Network scanning from agents
Use a deployed agent to scan private-RFC-1918 / corporate-only networks that the Pentestas cloud can't reach.
Flow
- Admin creates a
NetworkAgentin the UI with the target workstation's public IP in the allowlist. - Admin or user dispatches a server-scan job via the UI or API.
- The agent receives the job over its WebSocket, runs the scan locally, and streams findings back in real time.
Dispatch from the UI
Agents β pick an agent β Run network scan β enter targets.
Accepts:
- Hostnames (
mail.corp.local) - IPv4 addresses (
10.0.0.5) - CIDRs (
10.0.0.0/24,192.168.0.0/16)
Dispatch from the API
bash
curl -X POST \
"https://app.pentestas.com/api/agents/{agent_id}/server-scan" \
-H "X-API-Key: aa_..." \
-H "Content-Type: application/json" \
-d '{
"targets": ["10.0.0.0/24", "fileserver.corp.local"],
"config": {
"ports": "common",
"brute_force": false,
"cve_check": true,
"protocol_checks": true
}
}'
Response:
json
{
"status": "scan_dispatched",
"scan_id": "c4e6f0b3-β¦",
"agent_id": "a1b2c3d4-β¦",
"agent_name": "corp-fra-01",
"targets": 1
}
What the agent actually runs
- TCP connect scan on common ports (configurable).
- Banner grab + protocol handshake per open port.
- CVE lookup (done server-side, not on the agent).
- Protocol checks β SSH weakness, TLS profile, RDP hardening, SMB signing, etc.
- Optional brute-force against common defaults (admin:admin, root:toor, Cisco defaults, etc.) β requires explicit opt-in.
Safety
- IP allowlist applies to the agent's connection source, not scan targets β the agent can scan any host it can reach on the LAN.
- Scan targets must still belong to the tenant's verified domains or IP allowlist. The backend refuses cross-tenant target lists.
- Scope tags on a scan (
/scope=internal) are propagated to findings for easier filtering.
Output
Same as a cloud-run network scan. Open ports, CVE matches, protocol weaknesses β all written to the standard findings list and visible in the Scan detail page.