Running initial scans

Background

Once you have an explorer installed, you can start using it for network discovery. While our goal is to configure scheduled scans that we set and forget, we need to go about our first scans in a more structured manner.

The goals of our first scans are to:

  • Verify the explorer is set up properly and has everything installed
  • Validate explorer connectivity to varying parts of the network
  • Determine how long scans will take at varying sizes to help with future scheduling

Your first few scans

To get started, you will want to scan a few smaller ranges to make sure everything is working as expected. Start with a few /24 network blocks from each of the RFC1918 ranges to make sure everything looks good.

For setting up the first scan:

  1. Navigate to Sites > New Site > Create a new temporary site within the Organization
  2. Navigate to Tasks > Scan > Standard Scan to create a scan task
  3. Choose the new site you created in step 1
  4. Include a range of the RFC1918 IP addresses in the Discovery Scope, plus a small network or two that you know is in use. A suggested value for the RFC1918 range includes: 10.0.0.0/24,10.0.255.0/24,10.64.0.0/24,10.64.255.0/24,10.128.0.0/24,10.128.255.0/24,10.192.0.0/24,10.192.255.0/24,10.255.0.0/24,10.255.255.0/24,192.168.0.0/24,192.168.64.0/24,192.168.128.0/24,192.168.192.0/24,192.168.255.0/24,172.16.0.0/24,172.23.0.0/24,172.31.0.0/24,<your networks here>
  5. On the Advanced tab, enable the Subnet Ping option
  6. Click on Initialize Scan
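Before clicking Initialize Scan it is worth confirming that every entry in the Discovery Scope really is private address space and that nothing overlaps, and after the scan it is worth turning the measured duration into an estimate for the full RFC1918 run. The script below is an added example (not runZero's own tooling): the scope string is the page's suggested value with a constructed non-private entry standing in for <your networks here>, the timing values passed to estimate_seconds are placeholders, and the linear extrapolation is an assumption that holds only while packets-per-second and max group size stay the same.

```python
"""Sanity-check a Discovery Scope before the first scan and extrapolate
scan duration from a test run (added example, not runZero code)."""
import ipaddress

# The three RFC1918 blocks a discovery scan is expected to stay inside.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Page's suggested value; 192.0.2.0/24 is a constructed placeholder for
# "<your networks here>" that is deliberately NOT private, so classify()
# has something to flag.
SCOPE = ("10.0.0.0/24,10.0.255.0/24,10.64.0.0/24,10.64.255.0/24,"
         "10.128.0.0/24,10.128.255.0/24,10.192.0.0/24,10.192.255.0/24,"
         "10.255.0.0/24,10.255.255.0/24,192.168.0.0/24,192.168.64.0/24,"
         "192.168.128.0/24,192.168.192.0/24,192.168.255.0/24,"
         "172.16.0.0/24,172.23.0.0/24,172.31.0.0/24,192.0.2.0/24")


def parse_scope(scope):
    """Split the comma-separated scope into networks. strict=False keeps a
    host address with a mask (e.g. 10.0.0.5/24) from raising ValueError."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in scope.split(",") if s.strip()]


def classify(nets):
    """Partition entries into RFC1918 and everything else, so a typo that
    points the scan at public space is caught before the scan runs."""
    private = [n for n in nets if any(n.subnet_of(p) for p in RFC1918)]
    other = [n for n in nets if n not in private]
    return private, other


def overlaps(nets):
    """Pairs of scope entries that overlap (double-scanning the same IPs
    skews the timing numbers you are trying to collect)."""
    seen, dupes = [], []
    for n in nets:
        for m in seen:
            if n.overlaps(m):
                dupes.append((str(m), str(n)))
        seen.append(n)
    return dupes


def total_addresses(nets):
    """Number of addresses the scan will probe."""
    return sum(n.num_addresses for n in nets)


def estimate_seconds(test_addresses, test_seconds, target_addresses):
    """Rough linear extrapolation: seconds per address observed in the test
    scan times the address count of the planned scan. Assumption: constant
    throughput, i.e. unchanged pps and max group size on the explorer."""
    return test_seconds / test_addresses * target_addresses


if __name__ == "__main__":
    nets = parse_scope(SCOPE)
    private, other = classify(nets)
    print(f"{len(private)} private entries, {len(other)} non-private: "
          f"{[str(n) for n in other]}")
    print(f"overlaps: {overlaps(nets)}")
    print(f"addresses in scope: {total_addresses(nets)}")
    # Placeholder timing: a 256-address test scan that took 60 seconds.
    print(f"full RFC1918 estimate: "
          f"{estimate_seconds(256, 60, total_addresses(RFC1918)) / 3600:.1f} h")
```

Feed it the exact string you paste into the Discovery Scope field; anything that lands in the non-private list or the overlaps list should be corrected before the task is created.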

After these scans are complete, you will want to check for these things:

  • Check the ipv4.traceroute value for assets in each RFC1918 range to verify you aren’t sending traffic to an edge router or firewall.
    • Unused private IPs should have routes stubbed out to prevent traffic from being sent to the default gateway which can create a loop. You can also verify this with traceroutes from the explorer.
  • If your scan results have a large series of somewhat sequential IPs that have only ICMP or a very small number of similar ports open on them, that’s probably a proxy or firewall. Check out those IPs to see if any are real. To find assets with only ICMP enabled use the inventory query alive:t AND service_count:=1 AND service_count_icmp:=1
    • You can add an allow rule for the explorer IP to properly scan devices on the other side
    • Another option is to add a second explorer on the other side of the proxy or firewall
  • If you receive reports or alerts about service outages, check for session-aware devices such as routers, firewalls, and proxies that are having issues handling the session load. If you run into this, there are multiple ways to approach solving the issue.
    • The simplest solution is to set up another explorer on the other side of the device and run scans separately
    • Another option is to segment your scans on the existing explorer, and run smaller, separate scan tasks for the network ranges on the other side of the device with lower packets-per-second and max group sizes to minimize the number of IPs that will be scanned at once
  • Check how long each scan took to get an idea for how long larger scans would take
  • Verify you see screenshots on ports that accept HTTP/HTTPS requests
    • If you don’t see any, you likely need to install Chrome on the machine
  • Check for MAC addresses
    • If you aren’t seeing them you should configure SNMP
    • If SNMP is configured, you should verify community strings and check for unmanaged switches

Note: Once you have verified that your first scan ran successfully, you can delete the temporary site and set up a “real” scan.
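The post-scan checks in the list above can be run mechanically over an asset export instead of by eye. The following is an added example, not runZero's own code: the asset dictionaries are constructed, and the keys ip, alive, service_count, service_count_icmp, traceroute and mac are simplified stand-ins for the inventory attributes the page names (ipv4.traceroute, service_count, service_count_icmp); rename them to match your export. The traceroute field is assumed to be a list of hop addresses, and EDGE_ROUTERS is the set of edge router or firewall addresses you do not want scan traffic reaching.

```python
"""Post-scan sanity checks over constructed asset records
(added example, not runZero code)."""
import ipaddress

# Assumption: the addresses of your edge routers/firewalls. Traffic to an
# unused private range should never show these as a hop.
EDGE_ROUTERS = {"10.0.0.1"}

# Constructed sample: one normal host, a run of four consecutive addresses
# answering ICMP only (a firewall answering on behalf of the block), and
# one address in a range that is not stubbed out, so its path ran out
# through the edge router.
ASSETS = [
    {"ip": "10.0.1.5", "alive": True, "service_count": 4,
     "service_count_icmp": 1, "traceroute": ["10.0.1.1"],
     "mac": "00:11:22:33:44:55"},
] + [
    {"ip": f"10.0.1.{last}", "alive": True, "service_count": 1,
     "service_count_icmp": 1, "traceroute": ["10.0.1.1"], "mac": None}
    for last in (10, 11, 12, 13)
] + [
    {"ip": "10.255.0.7", "alive": True, "service_count": 1,
     "service_count_icmp": 1, "traceroute": ["10.0.1.1", "10.0.0.1"],
     "mac": None},
]


def icmp_only(assets):
    """Same selection as the inventory query
    alive:t AND service_count:=1 AND service_count_icmp:=1."""
    return [a for a in assets
            if a["alive"] and a["service_count"] == 1
            and a["service_count_icmp"] == 1]


def sequential_runs(assets, min_len=3):
    """Group ICMP-only assets into runs of consecutive addresses. A long
    run is the proxy/firewall signature the page describes; returns
    (first_ip, last_ip) per run of at least min_len addresses."""
    ips = sorted(int(ipaddress.ip_address(a["ip"])) for a in icmp_only(assets))
    runs, run = [], []
    for ip in ips:
        if run and ip != run[-1] + 1:
            if len(run) >= min_len:
                runs.append(run)
            run = []
        run.append(ip)
    if len(run) >= min_len:
        runs.append(run)
    return [(str(ipaddress.ip_address(r[0])), str(ipaddress.ip_address(r[-1])))
            for r in runs]


def routed_via_edge(assets, edge_routers=EDGE_ROUTERS):
    """Assets whose traceroute passed through an edge router or firewall:
    the private range was not stubbed out and traffic took the default
    route, which is what the ipv4.traceroute check is meant to catch."""
    return [a["ip"] for a in assets if edge_routers & set(a["traceroute"])]


def missing_mac(assets):
    """Assets with no MAC address; if this is most of a subnet, SNMP is
    probably not configured or the community string is wrong."""
    return [a["ip"] for a in assets if not a.get("mac")]


if __name__ == "__main__":
    print("ICMP-only runs (likely proxy/firewall):", sequential_runs(ASSETS))
    print("paths through edge routers:", routed_via_edge(ASSETS))
    print("assets without MAC:", missing_mac(ASSETS))
```

Runs reported by sequential_runs are candidates to look at individually, as the page says; a single ICMP-only host is usually just a host with a restrictive host firewall, which is why the default minimum run length is three.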

Full RFC 1918 scan

Once you have completed the initial test scans, it’s time to do a full network scan. This will help give you further insight into all of the routable IP space the explorer will be able to run discovery on.

A couple quick things to do after the full scan is complete include:

  • Run the queries in the query library, especially the high and medium severity ones. These could show vulnerabilities you want to address straight away.
  • Use the view more button underneath the frequency tables on the dashboard and track down the hardware, OS, protocols, products, etc. that have low counts. These outliers may not belong on your network.

Once you have done that, you can move on to these larger tasks: