Skip to main content
This document is for:
Invicti Enterprise on-demand, Invicti Enterprise on-premises

Install scan agents on Linux - Debian Distribution

To scan websites in a demilitarized zone (DMZ) or internal networks that are not publicly accessible, install an Invicti scan agent on your network. The agent performs the scan and reports the results to Invicti Enterprise.

Optionally, you can install an authentication verifier agent to verify form authentication on your website.

You can install the scan agent on a Linux operating system. For Debian distributions, ensure the required dependencies are met.

This document focuses on installing a scan agent on Debian-based systems. For Red Hat distributions, refer to Install a scan agent on Linux - RedHat.

This process involves three steps:

  1. Download the Invicti Enterprise agent
  2. Install the Invicti agent
  3. Set the agent as a Linux service

Prerequisites

Ensure you meet all of these prerequisites.

Hardware requirements

  • Processor: 1.4 GHz minimum (2.0 GHz or faster recommended)
  • Memory: 4 GB or higher recommended
  • Storage: 10 GB free disk space per internal agent
  • If NTLM is used as the authentication method, Ubuntu version 24.04 or its equivalent must be used at a minimum.

Network requirements

  • The agent must access your internal website via HTTP/HTTPS
  • The agent must connect to the Invicti Enterprise Authentication Verifier Server over HTTP(S) (port 443)

Trustlisting requirements

Required access

  • Users must have root privileges to execute the required commands. If root privileges are unavailable, use the Docker-based scan agent instead. For instructions, refer to Install a Docker scan agent.

Step 1: Download the Agent

To install the scan agent, download the installation files to a machine on your internal network. These are the steps to download a Scan Agent in Invicti Enterprise on-demand:

  1. In Invicti Enterprise, select Agents  > Manage Agents from the left-side menu.
  2. Click Configure New Agent.
  3. From the Agent - Direct Download section, select Linux to download the required files to install the verifier agent.

Step 2: Install the Agent

To install the Invicti Agent follow these instructions:

  1. Open a terminal window.
  2. Update the operating system's application repositories: 
    sudo apt update && sudo apt upgrade -y
  3. Install the required dependent packages: 
    sudo apt-get install p7zip-full  
    sudo apt install -y wget gss-ntlmssp nano mono-complete apt-transport-https
  4. Create a folder for the Agent dependency: 
    sudo mkdir -p /home/[YOUR_USER]/.local/share/Netsparker_Ltd
  5. Change the ownership of the folder: 
    sudo chown -R [YOUR_USER] /home/[YOUR_USER]/.local/share
note

Make sure that [YOUR_USER] in this step matches the [YOUR_USER] in the unit file described later in this guide.

  1. To install the necessary dependencies for Headless Chrome, run one of the following commands: For Ubuntu 24.04. or higher: 
    sudo apt install -y linux-libc-dev binutils binutils-common binutils-x86-64-linux-gnu openssl unzip p7zip-full gss-ntlmssp libasound2t64 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libnss3 lsb-release xdg-utils libc6-dev libgdiplus libx11-dev mono-complete libgbm-dev libssl3 dirmngr gnupg ca-certificates libarchive-tools
    For Debian-based distributions: 
    sudo apt install -y gconf-service libasound2 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release xdg-utils libgdiplus libgbm-dev
    Check the notes at the end of this document if your operating system is Kali Rolling.
  2. After installing the dependencies, you can download and configure the Headless Chrome browser.
  3. Extract the Agent TAR file by running the following commands: 
    cd /home/[YOUR_USER]
    sudo tar -xvf Invicti_Enterprise_Docker_Scanner_Agent_{Version}.tar --one-top-level
    sudo chown -R [YOUR_USER]:[YOUR_USER] /home/[YOUR_USER]/Invicti_Enterprise_Scanner_Agent
  4. Open the appsettings.json file using your preferred text editor to enter the required information (for example, ApiToken): 
    cd /home/[YOUR_USER]/Invicti_Enterprise_Scanner_Agent
    nano appsettings.json

Change the default data folder for the scanner agent

To change the default data folder, add the following attribute under AgentInfo in the appsettings.json file: "ScanDataFolderPath": "FullPath"

For example, you can set the path like this: /home/[YOUR_USER]/[data folder]/

If you modify an existing agent's appsettings.json file, you must restart the service after making the change. If you are adding this line to a new agent, you can continue with the installation process as usual.

These settings are going to be used by the agent:

  • AgentName: You can set this to any name you prefer. It is going to be displayed when starting a new scan. If installing multiple instances of the agent, ensure each has a unique AgentName that you are going to reference later
  • AgentType: This can be set to either Standard or Cloud. If you plan to use a Cloud Provider for scanning, set AgentType to Cloud.
  • ApiToken: The ApiToken corresponds to the Agent Token displayed in the Configure New Agent window of Invicti Enterprise. Copy this value into the ApiToken field.
  • ApiRootUrl: The URL of Invicti Enterprise or the Invicti Enterprise on-premises
info

To enable detection of Out-of-Band (OOB) vulnerabilities using Invicti Hawk, ensure the following ports are trustlisted on your agent server:

  • TCP Ports: 80 and 443
  • UDP Port: 53

For more details about Invicti Hawk and its vulnerability detection capabilities, refer to How Invicti Hawk Finds Vulnerabilities.

Step 3: Set the Agent as a Linux service

An internal agent must be set up as a Linux service to regularly poll the Invicti Enterprise servers and receive scan initiation commands.

You can complete this configuration in three steps:

  1. Add a unit file for an Invicti Agent
  2. Configure Sudoers for an Invicti Agent
  3. Start Invicti Enterprise Agent as a Linux Service

Add a unit file for an Invicti Agent

Follow these steps to add a unit file for the Invicti Agent:

  1. Open a terminal and do the following: 
    cd /etc/systemd/system
    sudo touch [YOUR_AGENT_NAME].service
    sudo nano [YOUR_AGENT_NAME].service
important

The AgentName specified in the appsettings.json file must match the unit file name of the agent. Consistency between these names is required for proper operation.

  1. Add the following into [YOUR_AGENT_NAME].service: 
    # For internal agents version 2.0.2.157 and newer:
    [Unit]
    Description=netsparker.service description
    [Service]
    Type=notify
    KillMode=process
    Restart=always
    RestartSec=30
    SyslogIdentifier=[YOUR_USER]
    KillSignal=SIGINT
    User=[YOUR_USER]
    WorkingDirectory=[YOUR_AGENT_DIRECTORY_PATH]
    ExecStart=[Your Agent Directory path]/Netsparker.Cloud.Agent
    ExecStop=/usr/bin/pkill -f "[YOUR_AGENT_DIRECTORY_PATH]/Nhs/NetsparkerHelperService.exe"
    [Install]
    WantedBy=multi-user.target
  2. Save and close the document.

Configure Sudoers for an Invicti Agent

To configure sudoers for the Invicti agent, follow these steps:

  1. Navigate to the sudoers directory: 
    sudo su -
    cd /etc/sudoers.d
  2. Create a new sudoers file: 
    sudo touch [YOUR_AGENT_NAME]-systemctl
  3. Edit the file with visudo: 
    sudo visudo -f [YOUR_AGENT_NAME]-systemctl
  4. Add the following to grant the necessary permissions: 
    [YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl start [YOUR_AGENT_NAME].service  
    [YOUR_USER] ALL=(ALL:ALL) NOPASSWD: /usr/bin/systemctl stop [YOUR_AGENT_NAME].service
  5. Save and close the file.

Start Invicti Enterprise Agent as a Linux Service

  1. Reload the system daemon to recognize the new service, and start the agent service: 
    sudo systemctl daemon-reload
    sudo systemctl start [YOUR_AGENT_NAME].service
tip

To ensure the scanning agent service remains active after a machine reboot:

  1. Open a terminal.
  2. Enable the agent service to start automatically: 
    sudo systemctl enable [YOUR_AGENT_NAME].service

You can now verify the connection between Invicti Enterprise and the scan agent by navigating to the Agents menu and selecting Manage Agents.

Install multiple Agents on the same operating system

You can install multiple agents on a Linux system by following these steps:

  1. Open a Terminal Window: Launch the terminal on your Linux operating system.
  2. Create a folder for the New Agent: Create a separate directory to house the files for the new agent. For example: 
    mkdir /path/to/new-agent
    cd /path/to/new-agent
  3. Copy and Extract the TAR File: Move the TAR file for the agent to the newly created folder and extract it: 
    tar -xvf /path/to/agent.tar.gz
  4. Install and Configure the Agent: Follow the instructions provided in Install the Agent and Set the Agent as a Linux service to complete the installation.
  5. Set a Unique Name for the New Agent: Ensure the new agent is assigned a unique name during configuration to avoid conflicts with existing agents.

For more details about managing agents, refer to Managing Groups.

Notes for Kali Rolling

You may encounter an issue while installing the libappindicator1 dependency. You can overcome this by adding the Debian repository to your package manager.

Add Debian Repository to the Source.List in Kali Rolling Distribution

To install libappindicator1 for Headless Chrome browser dependencies, add the Debian Repository to the sources.list in Kali Rolling using these instructions:

  1. Open a terminal and run this command. 
    sudo nano /etc/apt/sources.list
  2. Add the following lines to the sources.list file: 
    deb http://deb.debian.org/debian buster main contrib non-free  
    deb-src http://deb.debian.org/debian buster main contrib non-free
  3. Save and close the file.
  4. Update the repositories: 
    sudo apt update
  5. Install libappindicator1: 
    sudo apt install libappindicator1

After installing libappindicator1, you can resume the agent installation.

Need help?

Invicti Support team is ready to provide you with technical help. Go to Help Center

Was this page useful?