DeepSurface RiskAnalyzer can be configured to perform credentialed scans by connecting to devices over one of several protocols and logging in with provided credentials. Both the DeepSurface Main Console and Subordinate scanners can be configured for scanning.
Regardless of the type of devices being scanned, the DeepSurface appliance should be configured with a valid DNS server that can provide information on the devices in the environment. Of particular interest are PTR (reverse DNS) records for host IP addresses, which are often provided by Windows domain controllers through the Active Directory-integrated DNS servers.
When performing credentialed scans, the Main Console is configured with target IP address ranges which RiskAnalyzer uses to first discover live hosts before attempting to authenticate. The discovery phase involves a combination of ICMP traffic (echo, timestamp, etc.), DNS requests, and simple TCP port scans to find systems that are responding. TCP discovery scanning targets about 10 common services by default, but this port list can be configured; a host that does not answer ICMP and listens on none of the discovery ports may not be detected, so extend the list when targets expose only non-default services.
Once an IP address is identified as being "alive", authenticated scanning commences. Each credential configured for the scan group is attempted on each IP until one is successful. Note that failed attempts with domain accounts count toward Windows account lockout thresholds, so avoid configuring many credentials that will fail against most hosts. Port requirements for each operating system's authenticated scans are detailed below.
The following network requirements apply when scanning Windows devices:
SMB or WinRM
To gain access to run scripts on each Windows device, RiskAnalyzer must be able to log in via SMB or WinRM (PowerShell Remoting). For SMB scans, most customers use the WMI-based method, but other SMB-based options are available. SMB scanning requires that RiskAnalyzer can reach TCP/445 on each device. WinRM scanning requires that RiskAnalyzer can connect to either TCP/5985 (HTTP) or TCP/5986 (HTTPS).
LDAP or LDAPS
When scanning domain controllers, RiskAnalyzer connects to and obtains information from LDAP services, which listen on TCP/389 (LDAP) or TCP/636 (LDAPS). When port 389 is used, the domain controller must have StartTLS enabled with a configured certificate so that the bind (authentication step) and the data transfer that follows are encrypted; a domain controller that accepts only cleartext LDAP on 389 cannot be scanned over that port.
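The following script is an added example for checking the port 389 requirement above before a scan group is configured; it is not DeepSurface's own code and not the method the appliance itself uses. It sends an LDAP StartTLS ExtendedRequest (BER-encoded by hand, so no LDAP library is needed) over plain TCP/389, reads the resultCode from the ExtendedResponse, and then completes a TLS handshake on the same connection, which only succeeds when a certificate is configured. The host name dc01.corp.example, the choice to skip certificate validation by default, and the sample reply bytes in the test are assumptions.

```python
"""Probe a domain controller for LDAP StartTLS on TCP/389.

Added example for this page; not DeepSurface code and not the appliance's
own check.  It speaks just enough LDAP (RFC 4511 ExtendedRequest, BER
encoded by hand) to ask for StartTLS and then upgrades the socket to TLS.
"""
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 section 4.14


def ber_encode(tag, payload):
    """Encode one BER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        header = bytes([tag, n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        header = bytes([tag, 0x80 | len(lb)]) + lb
    return header + payload


def ber_header(buf, i):
    """Decode the BER header at buf[i]; return (tag, value_start, value_end)."""
    tag, first = buf[i], buf[i + 1]
    i += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[i:i + n], "big")
        i += n
    return tag, i, i + length


def starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    return ber_encode(0x30, ber_encode(0x02, bytes([message_id]))
                      + ber_encode(0x77, ber_encode(0x80, STARTTLS_OID)))


def starttls_result_code(reply):
    """resultCode of an LDAP ExtendedResponse (tag 0x78); None if the reply
    is truncated or some other message type.  0 means StartTLS accepted."""
    try:
        tag, i, _ = ber_header(reply, 0)          # LDAPMessage SEQUENCE
        if tag != 0x30:
            return None
        tag, _, end = ber_header(reply, i)        # messageID INTEGER
        if tag != 0x02:
            return None
        tag, i, _ = ber_header(reply, end)        # protocolOp
        if tag != 0x78:
            return None
        tag, i, end = ber_header(reply, i)        # resultCode ENUMERATED
        if tag != 0x0A:
            return None
        return int.from_bytes(reply[i:end], "big")
    except IndexError:
        return None


def probe_starttls(host, port=389, timeout=5.0, verify=False):
    """Return (ok, detail).  ok is True only when the DC accepts StartTLS and
    a TLS handshake then completes, i.e. a certificate is configured.
    verify=False skips chain and hostname validation so a self-signed DC
    certificate still reports what is offered; pass verify=True to check it."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(starttls_request())
            code = starttls_result_code(sock.recv(4096))
            if code != 0:
                return False, f"StartTLS not accepted (resultCode={code})"
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True) or b""
                return True, f"{tls.version()}, certificate {len(der)} bytes"
    except (OSError, ValueError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Hypothetical domain controller name; substitute your own.
    print(probe_starttls("dc01.corp.example"))
```

A resultCode other than 0 (commonly 2, protocolError, or 1, operationsError) means StartTLS is not available on the domain controller; a TLS handshake failure after a successful resultCode usually means no server certificate is installed. Run the same check from each Subordinate scanner, since the network path differs per scanner.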
The following network requirements apply when scanning *BSD, Linux, and macOS devices:
SSH
RiskAnalyzer must be able to connect to SSH services running on these devices. By default, DeepSurface connects to TCP/22, but may be configured to access SSH on alternative ports.
Accepted SSH private key formats: RSA, ECDSA, Ed25519
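The script below is an added example, not DeepSurface code, that encodes the port requirements listed above for Windows hosts, domain controllers, and *BSD/Linux/macOS hosts, and reports which requirement groups each target satisfies from the scanner's point of view before a scan is launched. It also performs the PTR lookup this page recommends, so a missing reverse record shows up in the same report. The role labels, the sample inventory, and the injectable probe used for offline testing are assumptions.

```python
"""Pre-flight port and reverse-DNS check for DeepSurface credentialed scan targets.

Added example; not DeepSurface code.  A host is ready when every requirement
group has at least one reachable port: Windows needs SMB (TCP/445) or WinRM
(TCP/5985 or TCP/5986); domain controllers additionally need LDAP (TCP/389,
StartTLS required) or LDAPS (TCP/636); *BSD, Linux and macOS need SSH.
"""
import socket

# Requirement groups from this page; role names are an assumption.
REQUIREMENTS = {
    "windows": [("SMB or WinRM", (445, 5985, 5986))],
    "domain_controller": [("SMB or WinRM", (445, 5985, 5986)),
                          ("LDAP or LDAPS", (389, 636))],
    "unix": [("SSH", (22,))],
}


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, unreachable, no permission
        return False


def reverse_dns(ip):
    """PTR lookup for ip; None when the configured DNS server has no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def check_host(host, role, ssh_port=22, probe=tcp_open):
    """Evaluate one target.  Returns (ready, {group_name: [open ports]}).

    ssh_port covers the page's note that SSH may run on an alternative port.
    probe is injectable so the logic can be exercised without a network."""
    ready, detail = True, {}
    for name, ports in REQUIREMENTS[role]:
        if name == "SSH":
            ports = (ssh_port,)
        open_ports = [p for p in ports if probe(host, p)]
        detail[name] = open_ports
        ready = ready and bool(open_ports)
    return ready, detail


def report(targets, probe=tcp_open):
    """targets: iterable of (ip, role) or (ip, role, ssh_port); returns rows."""
    rows = []
    for target in targets:
        ip, role = target[0], target[1]
        ssh_port = target[2] if len(target) > 2 else 22
        ready, detail = check_host(ip, role, ssh_port, probe)
        rows.append({"ip": ip, "role": role, "ptr": reverse_dns(ip),
                     "ready": ready, "detail": detail})
    return rows


if __name__ == "__main__":
    # Constructed sample inventory; replace with the scan group's targets.
    inventory = [("10.0.0.10", "domain_controller"),
                 ("10.0.0.20", "windows"),
                 ("10.0.0.30", "unix", 2222)]
    for row in report(inventory):
        status = "READY" if row["ready"] else "BLOCKED"
        print(f'{row["ip"]:<14} {row["role"]:<18} {status:<8} '
              f'ptr={row["ptr"]} {row["detail"]}')
```

A BLOCKED row names the group with no open port, which is normally a firewall or host-based filtering problem between the scanner and the target rather than a credential problem; a None in the ptr column means the DNS server configured on the appliance has no reverse record for that address.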