
NodeZero Host Information

The NodeZero host serves as the operating platform and starting point for Horizon3.ai's autonomous pentesting solution. We highly recommend using Linux, but customers have successfully used Windows and macOS with Docker. Position the NodeZero host within the network segment where you want the pentest to begin. The host must be running before the operation starts, so that it can download and execute NodeZero, and it must stay up for the duration of the operation. Once the operation is complete, you may shut down the host or remove it from the network.

If you prefer a different distribution, please contact the Horizon3 team for a compatibility assessment. Although most distributions should run NodeZero smoothly, we have not yet performed checks or validations for all of them.

Host System Recommendations

Minimum Specifications

  • 2 CPU (x86-64, physical or virtual)
  • 8GB RAM
  • 20 GB free HDD space

Operating System

  • Ubuntu Linux 18.x, 20.x, or higher
  • Red Hat Linux 7.x (EoL Jun 2024)

It is possible to run NodeZero on other operating systems; however, we will not provide support if issues arise while using them.

Network Access

  • HTTPS (443/tcp) access to various AWS services (SQS, Cognito, S3, ECR, etc.)
  • See Connectivity Requirements for more information

Docker installed

  • Most recent version of Docker
  • Minimum required version: 20.10
  • See Docker installation instructions here
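
A preflight check for the minimums listed above, as an added example (not Horizon3.ai tooling). The function names, the `--run` switch and the 7.5 GiB RAM tolerance are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare this host with the minimums listed above.
MIN_CPUS=2
MIN_DISK_KB=$((20 * 1024 * 1024))
MIN_DOCKER="20.10"
# An "8GB" machine reports less than 8 GiB in MemTotal (firmware and kernel
# reservations). The 7.5 GiB floor is an assumption, not a vendor figure.
MIN_MEM_KB=$((15 * 1024 * 1024 / 2))

# version_ge A B: succeed when dotted version A >= B, compared numerically
# field by field, so 20.9 sorts below 20.10.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "-ce"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# meets_minimums CPUS MEM_KB DISK_KB DOCKER_VERSION: print each shortfall,
# return non-zero if any minimum is missed.
meets_minimums() {
    rc=0
    [ "$1" -ge "$MIN_CPUS" ] || { echo "cpu: $1 core(s), need $MIN_CPUS"; rc=1; }
    [ "$2" -ge "$MIN_MEM_KB" ] || { echo "ram: $2 kB, need 8GB"; rc=1; }
    [ "$3" -ge "$MIN_DISK_KB" ] || { echo "disk: $3 kB free, need 20 GB"; rc=1; }
    version_ge "$4" "$MIN_DOCKER" || { echo "docker: $4, need $MIN_DOCKER"; rc=1; }
    return "$rc"
}

main() {
    [ "$(uname -m)" = "x86_64" ] || echo "arch: $(uname -m) is not x86-64"
    mem_kb=$(awk '/^MemTotal:/ {print $2}' /proc/meminfo)
    # Free space on the filesystem holding Docker's default data root.
    dir=/var/lib/docker; [ -d "$dir" ] || dir=/
    disk_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
    docker_v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || docker_v=0
    meets_minimums "$(nproc)" "$mem_kb" "$disk_kb" "$docker_v" &&
        echo "host meets the listed minimums"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `--run` as a user that can reach the Docker daemon; otherwise the Docker version reads as 0 and is reported as a shortfall.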

Connectivity Requirements

The Core service, which serves as the central intelligence for NodeZero, resides in a single-use architecture within the cloud. The NodeZero host needs access to Core via HTTPS on port 443 to facilitate communication. This connection can be likened to a central nervous system, with the brain sending messages to the hands and receiving feedback to analyze and determine the next appropriate action.

From a service perspective, NodeZero must be able to communicate with Core. We currently use AWS SQS, Cognito, and S3 over HTTPS on port 443.

From an assessment perspective, it is crucial not to modify your environment. NodeZero is a unique service and tool, and you should not alter your settings for it, just as you wouldn't for an attacker. For example, if your firewall is set to block the marketing VLAN from accessing the finance VLAN, leave it as is. NodeZero will verify that this configuration is in place.

If your environment connects to the internet via a proxy, this will affect NodeZero's ability to communicate out. Directions to configure NodeZero for use with a proxy can be found here.

Outbound Network Access

Network access requirements depend on which portal instance generates the test, not on where the NodeZero host is running. Uninterrupted network access to the following endpoints is required during the entire operation:

For US-Based Logins: (portal.horizon3ai.com)

  • HTTPS - 443/tcp
    api.horizon3ai.com
    cognito-identity.us-east-2.amazonaws.com
    cognito-idp.us-east-2.amazonaws.com
    downloads.horizon3ai.com
    sqs.us-east-2.amazonaws.com
    *.docker.com
    *.docker.io
    *.ecr.us-east-2.amazonaws.com
    *.queue.amazonaws.com
    *.s3.amazonaws.com
    *.s3.us-east-2.amazonaws.com
    *.s3-w.us-east-2.amazonaws.com
    
  • HTTP - 80/tcp
    *.interacth3.io
    

For EU-Based Logins: (portal.horizon3ai.eu)

  • HTTPS - 443/tcp
    api.horizon3ai.eu
    cognito-identity.eu-central-1.amazonaws.com
    cognito-idp.eu-central-1.amazonaws.com
    downloads.horizon3ai.com
    sqs.eu-central-1.amazonaws.com
    *.docker.com
    *.docker.io
    *.ecr.eu-central-1.amazonaws.com
    *.queue.amazonaws.com
    *.s3.amazonaws.com
    *.s3.eu-central-1.amazonaws.com
    *.s3-w.eu-central-1.amazonaws.com
    *.execute-api.eu-central-1.amazonaws.com
    *.elb.eu-central-1.amazonaws.com
    *.s3-r-w.eu-central-1.amazonaws.com
    
  • HTTP - 80/tcp
    *.interacth3.eu
    

For NodeZero Runner (EU- and US-based)

  • HTTPS - 443/tcp
    raw.githubusercontent.com
    github.com
    

Note: HTTP use

No sensitive information of any kind is transmitted over this channel.
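
A reachability check for the fixed hostnames in the US-portal list above, as an added example (not Horizon3.ai tooling); it follows the proxy path when `https_proxy` is set. The function names and the `--run` switch are assumptions of this example, and for the EU portal the EU hostnames listed above take the place of the US ones.

```shell
#!/bin/sh
# Added example: probe the fixed hostnames from the US-portal list on 443/tcp.
# Wildcard entries (*.s3.amazonaws.com and similar) cannot be probed by name;
# review those in the firewall or proxy policy itself.
US_HTTPS_HOSTS="api.horizon3ai.com
cognito-identity.us-east-2.amazonaws.com
cognito-idp.us-east-2.amazonaws.com
downloads.horizon3ai.com
sqs.us-east-2.amazonaws.com"

# classify_rc CODE: map a curl exit code to the layer that failed.
classify_rc() {
    case $1 in
        0)     echo ok ;;         # an HTTP response arrived; its status is irrelevant here
        5)     echo proxy-dns ;;  # the configured proxy name did not resolve
        6)     echo dns ;;        # the endpoint name did not resolve
        7)     echo blocked ;;    # connection refused or rejected
        28)    echo timeout ;;    # typical of a silent firewall drop
        35|60) echo tls ;;        # handshake failed or untrusted CA, e.g. TLS inspection
        *)     echo "curl-$1" ;;
    esac
}

# probe HOST: curl honours https_proxy/HTTPS_PROXY, so a configured proxy is used.
probe() {
    curl --silent --output /dev/null --connect-timeout 5 --max-time 15 "https://$1/"
}

# check_hosts LIST [PROBE_FN]: print "host result" per line and return the
# number of hosts that failed. PROBE_FN defaults to probe.
check_hosts() {
    fn=${2:-probe}; failed=0
    for h in $1; do
        rc=0; "$fn" "$h" || rc=$?
        echo "$h $(classify_rc "$rc")"
        [ "$rc" -eq 0 ] || failed=$((failed + 1))
    done
    return "$failed"
}

if [ "${1:-}" = "--run" ]; then check_hosts "$US_HTTPS_HOSTS"; fi
```

A `tls` result on a host that resolves and connects usually means an intermediate device is re-signing the session with a CA the NodeZero host does not trust.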

Consolidated Endpoint

Beta

This feature will need to be enabled for your account. Please contact your CS rep.
User experience is subject to change.

If you are operating the NodeZero host within a restricted network environment, the consolidated endpoint feature can simplify networking requirements. Instead of opening outbound network traffic to all the AWS services listed above, you will only need to allow traffic for the two static IP addresses associated with these domains:

US-Based

  • Domains
    gateway.horizon3ai.com
    interact.gateway.horizon3ai.com
    
  • IPs
    15.197.206.82
    3.33.191.122
    

EU-Based

  • Domains
    gateway.horizon3ai.eu
    interact.gateway.horizon3ai.eu
    
  • IPs
    52.223.20.205
    99.83.187.197
    

Inbound Network Access

The following ports should be opened on the NodeZero host/VM to allow traffic in:

  • TCP 21, 23, 25, 53, 80, 88, 110, 135, 139, 143, 389, 443, 445, 587, 1433, 3306, 3389, 5900, 5985, 8080, 8443, 8888, 28069, 45000-49999
  • UDP 69

This is required on the NodeZero host and does not pertain to perimeter firewalls.