Running initial scans

Background

Once you have an Explorer installed, you can start using it for network discovery. While our goal is to configure scheduled scans that we set and forget, we need to go about our first scans in a more structured manner.

The goals of our first scans are to:

  • Verify the Explorer is set up properly and has everything installed
  • Validate Explorer connectivity to varying parts of the network
  • Determine how long scans will take at varying sizes to help with future scheduling

Your first few scans

To get started, you will want to scan a few smaller ranges to make sure everything is working as expected. Start with a few /24 network blocks from each of the RFC 1918 ranges to make sure everything looks good.

For setting up the first scan:

  1. Navigate to Sites > New Site > Create a new temporary site within the Organization
  2. Navigate to Tasks > Scan > Standard Scan to create a scan task
  3. Choose the new site you created in step 1
  4. Include a range of the RFC1918 IP addresses in the Discovery Scope, plus a small network or two that you know is in use. A suggested value for the RFC1918 range includes: 10.0.0.0/24,10.0.255.0/24,10.64.0.0/24,10.64.255.0/24,10.128.0.0/24,10.128.255.0/24,10.192.0.0/24,10.192.255.0/24,10.255.0.0/24,10.255.255.0/24,192.168.0.0/24,192.168.64.0/24,192.168.128.0/24,192.168.192.0/24,192.168.255.0/24,172.16.0.0/24,172.23.0.0/24,172.31.0.0/24,<your networks here>
  5. On the Advanced tab, enable the Subnet sampling option
  6. Click on Initialize Scan

After these scans are complete, you will want to check for these things:

  • Check the ipv4.traceroute value for assets in each RFC1918 range to verify you aren’t sending traffic to an edge router or firewall.
    • Unused private IPs should have routes stubbed out to prevent traffic from being sent to the default gateway which can create a loop. You can also verify this with traceroutes from the Explorer.
  • If your scan results have a large series of somewhat sequential IPs that have only ICMP or a very small number of similar ports open on them, that’s probably a proxy or firewall. Check out those IPs to see if any are real. To find assets with only ICMP enabled, use the inventory query alive:t AND service_count:=1 AND service_count_icmp:=1
    • You can add an allow rule for the Explorer IP to properly scan devices on the other side
    • Another option is to add a second Explorer on the other side of the proxy or firewall
  • If you receive reports or alerts about service outages, check for session aware devices such as routers, firewalls, and proxies that are having issues handling the session load. If you run into this, there are multiple ways to approach solving the issue.
    • The simplest solution is to set up another Explorer on the other side of the device and run scans separately
    • Another option is to segment your scans on the existing Explorer, and run smaller, separate scan tasks for the network ranges on the other side of the device with lower packets-per-second and max group size settings to minimize the number of IPs that will be scanned at once
  • Check how long each scan took to get an idea for how long larger scans would take
  • Verify you see screenshots on ports that accept HTTP/HTTPS requests
    • If you don’t see any, you likely need to install Chrome on the machine
  • Check for MAC addresses
    • If you aren’t seeing them you should configure SNMP
    • If SNMP is configured, you should verify community strings and check for unmanaged switches

Note: Once you have verified that your first scan ran successfully, you can delete the temporary site and set up a real scan.
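The two checks above (sequential IPs that answer only ICMP, and traceroutes that stop at the edge router) can be automated over exported scan results. The script below is an added example, not runZero code; the record layout (ip, services, traceroute fields) and the sample assets are constructed for illustration and do not claim to match the real export format. The "only ICMP" test mirrors the inventory query alive:t AND service_count:=1 AND service_count_icmp:=1.

```python
import ipaddress

# Assumed default gateway / edge router for this example (constructed value).
EDGE_ROUTER = ipaddress.ip_address("10.0.0.1")

# Constructed sample of asset records. Field names are an assumption for this
# example: ip, the list of detected services, and the traceroute hop list.
SAMPLE_ASSETS = [
    {"ip": "10.0.0.10", "services": ["22/tcp", "80/tcp"], "traceroute": ["10.0.0.1", "10.0.0.10"]},
    {"ip": "10.0.0.11", "services": ["443/tcp"], "traceroute": ["10.0.0.1", "10.0.0.11"]},
    # A run of sequential addresses that answer only ICMP: typical of a proxy
    # or firewall replying on behalf of hosts behind it.
    {"ip": "10.64.0.20", "services": ["icmp"], "traceroute": ["10.0.0.1", "10.64.0.1", "10.64.0.20"]},
    {"ip": "10.64.0.21", "services": ["icmp"], "traceroute": ["10.0.0.1", "10.64.0.1", "10.64.0.21"]},
    {"ip": "10.64.0.22", "services": ["icmp"], "traceroute": ["10.0.0.1", "10.64.0.1", "10.64.0.22"]},
    {"ip": "10.64.0.23", "services": ["icmp"], "traceroute": ["10.0.0.1", "10.64.0.1", "10.64.0.23"]},
    # An address whose traceroute ends at the edge router: the subnet is not
    # routed internally, so probes are leaking toward the default gateway.
    {"ip": "10.128.0.5", "services": ["icmp"], "traceroute": ["10.0.0.1"]},
]


def icmp_only(asset):
    """True when the asset's only detected service is ICMP
    (equivalent to service_count:=1 AND service_count_icmp:=1)."""
    return [s.lower() for s in asset["services"]] == ["icmp"]


def find_icmp_only_runs(assets, min_run=3):
    """Return (first_ip, last_ip, count) for runs of consecutive addresses
    that are ICMP-only and at least min_run long."""
    addrs = sorted(int(ipaddress.ip_address(a["ip"])) for a in assets if icmp_only(a))
    runs = []
    start = prev = None
    for n in addrs:
        if prev is not None and n == prev + 1:
            prev = n          # extend the current run
            continue
        if start is not None:
            runs.append((start, prev))
        start = prev = n      # begin a new run
    if start is not None:
        runs.append((start, prev))
    return [
        (str(ipaddress.ip_address(s)), str(ipaddress.ip_address(e)), e - s + 1)
        for s, e in runs
        if e - s + 1 >= min_run
    ]


def find_edge_leaks(assets, edge):
    """Return the IPs whose traceroute's last hop is the edge router rather
    than the asset itself, i.e. the probes never reached an internal route."""
    leaks = []
    for a in assets:
        hops = a["traceroute"]
        if hops and hops[-1] == str(edge) and a["ip"] != str(edge):
            leaks.append(a["ip"])
    return leaks


if __name__ == "__main__":
    for first, last, count in find_icmp_only_runs(SAMPLE_ASSETS):
        print(f"ICMP-only run {first}-{last} ({count} addresses): check for a proxy/firewall")
    for ip in find_edge_leaks(SAMPLE_ASSETS, EDGE_ROUTER):
        print(f"{ip}: traceroute ends at the edge router; stub out the route for this subnet")
```

The run detection sorts the ICMP-only addresses numerically and walks them once, so it works on any exported inventory regardless of record order; lower min_run if your scan used subnet sampling and only a handful of addresses per block were probed.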

Full RFC 1918 scans

Once you have completed initial test scans, it’s time to expand scanning to cover all subnets with live assets. One method of discovering all subnets with live assets is to run full RFC 1918 scans.

runZero offers a Full RFC 1918 discovery scan option that will discover assets across the following private address ranges as a single task.

  • 10.0.0.0/8 or 10.0.0.0-10.255.255.255
  • 172.16.0.0/12 or 172.16.0.0-172.31.255.255
  • 192.168.0.0/16 or 192.168.0.0-192.168.255.255

The Full RFC 1918 discovery scan option is only recommended for small networks with limited complexity and should only be leveraged in a single site configuration.

Discovering the entire RFC 1918 private address space in a single scan can take days, if not weeks, to complete in a large complex network. runZero recommends reviewing the Achieving RFC 1918 coverage playbook for more information on scanning the entire RFC 1918 private address space.
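Before committing to a full RFC 1918 scan, it helps to sanity-check the discovery scope and to scale the duration you measured on the sampled /24 blocks up to the full private ranges. The script below is an added example and not part of runZero; the scope string reuses the suggested sampling list from the first-scan steps, the 30-minute sample duration is a constructed value, and the extra 203.0.113.0/24 entry is a deliberately non-private block (a documentation range) to show the check flagging it.

```python
import ipaddress

# The three RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The /24 sampling list suggested for the first scan (taken from the steps above).
SUGGESTED_SAMPLE_SCOPE = (
    "10.0.0.0/24,10.0.255.0/24,10.64.0.0/24,10.64.255.0/24,10.128.0.0/24,"
    "10.128.255.0/24,10.192.0.0/24,10.192.255.0/24,10.255.0.0/24,10.255.255.0/24,"
    "192.168.0.0/24,192.168.64.0/24,192.168.128.0/24,192.168.192.0/24,192.168.255.0/24,"
    "172.16.0.0/24,172.23.0.0/24,172.31.0.0/24"
)

# Constructed scope with a non-private block slipped in by mistake.
SCOPE_WITH_MISTAKE = SUGGESTED_SAMPLE_SCOPE + ",203.0.113.0/24"

# Constructed measurement: the sample scope took 30 minutes on the Explorer.
SAMPLE_SECONDS = 30 * 60


def parse_scope(scope):
    """Parse a comma-separated discovery scope of CIDR blocks into networks."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in scope.split(",") if item.strip()]


def non_private(networks):
    """Return the blocks that are not fully inside an RFC 1918 range."""
    return [str(n) for n in networks if not any(n.subnet_of(r) for r in RFC1918)]


def address_count(networks):
    """Total number of addresses covered by the blocks."""
    return sum(n.num_addresses for n in networks)


def estimate_seconds(sample_networks, sample_seconds, target_networks):
    """Scale the measured sample duration linearly to the target scope.
    This assumes the same packet rate and a similar share of live hosts."""
    return address_count(target_networks) * sample_seconds / address_count(sample_networks)


if __name__ == "__main__":
    scope = parse_scope(SCOPE_WITH_MISTAKE)
    for block in non_private(scope):
        print(f"warning: {block} is outside RFC 1918; remove it from the scope")
    sample = parse_scope(SUGGESTED_SAMPLE_SCOPE)
    est = estimate_seconds(sample, SAMPLE_SECONDS, RFC1918)
    print(f"sample covered {address_count(sample)} addresses in {SAMPLE_SECONDS} s")
    print(f"full RFC 1918 scan of {address_count(RFC1918)} addresses: about {est / 86400:.1f} days")
```

The linear estimate is an upper-bound style figure: it assumes the full scan runs at the same rate as the sample, which is why the playbook approach of scanning only subnets known to hold live assets, or splitting the work across several Explorers, is preferred on large networks.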

Once you’ve completed scans of your private address space, review Identifying gaps in scanning to learn more about some of our built-in reports that we offer to help you get a better understanding of your network.
