Probes/Agents
- 1 Introduction
- 2 Company Level
- 2.1 Discovery Settings
- 2.1.1 IP Ranges
- 2.1.1.1 Copy To Probe
- 2.1.2 SNMP Credentials
- 2.1.3 Active Directory Credentials
- 2.1.3.1 Exclude IP
- 2.1.4 Master Credentials
- 2.1.5 Performance Management
- 2.1.6 Brute Force Settings
- 2.1.1 IP Ranges
- 2.2 Uninstall Probe/Agents
- 2.3 Delete Probe/Agents
- 2.4 Fetch Event Logs
- 2.5 Agent Update Info
- 2.6 Migrate to Lightweight Agent
- 2.7 Migrate to Probe
- 2.8 Deprecated Agent
- 2.1 Discovery Settings
- 3 Global Level
Introduction
CyberCNS (ConnectSecure) provides three kinds of scans on each Asset. The objective and capability of each of the scans are different. (Please see the picture below)
Lightweight Agent Scan - gives an internal view of the asset (reported as vulnerabilities, patches, etc)
Probe Scan - gives an external view of the asset, placed between the Firewall and the asset (open ports reachable from within the network, TLS, SSL)
External Scan - gives an external view of the asset, placed outside the Firewall and reaching out to the asset (reported as Network Scan Findings, TLS, SSL, open ports reachable through the Firewall)
Each of these gives a different view of the asset and is available to view in the Asset View.
Please note that Apache and PHP are visible through either a Probe scan and/or an External Scan. Since these findings from different scans reveal different things from different viewpoints, there isn't much to tally or reconcile.
Company Level
Once the agent installation is successful, Navigate to the Probe / Agents tab to view the installed agent along with the details of Hostname, Version, Agent Type, IP, OS Type, Installed On, Last Scanned Time, Last PII Scan Time, Last Ping Time, and whether the agent is Online (If the agent is online it shows in green) or Offline (if the agent is offline it shows in red).
Probe Agents, Lightweight agents and Deprecated Agents are separated in the Probe/Agent section. Probe Agent scan and Lightweight agent scan can be separately and manually triggered at the Company Level.
Full Scan, Asset Scan, Active Directory Scan, Offline Vulnerability Scan, Firewall Scan, Lightweight Agent Scan, and PII Scan are the scan types available on the top of the page, where the scan for the agent can be done using these options based on the requirement. When the scan is completed, it will successfully upload the results to the company from where this agent was downloaded under the https://cybercns.atlassian.net/wiki/spaces/Verison2/pages/1579384899 section.
Discovery Settings
In the depicted below image using the Action column addition of Discovery settings or Uninstall of the agent can be carried out.
Under Discovery settings, IP ranges credentials, SNMP credentials, Active Directory credentials, Master Credentials, Performance Management, and Brute Force Settings can be added.
IP Ranges
In the IP Ranges click on +Add to add the IP ranges and can add single/multiple entries.
Addition of IP Ranges, CIDR, Static IP, and Domain Name to discover the assets and provide your IP/subnets to scan using the agent and can also add multiple entries here OR exclude the Subnet/IP from scanning.
In IP ranges, if CIDR is chosen as Discovery Type then enter the Name and select the Netmask value as required.
Click on Save once the above credentials are provided.
In IP ranges, if IP Range is chosen as Discovery Type then enter the Name and the End IP address.
Click on Save once the above credentials are provided.
In IP ranges, if Static IP is chosen as Discovery Type then enter the Name and Start IP address.
Click on Save once the above credentials are provided.
The domain name functions as a link to the IP address. Links do not contain actual information, but they do point to the place where the IP address information resides. It is convenient to think of IP addresses as the actual code and the domain name as a nickname for that code.
In IP ranges, if the Domain Name is chosen as the Discovery Type then enter the name of your choice and the Domain name to be scanned, Exclude IP from scanning, and add the IP Ranges to be excluded from Scan.
Click on Save once the above credentials are provided.
Once the above details are Saved, the IP Ranges will be notified and an, IP added successfully message.
There is an option to Edit and Delete the IP Ranges using the Action column. Any IP Ranges can be edited and deleted if needed.
Copy To Probe
From one probe agent to another probe agent, the IP range will be copied within the same company. Duplicates will be discarded.
Select the company under which the probe agent’s discovery settings (Only IP Ranges) are to be copied to another probe agent.
Navigate to Probes/Agents, under the Action column, select a probe agent, and click on Discovery settings.
In the IP ranges section, under the action column, click on copy to probe option to copy all the IP details to another probe agent for the same company.
Here as shown in the depicted image, select the probe from the dropdown as needed.
Once the destination probe agent, click on copy option.
When the IP ranges are copied to the probe agent, will get a pop-up message as Copied successfully.
SNMP Credentials
The SNMP is used for the scanning of supported network devices using SNMP v1/v2 OR SNMP v3.
SNMP read-only credentials can be added under the SNMP Credentials section for network devices.
There are two options available for adding SNMP Credentials, they are SNMP v1/v2 and SNMP v3.
Click on +Add to add the SNMP v1/v2 Credentials and can add single/multiple entries.
In the depicted below image, you can choose either SNMP v1 or SNMP v2 as per the requirement.
Enter the Name and SNMP v1/v2 community string for network devices vulnerability scan and choose the type of version while adding SNMP credentials as per the requirement.
Once the details are provided click on Save.
Once the above details are Saved, the SNMP credentials save will be notified as, SNMP v1 added successfully, message.
There is an option to Edit and Delete the SNMP credentials using the Action column. Any SNMP credentials v1/v2 can be edited and deleted if needed.
If SNMP v3 is chosen click on +Add to add the SNMP v3 credentials and can add single/multiple entries.
In the depicted below the image select any one of the Auth Protocol and the Privacy Protocol.
Now, enter the details of Name, Security Name, Auth Password, and Privacy Password, and click on Save.
Once the above details are Saved, the SNMP credentials will be notified by, the SNMP v3 added successfully, message.
There is an option to Edit and Delete the SNMP credentials using the Action column. Any SNMP v3 credentials can be edited and deleted if needed.
Active Directory Credentials
Active Directory credentials are used to discover the assets and information from computers that are part of the AD network.
Click on +Add to add the Active Directory Credentials and can add single/multiple entries.
Active Directory credentials will have access to all the computers under AD. To only apply these credentials to limited IP ranges, please use Exclude IP section and add the IP Ranges to be excluded from the Active Directory Scan.
How you can find out the name and IP address of the AD domain controller on your network in Linux?
You can use Nslookup is a command-line tool that displays information you can use to diagnose Domain Name System (DNS) infrastructure.
Click Start, and then click Run.
In the Open box, type cmd.
Type nslookup, and then press ENTER.
Typeset type=all, and then press ENTER.
Type _ldap._tcp.dc._msdcs.Domain_Name, where Domain_Name is the name of your domain, and then press ENTER.
How do I get to Active Directory on Mac?
Click on the Apple logo > System Preferences...> User & Groups.
Click Login Options — click the lock icon to unlock it.
Next to Network Account Server, click Join...
Click Open Directory Utility...
How do I get to Active Directory on Windows?
Refer to this link for Active Directory on Windows To open on Windows.
Now, enter the details of Name, Domain, Active Directory Domain Controller Name/ IP address, User Name, and Password.
Next, click on Save when the above details are provided.
Once the above details are Saved, the Active Directory credentials will be notified by the Active Directory Credentials added successfully, message.
There is an option to Edit and Delete the Active Directory credentials using the Action column. Any Active Directory credentials can be edited and deleted if needed.
Exclude IP
This Tab allows you to configure the IP Addresses that can be excluded from scanning which is a part of the Active Directory discovery settings.
Click on +Add to add the Exclude IP.
Addition of IP Ranges, CIDR, Static IP, and Domain Name to discover the assets and provide your IP/subnets to scan using the agent and can also add multiple entries here OR exclude the Subnet/IP from scanning.
Master Credentials
To add Master Credentials click on +Add and can add single/multiple entries.
If you enter credentials for VMWare in the master credentials section, the agent will select and use any VMWare devices discovered as per the discovery settings, and if the corresponding port is open (port 22 for VMWare or Linux, port 445 for Windows) the scans will be successful.
Even if the VMWare/ESXI host is not authenticated, we are attempting to extract information about the version and build from packet headers obtained through various network protocols supported by VMWare including VCenter.
In Master Credentials, when the master credentials are provided, from the next scan, every vulnerability scan will try to scan with those credentials.
Select the Type of Asset as per the requirement.
Now, enter the details of your Name, Username, Password, and Domain.
When the above details are provided click on Save.
Once the above details are Saved, the Master credentials will be notified by the Asset Credentials added successfully, message.
There is an option to Edit and Delete the Master credentials using the Action column. Any Master credentials can be edited and deleted if needed.
To scan Azure AD Assets:
Azure AD users can not access a local network share directly. If they have a local Active Directory and it is connected to the Azure AD using Azure Connect, then users will sync with Azure AD and the local AD post which they can access ADMIN$.
For Granting permissions to Azure AD users for local network share:
You must install and configure an Azure AD Connect
After that, you must join your VM in Azure to the Domain Controller.
And finally set a user from your domain controller.
Performance Management
Brute Force Settings
Users can enable/disable “Brute Force Settings” from this section of discovery settings for the Probe Agent. Also, a specific port number can be provided.
It checks for default ssh credentials and populates the data under Network Scan Findings.
Uninstall Probe/Agents
As depicted in the below image can choose to uninstall the Probe/Agents as required.
Once the uninstall option is chosen, a confirmation dialogue box with Yes or No options appears to confirm uninstall choice once again.
In case, yes is selected, the Probe/Agent is notified by the Uninstalling initiated.., message.
Upon successful uninstallation, the Probe/Agents will start appearing offline in the CyberCNS portal.
For an Uninstallation and deletion of the agent, follow below steps given below:
The CyberCNSAgentV2 folder must not exist on the system. Please delete it if it exists.
Windows services cybercnsagentv2 and cybercnsagentmonitor should not be running and should not exist. If they exist, please stop the services and then delete them using the following commands
--> Open the command prompt, and Run as administrator.
--> sc.exe delete cybercnsagentv2
--> sc.exe delete cybercnsagentmonitor
Delete Probe/Agents
As depicted in the below image can choose to delete the Probe/Agents as required.
Multiple agents can be deleted or uninstalled using the Actions option.
Once the delete option is chosen, a confirmation dialog box with Yes or No options appears to confirm the delete choice once again.
Upon successful deletion, the Probe/Agents will disappear in the CyberCNS portal.
Fetch Event Logs
Navigate to Probes/Agents to fetch the Event logs for the required agent.
To fetch the event logs choose the Start date and the End date and click on the Fetch option.
Navigate to the Jobs> Agent Event Logs section, to view the job status. Once the job is completed successfully, using the action column download the event logs. The downloaded event logs will be in the Xlsx format.
Agent Update Info
Navigate to Probes/Agents, to get the Agent Update Info.
Once the agent is updated to the latest version, the agent log of the update to the latest version will be generated. It will display the agent update logs on the pop-up screen as shown below.
Migrate to Lightweight Agent
Navigate to Probes/Agents.
Select the appropriate probe agent to be migrated to the lightweight agent.
Select Migrate to Lightweight option under the Action column.
It will ask for confirmation with the warning. Click Yes to migrate from probe to lightweight.
Before migration from Probe Agent to lightweight agent, the asset shows PROBE_ASSET as a tag under Active Assets.
After migration from probe Agent to lightweight agent, the asset will show LIGHTWEIGHTAGENT as a tag under Active Assets.
Migrate to Probe
Navigate to Probes/Agents.
Select the appropriate lightweight agent to be migrated to the probe agent.
Select the Migrate to Probe option under the Action column.
It will ask for confirmation with the warning. Click Yes to migrate from lightweight to probe.
Before migration from lightweight Agent to probe agent, the asset shows LIGHTWEIGHTAGENT as a tag under Active Assets.
After migration from lightweight Agent to probe agent, the asset will show PROBE_ASSET as a tag under Active Assets.
Deprecated Agent
In the image below please enter the agent deprecation days as per the requirement. Once set, for the agent offline days, the deprecation value will be considered only if the entered days are more than the Last Ping time and the deprecated agents will be moved to the Deprecated Agents section.
Once the details are Saved, the Asset Deprecation Days will be Updated successfully.
Here can get the details of the agent/s being deprecated under the Deprecated Agent section.
Deprecate Agent can be restored and Deleted using the Restore and Delete under Action.
Global Level
To get all the agents of all the companies, Navigate to the Probe / Agents tab to view the installed agent along with the details of Hostname, Version, IP, OS Type, Installed On, Last Scanned Time, Last PII Scan Time, Last Ping Time, Company name, and whether the agent is Online (If the agent is online it shows in green) or Offline (if the agent is offline it shows in red).
The Probes/Agent tab lists all the agents installed across all the companies.
The Lightweight agent tab lists all the lightweight agents installed across all the companies.
When the agent is offline deprecation value will be considered and the deprecated agents will be moved to the Deprecated Agents tab.
It lists all the agents deprecated across all the companies.
The Bulk delete option allows for the Uninstallation, Deletion, Update Performance Management, or Depreciation of multiple agents(Probe/Lightweight) in Global Actions.
Agents can be Uninstalled, Deleted, or Deprecated. Additionally, they can fetch Event logs and provide Agent Update Info.
This completes the Probe/Agents.