Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in. From the tool's perspective, it uses the root account to run the commands.
doas      An OpenBSD-based command; 95% of its features are like sudo. https://man.openbsd.org/doas
sesu      An IBM implementation of su.
dzdo      Used on Linux/Unix (can be installed at will). An alternative to sudo.
pfexec    Mostly used on Solaris.
custom    Allows a custom-defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


  • SSH public key file: Provide the scanner with the public key that should be used during the authentication.
  • SSH private key file: Provide the scanner with the private key that should be used during the authentication.
  • SSH private key passphrase: Enter the passphrase for the private key. Can be left blank if the private key has no passphrase.

Running Test under Test Credentials performs authentication against the target to verify that the provided credentials are valid; the test returns Success if the authentication succeeded.

Per Target Group

To access the setup for SSH Authentication for a Target Group:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right-click on the Target Group entry and choose Set Target Authentication to display the Authentication window.
  3. Select SSH in the drop-down menu.

    Set Target Authentication


The following options are required to succeed with SSH Public Key Authentication.

  • Supported SSH substitute user commands (optional):


Note

The following commands are used to run the scan commands as a different user, i.e. for privilege escalation.

Command   Description
sudo      Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in. From the tool's perspective, it uses the root account to run the commands.
doas      An OpenBSD-based command; 95% of its features are similar to sudo. https://man.openbsd.org/doas
sesu      An IBM implementation of su.
dzdo      Used on Linux/Unix (can be installed at will). An alternative to sudo.
pfexec    Mostly used on Solaris.
custom    Allows a custom-defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


  • SSH public key file: Provide the scanner with the public key that should be used during the authentication.
  • SSH private key file: Provide the scanner with the private key that should be used during the authentication.
  • SSH private key passphrase: Enter the passphrase for the private key. Can be left blank if the private key has no passphrase.

Running Test under Test Credentials performs authentication against all targets defined within the Target Group to verify that the provided credentials are valid; the test returns Success if the authentication succeeded.

Per Scan Policy

To access the setup for SSH Authentication for a Scan Policy:

  1. Go to Main Menu > Netsec > Scan Scheduling.
  2. Right-click on the desired entry within the Scan Policy tab, or create a new one, to display the Maintaining Scanning Policy window.
  3. Select SSH in the drop-down menu and enter your SSH setup.

    Maintaining Scanning Policy SSH


The following options are required to succeed with SSH Public Key Authentication.

  • Supported SSH substitute user commands (optional):


Note

The following commands are used to run the scan commands as a different user, i.e. for privilege escalation.

Command   Description
sudo      Found on most Linux-based systems (or can be installed). Executes commands as a different user than the one used to log in. From the tool's perspective, it uses the root account to run the commands.
doas      An OpenBSD-based command; 95% of its features are like sudo. https://man.openbsd.org/doas
sesu      An IBM implementation of su.
dzdo      Used on Linux/Unix (can be installed at will). An alternative to sudo.
pfexec    Mostly used on Solaris.
custom    Allows a custom-defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


  • SSH public key file: Provide the scanner with the public key that should be used during the authentication.
  • SSH private key file: Provide the scanner with the private key that should be used during the authentication.
  • SSH private key passphrase: Enter the passphrase for the private key. Can be left blank if the private key has no passphrase.

Testing credentials against a specific target is performed within the Test Credentials section.

Exporting SSH Commands

The product itself provides a feature that lets a customer extract an up-to-date and accurate list of the SSH commands the scanner runs (the compliance module's Export Commands feature, used with an otherwise empty policy).

To export a list of available SSH commands:

  1. Go to Main Menu > Compliance Scanning.
  2. Click Export Commands tab.

    Export Commands
  3. Select a policy.

    Export Commands Select Policy
  4. Click on the Export button to read or save the list of commands for the selected policy in a txt file.

The feature exports the default commands (in other words, those used by normal Netsec scanning) together with the commands included in the selected policy.

Sudo

To run sudo from the Scanner, the following configuration is required in the target's /etc/sudoers file:

Defaults:username !requiretty 





Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.

