As described in the earlier blog article – Getting started with twigs, one of the discovery modes supported by twigs is host discovery. In the host discovery mode, twigs will collect required metadata from the host to perform no-scan vulnerability assessments.
The host discovery mode supports local and remote discovery.
Local refers to discovery of the host which is running twigs.
$ twigs --handle roadrunner@acme.com --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io host
$ twigs --handle roadrunner@acme.com --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io --noscan host
$ twigs --handle roadrunner@acme.com --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io host --remote_hosts_csv ~/remote-hosts.csv
- hostname – This column is mandatory and can contain hostname or IP address or CIDR range. The CIDR range option allows organizations to easily discover multiple hosts in the same subnet.
- userlogin – This specifies a user on the specified host. It is mandatory.
- userpwd – If the user requires password-based login on the specific host, then specify the password in this field. If you have specified an encrypted private key file, then specify the “pass phrase” for the private key file in this field. Note that it is recommended to secure the information in this field using the ‘--secure’ option.
- privatekey – If the user requires private key based login on the specific host, then specify full path to the private key file.
- assetname – Specify the “Asset Name” for the host.
$ cat remote-hosts.csv
hostname,userlogin,userpwd,privatekey,assetname
michigan,john,johnpwd,,michigan
192.168.2.1,patrick,patpwd
54.133.4.23,ec2-user,,/root/inventory-key-pair.pem
128.45.67.64/30,sysacc,,/home/sysacc/private-key.pem
- The first line is the column header. It is recommended to simply copy-paste it “as is” in your CSV file.
- The second line is used to discover a host named ‘michigan’. It depicts how one can specify the assetid and assetname values.
- The third line specifies the host using its IP address along with user / password combination for login.
- The fourth line specifies a private key file for login.
- The fifth line specifies a CIDR range along with user and private key.
Since this file allows host credentials (user name, password) to be specified in plain text, twigs also allows you to encrypt the password column using the ‘--secure’ option.
This option asks for a password (interactively or on the command line) and encrypts the credentials portion of the CSV file. For example:
$ twigs host --host_list remote-hosts.csv --secure
If the CSV already has records with encrypted credentials, these will be skipped. Also, twigs will ensure that the same password is used to encrypt the CSV if it was ever encrypted before. The password can also be specified on the command line if required using the ‘--password’ option. The CSV file can have a combination of encrypted and non-encrypted data, as new records with credentials can be added to the CSV after it has been encrypted.
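The column rules and the plain-text credential concern described above can be checked before the file is handed to twigs. The following is an added example, not part of twigs or of the original article: `audit_rows` and `mode_too_open` are hypothetical helper names, the last sample row is constructed to trigger a finding, and because the page does not show what an encrypted value looks like, the check reports every populated userpwd field. How twigs enumerates a CIDR range is also not stated, so the count is simply every address in the range.

```python
import csv, io, ipaddress, os, stat

COLUMNS = ["hostname", "userlogin", "userpwd", "privatekey", "assetname"]

# Constructed sample: the rows shown above plus one deliberately invalid row.
SAMPLE = """hostname,userlogin,userpwd,privatekey,assetname
michigan,john,johnpwd,,michigan
192.168.2.1,patrick,patpwd
54.133.4.23,ec2-user,,/root/inventory-key-pair.pem
128.45.67.64/30,sysacc,,/home/sysacc/private-key.pem
,nobody,,,
"""

def mode_too_open(path):
    """True if group or others have any access to the file at path."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o077)

def audit_rows(text):
    """Return (findings, address_count); findings are (line, message)."""
    findings, addresses = [], 0
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != COLUMNS:
        findings.append((1, "header differs from the documented columns"))
    for row in reader:
        lineno = reader.line_num
        # Short rows leave trailing columns as None; treat them as empty.
        val = {k: (row.get(k) or "").strip() for k in COLUMNS}
        if not val["hostname"] or not val["userlogin"]:
            findings.append((lineno, "hostname and userlogin are mandatory"))
            continue
        if "/" in val["hostname"]:
            try:
                net = ipaddress.ip_network(val["hostname"], strict=False)
            except ValueError:
                findings.append((lineno, "invalid CIDR range"))
                continue
            addresses += net.num_addresses  # every address in the range
        else:
            addresses += 1
        if val["userpwd"]:
            findings.append((lineno, "userpwd populated; run --secure"))
    return findings, addresses

if __name__ == "__main__":
    found, count = audit_rows(SAMPLE)
    for lineno, message in found:
        print(f"line {lineno}: {message}")
    print(f"addresses covered: {count}")
```

Calling `mode_too_open` on the CSV and on each private key path it lists shows whether other local users can read them.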
Host discovery mode in twigs provides organizations with a powerful way to discover multiple hosts in a simple and uniform manner.