Installing scan agents on Linux (Debian Distribution)
If you want to scan a website in a demilitarized zone (DMZ) or on an internal network that is not publicly accessible, you can install Invicti scan agents in your network. The agent will conduct the actual scan job and then report the results back to Invicti Enterprise.
In addition to the scanning agent, you can install an authentication verifier agent on your network that will verify the form authentication on your website. For further information, see Installing Authentication Verifier Agents.
You can install the agent on a Linux operating system. If you choose this installation, you must install some dependencies on the system, such as .NET and Mono. Mono is a software platform, part of the .NET Foundation, designed to allow developers to easily create cross-platform applications.
This topic explains how to install an Invicti Enterprise scanning agent on Linux (Debian distribution) operating systems. To install the scan agent in Red Hat distributions, please see Installing a Scan Agent on Linux (RedHat Distribution).
The instructions below were tested on Debian 9, Debian 10, Ubuntu 18.04, and Ubuntu 20.04.
There are three stages to this process:
- Download the Invicti Enterprise agent file
- Install the Invicti agent
- Configure the Invicti agent as a Linux service
Prerequisites
Hardware Requirements
- 1.4 GHz Processor (2.0 GHz or faster recommended)
- 4 GB RAM or higher recommended
- 10 GB Free Disk space for each internal agent
Network Requirements
- Agent should be configured so that it can reach your internal website through HTTP/HTTPS.
- Agent needs to be able to access the Invicti Enterprise Application Server’s HTTP(S) (443) port.
Allowlisting Requirements
- www.invicti.com
- netsparker.com
- r87.me
- Allowlist the following addresses according to your region:
  - US region: 54.85.169.114, 3.232.155.177, netsparkercloud.com, s3.us-east-1.amazonaws.com
  - EU region: 3.122.90.89, 3.71.172.17, eu.netsparker.cloud, s3.eu-central-1.amazonaws.com
  - CA region: 15.223.111.146, 3.99.19.87, 3.96.72.255, ca.netsparker.cloud, s3.ca-central-1.amazonaws.com
Required Access
- User(s) must have root privileges to run the required commands. No root privileges? Install docker agent.
Downloading the Agent
You need to download the installation files of the agent to a machine on your internal network.
How to Download a Scan Agent in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, go to Agents > Manage Agents > Configure New Agent.
- From the Agent section, select Linux to download the required files to install the scan agent.
Installing the Agent
Once you download the required file, you can install an Invicti Enterprise agent in your environment.
How to Install an Invicti Enterprise Agent
- Open a terminal window.
- Update the following operating system application repositories:
sudo apt update && sudo apt upgrade -y
- Install the following dependent packages:
sudo apt install -y wget gss-ntlmssp nano mono-complete apt-transport-https \
p7zip-full libarchive-tools
Please make sure that your Mono version is 5.20 or above. For further information, please see How to update Mono.
- Next, install dotnet-sdk-3.1 for Linux operating systems. (This 4th step is only required for internal agents older than version 2.0.2.157.)
If you've already installed the SDK or runtime, use the dotnet --list-sdks and dotnet --list-runtimes commands to see which versions are installed.
wget https://packages.microsoft.com/config/debian/10/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb && sudo apt update
sudo apt install -y dotnet-sdk-3.1
- Create a folder for the Invicti scanner dependency:
sudo mkdir -p /home/[YOUR_USER]/.local/share/Netsparker_Ltd
sudo chown -R [YOUR_USER] /home/[YOUR_USER]/.local/share/Netsparker_Ltd
[YOUR_USER] in the 5th step must be the same as [YOUR_USER] in the unit file described later in this article.
- Install the Headless Chrome browser dependencies:
sudo apt install -y gconf-service libasound2 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release xdg-utils libgdiplus
On Kali distributions only, you may face a problem while installing the libappindicator1 dependency specified in the 6th step. If you do, see Adding Debian Repository to the sources.list in Kali Rolling.
- Next, extract the TAR file. To extract the scan agent, run the following commands:
cd /home/[YOUR_USER]
tar -xvf Invicti_Enterprise_Scanner_Agent.tar --one-top-level
Open the appsettings.json file in any text editor you prefer to enter the necessary information, such as ApiToken:
cd /home/[YOUR_USER]/Invicti_Enterprise_Scanner_Agent
nano appsettings.json
These settings will be used by the agent:
- AgentName: This can be anything you want. This text will be displayed when you are starting a new scan. (If you are going to install more than one instance of the agent, you must set a unique AgentName value for each instance, something you will use later.)
- AgentType: This can be Standard or Cloud. If you want to use Cloud Provider for scanning, AgentType must be Cloud.
- ApiToken: In Invicti Enterprise, the Agent Token is displayed in the Configure New Agent window. Copy the value into the ApiToken field. (For further information, see How to Get an Agent Token for the Scan Agent.)
- ApiRootUrl: This is the URL of Invicti Enterprise or the Invicti Enterprise On-Premises.
(Add "www" to your ApiRootUrl)
Changing default scan data folder for the scanner agent
To change the default scan data folder, add the following attribute under AgentInfo:
"ScanDataFolderPath": "FullPath"
The full path, for example, can be the following: /home/[YOUR_USER]/[Scan data folder]/
If you modify an existing agent's appsettings.json file, you need to restart the service. If you add this line for a new agent, you can keep following the installation instructions.
How to Update Mono
You need to update Mono so that the Invicti Helper Service can work properly. You can update Mono as specified below:
For Ubuntu 18.04:
- sudo apt install gnupg ca-certificates
- sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
- echo "deb https://download.mono-project.com/repo/ubuntu stable-bionic/snapshots/5.20 main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
- sudo apt update
- sudo apt install mono-runtime
For Debian 9:
- sudo apt install dirmngr gnupg ca-certificates
- sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
- echo "deb https://download.mono-project.com/repo/debian stable-stretch/snapshots/5.20 main" | sudo tee /etc/apt/sources.list.d/mono-official-stable.list
- sudo apt update
- sudo apt install mono-runtime
How to Add Debian Repository to the sources.list in the Kali Rolling Distribution
You need to add the Debian repository to the sources.list file in Kali Rolling so that you can install libappindicator1 for the Headless Chrome browser dependencies.
- Open a terminal window.
- sudo nano /etc/apt/sources.list
- Add the following lines to the sources.list file:
deb http://deb.debian.org/debian buster main contrib non-free
deb-src http://deb.debian.org/debian buster main contrib non-free
- Save and close the document.
- sudo apt update
- sudo apt install libappindicator1
Once you install the libappindicator1, you can resume Installing the Agent with the 7th step.
To detect out-of-band vulnerabilities via Invicti Hawk, please allowlist the following ports on your agent server: TCP 80 and 443, UDP 53. For further information about Invicti Hawk, see How Invicti Hawk Finds Vulnerabilities.
Setting Agent as a Linux Service
An internal agent should be configured as a Linux service so that it can poll the Invicti Enterprise servers regularly and can take the scan initiation command from the server.
Additionally, you can update the scan agent or enable it to auto-update itself. For further information about the agent update, see Auto-Update Support for Scanner Agents.
You can complete this process in three steps:
Add a Unit File for an Invicti Agent
- Open a terminal window.
- cd /etc/systemd/system
- sudo touch [YOUR_AGENT_NAME].service
- sudo nano [YOUR_AGENT_NAME].service
The AgentName in the appsettings.json file and the unit file name for the agent must be the same. This is required to start the scan agent as a Linux service and to update the scan agent when a new version is released.
- Add the following script into [YOUR_AGENT_NAME].service
For internal agents older than 2.0.2.157, use the following script:
[Unit]
Description=netsparker.service description
[Service]
Type=notify
KillMode=process
Restart=always
RestartSec=30
SyslogIdentifier=[YOUR_USER]
KillSignal=SIGINT
User=[YOUR_USER]
WorkingDirectory=[YOUR_AGENT_DIRECTORY_PATH]
ExecStart=/usr/bin/dotnet [YOUR_AGENT_DIRECTORY_PATH]/Netsparker.Cloud.Agent.dll
ExecStop=/usr/bin/pkill -f "[YOUR_AGENT_DIRECTORY_PATH]/Nhs/NetsparkerHelperService.exe"
[Install]
WantedBy=multi-user.target
For internal agents version 2.0.2.157 or newer, use the following script:
[Unit]
Description=netsparker.service description
[Service]
Type=notify
KillMode=process
Restart=always
RestartSec=30
SyslogIdentifier=[YOUR_USER]
KillSignal=SIGINT
User=[YOUR_USER]
WorkingDirectory=[YOUR_AGENT_DIRECTORY_PATH]
ExecStart=[YOUR_AGENT_DIRECTORY_PATH]/Netsparker.Cloud.Agent
ExecStop=/usr/bin/pkill -f "[YOUR_AGENT_DIRECTORY_PATH]/Nhs/NetsparkerHelperService.exe"
[Install]
WantedBy=multi-user.target
Save and close the document.
Configure Sudoers for an Invicti Agent
- sudo touch /etc/sudoers.d/[YOUR_AGENT_NAME]-systemctl
- sudo visudo -f /etc/sudoers.d/[YOUR_AGENT_NAME]-systemctl
- Add the following script into [YOUR_AGENT_NAME]-systemctl
[YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl start [YOUR_AGENT_NAME].service
[YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl stop [YOUR_AGENT_NAME].service
Save and close the document.
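The AgentName in appsettings.json, the unit file name, the User= entry and the two sudoers rules all have to agree, and the sudoers file should grant nothing beyond those two rules. The following check is an added example, not part of Invicti's documentation or tooling; the function names, the agent name dmz-agent-01, the user scanner and the single-line "AgentName": "..." layout of appsettings.json are assumptions, and the sample files are constructed.

```sh
#!/bin/sh
# Added example: cross-check the names this guide says must agree.
# Assumption: appsettings.json carries "AgentName": "<name>" on a single line.

# Print the AgentName value found in an appsettings.json file.
agent_name() {
    sed -n 's/.*"AgentName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the value of one key (for example User) from a systemd unit file.
unit_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_agent <appsettings.json> <unit file> <sudoers drop-in>
# Prints one line per mismatch; returns 0 only when nothing was printed.
check_agent() {
    name=$(agent_name "$1"); user=$(unit_value "$2" User); ok=0
    [ -n "$name" ] || { echo "no AgentName in $1"; ok=1; }
    [ -n "$user" ] || { echo "no User= in $2"; ok=1; }
    [ "$(basename "$2")" = "$name.service" ] ||
        { echo "unit file is not named $name.service"; ok=1; }
    for verb in start stop; do
        rule="$user ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl $verb $name.service"
        grep -qxF "$rule" "$3" || { echo "sudoers lacks: $rule"; ok=1; }
    done
    # The guide grants exactly two NOPASSWD rules; anything else is broader.
    count=$(grep -c 'NOPASSWD' "$3" || true)
    [ "$count" -eq 2 ] || { echo "sudoers has $count NOPASSWD rules, not 2"; ok=1; }
    return "$ok"
}

# Constructed sample files (hypothetical agent "dmz-agent-01", user "scanner").
demo=$(mktemp -d)
printf '{ "AgentInfo": {\n  "AgentName": "dmz-agent-01",\n  "AgentType": "Standard"\n} }\n' \
    > "$demo/appsettings.json"
printf '[Service]\nType=notify\nUser=scanner\n' > "$demo/dmz-agent-01.service"
for verb in start stop; do
    echo "scanner ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl $verb dmz-agent-01.service"
done > "$demo/dmz-agent-01-systemctl"

check_agent "$demo/appsettings.json" "$demo/dmz-agent-01.service" \
    "$demo/dmz-agent-01-systemctl" && echo "names and sudoers rules are consistent"
```

On a real host, pass the agent's appsettings.json, /etc/systemd/system/[YOUR_AGENT_NAME].service and /etc/sudoers.d/[YOUR_AGENT_NAME]-systemctl; reading the sudoers file requires root.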
Start Invicti Enterprise Agent as a Linux Service
- sudo systemctl daemon-reload
- sudo systemctl start [YOUR_AGENT_NAME].service
You can now check the status of the connection between Invicti Enterprise and the scan agent. From the Agents menu, click Manage Agents. The Agents window is displayed.
Any changes in the appsettings.json file, such as setting a proxy or changing the API Token, require restarting the service so that the changes can take effect.
To keep the scanning agent service running after the machine where the Agent is installed reboots, do the following:
- Open a terminal.
- Run the following code:
sudo systemctl enable [YOUR_AGENT_NAME].service
You can set a proxy for the scanning agent in Invicti Enterprise. For further information about the proxy, see Setting Proxy in Scanner Agents. Using Proxy Auto-Configuration? For further information, see Using Proxy Auto-Configuration file.
Defining and Scanning an Internal Website in Invicti Enterprise
Now that you have installed a scanning agent in your infrastructure, you should configure Invicti Enterprise to let it know which websites should be scanned with an internal agent rather than with the built-in agents.
How to Define an Internal Website in Invicti Enterprise
- Log in to Invicti Enterprise.
- From the main menu, select Websites > New Website.
- Enter your internal website details (see Adding a Website in Invicti Enterprise).
- From the Agent mode field, select Internal.
- Select Save.
How to Scan an Internal Website with Agent
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- From the Target URL field, select your Internal Website (if the field is not already populated).
- The Preferred Agent field is already selected by default. Your newly installed scanning Agent is displayed as an option. If you installed more than one instance, select the one which can access your Internal Website. If any of them can access your Internal Website, select the default option Any of the available agents. By selecting this, one of the idle agents will scan your website.
- Select Launch. (For simplicity, optimization and other settings are ignored in this procedure.)
Your scan has been started in the Queued state. Shortly, you will see that its status changes to Scanning. Once it is completed, you will be able to explore the vulnerabilities found on your website.
Installing Multiple Agents on the Same Operating System
You can install more than one agent in Linux.
How to Install Multiple Agents on the Same Operating System
- Open a terminal window.
- Create a new folder for the new agent.
- Copy the TAR file into the new folder, and extract the TAR file.
- Follow the instructions in Installing the Agent and Setting Agent as a Linux Service.
Make sure that you entered a different name for the new agent.
For further information about managing agents, see Managing Groups.
How to Get an Agent Token for the Scan Agent
- Log in to Invicti Enterprise.
- From the main menu, select Agents > Manage Agents > Configure New Agent.
- In the Agent Token field, select Copy to clipboard.