Endpoint discovery (uncredentialed)

Overview

Twigs supports discovering assets from your environment using nmap.

Pre-requisites

You need to have nmap installed on your host (where you will be running twigs). Nmap needs to be available as /usr/bin/nmap. If you are using the twigs docker image, nmap is pre-bundled with it.

Steps

The steps involved to discover assets using nmap in your environment are as below:

  • Open a new shell / terminal.
  • Check that twigs is installed and running properly by running below command:

twigs nmap -h

  • You can run the command below:

twigs nmap [-h] [--hosts HOSTS] [--timing {0,1,2,3,4,5}] [--discovery_scan_type {N,S,A,U,Y,O,E,P,M}] [--discovery_port_list DISCOVERY_PORT_LIST] [--no_ssh_audit]

where

HOSTS can be single hostname, IP address or CIDR range

TIMING allows fine grained control on performance. For details refer link.

DISCOVERY_SCAN_TYPE allows user to customize the host discovery scan. For details refer link.

DISCOVERY_PORT_LIST can be used to specify port(s) to be used in the host discovery scan.

  • After discovery is complete, you can login into ThreatWorx Console to view the newly discovery assets.

This discovery mode is a best effort to identify the endpoint operating system and services based on fingerprinting techniques offered by nmap. Twigs augments these by using its own NSE scripts for better coverage of obscure services. If you think this coverage can be augmented by adding more of these scripts, please reach out to us at support@threatworx.io

Discovery of operating systems and services will not be as accurate as running a credentialed scan using twigs. This may result in false positives. ThreatWorx console will try and adjust the confidence score of vulnerability findings resulting from nmap discovery which will allow you to filter / hide some of these these results from the console as required. Depending on the size of the network and number of active endpoints, this discovery mode can also take a significant amount of time to complete.