NodeZero Host Information
The NodeZero host serves as the operating platform and starting point for Horizon3.ai's autonomous pentesting solution. We highly recommend using Linux, but customers have successfully employed Windows and macOS with Docker. Position the NodeZero host within the network segment where you want the pentest to begin. Before starting the operation, make sure the host is running so that it can download and execute NodeZero, and keep it running throughout the operation. Once the operation is complete, you may shut down the host or remove it from the network.
If you prefer a different distribution, please contact the Horizon3 team for compatibility assessment. Although most distributions should run NodeZero smoothly, we have not yet performed checks or validations for all of them.
Host System Recommendations
- 2 CPU (x86-64, physical or virtual)
- 8GB RAM
- 20 GB free HDD space
- Ubuntu Linux 18.x, 20.x, or higher
- Red Hat Linux 7.x (EoL Jun 2024)
It is possible to run NodeZero on other operating systems; however, we will not provide support if issues arise while using them.
- HTTPS (443/tcp) access to various AWS services (SQS, Cognito, S3, ECR, etc.)
  - See Connectivity Requirements for more information
- Most recent version of Docker
  - Minimum required version: 20.10
  - See Docker installation instructions here
The Core service, which serves as the central intelligence for NodeZero, resides in a single-use architecture within the cloud. The NodeZero host needs access to Core via HTTPS on port 443 to communicate with it. This connection can be likened to a central nervous system, with the brain sending messages to the hands and receiving feedback to analyze and determine the next appropriate action.
From a service perspective, NodeZero must be able to communicate with Core. We currently use AWS SQS, Cognito, and S3 over HTTPS on port 443.
From an assessment perspective, it is crucial not to modify your environment. NodeZero is a unique service and tool, and you should not alter your settings for it, just as you would not for an attacker. For example, if your firewall is set to block the marketing VLAN from accessing the finance VLAN, leave it as is. NodeZero will verify that this configuration is in place.
If your environment connects to the internet via a proxy, this will affect NodeZero's ability to communicate out. Directions to configure NodeZero for use with a proxy can be found here.
Outbound Network Access
Network access requirements are based on which portal instance generates the test, not on where the NodeZero host is running. Uninterrupted network access to the following endpoints is required during the entire operation:
For US-Based Logins: (portal.horizon3ai.com)
- HTTPS - 443/tcp
  - api.horizon3ai.com
  - cognito-identity.us-east-2.amazonaws.com
  - cognito-idp.us-east-2.amazonaws.com
  - downloads.horizon3ai.com
  - sqs.us-east-2.amazonaws.com
  - *.docker.com
  - *.docker.io
  - *.ecr.us-east-2.amazonaws.com
  - *.queue.amazonaws.com
  - *.s3.amazonaws.com
  - *.s3.us-east-2.amazonaws.com
- HTTP - 80/tcp
For EU-Based Logins: (portal.horizon3ai.eu)
- HTTPS - 443/tcp
  - api.horizon3ai.eu
  - cognito-identity.eu-central-1.amazonaws.com
  - cognito-idp.eu-central-1.amazonaws.com
  - downloads.horizon3ai.com
  - sqs.eu-central-1.amazonaws.com
  - *.docker.com
  - *.docker.io
  - *.ecr.eu-central-1.amazonaws.com
  - *.queue.amazonaws.com
  - *.s3.amazonaws.com
  - *.s3.eu-central-1.amazonaws.com
- HTTP - 80/tcp
Note: HTTP use
No sensitive information of any kind is transmitted over this channel.
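A preflight check for the Docker minimum version and the outbound HTTPS endpoints listed above can be scripted before an operation is started. The script below is an added example, not Horizon3.ai tooling; the function names are made up for illustration, and it assumes curl and the docker CLI are installed on the NodeZero host.

```shell
#!/bin/sh
# Preflight for a NodeZero host: Docker version and outbound HTTPS reachability.
# Added example, not Horizon3.ai tooling. Host names are copied from this page.
MIN_DOCKER="20.10"

# version_ge A B: true when dotted version A >= B, comparing major.minor
# numerically (a plain string compare would rank 20.9 above 20.10).
version_ge() {
    a="$1.0"; b="$2.0"            # pad so a bare "20" still has a minor part
    a_major=${a%%.*}; a_rest=${a#*.}; a_minor=${a_rest%%[!0-9]*}
    b_major=${b%%.*}; b_rest=${b#*.}; b_minor=${b_rest%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -eq "$b_major" ] && [ "${a_minor:-0}" -ge "${b_minor:-0}" ]
}

# endpoints_for REGION: the non-wildcard HTTPS hosts for the us or eu portal.
# Wildcard entries (*.docker.io, *.s3.amazonaws.com, ...) cannot be probed by
# name; confirm those in the firewall or proxy policy itself.
endpoints_for() {
    case "$1" in
        us) aws=us-east-2;    api=api.horizon3ai.com ;;
        eu) aws=eu-central-1; api=api.horizon3ai.eu ;;
        *)  echo "unknown region: $1" >&2; return 2 ;;
    esac
    printf '%s\n' "$api" downloads.horizon3ai.com \
        "cognito-identity.$aws.amazonaws.com" "cognito-idp.$aws.amazonaws.com" \
        "sqs.$aws.amazonaws.com"
}

# probe HOST: complete a TLS connection on 443/tcp; any HTTP status counts.
# curl honours https_proxy, so this follows the same path through a proxy.
probe() {
    curl -s -o /dev/null --connect-timeout 5 --max-time 15 "https://$1/"
}

preflight() {
    rc=0
    hosts=$(endpoints_for "$1") || return 2
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || ver=""
    if [ -n "$ver" ] && version_ge "$ver" "$MIN_DOCKER"; then
        echo "ok    docker $ver"
    else
        echo "FAIL  docker ${ver:-not reachable} (need >= $MIN_DOCKER)"; rc=1
    fi
    for h in $hosts; do
        if probe "$h"; then echo "ok    $h:443"
        else echo "FAIL  $h:443 (curl exit $?)"; rc=1; fi
    done
    return $rc
}

case "${1:-}" in us|eu) preflight "$1" ;; esac   # e.g. sh preflight.sh eu
```

Pick the region that matches the portal used to generate the test, not the location of the host. A curl exit code of 60 on an otherwise reachable endpoint can indicate a TLS-inspecting proxy in the path.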
Inbound Network Access
The following ports should be opened on the NodeZero host/VM to allow traffic in:
- TCP 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999
- UDP 69
This is required on the NodeZero host and does not pertain to perimeter firewalls.