Twigs can discover hosts in two ways:
Local Discovery: Discover the current host where twigs is running. This is called local host discovery and is covered in more detail here.
Remote Discovery: Discover multiple hosts remotely. This is called remote host discovery and is covered in more detail here.
During host discovery, you can also perform an SSH audit and host benchmarks.
Local Host Discovery
Overview
Host discovery (local) is a fairly straightforward process. It needs twigs to be installed on the required host.
Pre-requisites
Twigs should be installed on the required host.
Steps
Once you have twigs installed on the required host, follow the steps below to discover the local host as an asset in ThreatWorx:
Open a new shell / terminal
Check that twigs is installed and running properly by running the command below:
twigs host -h
Run the discovery command as follows:
twigs host [--assetid ASSETID] [--assetname ASSETNAME] [--no_ssh_audit]
[--no_host_benchmark] [--check_vuln CHECK_VULN] [--check_all_vulns]
For information on vulnerabilities supported by twigs plugins, refer here.
After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered asset.
Remote Hosts Discovery
Overview
Twigs can help discover multiple hosts easily using remote hosts discovery.
Pre-requisites
Twigs remote discovery for hosts uses a CSV (comma-separated values) file which provides details about the hosts to be discovered. The CSV format supports specifying individual remote hosts by hostname or IP address, and you can also specify a CIDR (Classless Inter-Domain Routing) or subnet range to discover hosts in your GCP cloud. You can read more details about the format of the CSV file here.
It is recommended that you secure the credentials shared in the CSV file using the '--secure' option provided by twigs. This can be done by following the steps below:
Assume that you have created remote_hosts.csv which contains credentials in clear text.
Run the following command to secure the file:
twigs host --host_list remote_hosts.csv --secure
Optionally, open the remote_hosts.csv file to confirm that the credentials are secured.
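Until the '--secure' step has run, remote_hosts.csv holds credentials in clear text, so it is worth checking who else can read the file first. The following pre-flight check is an added example, not part of twigs or of the original page; the function names are hypothetical, and the only twigs command it uses is the one shown above.

```shell
#!/bin/sh
# Added example (not twigs code): refuse to handle a credentials CSV that
# other local users could read or swap out. Function names are hypothetical.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 only if the path is a regular file (not a symlink), owned by the
# current user, with no group/other permission bits set.
check_cred_file() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    [ -O "$f" ] || { echo "$f: not owned by the current user" >&2; return 1; }
    mode=$(file_mode "$f") || { echo "$f: cannot read file mode" >&2; return 1; }
    case "$mode" in
        *00|0) return 0 ;;   # e.g. 600 or 400: owner-only access
        *) echo "$f: mode $mode allows group/other access" >&2; return 1 ;;
    esac
}

# Run the '--secure' command from the steps above only if the check passes.
secure_host_list() {
    check_cred_file "$1" || return 1
    twigs host --host_list "$1" --secure
}

# Usage: secure_host_list remote_hosts.csv
```

If the check fails, running chmod 600 on the file and repeating the call is usually enough.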
Steps
You can follow the steps below for remote hosts discovery:
Open a new shell / terminal
Check that twigs is installed and running properly by running the command below:
twigs host -h
You need the following information to run the twigs command:
The remote_hosts.csv file created earlier, as mentioned in the pre-requisites section
Run the twigs command as follows:
twigs host --remote_hosts_csv <<PATH_TO_REMOTE_HOSTS_CSV>>
[--password PASSWORD]
[--no_ssh_audit]
[--no_host_benchmark]
[--check_vuln CHECK_VULN]
[--check_all_vulns]
For information on vulnerabilities supported by twigs plugins, refer here.
The discovery process may take some time depending on the number of hosts to be discovered.
After discovery is complete, you can log in to the ThreatWorx Console to view the newly discovered assets.