Purpose
This document explains the feature that runs an authenticated scan using default credentials found on a target.
Introduction
The scanner checks for default credentials on various services, using a list from different vendors, by attempting to log in to the respective service, and saves the credentials if the login succeeds. The complementary scan only runs against SSH and SMB services.
Complementary Authenticated Scan
The Complementary Authenticated Scan performs a limited-scope SSH/SMB authenticated scan using the default credentials found by harass. For an SSH authenticated scan, the ssh-commands scanning components are used; for an SMB authenticated scan, the psh-commands and remote-registry scanning components are used. If multiple default credentials are configured on a target, the complementary authenticated scan is performed only once, with the credentials set from the top of the list.
Scope of Scan
Use case
The Complementary Authenticated Scan originated from a PCI scan where the target had an SSH service running on the default SSH port with default credentials from the vendor. The target was using the vendor's default credentials, <vendor:vendor>, as username:password. No other port was present that gave any useful information about the target. A PCI scan is originally an unauthenticated scan, and the scanner was unable to deduce what kind of target it was. The only port present that could give some information about the target was the SSH port.
Scope
Taking this use case into consideration, an idea was formed to perform a limited-scope authenticated scan to determine the kind of operating system and its version.
The scope of the implementation was then extended from SSH to include SMB as well. In conclusion, this feature detects the operating system version of the target through SSH and/or SMB authentication, using the found default credentials.
Controllability of the Scan
Case-1
If the Disable logins checkbox is checked in the scan configuration, the complementary authenticated scan will not run.
Case-2
If the scan has already been configured with working/valid credentials (that is, it is an authenticated scan), the complementary authenticated scan will not run.
Case-3
If no default credentials are found, the complementary authenticated scan will not run.