Configuring the Ethiack Beacon

The Ethiack Beacon allows your organization to extend testing to multiple internal networks. Here's how to configure it.

If your organization's plan supports the Ethiack Beacon, you can click the Beacons button on your assets page or go directly to https://portal.ethiack.com/assets/beacons. The Ethiack Beacon is powered by the open-source WireGuard technology for improved security and performance.

Configuration


1. Configure a VM or a machine with the following requirements:

  • Debian-based Linux distribution (others should work too)
  • Docker
  • 2GB RAM
  • 2 vCPU

2. Run our checker or the following command on the machine you will use as the beacon.

curl https://portal.ethiack.com/scripts/beacon/checker | bash

⚠️ Please do not skip this step: if the endpoint port is not reachable, the beacon will not work properly. This port must be forwarded and reachable from the Internet or from Ethiack IPs.

3. Click the Add button and fill in the required information provided by the checker:

  • Name: a unique name for this beacon. Examples: beacon-office-1, beacon-cloud-tier-1
  • Endpoint address: The public IP address or hostname of your beacon VM or server
  • Endpoint port: The UDP port that will be used to give our engine access to the internal network. This port must be forwarded to your server and reachable from the Internet. We can assist you in creating this firewall rule on your cloud. For example, you may choose to allow only Ethiack IP addresses to connect to this port. Our checker will also validate that this port is open and reachable.
  • Network (CIDR): The internal network range that the Beacon will be authorized to access. This doesn't mean we will test every single asset in this range; it's simply an authorization.
  • Network interface: The network interface used to resolve hosts in the internal network range.
  • DNS Server: This is an optional field. Please leave it blank if you are only interested in testing internal IP addresses. However, an internal DNS server is a huge plus, because it allows us to perform reconnaissance and vulnerability identification in internal web apps. This DNS server must be reachable from the Beacon VM or server.

4. Click the Add button. A ZIP file will be generated and should be uploaded to your VM or server via SFTP or similar.

5. Extract the ZIP file on your server and run the start.sh script as root:

unzip ethiack-beacon-internal.zip && sudo ./start.sh

6. If all goes well, the beacon will come online after a few minutes.



Beacon Status


A beacon can report one of several statuses:

  • Active - the beacon is up and running. However, in some scenarios it may still report as active even if the port is not forwarded correctly. If no services are discovered on the assets page after a while, please stop the beacon and run our checker again to verify that the port is reachable.
  • Idle - the beacon is offline or hasn't reported as active yet.
  • Faulty - the beacon is not working properly. Check the logs by running docker compose logs in the beacon directory, or contact us to troubleshoot.

Adding internal assets


Now that the beacon is configured, you must add internal assets. Go to your machine event scope by clicking the Details button on your dashboard and then Edit. Here, you can add private domains or private IP addresses. Wildcards are supported, too, if you added a valid internal DNS server to this beacon.

Note: At this moment, we don't sweep IP ranges to discover alive hosts. You must manually add each IP address, private subdomain, or a wildcard internal domain.
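
A pre-flight check for the asset list you are about to add, as an added example (not Ethiack's code): it applies the rules stated on this page, namely that ranges are not swept, that the Network (CIDR) field defines what the beacon is authorized to access, and that names depend on the DNS Server field. The function name, sample addresses and verdict strings are assumptions made for illustration.

```python
import ipaddress

# Constructed sample input: entries someone might try to add to the scope.
SAMPLE = ["10.20.0.15", "10.20.0.0/24", "192.168.7.9", "8.8.8.8",
          "intranet.corp.example", "*.corp.example"]

def check_scope(entries, authorized_cidr, dns_server=None):
    """Hypothetical helper: map each planned asset entry to a verdict string."""
    network = ipaddress.ip_network(authorized_cidr, strict=False)
    results = {}
    for raw in entries:
        entry = raw.strip().lower()
        if "/" in entry:
            # IP ranges are not swept for live hosts; each address is listed individually.
            results[raw] = "reject: ranges are not swept, list each IP"
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            addr = None  # not an IP literal, handled as a name below
        if addr is not None:
            if not addr.is_private:
                results[raw] = "reject: not a private address"
            elif addr not in network:
                # Assumption: only the beacon's Network (CIDR) range is authorized.
                results[raw] = f"reject: outside authorized network {network}"
            else:
                results[raw] = "ok: internal IP"
        elif dns_server is None:
            # Names and wildcards depend on the beacon's optional DNS Server field.
            results[raw] = "reject: name needs the beacon's DNS Server field"
        elif entry.startswith("*."):
            results[raw] = "ok: wildcard domain"
        else:
            results[raw] = "ok: private domain"
    return results

if __name__ == "__main__":
    for entry, verdict in check_scope(SAMPLE, "10.20.0.0/16").items():
        print(f"{entry:24} {verdict}")
```

Pass the same CIDR and DNS server values you entered when adding the beacon, so the verdicts reflect that beacon's configuration.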


You are all set! Internal assets will start to be tested soon. Keep an eye on your inbox for new findings.