Purpose

This document explains the feature of running an authenticated scan with default credentials found during the scan.

Introduction

The scanner checks various services for default credentials from a list of different vendors by attempting to log in to the respective service, and saves the credentials if a login succeeds. The complementary scan described here runs only against SSH and SMB services.

Complementary Authenticated Scan

The Complementary Authenticated Scan performs a limited-scope SSH/SMB authenticated scan using the default credentials found by harass. For the SSH authenticated scan, the ssh-commands scanning components are used; for the SMB authenticated scan, the psh-commands and remote-registry scanning components are used. If multiple default credentials are found on a target, the complementary authenticated scan is performed only once, using the credential set at the top of the list.

Scope of Scan

Use case

The Complementary Authenticated Scan originated from a PCI scan in which the target ran an SSH service on the default SSH port with the vendor's default credentials, <vendor:vendor> as username:password. No other port was present that gave any useful information about the target. A PCI scan is originally an unauthenticated scan, so the scanner was unable to deduce what kind of system the target was; the SSH port was the only port that could give some information about it.

Scope

Taking this use case into consideration, the idea was formed to perform a limited-scope authenticated scan to determine the kind of operating system and its version.

The scope of the implementation was later extended from SSH to SMB as well. In conclusion, this feature detects the operating system version of the target via SSH and/or SMB authentication using the found default credentials.

Controllability of the Scan

Case-1

If the Disable logins checkbox is checked in the scan configuration, the complementary authenticated scan will not run.

Case-2

If the scan has already been configured with working/valid credentials (that is, it is already an authenticated scan), the complementary authenticated scan will not run.

Case-3

If no default credentials are found, the complementary authenticated scan will not run.
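The three gating rules above, the top-of-list credential selection described under Complementary Authenticated Scan, and the limited-scope OS detection over SSH and SMB can be modelled in a few functions. The following Python is an added example, not Outpost24's code or a description of how OUTSCAN implements the feature; the class shapes, function names, and the /etc/os-release, uname and registry sample outputs are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Credential:
    """One default credential set saved by the credential check (constructed shape)."""
    username: str
    password: str
    service: str  # "ssh" or "smb"


@dataclass
class ScanConfig:
    """The two scan-configuration inputs the gating rules depend on (constructed shape)."""
    disable_logins: bool = False                                       # the "Disable logins" checkbox
    configured_credentials: List[str] = field(default_factory=list)    # valid credentials already supplied


def select_complementary_credentials(config: ScanConfig,
                                     found: List[Credential]) -> Optional[Credential]:
    """Return the credential set the complementary scan should use, or None if it must not run.

    Case-1: "Disable logins" is checked            -> do not run.
    Case-2: scan already has working credentials   -> do not run.
    Case-3: no default credentials were found      -> do not run.
    Otherwise the scan runs once, with the first (top-of-list) credential set only.
    """
    if config.disable_logins:
        return None
    if config.configured_credentials:
        return None
    if not found:
        return None
    return found[0]


def os_from_ssh_output(os_release: str, uname_r: str) -> Dict[str, str]:
    """Derive OS name and version from what an ssh-commands style component would collect:
    the contents of /etc/os-release and the output of `uname -r`."""
    fields: Dict[str, str] = {}
    for line in os_release.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks and comments
        key, _, value = line.partition("=")
        fields[key] = value.strip().strip('"')  # os-release values may be quoted
    return {
        "os": fields.get("NAME", "unknown"),
        "version": fields.get("VERSION_ID", "unknown"),
        "kernel": uname_r.strip(),
    }


def os_from_registry(values: Dict[str, object]) -> Dict[str, str]:
    """Derive OS name, version and build from the
    HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion values a remote-registry
    style component would read (DisplayVersion is preferred, ReleaseId is the fallback)."""
    version = values.get("DisplayVersion") or values.get("ReleaseId") or "unknown"
    return {
        "os": str(values.get("ProductName", "unknown")),
        "version": str(version),
        "build": f"{values.get('CurrentBuildNumber', '?')}.{values.get('UBR', '?')}",
    }


# Constructed sample outputs standing in for what the authenticated components would return.
SAMPLE_OS_RELEASE = '''NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
VERSION_ID="20.04"
PRETTY_NAME="Ubuntu 20.04.6 LTS"
'''
SAMPLE_UNAME_R = "5.4.0-150-generic\n"
SAMPLE_REGISTRY: Dict[str, object] = {
    "ProductName": "Windows Server 2019 Standard",
    "ReleaseId": "1809",
    "CurrentBuildNumber": "17763",
    "UBR": 4252,
}


if __name__ == "__main__":
    found = [Credential("vendor", "vendor", "ssh"), Credential("admin", "admin", "smb")]
    print("credential set used:", select_complementary_credentials(ScanConfig(), found))  # first set only
    print("blocked (Disable logins):",
          select_complementary_credentials(ScanConfig(disable_logins=True), found))
    print("ssh result:", os_from_ssh_output(SAMPLE_OS_RELEASE, SAMPLE_UNAME_R))
    print("smb result:", os_from_registry(SAMPLE_REGISTRY))
```

Keeping the gating logic in one function makes the three cases easy to audit and test independently of the scanning components, and the parsers only consume text already collected by an authenticated session, which keeps the complementary scan's footprint to the OS identification the feature is scoped for.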


Copyright

© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.