Purpose
This document is an overview of the different levels of access using SSH for authenticated scanning in OUTSCAN or HIAB.
Introduction
There is no fixed list of platforms that are supported in Authenticated Scanning using SSH. It varies from architecture to architecture and from configuration to configuration.
From a technical standpoint, OP24 generally supports authenticating to anything that speaks compliant SSH and is configured with cryptographic support that overlaps with OP24's. For more information about supported ciphers, key exchange (kex) algorithms, and MACs, see libssh2.org.
Depending on configuration, OP24 supports the major GNU/Linux distributions, macOS, the more modern SSH-compliant Cisco devices (excluding some old Cisco devices), and some network appliances such as BIG-IP TMOS, Arista, Juniper devices and so on.
Requirements
Each target needs to have at least one algorithm from the supported lists configured for each of ciphers, kex, and MACs.
sshd_config example:
Ciphers aes256-ctr,aes192-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
MACs hmac-sha2-512,hmac-sha2-256
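One way to check this requirement on a target before scanning, as an added example that is not Outpost24's own tooling: it reads the effective configuration printed by `sshd -T` and reports, per category, which algorithms the target shares with the scanner. The scanner-side lists are placeholders copied from the sshd_config example above (an assumption, not the actual supported lists), and the function names and sample inputs are constructed for illustration.

```shell
# ASSUMPTION: placeholder scanner-side lists copied from the sshd_config
# example on this page; substitute the lists published for libssh2.
SCANNER_CIPHERS="aes256-ctr,aes192-ctr"
SCANNER_KEX="curve25519-sha256@libssh.org,ecdh-sha2-nistp256"
SCANNER_MACS="hmac-sha2-512,hmac-sha2-256"

# overlap A B: print the comma-separated entries of A that also appear in B.
overlap() (
    IFS=','; out=''
    for a in $1; do
        for b in $2; do
            if [ "$a" = "$b" ]; then out="${out:+$out,}$a"; fi
        done
    done
    printf '%s' "$out"
)

# effective_list KEYWORD: read `sshd -T` style text on stdin and print the
# value of KEYWORD (sshd -T prints lowercase keywords with expanded lists).
effective_list() {
    awk -v k="$1" 'tolower($1) == k { print $2; exit }'
}

# check_target: read the effective config on stdin, report each category,
# and return 1 if any category shares no algorithm with the scanner.
check_target() {
    cfg=$(cat); rc=0
    for pair in "ciphers:$SCANNER_CIPHERS" "kexalgorithms:$SCANNER_KEX" \
                "macs:$SCANNER_MACS"; do
        key=${pair%%:*}; want=${pair#*:}
        have=$(printf '%s\n' "$cfg" | effective_list "$key")
        common=$(overlap "$have" "$want")
        if [ -n "$common" ]; then echo "$key: OK ($common)"
        else echo "$key: NO OVERLAP"; rc=1; fi
    done
    return "$rc"
}

# Constructed samples of `sshd -T` output (not taken from a real host).
SAMPLE_OK='port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
macs umac-64-etm@openssh.com,hmac-sha2-256'
SAMPLE_BAD='ciphers chacha20-poly1305@openssh.com
kexalgorithms curve25519-sha256@libssh.org
macs hmac-sha2-512'

printf '%s\n' "$SAMPLE_OK" | check_target
# On a real target (as root): sshd -T | check_target
```

Feed it `sshd -T` output rather than the raw sshd_config file, because the file may omit these keywords or modify the defaults with `+`/`-` prefixes, while `sshd -T` prints the fully expanded lists.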
Platforms
Outpost24 supports scanning platforms over SSH as long as the platform passes the commands to a supported shell. Commands are sent over the exec channel in SSH, and not over the shell channel. As such, platforms which do not implement this channel, or implement it incorrectly, will have limited or no support.
Fully supported
The best results will be from the most standardized GNU/Linux distributions, where we can query the package manager databases to obtain a list of installed packages. This includes distributions such as CentOS, RHEL, Debian, Ubuntu and other similar "standard" distributions.
On these systems, we generally also manage to run vulnerability-specific checks, such as Shellshock tests directly against bash, or searching the file system for log4j-affected applications that are installed outside of the package manager.
Best-Effort Supported
Devices or appliances from vendors such as Cisco, Juniper, BIG-IP, or Citrix are generally supported, but to a lower degree. Commands that we execute usually find firmware/OS versions to act upon, but vulnerability-specific checks may or may not work.
Platforms such as IBM AIX, Solaris, and HP-UX also typically fall under this category: we manage to authenticate and to run a subset of commands, generally enough to determine some form of platform version, but with limited to no support for the vulnerability-specific checks.
Not Supported
Devices that do not implement SSH correctly, for example older Cisco devices, are not supported.
Devices that use esoteric shell implementations are not supported - for example, smaller network appliance vendors, or SSH on Windows.