Twigs can help perform deep discovery of your Windows hosts in a credentialed manner. This enables you to discover your Windows hosts through twigs running on a Linux system. Note that you can always use the Twigs PowerShell script to discover Windows hosts from a Windows machine.
Pre-requisites
Twigs should be installed on the required host. It can be scheduled to run on a regular basis (daily, weekly) using cron or similar service.
The Windows hosts to be discovered should have Powershell Remoting / WinRM enabled.
Twigs remote discovery for hosts uses a CSV (comma-separated values) file which provides details about the hosts to be discovered. The CSV format supports specifying individual remote hosts via hostname or IP address, and you can specify a CIDR (Classless Inter-Domain Routing) or subnet range to discover hosts in your environment.
Host CSV file
The format of the remote hosts CSV file is as follows: hostname,userlogin,userpwd
The first line in the CSV file is the column header record and it has the columns as mentioned above. The subsequent lines in the CSV file are data records.
Here are details about the respective columns in the remote hosts CSV file:
- hostname – This column is mandatory and can contain hostname or IP address or CIDR range. The CIDR range option allows organizations to easily discover multiple hosts in the same subnet.
- userlogin – This specifies a user on the specified host. It is mandatory.
- userpwd – This is the password of the specified user for remote login. Note it is recommended to secure the information in this field using the ‘--secure’ option.
Here is a sample remote hosts CSV file:
$ cat remote-hosts.csv
hostname,userlogin,userpwd
michigan,john,johnpwd
192.168.2.1,domain\patrick,patpwd
Let us better understand the sample remote hosts CSV file:
- The first line is the column header. It is recommended to simply copy-paste it “as is” in your CSV file.
- The second line is used to discover a host named ‘michigan’ with local user on the Windows machine.
- The third line specifies the host using its IP address along with domain user / password combination for domain login.
Since this file allows host credentials (user name, password) to be specified in plain text, twigs also allows you to encrypt the password column using the ‘--secure’ option.
This option asks for a password (interactively or on the command line) and encrypts the credentials portion of the CSV file. For example:
twigs win_host --host_list remote-hosts.csv --secure
If the CSV already has records with encrypted credentials, these will be skipped. Also, twigs will ensure that the same password is used to encrypt the CSV if it was ever encrypted before. The password can be specified on the command line if required using the ‘--password’ option. The CSV file can have a combination of encrypted and non-encrypted data, as new records with credentials can be added to the CSV after it has been encrypted.
Windows host discovery mode in twigs provides organizations with a powerful way to discover multiple Windows hosts in a simple and uniform manner.
It is recommended that you secure the credentials shared in the CSV file using the ‘--secure’ option provided by twigs.
Steps involved
You can follow the steps below for remote Windows hosts discovery:
- Open a new shell / terminal
- You need the following information to run twigs command:
- the remote hosts CSV file created earlier, as described in the Pre-requisites section
- Run the twigs command as below:
twigs win_host --remote_hosts_csv <<PATH_TO_REMOTE_HOSTS_CSV>> [--password PASSWORD]
- The discovery process may take some time depending on the number of hosts to be discovered.
- After discovery is complete, you can login into ThreatWorx Console to view the newly discovered assets.
Examples
$ twigs win_host --remote_hosts_csv C:\my_cidrs.csv
Discover all hosts enumerated in “my_cidrs.csv” as assets in ThreatWorx.