Enterprise Recon Cloud 2.12.0

How To Perform Agentless Scan

Overview

You can use ER Cloud to perform an agentless scan on network Targets via a proxy agent. Agentless scans allow you to perform a scan on a target system without having to:

  1. Install a Node Agent on the Target host, and
  2. Transmit sensitive information over the network to scan it.

Use agentless scans when:

  • The Node Agent is installed on a host other than the Target host.
  • Data transmitted over the network must be kept to a minimum.
  • The Target credential set has the required permissions to read, write and execute on the Target host.
  • The Target host security policy has been configured to allow the scanning engine to be executed locally.

For more information, refer to Agentless Scan Requirements below.

How an Agentless Scan Works

For a more detailed explanation on agentless scans, refer to the Scanning - How Agentless Scan Works section.

Agentless Scan Requirements

Make sure that the Target and Proxy Agent host fulfill the following requirements:

Target host: Windows host
Proxy Agent: Windows Proxy Agent
TCP ports [1]:
  • Port 135, 139 and 445.
  • For Targets running Windows Server 2008 and newer: dynamic ports 9152 - 65535.
  • For Targets running Windows Server 2003 R2 and older: dynamic ports 1024 - 65535.
  WMI can be configured to use static ports instead of dynamic ports.
Requirements:
  • Bi-directional SCP must be allowed between the Target and Proxy Agent host.
  • The Target host security policy must be configured to allow the scanning engine to be executed locally.
  • The Target credential must have the required permissions to read, write and execute on the Target host.

Target host: Linux or UNIX host
Proxy Agent: Windows, Linux or UNIX Proxy Agent
TCP ports [1]:
  • Port 22.
Requirements:
  • Target host must have an SSH server installed and running.
  • Proxy Agent host must have an SSH client installed.
  • Bi-directional SCP must be allowed between the Target and Proxy Agent host.
  • The Target host security policy must be configured to allow the scanning engine to be executed locally.
  • The Target credential must have the required permissions to read, write and execute on the Target host.

Target host: macOS host
Proxy Agent: macOS Proxy Agent
TCP ports [1]:
  • Port 22.
Requirements:
  • Target host must have an SSH server installed and running.
  • Proxy Agent host must have an SSH client installed.
  • For macOS Ventura 13 and above, the "Full Disk Access" feature must be enabled for sshd-keygen-wrapper in the Proxy Agent host.
  • Bi-directional SCP must be allowed between the Target and Proxy Agent host.
  • The Target host security policy must be configured to allow the scanning engine to be executed locally.
  • The Target credential must have the required permissions to read, write and execute on the Target host.

[1] TCP ports on which connections must be allowed.
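
A pre-flight check for the fixed ports and SSH requirements listed above, meant to be run on the Proxy Agent host before a scan is started. This is an added example, not part of ER Cloud or any Ground Labs tooling; the function names, the `ssh_port` parameter and the placeholder host name are assumptions, and the Windows dynamic port range is not probed.

```python
import shutil
import socket

# Fixed TCP ports per Target type, from the requirements above.
# The Windows dynamic port range is not probed.
REQUIRED_PORTS = {"windows": [135, 139, 445], "linux": [22], "unix": [22], "macos": [22]}


def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection from this host to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def ssh_banner(host, port=22, timeout=3.0):
    """Return the SSH identification string, or None if no SSH server answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(255)
    except OSError:
        return None
    for line in data.splitlines():
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace")
    return None


def preflight(host, target_os, ssh_port=22):
    """Return a list of unmet requirements; an empty list means ready."""
    os_key = target_os.lower()
    if os_key not in REQUIRED_PORTS:
        raise ValueError(f"unknown Target type: {target_os}")
    if os_key == "windows":
        return [f"TCP {p} unreachable on {host}"
                for p in REQUIRED_PORTS[os_key] if not port_open(host, p)]
    problems = []
    if ssh_banner(host, ssh_port) is None:
        problems.append(f"no SSH server answering on {host}:{ssh_port}")
    for tool in ("ssh", "scp"):  # SSH client and SCP on the Proxy Agent host
        if shutil.which(tool) is None:
            problems.append(f"{tool} not found on this Proxy Agent host")
    return problems


if __name__ == "__main__":
    # Placeholder host name (assumption); replace with the Target host.
    for issue in preflight("target.example.internal", "linux") or ["ready"]:
        print(issue)
```

An empty result only confirms reachability from the Proxy Agent host; credential permissions and the Target's local execution policy still have to be verified separately.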

Data discovery and remediation using the Agentless Scanning feature require a high level of user permission and data access. An agentless scan or remediation action relies on remote software deployment and remote process execution, which need a higher-than-usual level of access, up to full domain access. This carries inherent risks that could lead to privileged account abuse or data loss.

Before embarking on this approach, Ground Labs recommends considering the Agent-based scanning approach, which can achieve data discovery with a reduced level of user permission whilst offering other performance benefits.

Supported Operating Systems

ER Cloud supports the following operating systems as agentless scan Targets:

Environment (Target Category): Microsoft Windows Desktop (Desktop / Workstation)
Operating System:
  • Windows 10 32-bit/64-bit
  • Windows 11 64-bit

Environment (Target Category): Microsoft Windows Server (Server)
Operating System:
  • Windows Server 2012/2012 R2 64-bit
  • Windows Server 2016 64-bit
  • Windows Server 2019 64-bit
  • Windows Server 2022 64-bit

Environment (Target Category): Linux (Server)
Operating System:
  • Debian 11+ 32-bit/64-bit
  • RHEL 7+ 64-bit
  • Oracle Linux 8 64-bit
  • Ubuntu 16+ 32-bit/64-bit

Environment (Target Category): UNIX (Server)
Operating System:
  • AIX 7.2+
  • FreeBSD 13 32-bit/64-bit
  • FreeBSD 14 32-bit/64-bit
  • Solaris 10+ (Intel x86)
  • Solaris 10+ (SPARC)

Environment (Target Category): macOS (Desktop / Workstation)
Operating System:
  • macOS Monterey 12.0
  • macOS Ventura 13.0
  • macOS Sonoma 14.0

Scans for macOS Target locations:
  • Selecting "All local files" when scanning macOS Targets may cause the same data to be scanned twice. See Exclude the Read-only System Volume from Scans for macOS Target locations for more information.
  • Scanning locations within the top-level Users (/Users) folder requires the "Full Disk Access" feature to be enabled for er2-agent. If locations within the /Users folder are scanned without enabling the required full disk access, these locations will be logged as inaccessible locations. For more information, refer to the Enable Full Disk Access section.

Agentless scans for macOS Ventura 13 and above:
  Performing agentless scans requires the "Full Disk Access" feature to be enabled for sshd-keygen-wrapper in the Proxy Agent host. For more information, refer to the Enable Full Disk Access section.

Microsoft Windows Operating Systems

Ground Labs supports and tests ER Cloud for all Windows versions supported by Microsoft.

Prior versions of Windows may continue to work as expected. However, Ground Labs cannot guarantee support for these versions indefinitely.

Linux Operating Systems

Ground Labs supports and tests ER Cloud for all Linux distributions currently supported by the respective providers.

Prior versions of Linux distributions may continue to work as expected. However, Ground Labs cannot guarantee support for these versions indefinitely.

macOS Operating Systems

Ground Labs supports and tests ER Cloud for all macOS versions supported by Apple Inc.

Prior versions of macOS may continue to work as expected. However, Ground Labs cannot guarantee support for these versions indefinitely.

Start an Agentless Scan

To perform an agentless scan on a Target:

  1. Log in to the ER Cloud Web Console.
  2. Navigate to the Select Locations page by clicking on:
    • Scans > New Scan, or
    • the New Scan button in the Dashboard, Targets, or Scans > Schedule Manager page.
  3. On the Select Locations page, click + Add Unlisted Target.
  4. In the Select Target Type window, choose Server and enter the host name of the Target in the Enter New Target Hostname field.
  5. Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
  6. In the Select Types dialog box, select Target locations from Local Storage or Local Process Memory, select the Target type, and click Done.
  7. In the New Target page:
    1. Assign Target Group - Assign the Target to the Target Group selected from the dropdown box.
    2. Specify the Operating System of the Target - Select the operating system for the Target host from the dropdown box.

  8. Click Next.
  9. The UI prompts you if there is no usable Agent detected on the Target host. Select Would you like to search this target without installing an agent on it? to continue.
  10. In the Credentials Details dialog box, fill in the following fields to configure the credentials and Proxy Agent for the agentless scan, then click Next:
    • Credential Label: Enter a descriptive label for the credential set.
    • Username: Enter the Target host user name.
    • Password: Enter the Target host user password or passphrase for the private key.
    • (Optional) Private Key: Upload the file containing the private key. Only required for Target hosts that use a public key-based authentication method. For more information, refer to Set Up SSH Public Key Authentication.
    • Agent to act as proxy host: Select a suitable Proxy Agent.
  11. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next. Refer to the Use Data Type Profiles section.
  12. Set a scan schedule in the Set Schedule section. Refer to the Set Schedule section.
  13. Click Next.
  14. Review your scan configuration. Once done, click Start Scan.