Discovery Operations

These operations feed Horizon with certificates discovered on the network through different means. Each certificate is reported along with the appropriate Discovery metadata, such as the IP address or hostname of the machine that holds the discovered certificate.

Local Scan

In local scan mode, the Horizon Client scans the machine it is installed on for certificates and reports them to Horizon. Certificates are discovered if they match the following conditions:

  • They are saved in PEM or DER format in a file that is referenced in a configuration file

  • They are contained in a Machine or User "MY" certificate store (Windows Only)

  • They are not CA certificates

In local scan mode, the Horizon Client should be launched with root or administrator rights; otherwise it will probably fail to discover all certificates.

horizon-cli localscan --campaign=test

Network Scan

In network scan mode, the Horizon Client will first connect to Horizon to get the campaign’s scanning parameters (Hosts and Ports), then perform the network scanning and feed Horizon with the scan results.

The following algorithm is used for network scanning:

  1. If the --ping-first flag is given, perform an ICMP ping on the defined hosts and discard hosts that are not reachable

  2. Scan the hosts and ports for an open TCP port

  3. If the TCP port is open:

    • If the port is not '25', try a TLS handshake. If the handshake succeeds, retrieve the certificate and report it to Horizon

    • If the port is '25', perform SMTP STARTTLS, retrieve the certificate and report it to Horizon

The "timeout" global configuration variable affects both open port discovery and the TLS handshake. If you get unexpected handshake errors or EOF, try increasing the timeout. However, this will also make the network scan run slower.

horizon-cli netscan --campaign=test

To perform network scans on a recurring schedule, the Horizon Client can create a periodic task that runs a scan.

The three supported options for the period parameter are:

  • daily - runs the task every day between 0 and 4 AM UTC

  • weekly - runs the task every Sunday between 0 and 4 AM UTC

  • monthly - runs the task on the first day of the month between 0 and 4 AM UTC

horizon-cli netscan --campaign=test --create-periodic-task --period=monthly

The created task can then be removed using:

horizon-cli netscan --campaign=test --remove-periodic-task

nmap import

In nmap import mode, the discovery itself is performed by nmap, using the ssl-cert plugin. The Horizon Client then imports the nmap scanning results into Horizon.

To be able to do so, nmap needs to be launched with the -oX option, so that it exports its scan result as an XML file. This XML file is then passed on to the Horizon Client.

horizon-cli importscan nmap --campaign=test --xmlfile=nmapresults.xml
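
A pre-import sanity check for the XML file described above, as an added example that is not part of the Horizon Client or its documentation: it lists which host and port pairs in an nmap -oX file carry ssl-cert output, with the IP address and hostname that accompany each certificate, and which open ports have none. The sample XML is constructed, the function name is hypothetical, and how the Horizon Client itself parses the file is not shown on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output with ssl-cert results.
# Addresses, names and the PEM body are placeholders, not real data.
SAMPLE_XML = """<nmaprun scanner="nmap"><host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <hostnames><hostname name="www.example.test" type="user"/></hostnames>
  <ports>
    <port protocol="tcp" portid="443"><state state="open"/>
      <script id="ssl-cert" output="(constructed)">
        <table key="subject"><elem key="commonName">www.example.test</elem></table>
        <table key="validity"><elem key="notAfter">2025-01-01T00:00:00</elem></table>
        <elem key="pem">-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----</elem>
    </script></port>
    <port protocol="tcp" portid="8080"><state state="open"/></port>
    <port protocol="tcp" portid="25"><state state="closed"/></port>
  </ports>
</host></nmaprun>"""


def summarize_nmap_xml(xml_text):
    """Return (certs, open_without_cert) found in nmap XML output."""
    certs, open_without_cert = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address")
        ip = addr.get("addr") if addr is not None else None
        name = host.find("hostnames/hostname")
        hostname = name.get("name") if name is not None else None
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports carry no certificate
            portid = int(port.get("portid"))
            script = port.find("script[@id='ssl-cert']")
            pem = script.findtext("elem[@key='pem']") if script is not None else None
            if not pem:
                # Open port, but no ssl-cert output: no TLS, or script not run
                open_without_cert.append((ip, portid))
                continue
            certs.append({
                "ip": ip, "hostname": hostname, "port": portid,
                "subject_cn": script.findtext("table[@key='subject']/elem[@key='commonName']"),
                "not_after": script.findtext("table[@key='validity']/elem[@key='notAfter']"),
                "pem": pem.strip(),
            })
    return certs, open_without_cert
```

An empty certificate list on a file that does contain open ports usually means the scan was run without the ssl-cert plugin, so there is nothing to import.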

Qualys Certificate View import

In Qualys Certificate View (CV) import mode, the discovery itself is performed by Qualys CV. The Horizon Client then imports the Qualys CV scanning results into Horizon.

To be able to do so, a technical account must have been created in Qualys CV for the Horizon Client, with appropriate rights to view the scanning results. Note that the password is passed on the command line, where it can be recorded in shell history and shown in process listings, so keep this account limited to those rights. You also need to identify your Qualys CV API Gateway URL using the following link.

horizon-cli importscan qualyscv --campaign=test --endpoint=https://gateway.qg1.apps.qualys.eu --username=testlogin --password=testpassword