Document Version: 2.7

Date: 2021-08-27


Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Introduction

This document is a comprehensive overview of the Linux configuration required to succeed with authenticated scans using OUTSCAN or HIAB. This document has been elaborated under the assumption the reader has access to the OUTSCAN/HIAB account and Portal Interface. 

Authenticated Scanning

This guide provides you with a technical step-by-step procedure in order to succeed with authenticated scanning through SSH, along with the different setups supported within OUTSCAN and HIAB.

Prerequisites

The targets need to have at least one from the lists configured for ciphers, kex, and macs matching the supported ones on https://www.libssh.org/features/.

OptionValue
Ciphers
aes256-ctr
aes192-ctr
aes128-ctr
aes256-cbc
aes192-cbc
aes128-cbc
3des-cbc
blowfish-cbc
MAC hashes
hmac-sha2-512
hmac-sha2-256
hmac-sha1
none
Key Exchange Methods
curve25519-sha256@libssh.org
ecdh-sha2-nistp256
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1


sshd_config example:

Ciphers aes256-ctr,aes192-ctr
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256
MACs hmac-sha2-512,hmac-sha2-256


Authentication Methods

Both "Password Authentication" (Username + Password) and "Public Key Authentication" (Username + SSH Private Key) are supported.

When using an SSH PrivateKey, a username need to be specified as well as it is required in both password or Private Key Authentication. The authentication require you to specify an identity (identified with username) and to provide some assertion (that can be a password or an SSH PrivateKey).

When specifying both SSH PrivateKey and password, the software tries the first method offered by the SSH server (usually PublicKey authentication) with fallback to second method (usually password authentication) and being capable of using both when required by the SSH server.
In case the SSH server does not offer PublicKey authentication, but only password authentication, password authentication without testing SSHPrivateKey is used.

Password Authentication

This form of authentication is the simplest, as it only requires you to specify the username and corresponding password. On Unix/Linux, the username is a usually system-wide username as specified in /etc/passwd.
To succeed with this authentication, enable the password authentication within the SSHD configuration on the targeted system, located at /etc/ssh/sshd_config.
Remove the hashtag before PasswordAuthentication yes in the SSHD configuration file and restart the SSH service within the terminal.

# Change to yes to enable challenge-response passwords
# (beware issues with some PAM modules and threads) 
ChallengeResponseAuthentication no

#Change to no to disable tunneled clear text passwords
PasswordAuthentication yes


# Kerberos options 
#KerberosAuthentication no 
#KerberosGetAFSToken no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes

Authenticate Against the Target

There are three available setups to use authentication against target(s).

  • Per Target
  • Per Target Group
  • Per Scan Policy

Per Target

To access the setup for SSH authentication on a specific target:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right-click on the targets entry and choose Edit to display the Maintaining Target window.
  3. Select SSH under Authentication tab.




The necessary Authentication Credentials for password-based authentication are:

  • SSH username: Username used when authenticating against the target.
  • SSH password: Password used when authenticating against the target.
  • Supported SSH substitute user commands (optional):

Note

The use of the following commands is to execute commands with a different user/privilege escalation.

CommandDescription
sudoThis command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.
doasIt is an OpenBSD based command. 95% of its features are like sudo. https://man.openbsd.org/doas
sesuIt is an IBM implementation of su.
dzdoUsed in Linux/Unix (can be installed at will). An alternative to sudo.
pfexecMostly used in Solaris.
customIt gives a flexibility to use a custom defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


Running Test under Test Credentials performs authentication against the target to verify if the provided credentials are valid, the test will return with Success if the authentication was successful.

Per Target Group

To access the setup for SSH Authentication for a Target Group:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right-click on the Target Group entry and choose Set Target Authentication to display the Authentication window.
  3. In the Authentication drop-down menu, select SSH.




The necessary Authentication Credentials for password-based authentication are:

  • SSH username: Username used when authenticating against the target.
  • SSH password: Password used when authenticating against the target.
  • Supported SSH substitute user commands (optional):

Note

The use of the following commands is to execute commands with a different user/privilege escalation.


CommandDescription
sudoThis command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.
doasIt is an OpenBSD based command. 95% of its features are like sudo. https://man.openbsd.org/doas
sesuIt is an IBM implementation of su.
dzdoUsed in Linux/Unix (can be installed at will). An alternative to sudo.
pfexecMostly used in Solaris.
customIt gives a flexibility to use a custom defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.



Running Test under Test Credentials will perform authentication against all targets defined within the Target Group to verify if the provided credentials are valid, the test will return with Success if the authentication was successful.

Per Scan Policy

To access the setup for SSH Authentication for a Scan Policy:

  1. Go to Main Menu > Netsec > Scan Scheduling.
  2. Right-click on the desired entry within the Scan Policy tab, or create a new one to display the Maintaining Scanning Policy window.
  3. Select the SSH tab to enter your SSH setup.


The following options are required to succeed with SSH password-based authentication.

  • SSH username: Username used when authenticating against the target.
  • SSH password: Password used when authenticating against the target.
  • Supported SSH substitute user commands (optional):


Note

The use of the following commands is to execute commands with a different user/privilege escalation.



CommandDescription
sudoThis command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.
doasIt is an OpenBSD based command. 95% of its features are like sudo. https://man.openbsd.org/doas
sesuIt is an IBM implementation of su.
dzdoUsed in Linux/Unix (can be installed at will). An alternative to sudo.
pfexecMostly used in Solaris.
customIt gives a flexibility to use a custom defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


Testing credentials against a specific target is performed within the Test Credentials section.

Public Key Authentication

First generate a public/private keys pair that will identify the user on the server and choose to protect it with password or not.
No password implies that anyone with access to the key files will have the same level of access, and password will not be asked when establishing a connection to the server. Protecting the keys with password means that every time the user attempts to establish a connection to the server using those keys, a password for decryption will be asked.
To succeed with this authentication, it is required that you specify where the authorized keys file is located within the SSHD configuration on the targeted system, located at /etc/ssh/sshd_config.

RSAAuthentication yes 
PubkeyAuthentication yes 
AuthorizedKeysFile 		%h/.ssh/authorized_keys

Note

The SSH key format is PEM

Example:

-----BEGIN RSA PRIVATE KEY-----
MHHDtgjmvgf5jkJHFkjgh23354kjds9834j32hgad76354jhewp89dsfjb45vgf5jkJHFkjgh23354kjds9834j
32hgad76354jhvgf5jkJHFkjgh23354gpjb545dsvFHpuipVAojkJkjds9834j32hgad76354jhgjmvgf5jkJHF
ad76354jhewp89dsfjb45vgf5jkJHFkjgh23354kjds9834j32hgad76354jhvgf5jkJHFkjgh23354kjds9834
piqDWrgpjb545dsvFHpuipVAojkJHFkjgh23354kjdskjgh23354kjds9834j32hg9834j32hgad7imsdflkmD6
45aljhvSALFBewkJ9aafdg82wrq35nk2äj32hgad75jkJ54kjds9834jHFkjgh23354kjds98MHHDtgjmvgf5jk
...
-----END RSA PRIVATE KEY-----


Default location is %h/.ssh/authorized_keys.

  • Once defined, restart the SSH service within the terminal and create the file authorized_keys at the defined location.

    Note

    The authorized_keys should be a text file, and not directory.

  • Once created, copy the public SSH key previously created and paste this string within the authorized_keys file.


Authenticate against the Target

There are three available setups to use authentication against target(s).

Per Target

To access the setup for SSH authentication on a specific target:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right-click on the target entry and choose Edit to display the Maintaining Target window.
  3. Select SSH under Authentication Tab.




The following options are required to succeed with SSH Public Key Authentication.

  • Supported SSH substitute user commands (optional):


Note

The use of the following commands is to execute commands with a different user/privilege escalation.


CommandDescription
sudoThis command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.
doasIt is an OpenBSD based command. 95% of its features are like sudo. https://man.openbsd.org/doas
sesuIt is an IBM implementation of su.
dzdoUsed in Linux/Unix (can be installed at will). An alternative to sudo.
pfexecMostly used in Solaris.
customIt gives a flexibility to use a custom defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


  • SSH public key file: Provide the scanner with the public key that should be used during the authentication.
  • SSH private key file: Provide the scanner with the private key that should be used during the authentication.
  • SSH private key passphrase: Enter the passphrase for the private key. Can be left blank if the private key has no passphrase.

Running Test under Test Credentials will perform authentication against the target to verify if the provided credentials are valid, the test will return with Success if the authentication was successful.

Per Target Group

To access the setup for SSH Authentication for a Target Group:

  1. Go to Main Menu > Netsec > Manage Targets.
  2. Right click on the Target Group entry and choose Set Target Authentication to display the Authentication window.
  3. Select SSH in the drop-down menu.




The following options are required to succeed with SSH Public Key Authentication.

  • Supported SSH substitute user commands (optional):


Note

The use of the following commands is to execute commands with a different user/privilege escalation.


CommandDescription
sudoThis command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.
doasIt is an OpenBSD based command. 95% of its features are similar to sudo. https://man.openbsd.org/doas
sesuIt is an IBM implementation of su.
dzdoUsed in Linux/Unix (can be installed at will). An alternative to sudo.
pfexecMostly used in Solaris.
customIt gives a flexibility to use a custom defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


  • SSH public key file: Provide the scanner with the public key that should be used during the authentication.
  • SSH private key file: Provide the scanner with the private key that should be used during the authentication.
  • SSH private key passphrase: Enter the passphrase for the private key. Can be left blank if the private key has no passphrase.

Running Test under Test Credentials will perform authentication against all targets defined within the Target Group to verify if the provided credentials are valid, the test will return with Success if the authentication was successful.

Per Scan Policy

To access the setup for SSH Authentication for a Scan Policy:

  1. Go to Main Menu > Netsec > Scan Scheduling.
  2. Right click on the desired entry within Scan Policy tab or create a new to display the Maintaining Scanning Policy window.
  3. Select SSH in the drop-down menu and enter your SSH setup.




The following options are required to succeed with SSH Public Key Authentication.

  • Supported SSH substitute user commands (optional):


Note

The use of the following commands is to execute commands with a different user/privilege escalation.


CommandDescription
sudoThis command is found in most of the Linux based systems (or can be installed). Used to execute commands as a different user (other than the one used to log in). From the tools perspective, it uses root account to perform the commands.
doasIt is an OpenBSD based command. 95% of its features are like sudo. https://man.openbsd.org/doas
sesuIt is an IBM implementation of su.
dzdoUsed in Linux/Unix (can be installed at will). An alternative to sudo.
pfexecMostly used in Solaris.
customIt gives a flexibility to use a custom defined privilege escalation command. When this option is selected, a field labeled SSH custom user command is ungrayed for typing in the custom command.


  • SSH public key file: Provide the scanner with the public key that should be used during the authentication.
  • SSH private key file: Provide the scanner with the private key that should be used during the authentication.
  • SSH private key passphrase: Enter the passphrase for the private key. Can be left blank if the private key has no passphrase.

Testing credentials against a specific target is performed within the Test Credentials section.

SSH Commands

The following are some of the SSH commands that are run once the scanner has authenticated successfully.

Note

The commands list is not exhaustive and is subject to change from time to time. Contact the support. for further details.


  • find /var/db/pkg/ -mindepth 2 -maxdepth 2 -printf "%P\\n"
  • /usr/sbin/pkg_info -q
  • xl info
  • openssl version
  • /bin/rpm -qa --qf '%{NAME}|%{EPOCH}:%{VERSION}|%{RELEASE}|%{SOURCERPM}\n'
  • /bin/rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}%{RELEASE}\n'
  • apk info -v
  • sw_vers
  • cd /tmp; rm -f /tmp/bash_outpost24_wkeqrhqrqpq; env 'x=() { (a)=>\' bash -c "bash_outpost24_wkeqrhqrqpq echo vulnerable"; cat /tmp/bash_outpost24_wkeqrhqrqpq
  • ls /lib/libkeyutils.so.1.9 /lib64/libkeyutils.so.1.9 2> /dev/null
  • uname -r
  • grep '"version"' /opt/google/chrome/resources/chromeos/chromevox/manifest.json
  • /usr/bin/model
  • /usr/bin/dpkg-query -W -f='${Package} |${Source} |${Version} |${Status} \n'
  • for f in /Applications/*/Contents/Info.plist; do awk -v FILENAME='$f' '/CFBundleShortVersionString/ { getline; print FILENAME $0 }' "$f"; done
  • /bin/rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}%{RELEASE}\n' | grep 'redhat-release-'
  • convert --version
  • /usr/sbin/swlist -a revision -l fileset
  • instfix -i
  • /usr/bin/ipcs -pm
  • ps ax
  • /usr/bin/ftp about:version
  • for f in /Library/Frameworks/*/Resources/Info.plist; do awk -v FILENAME='$f' '/CFBundleVersion/ { getline; print FILENAME $0 }' "$f"; done
  • show platform
  • /usr/bin/dpkg-query -W -f='${Package} |${Source} |${Version} |${Status} \n'
  • pkg info -l | grep FMRI
  • /usr/bin/ldd --version
  • bash -version
  • /usr/sbin/pkg info -q
  • docker images --format {{.ID}},{{.Repository,{{.Tag}},{{.Digest}},{{.CreatedSince}},{{.CreatedAt}},{{.Size}}
  • cat /etc/version
  • cat /etc/gentoo-release
  • show system info
  • /bin/rpm -Vv keyutils-libs && echo 'SUCCESSFUL COMMAND'
  • file /opt/google/chrome/chrome 2>&1 | grep -q ELF; echo $?
  • uname -a
  • uname -p
  • xe patch-list
  • cat /etc/SuSE-release
  • uname -s
  • apk info
  • echo
  • cat /etc/product
  • show hostinfo 1
  • /usr/bin/wget --version
  • show module
  • show version
  • showrev -p
  • cat /etc/slackware-version
  • cat /etc/ssh/ssh_config
  • pkgutil --pkgs | grep com.apple.pkg.update.security
  • bash -c 'f() { if [ "$1" == 0 ]; then return; fi; sed -n "s/^\([%a-z0-9_-]\+\)\s\+.*/\1/p" "$2"; sed -n "s/^\s*User_Alias\s\+\S\+\s*=\s*\(.*\)/\1/p" "$2" | tr "," "\n"; sed -n "s/^#include\s\+\(.*\).*/\1/p" "$2"; while read -r file; do f $(($1 - 1)) "$file"; done < <(sed -n "s/^#include\s\+\(.*\)/\1/p" "$2"); while read -r dir; do local d=$dir; while read -r file; do f $(($1 - 1)) "$d/$file"; done < <(ls -1 "$dir"); done < <(sed -n "s/^#includedir\s\+\(.*\)/\1/p" "$2"); } && f 128 /etc/sudoers | sed "s/^\s*//;s/\s*$//" | sort -fu'
  • pkg info -l chef
  • cat /etc/redhat-release
  • cat /etc/os-release
  • apk --print-arch
  • grep '"version"' /usr/share/oem/pepper/flash_installed
  • /bin/rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}%{RELEASE}\n' | grep 'centos-release-'
  • procmail -v
  • systemd-detect-virt -q; echo $?
  • cat /proc/self/cgroup
  • lsb_release -a
  • cat /etc/release
  • docker ps --format {{.ID}},{{.Image}},{{.Command}},{{.RunningFor}},{{.Ports}},{{.Status}},{{.Names}},{{.Mounts}},{{.Networks}}
  • oslevel -r
  • show ver
  • env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  • /usr/bin/dpkg-query -W -f='${package}|${version}|${source:package}|${source:version}|${status}\n'

Sudo

To run sudo from Scanner, the following configuration is required within the targets /etc/sudoers file:

Defaults:username !requiretty