# Uncovering Unknowns Through Topology Analysis

November 19, 2019

Version 1.1.5 of the Rumble platform is live! This release includes a new Switch Topology report, updates to the Network Bridges report, and improvements to how SNMP data is collected during scans. Combined, these updates can shine a light on misconfigured network segmentation and help identify assets that may not have been scanned at all. This post will walk through these updates and highlight how these reports can be used to identify unknown risks.

The Switch Topology report uses data enumerated via SNMP to map switch ports to assets. In environments where SNMP v2 with public or private communities is in use, this enumeration happens automatically, but non-default communities can also be provided in the scan configuration. SNMP v3 support, originally planned for the near future, is now available. Clicking on a node in this report will highlight its connections, while mousing over the connections will indicate the specific switch interface associated with the connection. This report is available for all organizations that have SNMP-enabled switches covered by a recent scan (Rumble Agent/Scanner v1.1.4 or newer).

This topology view is helpful when trying to understand how a given asset or switch is connected, but it also provides a critical data point related to risk: the number of unmapped assets. An unmapped asset is a MAC address connected to a switch, but not found in an ARP cache or through any of the other techniques Rumble uses for remote MAC address discovery. For environments where a Rumble agent is connected to each network segment, unmapped assets may highlight VLANs or network segments that are missing from the scan scope. In environments where Rumble is scanning assets multiple hops away, the unmapped asset count can provide an estimate of how well the remote segment is being identified.

In the graph above, we can see that Rumble identified five unmapped assets across five different switch ports. These unmapped assets could not be correlated with scan data and should be investigated to determine where they are coming from and why they aren’t turning up as part of a normal scan. Ports with unmapped assets are identified as red diamonds on the map, with the total count summarized at the bottom.

In more complex environments, the Switch Topology report makes it possible to identify subnets missing from the discovery scope. In the graph above, we can see that for two switches, our visibility is almost perfect, but there are two segments with limited visibility, and another with almost none. To improve the discovery process, the IP ranges of those subnets should be identified and rescanned.
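The unmapped-asset count and per-switch visibility described above can be reproduced from raw data. The following is an added example, not Rumble's implementation: it compares switch forwarding-table rows with the MAC addresses a scan tied to assets. The function names, port names and sample data are constructed, and treating any port that learned another switch's MAC as an uplink is an assumption made here.

```python
import re
from collections import defaultdict

def norm_mac(mac):
    """Reduce aa:bb:.., AA-BB-.. or aabb.ccdd.eeff notation to 12 hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def unmapped_report(fdb, scanned_macs, switch_macs):
    """fdb: (switch, port, mac) rows from each switch's forwarding table.
    scanned_macs: MACs the scan tied to an asset (ARP cache or other means).
    switch_macs: the switches' own MACs; a port that learned one is treated
    as an uplink and skipped (assumption), since hosts seen there sit elsewhere."""
    scanned = {norm_mac(m) for m in scanned_macs}
    infra = {norm_mac(m) for m in switch_macs}
    ports = defaultdict(set)
    for switch, port, mac in fdb:
        ports[(switch, port)].add(norm_mac(mac))
    unmapped, total, mapped = {}, defaultdict(int), defaultdict(int)
    for (switch, port), macs in sorted(ports.items()):
        if macs & infra:
            continue  # uplink/trunk port: do not attribute its MACs here
        gap = sorted(macs - scanned)
        total[switch] += len(macs)
        mapped[switch] += len(macs) - len(gap)
        if gap:
            unmapped[(switch, port)] = gap
    visibility = {sw: mapped[sw] / total[sw] for sw in total}
    return unmapped, visibility

# Constructed sample data (locally administered MACs, hypothetical port names).
SWITCH_MACS = ["02:aa:00:00:00:01", "02:aa:00:00:00:02"]
FDB = [
    ("sw1", "Gi0/1", "02:00:00:00:00:01"),
    ("sw1", "Gi0/2", "02-00-00-00-00-02"),   # never answered the scan
    ("sw1", "Gi0/24", "02:aa:00:00:00:02"),  # sw2 learned here: uplink
    ("sw1", "Gi0/24", "0200.0000.0003"),
    ("sw2", "Gi0/1", "0200.0000.0003"),
    ("sw2", "Gi0/2", "02:00:00:00:00:04"),
    ("sw2", "Gi0/24", "02:aa:00:00:00:01"),  # sw1 learned here: uplink
    ("sw2", "Gi0/24", "02:00:00:00:00:02"),
]
SCANNED = ["02:00:00:00:00:01", "02:00:00:00:00:03", "02:00:00:00:00:04"]

if __name__ == "__main__":
    unmapped, visibility = unmapped_report(FDB, SCANNED, SWITCH_MACS)
    for (switch, port), macs in unmapped.items():
        print(f"{switch} {port}: unmapped {', '.join(macs)}")
    for switch, ratio in visibility.items():
        print(f"{switch}: {ratio:.0%} of edge MACs mapped to scanned assets")
```

Skipping uplink ports keeps a host that is unmapped on one switch from being counted again on every switch that sees its MAC through a trunk.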

This graph also highlights broadcast domain visibility for connected assets. The highlighted asset in the center can see layer-2 broadcast data across four different switches. This may highlight a risk: an attacker running NetBIOS or LLMNR spoofing tools such as Responder or Metasploit could launch attacks against a large number of assets from this node.

The Network Bridges report received an overhaul in this update, with changes to weights, layouts, and interactivity. Assets that have been identified as network switches are now shown as orange squares to match the Switch Topology report, multi-homed assets are now shown as gray hexagons, and assets are now weighted based on the number of networks they bridge. In the graph above, we can see four internet-facing subnets (red circles) are bridged into the internal network, along with seven highly interconnected assets (the larger gray hexagons). From a risk perspective, these may be worth investigating, as a breach of one of these assets could provide access to the rest of the environment.

We hope you find these updates useful and we would love your feedback about what we can improve.

Don’t have a Rumble account? Sign up for a free trial and let us know what you think!
