This guide will teach you how to create scans of your infrastructure. Once you learn the basics, such scans can be created very quickly, with almost no customisation required.
This guide only describes the steps needed to set up a scan. Settings which are not mentioned here can usually be left at their default values.
- Determine the Type of Scan
- Prerequisites
- Create A Scan
- Give Your Scan a Name
- Add Scan Targets
- Infrastructure Scanner Settings
- Notifications
- Scheduling
- Scanning Hub
- Save
Determine the Type of Scan
The first consideration when creating a scan is the scan target. Is your target an item of infrastructure (such as a server or laptop), a web application, or an API? This guide covers scanning infrastructure targets; see How to Scan: Web Applications to learn how to create a scan for a web application.
For more information on types of scan targets, see 3 Types of Scanning - Port Scanning, Web Application Scanning, and Infrastructure Scanning.
It is common to combine both types of scan as a way of adding extra value - your infrastructure scan may include small web application scans and your web application scan may also include a small infrastructure scan. The question we are asking at this point is what will be the main target of your scan: is it a web application (including APIs) or an item of infrastructure?
A web application scan target will always take the form of a URL, and will always be accessed over HTTP or HTTPS. http://example.com and https://api.example.com are web application scan targets.
example.com is not a URL, it is simply a fully qualified domain name - it does not identify a web application, it identifies a server, and as such would be an infrastructure scan target.
IP addresses (e.g. 192.0.2.10), ranges (e.g. 198.51.100.0-198.51.100.128), and CIDR notation subnets (e.g. 203.0.113.0/24) are all infrastructure targets.
ftp://example.com/ is a URL, but it does not use HTTP or HTTPS, and so is not a valid scan target.
Once you have determined that your main target is an item, or items, of infrastructure, you can proceed to set up a scan.
Prerequisites
In most cases, the only essential prerequisite is access from the Scan Hubs to your scan targets. If your targets are available over the public internet then you can use AppCheck's public Scan Hubs. See Allowing AppCheck Access to Your Network or Applications.
If possible, providing the scanner with credentials to log in to the target hosts will enable more comprehensive scanning. With the ability to log in, the scanner can determine more specific software versions, and therefore provide more accurate vulnerability findings. See Credentialed Infrastructure Scanning for more information.
If you are scanning a target that is not available over the public internet, or you wish to run a Credentialed Scan and logging in to your target is not allowed over the public internet, then you will need to purchase and install an AppCheck Private Scan Hub. Contact your account manager to purchase one, then follow the Private Scan Hub Setup Guide to set it up.
Create A Scan
From the main menu in the AppCheck Scanner Portal, select:
- Scans
- New Scan
- Infrastructure
- New Scan
Choose the appropriate profile, Large Range or Small Range, for your intended number of targets.
Give Your Scan a Name
Use a naming convention of your choice. Make sure it's unique and helps you immediately identify the purpose of the scan.
Add Scan Targets
Enter your scan targets in the Targets field. For convenience, the targets registered with your account (your Scanner Scope) are shown on the right-hand side, where they can be copied from.
Your targets will be colour-coded to indicate the type of target (you may need to press Enter to complete adding a target).
You can mouse-over the Targets box to see a count of the total number of potential target hosts. Consider whether you have chosen the correct scan profile for this number.
Remember that it takes time to scan a target even if no host is online at that address.
In the example above we added targets in the form of a CIDR subnet, copied from the Scanner Scope shown on the right.
In this example we added targets in the form of a simple IP address range. The scan will test all IP addresses from 198.51.100.0 to 198.51.100.128, inclusive.
The format in which you specify your scan targets does not need to match the format they appear in under Scanner Scope. In the example above 198.51.100.0-198.51.100.128 is allowed because every address in that range is within the CIDR subnet 198.51.100.0/24, which is in the scanner scope.
In cases like this where the full IP address range cannot be read, we can click the clipboard icon on the right to view and edit the targets list in plain text:
Denied Targets
If you added targets in the form of an IP range but would like to exclude individual IP addresses within that range from the scan, you can list them in the Denied Targets area.
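As an added example that is not part of this guide or of AppCheck's own code, the following Python script applies the target rules described above: it classifies a target string as a web application or infrastructure target (http/https URLs versus IPs, ranges, CIDR subnets and bare FQDNs, with other URL schemes rejected), checks that every address an infrastructure target covers lies within a Scanner Scope entry, and counts the potential hosts once Denied Targets are removed. The scope entries and sample targets are constructed from the addresses used in this guide.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# A bare FQDN (no scheme) identifies a server, so it is an infrastructure target.
HOSTNAME_RE = re.compile(r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.I)
RANGE_RE = re.compile(r"([0-9a-f.:]+)\s*-\s*([0-9a-f.:]+)", re.I)

def expand_infra_target(target):
    """Expand an IP, inclusive start-end range, CIDR subnet or FQDN into its potential hosts."""
    target = target.strip()
    if HOSTNAME_RE.fullmatch(target):
        return {target.lower()}  # one server
    if m := RANGE_RE.fullmatch(target):
        start, end = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        if start.version != end.version or end < start:
            raise ValueError(f"bad address range: {target}")
        return {str(start + i) for i in range(int(end) - int(start) + 1)}
    if "/" in target:  # every address in the subnet is a potential host
        return {str(a) for a in ipaddress.ip_network(target, strict=False)}
    return {str(ipaddress.ip_address(target))}  # raises ValueError if not an IP

def classify_target(target):
    """'web_app' for http/https URLs, 'infrastructure' for IPs, ranges, CIDRs and FQDNs, else 'invalid'."""
    if "://" in target:  # a URL: only HTTP(S) identifies a web application; ftp:// etc. are rejected
        return "web_app" if urlsplit(target).scheme.lower() in ("http", "https") else "invalid"
    try:
        expand_infra_target(target)
        return "infrastructure"
    except ValueError:
        return "invalid"

def in_scope(target, scope):
    """True if every host the target covers lies inside some Scanner Scope entry."""
    names = {s.lower() for s in scope if HOSTNAME_RE.fullmatch(s)}
    nets = [ipaddress.ip_network(s, strict=False) for s in scope if s.lower() not in names]
    def covered(host):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:  # host is an FQDN, so it must be listed by name
            return host in names
        return any(addr in n for n in nets)
    return all(covered(h) for h in expand_infra_target(target))

def potential_hosts(targets, denied=()):
    """Union of all targets minus Denied Targets; len() matches the Targets box mouse-over count."""
    hosts = set().union(*(expand_infra_target(t) for t in targets))
    return hosts - set().union(*(expand_infra_target(d) for d in denied))
```

With the guide's range 198.51.100.0-198.51.100.128 and two denied addresses, potential_hosts returns 127 hosts, and in_scope confirms the range is allowed under the scoped subnet 198.51.100.0/24.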
Infrastructure Scanner Settings
Within Infrastructure Scanner Settings, you will see two types of sub-scans that are usually combined to form an Infrastructure Scan.
Vulnerability Scanner
Vulnerability Scanner runs tests against the scan targets in order to discover services and known vulnerabilities associated with particular service versions.
There are three important settings to consider here.
Credentialed Scanning
- Infrastructure Scanner Settings
- Vulnerability Scanner
- Options
- Credentialed Scanning
You can find more about Credentialed Scanning in this article.
Include 'Info' level vulnerabilities in report
- Infrastructure Scanner Settings
- Vulnerability Scanner
- Options
- Advanced Settings
- Include 'Info' level vulnerabilities in report
We recommend enabling this in most circumstances as it provides informational findings which are useful in analysing scan results more effectively. For example, this section will often contain Software Consolidation reports, which can help you find out how and where some services and software versions were detected.
Automatically perform a passive web app scan against any discovered web applications
- Infrastructure Scanner Settings
- Vulnerability Scanner
- Options
- Advanced Settings
- Automatically perform a passive web app scan against any discovered web applications
If enabled, this runs an additional port scan to detect the presence of web servers on each target address, then runs a short web application scan on each discovered web application. The scans are considered passive, meaning the scanner does not send active attack payloads (such as SQL injection) at the application, it simply observes information presented through passive browsing of the application, such as metadata that might indicate the version of a web server, or missing security headers.
These scans usually take around five minutes, and so are enabled by default in the Small Range profile, but disabled by default in the Large Range profile.
Even if no applications are found on a host, or a scanned IP address is not in use, it can take minutes just to scan for the presence of web applications. Therefore it is strongly recommended not to enable this feature for Large Range scans, even if most target addresses are not online hosts.
Port Scanner
In the vast majority of cases, the port scanner should be enabled with the default settings of the appropriate scan profile. If you do make changes to these settings, note the estimated time displayed below the Port Scanner Settings:
This is a rough estimate of the total time required to run a Port Scan against all of the scan targets. In this example, an inappropriate combination of settings has increased this estimate from just over an hour to over a month (other settings combinations push this close to two years).
Try to keep this to a number of hours - if it starts to go into the days then you may wish to either adjust the settings or create separate scans each with fewer targets.
Notifications
The scan Owner was set at the top of the page in
- Scan Settings
- Belongs To
when you created the scan. As well as changing this, you can also assign Watchers near the bottom of the page in
- Watcher Settings
The Owner and Watchers will receive email notifications when the scan starts and stops.
Scheduling
A scheduled start time for the scan, including a repeat, can be set in
- Scan Settings
- Scheduled Start Date
- Repeat
This is optional; the scan can also be started manually, or via our API.
A scan window can also be set - running scans will automatically be paused outside of a scan window, if specified. This can be found in
- Scan Window Settings
- Add Schedule
Scanning Hub
By default scans are run from AppCheck's public Scanning Hubs. If you have purchased a Private AppCheck Scanning Hub you will have the option of configuring which hub(s) your scan should run from. This can be found at
- Advanced Config Settings
- Scanning Hub
If you have not purchased a Private AppCheck Scanning Hub this option will not be shown.
Save
To finish creating your scan, click Save, or Save and Scan if you wish to also begin the scan immediately.
You will be able to edit the scan by selecting
- Scans
- All Scans
then clicking the pencil icon:
Changes made to a scan configuration while the scan is running can be saved but will not take effect until the next time the scan starts.