
Installing Authentication Verifier Agent on Linux (Debian Distribution)

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

To run authenticated scans in your local environment, install an Authentication Verifier Agent. For scanning internal websites inaccessible from the internet, set up a Scan Agent on your network. The Scan Agent performs the scan and sends results to Invicti Enterprise. Use an Internal Verifier Agent to ensure the scan is authenticated.

For further information about the internal authentication verifier, refer to our Streamline authenticated scanning Invicti verifier agents document.

NOTE: To install the Authentication Verifier Agent on Linux, you need to install .NET.

This document covers installing, updating, and uninstalling Authentication Verifier Agents on Linux (Debian). For other systems, refer to the installation guides for Windows and RedHat.

TIP

The Authentication Verifier Agent is optional.

Install it if you need to scan websites using Form, Basic, or OAuth2 authentication. It also supports Authentication Profiles, Custom Scripts for Form Authentication, CyberArk Vault, HashiCorp Vault, and Azure Key Vault.

This process involves three steps:

  1. Download the Authentication Verifier Agent
  2. Install the Authentication Verifier Agent
  3. Set the Authentication Verifier Agent as a Linux service

Before proceeding, ensure you review the prerequisites below.

Prerequisites

Hardware Requirements

  • Processor: 1.4 GHz minimum (2.0 GHz or faster recommended)
  • Memory: 4 GB or higher recommended
  • Storage: 10 GB free disk space per internal agent
  • If NTLM is used as the authentication method, Ubuntu version 24.04 or its equivalent must be used at a minimum.

Network Requirements

  • The agent must access your internal website via HTTP/HTTPS.
  • The agent must connect to the Invicti Enterprise Authentication Verifier Server over HTTP(S) (port 443).

Allowlisting Requirements

  • Domains:
      • www.invicti.com
      • r87.me
  • Regional IPs:
      • US: 34.237.50.127, us-avservice.netsparkercloud.com
      • EU: 18.193.27.197, eu-avservice.netsparker.cloud
      • CA: 52.60.130.46, ca-avservice.netsparker.cloud

Required Access

  • Root privileges are required to execute the necessary commands.

Step 1: Download the Authentication Verifier Agent

To download the installation files for the Authentication Verifier Agent, follow the steps below.

  1. In Invicti Enterprise, select Agents > Manage Agents from the left-side menu.
  2. Click Configure New Agent.

  3. From the Authentication Verifier section, select Linux to download the required files to install the verifier agent.

Step 2: Install the Authentication Verifier Agent

To install the Authentication Verifier Agent, follow these instructions:

  1. Open a terminal window.
  2. Update the operating system's application repositories:

sudo apt update && sudo apt upgrade -y

  1. Install the required dependent packages:

sudo apt install -y p7zip-full wget gss-ntlmssp nano mono-complete apt-transport-https

  1. Create a folder for the Invicti Verifier dependency:

sudo mkdir -p /home/[YOUR_USER]/.local/share/Netsparker_Ltd

  1. Change the ownership of the folder:

sudo chown -R [YOUR_USER] /home/[YOUR_USER]/.local/share

NOTE:  Make sure that [YOUR_USER] in this step matches the [YOUR_USER] in the unit file described later in this guide.

  1. To install the necessary dependencies for Headless Chrome, run the following commands:

IMPORTANT:

If the operating system is Ubuntu 24.04 or higher, the following must be used:

sudo apt install -y libasound2t64 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libnss3 lsb-release xdg-utils libgdiplus

  1. Update the system repositories:

sudo apt update

  1. Install required libraries for Headless Chrome:

sudo apt install -y wget curl unzip

sudo apt install -y libnss3 libgconf-2-4 libx11-xcb1 libxcomposite1 libxrandr2 libatk-bridge2.0-0 libatk1.0-0 libcups2 libnspr4 libgbm1

  1. Install additional dependencies for better performance (optional but recommended):

sudo apt install -y libappindicator3-1 libasound2 libatk1.0-0 libgdk-pixbuf2.0-0

After installing the dependencies, you can download and configure the Headless Chrome browser.

WARNING FOR KALI DISTRIBUTIONS
You may encounter an issue while installing the libappindicator1 dependency specified in step 7. If this happens, refer to the section Adding Debian Repository to the Sources.List in Kali Rolling for instructions on how to resolve it.

  1. Extract the Authentication Verifier Agent TAR file by running the following commands:

cd /home/[YOUR_USER]

sudo tar -xvf Invicti_Enterprise_Scanner_Agent.tar --one-top-level

sudo chown -R [YOUR_USER]:[YOUR_USER] /home/[YOUR_USER]/Invicti_Enterprise_Scanner_Agent

  1. Open the appsettings.json file using your preferred text editor to enter the required information (e.g., ApiToken):

cd /home/[YOUR_USER]/Invicti_Enterprise_Verifier_Agent

nano appsettings.json

NOTE

Changing the default data folder for the Authentication Verifier Agent

To change the default data folder, add the following attribute under AgentInfo in the appsettings.json file:

"ScanDataFolderPath": "FullPath"

For example, you can set the path like this:

/home/[YOUR_USER]/[data folder]/

  • If you modify an existing agent's appsettings.json file, you must restart the service after making the change.
  • If you are adding this line to a new agent, you can continue with the installation process as usual.

These settings will be used by the agent:

  • AgentName: You can set this to any name you prefer. It will be displayed when starting a new scan. If installing multiple instances of the agent, ensure each has a unique AgentName that you will reference later.
  • AgentType: This can be set to either Standard or Cloud. If you plan to use a Cloud Provider for scanning, set AgentType to Cloud.
  • ApiToken: The ApiToken corresponds to the Agent Token displayed in the Configure New Agent window of Invicti Enterprise. Copy this value into the ApiToken field.

WARNING
Do not edit the ApiRootUrl address. Modifying it may cause the Authentication Verifier Agent to stop working.

Ensure that the ApiRootUrl is allowlisted so the Authentication Verifier Agents can access the verifier server for form authentication.

Also, verify that the machine where the Authentication Verifier Agent is installed can access the ApiRootUrl.

2.1 Setting a Proxy for the Authentication Verifier Agent

To configure a proxy for the Authentication Verifier Agent in Invicti Enterprise:

  1. Open the appsettings.json file using your preferred text editor.
  2. Manually enter the proxy settings as required.

NOTE: Invicti supports Basic Authentication for proxies but does not support Digest or NTLM authentication.

These are the proxy configuration fields and their description:

  • Proxy Mode - Specifies how the agent interacts with the proxy. Options are:
      • NoProxy: The agent does not use a proxy, even if the server has proxy settings configured.
      • SystemProxy: The agent uses the system-defined proxy settings on the server.
      • CustomProxy: The agent uses custom proxy settings defined in the appsettings.json file.
  • Use Default Credentials - Set to true if proxy authentication uses the credentials of the user defined for the agent service.
  • Username - Enter the username for proxy authentication.
  • Password - Enter the password for proxy authentication.
  • Domain - Enter the domain name for proxy authentication.
  • Address - Enter the proxy address (IP or hostname). Do not include the scheme (http://) or port.
  • Port - Enter the port for the proxy server.
  • Bypass on Local - Indicates whether to bypass the proxy for local addresses.
  • Bypass List - Specify addresses that should bypass the proxy server.

2.2 Using Proxy Auto-Configuration (PAC)

You can configure your proxy using a Proxy Auto-Configuration (PAC) file. PAC files allow you to define proxy settings using JavaScript, making proxy management more flexible and efficient. To use a PAC file, set the Proxy Mode to SystemProxy in the appsettings.json file.

WARNING:

Proxy Auto-Configuration is not supported in Linux CLI distributions. It can only be configured through the Linux GUI.

How to Use a Proxy Auto-Configuration File in Linux (Debian Distribution)

  1. Open Settings and navigate to Network > Network Proxy.
  2. In the Network Proxy window, select Automatic.
  3. Enter the PAC file's URL in the Configuration URL field.

  4. Close the window to save the changes.

Adding Debian Repository to the Sources.List in Kali Rolling Distribution

To install libappindicator1 for Headless Chrome browser dependencies, add the Debian Repository to the sources.list in Kali Rolling using these instructions:

  1. Open a terminal and run this command.

sudo nano /etc/apt/sources.list

  2. Add the following lines to the sources.list file:

deb http://deb.debian.org/debian buster main contrib non-free
deb-src http://deb.debian.org/debian buster main contrib non-free

  3. Save and close the file.
  4. Update the repositories:

sudo apt update

  5. Install libappindicator1:

sudo apt install libappindicator1

  6. After installing libappindicator1, you can resume the agent installation starting from step 2 point 8 above.

Step 3: Set the Authentication Verifier Agent as a Linux service

An internal agent must be set up as a Linux service to regularly poll the Invicti Enterprise servers and receive scan initiation commands.

You can complete this configuration in three steps:

  1. Add a unit file for an Invicti Agent
  2. Configure Sudoers for an Invicti Agent
  3. Start Invicti Enterprise Agent as a Linux Service

3.1 Add a unit file for an Invicti Agent

Follow these steps to add a unit file for the Invicti Agent:

  1. Open a terminal
  2. cd /etc/systemd/system
  3. sudo touch [YOUR_AGENT_NAME].service
  4. sudo nano [YOUR_AGENT_NAME].service

IMPORTANT:

The AgentName specified in the appsettings.json file must match the unit file name of the agent. Consistency between these names is required for proper operation.

  5. Add the following script into [YOUR_AGENT_NAME].service:

# For internal agents version 2.0.2.157 and newer:
[Unit]
Description=netsparker.service description

[Service]
Type=notify
KillMode=process
Restart=always
RestartSec=30
SyslogIdentifier=[YOUR_USER]
KillSignal=SIGINT
User=[YOUR_USER]
WorkingDirectory=[YOUR_AGENT_DIRECTORY_PATH]
# systemd rejects relative paths such as ./...; give the absolute path to the agent binary
ExecStart=[YOUR_AGENT_DIRECTORY_PATH]/Netsparker.Cloud.Agent
ExecStop=/usr/bin/pkill -f "[YOUR_AGENT_DIRECTORY_PATH]/Nhs/NetsparkerHelperService.exe"

[Install]
WantedBy=multi-user.target

  6. Save and close the document.

3.2 Configure Sudoers for an Invicti Agent

To configure Sudoers for the Invicti agent, follow these steps:

  1. Navigate to the sudoers directory:

cd /etc/sudoers.d

  2. Create a new sudoers file:

sudo touch [YOUR_AGENT_NAME]-systemctl

  3. Edit the file with visudo:

sudo visudo -f [YOUR_AGENT_NAME]-systemctl

  4. Add the following script to grant the necessary permissions:

[YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl start [YOUR_AGENT_NAME].service
[YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl stop [YOUR_AGENT_NAME].service

  5. Save and close the file.

3.3 Start Invicti Enterprise Agent as a Linux Service

  1. Reload the system daemon to recognize the new service:

sudo systemctl daemon-reload

  2. Start the agent service:

sudo systemctl start [YOUR_AGENT_NAME].service

TIP:

To ensure the scanning agent service remains active after a machine reboot:

  1. Open a terminal.
  2. Enable the agent service to start automatically:

    sudo systemctl enable [YOUR_AGENT_NAME].service

  3. You can now verify the connection between Invicti Enterprise and the authentication verifier agent by navigating to the Agents menu and selecting Manage Verifier.
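
The naming and ownership rules from Steps 2 and 3 (AgentName equals the unit file name, the unit's User owns the agent folder) can be checked before the service is started; systemd additionally rejects a relative ExecStart path. The script below is an added example, not part of Invicti's installer: the function names are hypothetical, it assumes appsettings.json stores "AgentName": "value" on one line, and its file-mode check is an extra hardening check added here because appsettings.json holds the ApiToken and proxy password.

```shell
#!/usr/bin/env bash
# Added example: pre-start checks for one verifier agent install (Debian/GNU stat).

# Print the AgentName value found in an appsettings.json file.
# Assumption: the file contains  "AgentName": "<name>"  on a single line.
agent_name() {
  sed -n 's/.*"AgentName"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the value of KEY from a unit file; spaces around '=' are tolerated.
unit_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_agent UNIT_FILE AGENT_DIR
# Prints one line per finding and returns the number of findings (0 = consistent).
check_agent() {
  local unit="$1" dir="$2" cfg="$2/appsettings.json" problems=0
  local name user start owner mode
  name=$(agent_name "$cfg")
  user=$(unit_value "$unit" User)
  start=$(unit_value "$unit" ExecStart)

  # The page requires AgentName to match the unit file name.
  if [ "$(basename "$unit" .service)" != "$name" ]; then
    echo "AgentName '$name' does not match unit file $(basename "$unit")"
    problems=$((problems + 1))
  fi
  # systemd rejects relative paths such as ./agent; expect an absolute path.
  case $start in
    /*) ;;
    *) echo "ExecStart '$start' is not an absolute path"
       problems=$((problems + 1)) ;;
  esac
  # [YOUR_USER] in the chown step must be the User= of the unit.
  owner=$(stat -c %U "$dir")
  if [ "$owner" != "$user" ]; then
    echo "User=$user does not own $dir (owner is $owner)"
    problems=$((problems + 1))
  fi
  # Extra hardening check: appsettings.json holds ApiToken and proxy Password,
  # so it should grant no permissions to "other".
  mode=$(stat -c %a "$cfg")
  if [ $(( 0$mode & 07 )) -ne 0 ]; then
    echo "$cfg is accessible to other users (mode $mode)"
    problems=$((problems + 1))
  fi
  return "$problems"
}
```

Call it as check_agent /etc/systemd/system/[YOUR_AGENT_NAME].service [YOUR_AGENT_DIRECTORY_PATH]; the return value is the number of findings. The sudoers file from section 3.2 can be syntax-checked separately with sudo visudo -c -f /etc/sudoers.d/[YOUR_AGENT_NAME]-systemctl.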

Updating Authentication Verifier Agents

There are three methods to update your Authentication Verifier Agent:

  1. Manual Update - When a new version is available, manually update the agent by downloading and installing the latest version on the machines where the agent is installed.
  2. Update Agent - If the Enable Auto Update feature is not configured, you can manually update the agent by selecting Update Agent. This option is only visible when a new version is available. During the update, the State field will show "Updating."
  3. Enable Auto Update - The agent will automatically update itself when it is idle if auto-update is enabled.

Follow the steps below to enable Automatic Authentication Verifier Agent Updates:

  1. From the main menu, navigate to Agents > Manage Verifiers.
  2. Next to the relevant agent, click the Command drop-down and select Enable Auto Update.

Installing multiple Authentication Verifier Agents on Linux

You can install multiple authentication verifier agents on Linux by following these steps:

TIP: Ensure that each agent has a unique name.

  1. Open a terminal window and create a new folder for the new agent:

mkdir /home/[YOUR_USER]/[new_agent_folder]

  2. Copy the TAR file into the new folder and extract it:

tar -xvf [TAR_FILE] -C /home/[YOUR_USER]/[new_agent_folder]

  3. Follow the instructions in Step 2: Install the Authentication Verifier Agent and Step 3: Set the Authentication Verifier Agent as a Linux service to complete the installation process.

Uninstalling Authentication Verifier Agent

To uninstall a verifier agent, follow these steps:

  1. Open a terminal window and stop the agent service:

sudo systemctl stop [YOUR_AGENT_NAME].service

  2. Navigate to the system folder:

cd /etc/systemd/system

  3. Remove the service file:

sudo rm [YOUR_AGENT_NAME].service

  4. Reload the system daemon:

sudo systemctl daemon-reload

  5. This will stop and delete the verifier agent service. If needed, you can also delete the related folder.