Infocyte HUNT allows users to store credentials within the tool for authenticating to endpoints within your network. The HUNT server lives within your environment, which means it sits inside your own security controls. Additionally, all credentials are encrypted and stored in a database on the host server and are never shown in plain text to the user; they are only used in the back-end when the server needs to communicate with the endpoints. Since the HUNT server can scan Linux endpoints running openSUSE, Debian, Ubuntu, Red Hat, CentOS, and Fedora, SSH keys can be used to authenticate to those endpoints.
To do this, you must follow the steps listed below:
- Prepare and gather SSH keys on your endpoints.
- If you have multiple Linux endpoints and want to authenticate using SSH on all of them, you will need the public key of each Linux machine.
- If you are not sure how to generate an SSH key on your machine, please see https://www.ssh.com/ssh/keygen/ to learn how to generate one.
- Once the key is generated, you will need to copy the public key from the .ssh folder on the Linux system. We only need the contents of the file, not the file itself. The file with the public key will end in .pub.
- You should also add a passphrase to the SSH key; make a note of it, as Infocyte HUNT will need the passphrase in order to authenticate against the remote endpoint.
- Create a query with an IP, hostname, IP range, or CIDR in HUNT that contains your Linux endpoint.
- Create a new credential with the username and password of your Linux endpoint.
- We need this because, even when we authenticate to the server over SSH using SSH keys, we still need the password to run the script as the root user (via the sudo command).
- Add a new SSH credential, which will include the SSH private key and the SSH passphrase if you set one up.
- Copy and paste the SSH private key into the field.
- Save the query.
- Enumerate the query.
- Check the results of the query in the hosts list to make sure the host you are looking for is there and the credentials are correct.
- If you see a red exclamation mark, you might have entered the wrong username and password for the host. Go to the Credentials menu by clicking into the admin menu and select Credentials. From there, you can click on the credential set you created for the Linux host and reenter the credentials. Enumerate on the query again to test.
Items to note:
- In order for the HUNT server to authenticate with the target SSH host using the private key, the associated public key will need to be appended to the ~/.ssh/authorized_keys file on the target host.
- The file permissions for the authorized_keys file on the remote host will also need to be modified to mode 600.
- The user that creates the SSH key must have admin (sudo) rights on the endpoint. Otherwise, they will be unable to use sudo on the endpoint, which means our scan will not succeed because it will never be launched.
- The HUNT server is using the private key of the Linux host to authenticate as if the HUNT server were the Linux host itself.
- Our HUNT dissolvable agent has been tested on bash, so if your Linux endpoint is set to use another command processor, such as csh, the dissolvable agent will not run.
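The endpoint-side preparation described in the steps and notes above (a passphrase-protected key pair, the public key appended once to ~/.ssh/authorized_keys, and the 600/700 permissions sshd expects) can be scripted. The following is an added example written for this page, not Infocyte's own tooling; the key path, the key comment, and the sample public key line are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example: prepare a Linux endpoint for key-based SSH authentication
# from the HUNT server. Not part of Infocyte HUNT; paths and names are assumed.

# A constructed public key line used by the demo below (not a real key).
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleKeyForDemo0000000000 infocyte-hunt'

# Generate a passphrase-protected key pair with ssh-keygen. The private key
# (the file without the .pub suffix) is what gets pasted into the HUNT SSH
# credential, together with the passphrase. Assumed key name: hunt_scan_key.
generate_hunt_key() {
    key_path="$1"        # e.g. ~/.ssh/hunt_scan_key
    passphrase="$2"      # record it; HUNT needs it to unlock the private key
    ssh-keygen -q -t ed25519 -N "$passphrase" -C "infocyte-hunt" -f "$key_path"
}

# Append one public key line to authorized_keys exactly once (re-running the
# script must not duplicate it) and enforce directory 700 / file 600.
install_authorized_key() {
    auth_file="$1"
    pubkey_line="$2"
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    # -x matches a whole line, -F treats the key as a fixed string (no regex)
    if ! grep -qxF "$pubkey_line" "$auth_file"; then
        printf '%s\n' "$pubkey_line" >> "$auth_file"
    fi
    chmod 600 "$auth_file"
}

# Print the octal mode of a path (GNU stat on Linux, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when authorized_keys is mode 600 and its directory is mode 700,
# which is what the "Items to note" above require before enumerating.
check_authorized_key_perms() {
    auth_file="$1"
    [ "$(file_mode "$auth_file")" = "600" ] || return 1
    [ "$(file_mode "$(dirname "$auth_file")")" = "700" ] || return 1
    return 0
}

# Count the key lines currently installed (used to prove idempotence).
count_authorized_keys() {
    wc -l < "$1" | tr -d ' '
}

# Demo: run the preparation twice against a scratch directory using the
# constructed sample key and verify the outcome. Returns 0 on success.
demo_prepare_endpoint() {
    scratch=$(mktemp -d)
    auth="$scratch/.ssh/authorized_keys"
    install_authorized_key "$auth" "$SAMPLE_PUBKEY"
    install_authorized_key "$auth" "$SAMPLE_PUBKEY"   # second run is a no-op
    [ "$(count_authorized_keys "$auth")" = "1" ] || return 1
    check_authorized_key_perms "$auth" || return 1
    rm -rf "$scratch"
    return 0
}
```

On a real endpoint you would call `generate_hunt_key ~/.ssh/hunt_scan_key 'your-passphrase'`, then `install_authorized_key ~/.ssh/authorized_keys "$(cat ~/.ssh/hunt_scan_key.pub)"`, and paste the contents of ~/.ssh/hunt_scan_key (the private key) into the HUNT SSH credential. Because the scan escalates with sudo, also confirm the account appears in sudoers by running `sudo -l` as that user before enumerating the query.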
Linux distributions Infocyte HUNT can scan:
- Linux kernel 2.6 and above (libc 2.11 and above) [post-2009]
- RHEL/CentOS 5 and above
- Ubuntu 12 and above
- Debian 7 and above
- Fedora 21 and above
- SUSE Linux Enterprise Server 11 Service Pack 4 (SP4) and above