CyberCNS Scan Types
- 1 List of Supported Operating Systems for Vulnerability Scan.
- 2 Scan Types
- 2.1 Regular Scan (Full Scan)
- 2.2 Windows
- 2.3 Active Directory
- 2.4 Linux
- 2.5 Network Devices
- 2.6 Asset Discovery Scan
- 2.7 Active Directory Scan
- 2.8 SNMP Scan
- 2.9 Vulnerability Scan
- 2.10 Firewall Scan
- 2.11 Offline Vulnerability Scan
Type of Scan | Vulnerability Scan | Asset Discovery | SNMP Scan | Active Directory Scan | Firewall Scan |
---|---|---|---|---|---|
Full Scan | Yes | Yes | Yes | Yes | Yes |
Asset discovery Scan | Yes | Yes | No | No | No |
Active Directory Scan | Yes | Yes | No | Yes | No |
SNMP Scan | Yes | No | Yes | No | No |
Offline Vulnerability Scan | Yes | No | No | No | No |
Firewall Scan | Yes | No | No | No | Yes |
List of Supported Operating Systems for Vulnerability Scan.
Ubuntu 22.04 LTS | Jammy Jellyfish |
Ubuntu 20.04 LTS | Focal Fossa |
Ubuntu 18.04 LTS | Bionic Beaver |
Ubuntu 16.04 LTS | Xenial Xerus |
Ubuntu 14.04 LTS | Trusty Tahr |
CENT OS | |
CentOS - 4 | |
CentOS - 5 | |
CentOS - 6 | |
CentOS - 7 | |
CentOS - 8 | |
REDHAT LINUX OS | |
RHEL 4 | Nahant |
RHEL 5 | Tikanga |
RHEL 6 | Santiago |
RHEL 7 | Maipo |
RHEL 8 | Ootpa |
DEBIAN OS | |
Debian 7 | Wheezy |
Debian 8 | Jessie |
Debian 9 | Stretch |
Debian 10 | Buster |
Debian 11 | Bullseye |
MAC OS | |
OS X 10.9 | Mavericks (Cabernet) |
OS X 10.10 | Yosemite (Syrah) |
OS X 10.11 | El Capitan (Gala) |
macOS 10.12 | Sierra (Fuji) |
macOS 10.13 | High Sierra (Lobo) |
macOS 10.14 | Mojave (Liberty) |
macOS 10.15 | Catalina (Jazz) |
macOS 11 | Big Sur (GoldenGate) |
macOS 12 | Monterey (Star) |
Microsoft Windows OS | |
Windows 8 (64-bit) | |
Windows 8.1 (64-bit) | |
Windows 10 (64-bit) | |
Windows 11 (64-bit) | |
Windows Server 2012 (64-bit) | |
Windows Server 2012 R2 (64-bit) | |
Windows Server 2016 (64-bit) | |
Windows Server 2019 (64-bit) | |
Windows Server 2022 (64-bit) | |
Scan Types
Regular Scan (Full Scan)
You can initiate a Full Scan for all discovered assets. It checks all the parameters in the Discovery Settings and accordingly initiates the Asset Discovery, Vulnerability, SNMP, Active Directory and Firewall scans. This scan is performed by a regular agent/probe.
CyberCNS runs a vulnerability scan on the asset to build an asset inventory overview, such as installed programs, and to identify the associated vulnerabilities in the asset.
It uses the following techniques to get to the devices:
Windows
It attempts to use the Admin SMB share to send a small executable, called the dissolvable agent, which it then runs on the remote machine to fetch the details. It probes the shares using standard SMB tools and performs an NFS discovery to check for any NFS shares.
Active Directory
It uses LDAP to query the users and groups, using the credentials provided during the AD setup in the AD/Master credentials. It runs PowerShell commands to determine GPOs, security groups, and the memberships of those groups.
Linux
It uses SSH credentials to log in to the machine and uses Linux commands to determine what is running on it.
Network Devices
It uses SNMP to discover the sysObjectID, looks up the version of the device, and then queries the vulnerabilities for that version. It also connects to OEM APIs to get the vulnerability details.
Asset Discovery Scan
In the Discovery Settings for any Company, you can provide IP ranges (IP range/Static IP/CIDR). Once any or all of these are provided, the Asset Discovery scan discovers all the assets available in the specified subnet. You can also exclude an IP range from scanning. Any change made in this section triggers a pop-up asking for a scan.
Active Directory Scan
For a Probe Agent, you can provide Active Directory credentials in the Discovery Settings. Once they are validated, an Active Directory scan is initiated. If SMB is available, a dissolvable agent is used, which creates and executes PowerShell in memory; if SMB is not available, the LDAP protocol is used directly, without any PowerShell scripts.
The Active Directory scan includes the following:
- A scan is performed on the computers detected during the Active Directory scan.
- If any of the Active Directory systems on the list has a lightweight agent or probe agent installed, the asset inventory search for that asset is skipped, as it is already scanned by the local agent.
- On the remaining systems, this scan is carried out using NMAP device discovery.
Prerequisite for AD audit scan
To perform an AD audit on a domain controller, audit events must first be enabled. Once they are enabled, the CyberCNS agent reads the events every 15 minutes and pushes them to your CyberCNS domain.
To verify which audit events are currently enabled, run the following command:
>> auditpol /get /category:*
This command will provide a list of all the audit categories and their status.
To enable the audit events, use the commands given below.
Create a ".bat" file and add the lines below according to your audit requirements, or run individual commands to enable specific audit events. (Ex: AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE )
@echo OFF
Rem Enable Security System Extension
echo Enabling "Security System Extension"
AUDITPOL /SET /SUBCATEGORY:"Security System Extension" /SUCCESS:ENABLE
echo Enabling "Security State Change"
AUDITPOL /SET /SUBCATEGORY:"Security State Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Logon" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Logoff" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Logon/Logoff Events" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Network Policy Server" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Application Generated" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Object Access Events" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Process Creation" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Process Termination" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Authentication Policy Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Authorization Policy Change" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"User Account Management" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Computer Account Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Security Group Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Distribution Group Management" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Directory Service Changes" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Directory Service Access" /SUCCESS:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Other Account Logon Events" /SUCCESS:ENABLE /FAILURE:ENABLE
AUDITPOL /SET /SUBCATEGORY:"Kerberos Authentication Service" /SUCCESS:ENABLE /FAILURE:ENABLE
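To confirm that the settings took effect, the following added example (not part of the CyberCNS documentation or product) parses the CSV report from `auditpol /get /category:* /r` and lists the subcategories still below what the .bat file above sets. The function name `Test-AuditPolicy` and the sample rows are assumptions for illustration, and an English-locale system is assumed.

```powershell
# Added example, not CyberCNS code. Subcategory names and required settings are
# copied from the .bat file above; assumes English-locale auditpol output.
$successAndFailure = 'Logon', 'Network Policy Server', 'Application Generated',
    'User Account Management', 'Other Account Logon Events', 'Kerberos Authentication Service'
$successOnly = 'Security System Extension', 'Security State Change', 'Logoff',
    'Other Logon/Logoff Events', 'Other Object Access Events', 'Process Creation',
    'Process Termination', 'Authentication Policy Change', 'Authorization Policy Change',
    'Computer Account Management', 'Security Group Management',
    'Distribution Group Management', 'Directory Service Changes', 'Directory Service Access'

function Test-AuditPolicy {
    param([string[]]$CsvLines)   # lines produced by: auditpol /get /category:* /r
    $current = @{}
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $current[$_.Subcategory] = $_.'Inclusion Setting'
    }
    foreach ($name in $successAndFailure + $successOnly) {
        $have = [string]$current[$name]               # '' if auditpol did not list it
        $needFailure = $successAndFailure -contains $name
        [pscustomobject]@{
            Subcategory = $name
            Required    = if ($needFailure) { 'Success and Failure' } else { 'Success' }
            Current     = if ($have) { $have } else { 'not reported' }
            Compliant   = ($have -match 'Success') -and (-not $needFailure -or $have -match 'Failure')
        }
    }
}

# Constructed sample of the CSV report (host name, GUID placeholder and rows are made up).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'DC01,System,Logon,{GUID-PLACEHOLDER},Success,'
    'DC01,System,Logoff,{GUID-PLACEHOLDER},Success,'
    'DC01,System,Process Creation,{GUID-PLACEHOLDER},No Auditing,'
)
Test-AuditPolicy $sample | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# On the domain controller (elevated prompt), check the live policy instead:
# Test-AuditPolicy (auditpol /get /category:* /r) | Where-Object { -not $_.Compliant }
```

In the sample, Logon is reported as non-compliant because the .bat file enables both success and failure for it, while Logoff passes with success only.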
SNMP Scan
For network devices, CyberCNS uses an SNMP scan. If a device has SNMP enabled, it reads the SNMP description using the defined SNMP credentials. For supported network devices, it initiates a vulnerability scan as well.
Vulnerability Scan
Once the required credentials and user privileges are defined, the Vulnerability Scan can be initiated. A vulnerability scan discovers vulnerabilities based on the installed security updates. This scan uses the SMB protocol.
Firewall Scan
A selected firewall can be scanned with a Firewall Scan, which helps check the success/failure of certain firewall rules. This scan can be initiated for supported devices.
Offline Vulnerability Scan
An offline vulnerability scan compares the vulnerability data of scanned assets with the CyberCNS vulnerability database to show any new vulnerabilities present in the vulnerable versions. It does not actually scan the asset; it compares the latest scan results with the updated CyberCNS vulnerability database and shows the results. It is a server-side scan and does not depend on any installed agents. This scan runs only if the agent has been offline for more than 48 hours.
For devices that are not domain connected, or that are standalone/remote devices, you can use the Lightweight Agent, which is available for Windows, Linux, or Mac systems. The lightweight agent is used for standalone systems and must be installed on each system. The agent then pushes the report to the CyberCNS portal.