
Host discovery using twigs

by Paresh Borkar

As described in the earlier blog article – Getting started with twigs, one of the discovery modes supported by twigs is host discovery. In the host discovery mode, twigs will collect required metadata from the host to perform no-scan vulnerability assessments.

The host discovery mode supports local and remote discovery.

Local refers to discovery of the host which is running twigs.

Example of local discovery:

$ twigs --handle roadrunner@acme.com --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io host

The above command will discover the host on which the twigs command is run. For example, if we run this command on an Ubuntu box called “Ubuntu-Box”, twigs will collect the required metadata from “Ubuntu-Box” and create an asset for it in ThreatWatch. Note that the API token passed via --token is visible in your shell history and in the process list while twigs runs, so treat it like a password.
Note that you can ask twigs to start a scan once asset discovery is complete via the --scan option, as below:

$ twigs --handle roadrunner@acme.com --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io --scan quick host

Remote discovery allows twigs to run on one host while discovering other hosts in the network. For remote discovery, specify the --remote_hosts_csv option with twigs in “host” mode.
Example of remote discovery:

$ twigs --handle roadrunner@acme.com --token c8dddddd-eeee-eeee-eeee-aaca617649cc --instance acme.threatwatch.io host --remote_hosts_csv ~/remote-hosts.csv

The format of the remote hosts CSV file is as follows: hostname,userlogin,userpwd,privatekey,assetid,assetname
 
The first line in the CSV file is the column header record and it has the columns as mentioned above. The subsequent lines in the CSV file are data records.
Here are details about the respective columns in the remote hosts CSV file:
  • hostname – This column is mandatory and can contain a hostname, an IP address or a CIDR range. The CIDR range option allows organizations to easily discover multiple hosts in the same subnet.
  • userlogin – This specifies a user on the specified host. It is mandatory.
  • userpwd – If the user requires password-based login on the specific host, then specify the password. Since this stores the password in clear text, prefer private key based login where possible and restrict read access to the CSV file (for example, chmod 600) on the host that runs twigs.
  • privatekey – If the user requires private key based login on the specific host, then specify the full path to the private key file.
  • assetid – Specify an “Asset ID” for the host.
  • assetname – Specify the “Asset Name” for the host.
 
Here is a sample remote hosts CSV file:
$ cat remote-hosts.csv
hostname,userlogin,userpwd,privatekey,assetid,assetname
michigan,john,johnpwd,,michigan,michigan
192.168.2.1,patrick,patpwd
54.133.4.23,ec2-user,,/root/inventory-key-pair.pem
128.45.67.64/30,sysacc,,/home/sysacc/private-key.pem
Let us better understand the sample remote hosts CSV file:
  • The first line is the column header. It is recommended to simply copy-paste it “as is” in your CSV file.
  • The second line is used to discover a host named ‘michigan’. It depicts how one can specify the assetid and assetname values.
  • The third line specifies the host using its IP address along with user / password combination for login.
  • The fourth line specifies a private key file for login.
  • The fifth line specifies a CIDR range along with a user and private key.
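Because this file carries login credentials and drives what gets discovered, it is worth checking it before handing it to twigs. The script below is an added example and not part of twigs: it parses the CSV format described above (padding short data records such as the third line of the sample, which has only three fields), classifies each hostname entry as a hostname, IP or CIDR block, counts how many addresses each record expands to, and flags records with no userlogin, records that store a clear-text password, and (optionally) private key files that are missing or readable by other users. The column names and the sample rows are taken from the post; the file-permission check and the assumption that twigs needs either userpwd or privatekey for every record are mine.

```python
"""Validate a twigs remote-hosts CSV before running
`twigs ... host --remote_hosts_csv <file>`.

Added example; not code from twigs or ThreatWatch. The column layout follows
the format described in the post. Whether twigs skips the network and
broadcast addresses of a CIDR block is not stated there, so expand_target()
returns every address in the block.
"""
import csv
import io
import ipaddress
import os
import stat

EXPECTED_HEADER = ["hostname", "userlogin", "userpwd", "privatekey", "assetid", "assetname"]

# Constructed sample mirroring the post's remote-hosts.csv (ragged rows included).
SAMPLE_CSV = """hostname,userlogin,userpwd,privatekey,assetid,assetname
michigan,john,johnpwd,,michigan,michigan
192.168.2.1,patrick,patpwd
54.133.4.23,ec2-user,,/root/inventory-key-pair.pem
128.45.67.64/30,sysacc,,/home/sysacc/private-key.pem
"""


def target_kind(target):
    """Classify the hostname column as 'cidr', 'ip' or 'hostname'."""
    try:
        ipaddress.ip_network(target, strict=False)
    except ValueError:
        return "hostname"          # anything that is not an address/prefix
    return "cidr" if "/" in target else "ip"


def expand_target(target):
    """List the addresses one hostname entry stands for (a CIDR block expands
    to every address in it, network and broadcast included)."""
    if target_kind(target) != "cidr":
        return [target]
    return [str(a) for a in ipaddress.ip_network(target, strict=False)]


def parse_rows(text):
    """Parse the CSV into dicts keyed by header name; short records are padded
    with empty strings, as in the post's sample file."""
    reader = csv.reader(io.StringIO(text))
    header = [h.strip() for h in next(reader)]
    if header != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {header!r}")
    rows = []
    for rec in reader:
        if not any(f.strip() for f in rec):
            continue               # skip blank lines
        if len(rec) > len(EXPECTED_HEADER):
            raise ValueError(f"too many columns: {rec!r}")
        rec = [f.strip() for f in rec] + [""] * (len(EXPECTED_HEADER) - len(rec))
        rows.append(dict(zip(EXPECTED_HEADER, rec)))
    return rows


def key_file_issues(path):
    """Hypothetical hygiene check on a private key path; only meaningful on the
    machine that will run twigs, where the file is expected to exist."""
    issues = []
    if not os.path.isabs(path):
        issues.append(f"privatekey is not an absolute path: {path}")
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return issues + [f"private key file not found: {path}"]
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        issues.append(f"private key {path} is readable by group/others")
    return issues


def validate(text, check_key_files=False):
    """Return {hostname: [problems...]}; an empty list means the record is OK."""
    report = {}
    for row in parse_rows(text):
        host = row["hostname"]
        problems = []
        if not host:
            problems.append("hostname is mandatory")
        if host in report:
            problems.append("duplicate hostname entry")
        if not row["userlogin"]:
            problems.append("userlogin is mandatory")
        if not row["userpwd"] and not row["privatekey"]:
            problems.append("warning: neither userpwd nor privatekey given")
        if row["userpwd"]:
            problems.append("warning: clear-text password stored in CSV; prefer privatekey")
        if row["privatekey"] and check_key_files:
            problems.extend(key_file_issues(row["privatekey"]))
        report[host] = report.get(host, []) + problems
    return report


def total_targets(text):
    """Number of individual addresses/hosts the file will make twigs reach out to."""
    return sum(len(expand_target(r["hostname"])) for r in parse_rows(text))


if __name__ == "__main__":
    for host, problems in validate(SAMPLE_CSV).items():
        print(host, target_kind(host), problems or "ok")
    print("targets:", total_targets(SAMPLE_CSV))
```

Run it against your own file with validate(open("remote-hosts.csv").read(), check_key_files=True) on the host that will execute twigs; the target count is a useful sanity check before a CIDR entry fans out into a larger subnet than intended.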

Host discovery mode in twigs gives organizations a powerful way to discover multiple hosts in a simple and uniform manner.
