As described in the earlier blog article – Getting started with twigs, one of the discovery modes supported by twigs is host discovery. In the host discovery mode, twigs will collect required metadata from the host to perform no-scan vulnerability assessments.
The host discovery mode supports local and remote discovery.
Local refers to discovery of the host which is running twigs.
$ twigs --handle firstname.lastname@example.org --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io host
$ twigs --handle email@example.com --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io --noscan host
$ twigs --handle firstname.lastname@example.org --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io host --remote_hosts_csv ~/remote-hosts.csv
- hostname – This column is mandatory and can contain hostname or IP address or CIDR range. The CIDR range option allows organizations to easily discover multiple hosts in the same subnet.
- userlogin – This specifies an user on the specified host. It is mandatory.
- userpwd – If the user requires password-based login on the specific host, then specify the password in this field. If you have specified a encrypted private key file, then specify the “pass phrase” for private key file in this field. Note it is recommended to secure the information in this field using the ‘–secure’ option.
- privatekey – If the user requires private key based login on the specific host, then specify full path to the private key file.
- assetname – Specify the “Asset Name” for the host.
$ cat remote-hosts.csv hostname,userlogin,userpwd,privatekey,assetname michigan,john,johnpwd,,michigan 192.168.2.1,patrick,patpwd 22.214.171.124,ec2-user,,/root/inventory-key-pair.pem 126.96.36.199/30,sysacc,,/home/sysacc/private-key.pem
- The first line is the column header. It is recommended to simply copy-paste it “as is” in your CSV file.
- The second line is used to discover a host named ‘michigan’. It depicts how one can specify the assetid and assetname values.
- The third line specifies the host using its IP address along with user / password combination for login.
- The fourth line specifies a private key file for login.
- The fifth line specifies a CIDR rage along with user and private key.
Since this file allows host credentials (user name, password) to be specified in plain text, twigs also allows to encrypt the password column using the ‘–secure’ option
This option which asks for a password (interactively or on command line) and encrypts the credentials portion of the CSV file. For e.g.
$ twigs host --host_list remote-hosts.csv --secure
If the CSV already has a records with encrypted credentials, these will be skipped. Also twigs will ensure that the same password is used to encrypt the CSV if it was ever encrypted before. Also the password can be specified on the command line if required using the ‘–password’ option. The CSV file can have a combination of encrypted and non-encrypted data as new records with credentials can be added to the CSV after it has been encrypted.
Host discovery mode in twigs provides organizations with powerful way to discover multiple hosts in a simple and uniform manner.