
NodeZero Host Information

This is the host on which NodeZero will operate and from which the attack will originate. We strongly recommend using Linux, but you can also use Mac or Windows with a little extra work. Place this host within the part of your network from which you want the attack to originate.

The NodeZero Host is a Docker host that runs the NodeZero container. Think of it as the starting point for an attacker. You decide where you want the Attacker’s Perspective to start and drop a NodeZero Host there. The host must be running before the operation starts so that it can download and execute NodeZero, and it must keep running for the duration of the operation. Once the operation is complete, you are free to shut down the host or remove it from the network.

If you want to use a different distribution, contact the H3 team to determine suitability. Most distributions will likely run NodeZero without issue; we just haven’t written checks for or validated all of them.

Host System Requirements

Machine Specifications

  • 2 CPU (physical or virtual)
  • 8GB RAM
  • 20 GB free HDD space

Operating System

  • Ubuntu Linux 16.x, 18.x, 20.x, or higher (also Debian)
  • Redhat Linux 7.x, 8.x, or higher (also CentOS, Fedora)
  • Synology NAS 6.2, 7.0
  • Other Linux distributions (if Docker supports them)
  • Windows 10 with WSL2 (limited NodeZero functionality)
  • macOS 10.x (limited NodeZero functionality)

Network Access

Docker installed

  • Most recent version of Docker
  • See Docker installation instructions below

We have identified intermittent problems running NodeZero on macOS Big Sur (11.x) due to a Docker Engine issue within Docker Desktop for Mac. When the operation starts, NodeZero may not be able to communicate outbound to the Internet from within the Docker container. We are working to resolve this problem and will provide updates as soon as possible. To run an operation when this problem arises, we recommend using a virtual machine (for example, with VirtualBox) configured with the required specs above.

Connectivity Requirements

The brains of your personal ethical hacker live in a single-use architecture in the cloud. We call it Core. The NodeZero host needs access to Core over HTTPS (port 443) to communicate with it. Think of this communication as the central nervous system. Your brain must send messages to your hands, and your hands need to send feedback to your brain so that it can analyze and decide the next best action.

Service Perspective: NodeZero must be able to communicate with Core. We currently utilize AWS SQS, Cognito, and S3 over HTTPS (port 443).

Assessment Perspective: Do NOT modify your environment. NodeZero is not like any other service or tool. If you wouldn’t modify it for an attacker, don’t modify it for NodeZero. If your firewall is configured to block your marketing VLAN from reaching your finance VLAN, leave it. NodeZero will VERIFY that this is happening.

If your environment connects to the internet via a proxy, this will affect NodeZero's ability to communicate out. Contact us to facilitate compatibility.

Outbound Network Access

Uninterrupted network access is required during the entire operation to the following endpoints:

US-Based Operations:

  • cognito-identity.us-east-2.amazonaws.com (over HTTPS port 443)
  • cognito-idp.us-east-2.amazonaws.com (over HTTPS port 443)
  • sqs.us-east-2.amazonaws.com (over HTTPS port 443)
  • *.queue.amazonaws.com (over HTTPS port 443)
  • *.ecr.us-east-2.amazonaws.com (over HTTPS port 443)
  • *.s3.us-east-2.amazonaws.com (over HTTPS port 443)
  • *.s3.amazonaws.com (over HTTPS port 443)
  • *.interacth3.io (over HTTP port 80 – Note no sensitive information of any kind is transmitted over this channel)
  • *.docker.io (over HTTPS port 443)
  • *.docker.com (over HTTPS port 443)
  • api.horizon3ai.com (over HTTPS port 443)
  • downloads.horizon3ai.com (over HTTPS port 443)

EU-Based Operations:

  • cognito-identity.eu-central-1.amazonaws.com (over HTTPS port 443)
  • cognito-idp.eu-central-1.amazonaws.com (over HTTPS port 443)
  • sqs.eu-central-1.amazonaws.com (over HTTPS port 443)
  • *.queue.amazonaws.com (over HTTPS port 443)
  • *.ecr.eu-central-1.amazonaws.com (over HTTPS port 443)
  • *.s3.eu-central-1.amazonaws.com (over HTTPS port 443)
  • *.s3.amazonaws.com (over HTTPS port 443)
  • *.interacth3.eu (over HTTP port 80 – Note no sensitive information of any kind is transmitted over this channel)
  • *.docker.io (over HTTPS port 443)
  • *.docker.com (over HTTPS port 443)
  • api.horizon3ai.eu (over HTTPS port 443)
  • downloads.horizon3ai.com (over HTTPS port 443)

It is possible to run NodeZero through a proxy if necessary. Contact your Horizon3.ai representative for more details.
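
When an operation stalls, the first thing to check is whether the egress firewall or proxy is denying one of the endpoints listed above. The script below is an added example, not Horizon3.ai code: it encodes the two endpoint lists and picks the required flows out of a deny log. The log format (`DENY <source> <host> <port>`) and the function names are assumptions made for the example; adapt the parsing to your firewall's export.

```bash
# Required outbound endpoints from the lists above, one "host-pattern:port" per line.
required_endpoints() {  # $1 = us | eu
  local aws cb api
  case "$1" in
    us) aws=us-east-2;    cb=interacth3.io; api=api.horizon3ai.com ;;
    eu) aws=eu-central-1; cb=interacth3.eu; api=api.horizon3ai.eu ;;
    *)  echo "unknown region: $1" >&2; return 2 ;;
  esac
  printf '%s\n' \
    "cognito-identity.$aws.amazonaws.com:443" "cognito-idp.$aws.amazonaws.com:443" \
    "sqs.$aws.amazonaws.com:443" "*.queue.amazonaws.com:443" \
    "*.ecr.$aws.amazonaws.com:443" "*.s3.$aws.amazonaws.com:443" \
    "*.s3.amazonaws.com:443" "*.$cb:80" "*.docker.io:443" "*.docker.com:443" \
    "$api:443" "downloads.horizon3ai.com:443"
}

# is_required REGION HOST PORT: succeeds if the flow is on the required list.
# The port must match too: the interacth3 callback is port 80 only.
is_required() {
  required_endpoints "$1" | (
    while IFS= read -r entry; do
      [ "${entry##*:}" = "$3" ] || continue
      # Unquoted on purpose: "*" is a wildcard, everything else is literal,
      # so "*.docker.io" matches a.b.docker.io but not notdocker.io.
      case "$2" in ${entry%:*}) exit 0 ;; esac
    done
    exit 1
  )
}

# blocked_required REGION: read deny-log lines on stdin (constructed format:
# "DENY <source> <host> <port>") and print each denied flow NodeZero needs.
blocked_required() {
  local action src host port
  while read -r action src host port; do
    [ "$action" = "DENY" ] || continue
    is_required "$1" "$host" "$port" && echo "$host:$port"
  done
  return 0
}
```

Any line it prints is a required endpoint being denied for the NodeZero host, for example from `blocked_required eu < denies.log`, where `denies.log` is your own export.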

Inbound Network Access

The following ports should be opened on the NodeZero host/VM to allow traffic in:

  • TCP 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3389, 8080
  • UDP 69

This is required on the NodeZero host and does not pertain to perimeter firewalls.
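
To confirm the host firewall on the NodeZero host covers the inbound list above before an operation, the following added example (not Horizon3.ai code) compares the required ports against a list of opened ports in the `port/proto` or `low-high/proto` form that `firewall-cmd --list-ports` prints. The function names are hypothetical; the required ports are taken from this page.

```bash
# Ports this page requires to be open on the NodeZero host itself.
REQUIRED_TCP="21 23 25 53 80 88 110 135 139 143 389 443 445 587 1433 3389 8080"
REQUIRED_UDP="69"

# port_open PORT PROTO "SPECS": succeeds if a spec such as "80/tcp" or
# "135-139/tcp" covers PORT for that protocol. TCP specs never satisfy UDP.
port_open() {
  local spec range lo hi
  for spec in $3; do
    [ "${spec##*/}" = "$2" ] || continue
    range=${spec%/*}
    lo=${range%-*}   # "135-139" -> 135; a single port is left unchanged
    hi=${range#*-}   # "135-139" -> 139; a single port is left unchanged
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ] && return 0
  done
  return 1
}

# missing_inbound "SPECS": print every required port/proto that no spec covers.
missing_inbound() {
  local p
  for p in $REQUIRED_TCP; do port_open "$p" tcp "$1" || echo "$p/tcp"; done
  for p in $REQUIRED_UDP; do port_open "$p" udp "$1" || echo "$p/udp"; done
}

# On a firewalld host: missing_inbound "$(firewall-cmd --list-ports)"
```

`firewall-cmd --list-ports` shows only ports added explicitly, so ports opened through a firewalld service definition are reported as missing here and need to be checked with `firewall-cmd --list-services`.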