Support
Scans

Installing internal agents

This document is for:
Invicti Enterprise On-Demand

In order to scan a website located on your internal network, and not accessible from the internet, you can install and configure a scan agent on your network. The agent will conduct the actual scan job and then report the results back to Invicti Enterprise.

In addition to the scanning agent, you can add an authentication verifier agent that will verify the form authentication on your website. For further information, see Authentication Verifier for Internal Agents.

There are three stages to this process:

  1. Download and configure the Invicti Enterprise agent
  2. Run the agent on your local network where it can reach the internal website you want to scan
  3. Define and scan your internal website

You can install internal agents in Linux and Docker, too. For further information about installing agents in Linux, see Installing a Scan Agent on Linux. For the docker, see Installing a Scan Agent via Dockerization.

Downloading and Configuring the Agent

First, you need to download the installation files of the agent and install them on a machine in your internal network.

Prerequisites

Software Requirements

  • Windows Server 2016 or above (Windows Server 2019 recommended)
  • .NET Core 3.1

Hardware Requirements

  • 1.4 GHz Processor (2.0 GHz or faster recommended)
  • 4 GB RAM or higher recommended
  • 10 GB Free Disk space for each internal agent

If you select TLS 1.3 as a security protocol from the Scan Policy, make sure you have Windows 10 v1903 or higher versions.

Network Requirements

  • Agent should be configured so that it can reach your internal website through HTTP/HTTPS
  • Agent needs to be able to access the Invicti Enterprise Application Server’s HTTP(S) (443) port

Allowlisting Requirements

  • www.invicti.com
  • r87.me
  • Allowlist the following addresses according to your region:
    • US region: 54.88.149.100 and www.netsparkercloud.com
    • EU region: 3.122.90.89 and eu.netsparker.cloud
    • CA region: 35.182.99.171 and ca.netsparker.cloud

Required Access

  • User(s) must have administrator privileges to run the required commands and agent service.

How to Download and Configure the Scanning Agent

  1. Log in to Invicti Enterprise.
  2. From the main menu, go to Agents Manage Agents > Configure New Agent.
  3. From the Agent section, select Windows to download the Invicti Enterprise Scanner Agent. Your Agent Token is also displayed
    • Extract the contents of the zip file to C:\NC_Agent. (You can use another location, but these instructions will use this path.)
    • Open the C:\NC_Agent\appsettings.json file with your preferred text editor.
    • You need to edit two attributes before running the agent, listed under AgentInfo:
      • AgentName: This can be anything you want. This text will be displayed when you are starting a new Scan. (If you are going to install more than one instance of the agent make sure you set a unique AgentName value for each instance, something you will remember later.)
      • ApiToken: In Invicti, the Agent Token is displayed in the Configure New Agent window. Copy it into the ApiToken.

Configuring New Agent page

    • Save and close the C:\NC_Agent\appsettings.json.

To detect Out of band vulnerabilities via Invicti Hawk, please whitelist the following ports on your agent server: TCP 80 and 443, UDP 53. For further information about Invicti Hawk, see How Invicti Hawk Finds Vulnerabilities.

Setting Agent as a Windows Service

An internal agent should be configured as a Windows service, so that it can poll the Invicti Enterprise servers regularly, and can take the scan initiation command from the server.

How to Set the Agent as a Windows Service
  1. Open a command prompt in Administrator mode and navigate the agent’s folder.
  2. Run the command below to install the Invicti Enterprise Scanning Agent as a Windows Service:
Netsparker.Cloud.Agent.exe -i
  1. Press Windows+R, type ‘services.msc’ and press Enter.
  2. Find ‘Netsparker Cloud Scanning Service – [YOUR_AGENT_NAME]’.
  3. Right-click on it, and select Properties.
  4. Make sure Startup type is set to Automatic, and select Start.

Please note that although this service is set to start automatically, it will not restart until the PC is restarted too.

  1. Select Apply and OK, then exit the Properties window.

The Invicti Enterprise Agent is now running on your network, shortly it will be registered to Invicti Enterprise.

You can uninstall the Windows Service by specifying the -u argument instead of the -i argument used during the installation process.

Any changes in the appsetting.json file, such as setting proxy and changing API Token, require restarting the service so that the changes can take effect.

Installing multiple scanner agents on Windows

How to install multiple scanner agents on Windows
  1. Copy all files from the default scanner agent’s folder to the new agent’s folder. For this example, the path is: C:\Invicti Enterprise Agent. If you decided to use Agent-2 as the new Agent name, you could use this command to copy all files to new Agent’s folder:
xcopy "C:\Invicti Enterprise Agent\*.*" "C:\Invicti Enterprise Agent-2" /yie

This will create a new directory in C:\Invicti Enterprise Agent-2 and copy in all the required files.

  1. Locate the new Agent’s folder and open the appsettings.json file with a text editor. Set the new Agent’s name.
  2. Open a command prompt in Windows with Administrator rights and install the new Agent as a Windows Service using these commands:
    • This command changes the current folder to the new Agent’s folder:
    cd C:\Invicti Enterprise Agent-2
    • This command installs the new Agent as a Windows Service:
    Netsparker.Cloud.Agent.exe -i
  3. Press Windows+R, type ‘services.msc’ and press Enter.
  4. Find ‘Netsparker Enterprise Scanning Service – [YOUR_AGENT_NAME]’.
  5. Right-click on it and select Properties.
  6. Make sure Startup type is set to Automatic, and select Start.

Uninstalling scanner agent

You may uninstall scanner agents.

How to uninstall the scanner agent
  1. Open a command prompt in Administrator mode and navigate to the agent’s folder.
  2. Run the following command to stop and delete the Invicti Enterprise Scanner Agent as a Windows Service:
sc stop "Netsparker Cloud Scanning Service - YourAgentName"
sc delete "Netsparker Cloud Scanning Service - YourAgentName"

This command will delete the scanner agent service. If required, you can delete the related folder.

Managing Groups

In the Manage Groups window, you can search for and view the names of the different agent groups. You can also edit or delete their details, and add a new agent group.

How to Add a New Agent Group

  1. From the main menu, select Agents > Manage Groups.
  2. From the Agent Groups window, select New Agent Group.
  3. Complete the Name and Agents fields.
  4. Select Save.

How to Edit Agent Groups

  1. From the main menu, select Agents > Manage Groups.
  2. From the Agent Groups window, click Edit on the field of the group you want to edit.
  3. In the New Agent Group window, make your edits.
  4. Select Save.

How to Delete Agent Groups

  1. From the main menu, click Agents Manage Groups.
  2. From the Agent Groups window, select Delete.
  3. Select Yes, Delete in the dialog.

Auto-Update Support for Scanner Agents

Invicti Enterprise On-Demand users can install Invicti Enterprise Scanning Agents on their own network, while Invicti Enterprise On-Premises users can use their own Agents with Invicti Enterprise in their own environments.

  • When a new Agent version has been published, users can update their Agents manually using installation files on the machines on which Agents are installed. Alternatively, users can update Agents manually by clicking Update Agent (visible only when the Enable Auto Update is not configured and the new version of the Agent is available).

  • While the update is in progress, the State field will display ‘Updating’.

  • Alternatively, enabling Auto Update means that when the new version of the Invicti Enterprise Scanning Agent is available, the target Agent will update itself as soon as possible when it’s idle.
How to Enable Automatic Agent Updates
  1. From the main menu, select Agents Manage Agents.
  2. Next to the relevant Agent, select the Command drop-down, then Enable Auto Update.
How to Disable Automatic Agent Updates
  1. From the main menu, select Agents Manage Agents.
  2. Next to the relevant Agent, select the Command drop-down, then Disable Auto Update.

Setting Proxy in Scanner Agents

You can set a proxy for the scanning agent in Invicti Enterprise. You are required to enter proxy settings manually to the appsettings.json file with your preferred text editor.

Invicti supports Basic Authentication but not Digest and NTLM.

  "ProxySettings": {
    "ProxyMode": "SystemProxy",
    "UseDefaultCredentials": true,
    "Username": "",
    "Password": "",
    "Domain": "",
    "Address": "127.0.0.1",
    "Port": "8888",
    "ByPassOnLocal": false,
    "ByPassList": []
  },

This table lists and explains the fields in the Proxy settings.

Field Description
Proxy Mode Enter your proxy settings if you want the Agent to use or not to use the proxy. There are three modes:
NoProxy: The Agent does not use a proxy even if you configure the server’s proxy settings.
SystemProxy:
The Agent uses the System Proxy that was defined on the server.
CustomProxy:
The Agent uses Custom Proxy that you define in the appsettings.json file.
Use Default Credentials Enter true if you authenticate to the proxy via the user that the Agent service is defined.
Use System Default Enter true if you authenticate the agent via operating system credential
Username Enter a username for authentication
Password Enter a password for authentication
Domain Enter a domain name
Address Enter a proxy address. Only IP address or hostname without schema and port is allowed.
Port Enter a port for the proxy
Bypass on Local Enter a value that indicates whether to bypass the proxy server for local addresses.
Bypass List Enter the address(es) that do not use the proxy server.

Any changes in the appsetting.json file, such as setting proxy and changing API Token, require restarting the service so that the changes can take effect.

Using Proxy Auto-Configuration file

You can use Proxy Automatic Configuration (PAC) to configure your proxy. A PAC file lets you describe the proxy configuration in a file using JavaScript, so you can centrally manage your proxy settings.

To use a PAC file, you must set the Proxy Mode to System Proxy in the appsetting.json file. For further information about proxy setting, see Setting Proxy in Scanner Agents.

How to use a Proxy Auto-Configuration file in Windows
  1. Go to Settings > Network & Internet > Proxy.
  2. Turn on the Use setup script toggle.
  3. In the Script address field, enter the PAC file’s URL address.

  1. Select Save.
How to use a Proxy Auto-Configuration file  in Linux (Debian Distribution)
  1. Go to Settings > Network > Network Proxy.
  2. From the Network Proxy window, select Automatic.
  3. In the Configuration URL field, enter the PAC file’s URL address.

  1. Close the window.

Malware Analysis with ClamAV

If you want a Invicti Enterprise scan agent to carry out malware analysis, you need to download and install ClamAV. For further information, see Malware Analysis with ClamAV in Invicti Enterprise.

Defining and Scanning an Internal Website in Invicti Enterprise

Now, you have installed a scanning agent into your infrastructure, you should configure Invicti Enterprise to let it know which websites should be scanned with an internal agent rather than with the built-in agents.

How to Define an Internal Website in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Websites > New Website.
  3. Enter your internal website details (see Adding a Website in Invicti Enterprise).
  4. From the Agent mode field, select Internal.
  5. Select Save.
How to Scan an Internal Website with Agent
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Target URL field, select your Internal Website (if the field is not already populated).
  4. The Preferred Agent field is already selected by default. Your newly installed scanning Agent is displayed as an option. If you installed more than one instance, select the one which can access your Internal Website. If any of them can access your Internal Website, select the default option Any of the available agents. By selecting this, one of the idle agents will scan your website.
  5. Select Launch. (For simplicity, optimization and other settings are ignored in this procedure.)

Your scan has been started in the Queued state. Shortly, you will see that its status changes to Scanning. Once it is completed, you will be able to explore the vulnerabilities found on your website.

Invicti Help Center

Our Support team is ready to provide you with technical help.

Go to Help Center This will redirect you to the ticketing system.