Discovery Operations
These operations aim at feeding Horizon with certificates discovered on the network through different means. These certificates will be fed along with appropriate Discovery metadata, such as IP address or Hostname of the machine on which the discovered certificate is held.
Local Scan
In local scan mode, the Horizon Client will scan the machine it is installed on for certificates, and reports them to Horizon. Certificates are discovered if they match following conditions:
-
They are saved in PEM or DER format in a file that is pointed in a configuration file
-
They are contained in a Machine or User "MY" certificate store (Windows Only)
-
They are not CA certificates
In local scan mode, Horizon client should be launched with root or administrator rights, or it will probably fail to discover all certificates.
|
Network Scan
In network scan mode, the Horizon Client will first connect to Horizon to get the campaign’s scanning parameters (Hosts and Ports), then perform the network scanning and feed Horizon with the scan results.
The following algorithm is used for network scanning:
-
If
--ping-firstflag is given, perform ICMP ping on the defined hosts and discard hosts that are not reachable -
Scan the hosts and ports for an open TCP port
-
If TCP port is opened:
-
If port is not '25', try a TLS handshake. If handshake succeeds, retrieve the certificate and report it to Horizon
-
If port is '25', perform SMTP STARTTLS, retrieve the certificate and report it to Horizon
-
The "timeout" global configuration variable has an impact on both open ports discovery and TLS handshake. In case you get unexpected handshake errors or EOF, try to increase the timeout. However, this will also make the network scan perform slower.
|
In order to perform network scans on a recurring schedule, the Horizon Client offers the possibility to create periodic tasks to run a scan.
The three supported options for the period parameter are:
-
daily - runs the task everyday between 0-4 AM UTC
-
weekly - runs the task every Sunday between 0-4 AM UTC
-
monthly - runs the task on the first day of the month between 0-4 AM UTC
|
This periodic task can be run with a specific user identity on Linux using the user parameter.
|
The created task can then be removed using:
|
nmap import
In nmap import mode, the discovery itself is performed by nmap, using the ssl-cert plugin. Horizon Client then has the ability to import the nmap scanning results into Horizon using the nmap import mode.
To be able to do so, nmap needs to be launched with the -oX option, in order to export its scan result as XML file. This XML file is then passed on to Horizon Client.
|
Qualys Certificate View import
In Qualys Certificate View (CV) import mode, the discovery itself is performed by Qualys CV. Horizon Client then has the ability to import the Qualys CV scanning results into Horizon using the qualyscv import mode.
To be able to do so, a technical account must have been created into Qualys CV for Horizon Client, with appropriate rights to be able to view the scanning results. You need also to identify your Qualys CV API Gateway URL using the following link.
|
Nessus Scan Import
In Nessus scan import mode, Horizon Client enables the importation of scanning results from Nessus into Horizon. This mode allows for a seamless integration of Nessus vulnerability scans into the Horizon environment.
To utilize this feature, you need to ensure that you have valid credentials for Nessus with the necessary permissions to access and export scan data and the scan id on which you want to perform the import. Additionally, you must know your Nessus URL through which Horizon Client will communicate with the Nessus API and use the "SSL Certificate Information" plugin output to get the certificates into horizon.
|