Purpose
This document is an overview of the different levels of access using SSH for authenticated scanning in OUTSCAN or HIAB.
Introduction
There is no fixed list of platforms that are supported in Authenticated Scanning using SSH. It varies from architecture to architecture and from configuration to configuration.
From a technical standpoint, OP24 generally support authenticating to everything that speaks compliant SSH, and is configured to have cryptographic support that overlaps with OP24. For more information about supported ciphers, kex, and macs see libssh2.org.
Depending on configuration, OP24 support the major GNU/Linux distributions, macOS, the more modern SSH-compliant Cisco devices (excluding some old Cisco devices,), and some network appliances such as BIG-IP TMOS, Arista, Juniper devices and so on.
Requirements
The targets need to have at least one from the lists configured for ciphers, kex, and macs.
sshd_config example:
Ciphers aes256-ctr,aes192-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
MACs hmac-sha2-512,hmac-sha2-256
Platforms
Outpost24 supports scanning platforms over SSH as long as the platform passes the commands to a supported shell. Commands are sent over the exec channel in SSH, and not over the shell channel. As such, platforms which do not implement this channel, or implement it incorrectly, will have limited or no support.
Fully supported
The best results will be from the most standardized GNU/Linux distributions, where we can query the package manager databases to obtain a list of installed packages. This includes distributions such as CentOS, RHEL, Debian, Ubuntu and other similar "standard" distributions.
On these systems, we generally also manage to run vulnerability-specific checks, such as Shellshock tests directly against bash, or searching the file system for log4j-affected applications that are installed outside of the package manager.
Best-Effort Supported
Devices or appliances from vendors such as Cisco, Juniper, BIG-IP, or Citrix are generally supported, but to a lower degree. Commands that we execute usually find firmware/OS versions to act upon, but vulnerability-specific checks may or may not work.
Platforms such as IBM AIX, Solaris, and HP-UX also typically fall under this category - we manage to authenticate and manage to run a subset of commands, generally enough to determine some form of platform version, but with limited to no support for the vulnerability-specific checks.
Not Supported
Devices that do not implement SSH correctly, for example older Cisco devices, are not supported.
Devices that use esoteric shell implementations are not supported - for example, smaller network appliance vendors, or SSH on Windows.
References
Related Articles
- Automatic Asset Joining With Netsec
- HIAB Console
- HIAB Deployment Guide
- HIAB Enrollment
- Testing Target System for Open TCP Ports
- Technical Specification
- HIAB Remote Support
- HIAB Setup Guide
- HIAB Server Settings
- Authenticated Scanning Using SMB
- How to Test SMB Authentication
- SMB Authentication from OUTSCAN/HIAB
- Windows 7
- Windows 8.1
- Windows 10/Windows 2019 Server