Skip to content

Scanning your external attack surface with runZero

While runZero is mostly used for asset inventory behind the firewall, you can also use its scanner to discover your external attack surface.

External scans are beneficial for a number of use cases, such as:

  • Getting visibility into external hosts and exposed services
  • Assessing infrastructure of corporate acquisition targets
  • Performing vendor security screening
  • Reconnaissance for penetration testing

Differences between runZero and EASMs

New users sometimes wonder about the differences between runZero and solutions for external attack surface management (EASM), such as Censys and ShodanHQ. Many of these solutions scan the whole world so you can query their host database. However, network owners can ask to exclude their IP ranges for all users (i.e., not all hosts show up in your search). Some vendors will have tools or services that discover all of your externally-facing assets.

By contrast, runZero:

  • Is primarily an internal asset inventory and network discovery tool, but also has the ability to discover public-facing hosts.
  • Collects data through a combination of active scanning and integrations.
  • Takes inputs in the form of ASNs, domains, IPs, and FQDNs (as well as public IPs discovered in internal scans).
  • Can integrate with Shodan & Censys to identify hosts and augment data.
  • Augments scans with other sources through integrations (e.g., cloud hosting providers, vulnerability scanners, and EDR platforms).
  • Offers a much richer data set per asset.

How to scan your public-facing hosts

If you don’t have access to runZero Enterprise Edition, you can sign up for a free 21-day trial to follow this walkthrough. The free Starter Edition doesn’t contain some of the features described in this blog post.

Step 1: Determining domains and ASNs to scan

The easiest way to get started with external scans is through:

  • Domains – There are several options for finding the domains associated with your organization. Best to check with the person who’s managing your domain registrations and renewals. Doing a reverse WhoIs lookup hasn’t been a good option for a couple of years now, but if you lack alternatives, use Whoxy to find all domains registered to the same company.
  • ASNs – If you don’t know the ASN for your company, you can use a lookup service, such as ASNLookup to identify the ASNs for your organization.

For this example, let’s scan the external attack surface of a real organization and its properties, but blur any identifying data to ensure that the organization doesn’t become a target as a result of this post.

ASN lookup

Step 2: Adding Censys or Shodan integrations

You can also discover your external hosts via Shodan or Censys integration. The integration can pull in additional machines that may not be in your ASN or domain scope. To use the integration, go to Inventory > Assets in your navigation menu and select Censys search or Shodan search from the Connect dropdown menu. You’ll have to set up credentials with an API key to build the query.

Censys Search configuration

In the Censys configuration, we query acme.org in our search. This will also find any hosts that use the string acme.org in the common name of a TLS certificate. You can run this import either once or on a schedule.

Alternatively, you can set the Censys search mode to All external assets, which will not discover new assets, but enrich the assets already captured in runZero with Censys data. However, for this use case, we’ll go with the former setting.

The import will pull any information about the matching hosts, including services and attributes, into your inventory. You should now see some assets with limited data being populated in your runZero inventory. You can view the details for one of the imported hosts and see the following information:

Censys attributes

Step 4: Starting an external scan using hosted zones

In runZero, set up a new organization or project, then go to the inventory, click the Scan button and select Standard scan.

From the scan configuration page:

  • Choose US – New York as the Hosted zone (this is a runZero-hosted Explorer in the cloud).
  • Increase the scan rate from 1,000 to 5,000 (to accelerate the scan).
  • In the Discovery scope, enter the following data:
    • public:all: This will scan all the public IPs that were pulled in via Shodan or Censys in the previous step. If you are scanning your internal network with runZero, this will also add all public IPs discovered by any other means into the scope.
    • asn4:12345: Enter all ASNs in this format to target all IP addresses registered to this ASN. Note the digit 4 after ASN in the notation.
    • domain:acme.org: Add all domains that you are targeting. runZero will add all subdomains connected to these domains.
Scan configuration

Click Initialize scan. runZero now looks up both the IPs registered under the ASNs as well as all subdomains associated with the domains you are looking to scan and displays a sample for confirmation. Confirm your scan settings.

Scan configuration confirmation

Once the scan task has completed, go view your populated inventory.

View your populated inventory

runZero hosted zones are deployed with Digital Ocean. If you prefer to host your own Explorer, we recommend Digital Ocean because AWS, Azure, and GCP all rate-limit or filter outbound scan traffic in a way that impacts the quality of scan results. The runZero hosted zones performed much better than running a scan from an ISP as well, regardless of whether a VPN was used or not.

Step 5: Digging into your inventory

Looking at this data set, there are quite a few hosts with EOL operating systems. You can use the following query to find these:

os_eol:<now

Some operating system vendors will enable you to purchase extended support services. To only view systems that are outside the extended support period, use the following query:

os_eol_extended:<now

Assets can often leak secondary IP addresses, often within the RFC 1918 range. These machines are potential pivot points into private network spaces. To find those quickly, use the query:

has_private:t

Best practices are to have as few services on a single host as possible, especially when they are public-facing, to avoid the risk of one vulnerable service compromising another one. Sorting the column with the number of services per host reveals one host with eight services. After opening the Asset Details page, we can see these in the Services section.

Services list

Each one of these services has an extensive list of attributes that provide more information.

Step 6: Finding problematic SSH services

Looking at the SSH service on port 22, we see that it supports the authentication method of both password and public key. Allowing a simple password authentication may indicate elevated risk to your infrastructure.

SSH service

Clicking on the magnifying glass with the + sign next to the attribute name reveals that there are a total of 24 hosts that allow this kind of authentication.

Auth method results

Clicking on the attribute value or the count will display a list of hosts that match the query.

Back on the Asset Details page, clicking the magnifying glass next to the banner shows an overview of all the different SSH versions deployed in the infrastructure.

SSH versions

This works for all of the banner versions for other protocols as well. For example, you can very quickly and easily get a list of all of the Microsoft SQL Servers deployed in the environment, sorted by version number.

Going back to the Asset Details page, clicking the magnifying glass next to ssh.hostKey.md5 displays the frequency report for this attribute. It shows that several machines share the same SSH private key. This presents a security risk because if one of the hosts is compromised, it would also compromise other hosts sharing the same SSH private key. This typically happens when virtual machines are cloned without regenerating the SSH keys.

SSH host keys

Step 7: Identifying databases exposed to the Internet

Generally, databases should be accessible only to the applications that require access. They should never be accessible on a public IP. The same host exposes MariaDB version 10.5.15 on port 3306, which has several associated security vulnerabilities.

Identify databases exposed to the Internet
Is runZero a vuln scanner?

runZero is an asset inventory and network discovery solution, not a vulnerability scanner, but its findings can sometimes point to security vulnerabilities.

Step 8: Looking at exposed services

Let’s move on to the Services Inventory now. A great way to find unusual services exposed on an external IP is to sort the ports by high numbers first.

Services Inventory

In this environment, we’re seeing a Prometheus Node Exporter metrics server on port 9100, three IRC services, a mySQL/MariaDB service, NFS on port 2049, and RSYNC on three different machines. These may all provide options to an attacker. For example, insecurely configured Rsync servers are found during network penetration tests about a third of the time.

Step 9: Browsing web service screenshots

The Screenshots Inventory lists all screenshots taken from Web services. runZero uses the Google Chrome browser to render and screenshot any web pages. If you are using the cloud-hosted explorer as described above, you’re all set. If you are hosting your own explorer, please ensure that you have Chrome installed on the same machine to enable this feature.

Screenshots Inventory

Browsing through the screenshots is a great, visual way to inspect exposed websites. In our example, we’re seeing Jitsi Meet and GitLab sites, which may be OK to host externally as long as they’re updated and use strong authentication.

Step 10: Looking at software inventory

runZero can also infer installed software if it can be deduced either from a network scan or an integration. runZero’s Software Inventory provides a great way to get insight into software installed on hosts that are reachable over the Internet.

Software Inventory

A view that may be even better in understanding your product exposure is the Most seen products report on the dashboard. To access the report, go to the Dashboard and look for the Most seen products card. After you find it, click View more.

Most Products Seen

The results for least seen products are actually more interesting than the most seen ones because these show the long tail of the software inventory. If a piece of software is only installed once in your environment, it is less likely to be well configured and patched.

Step 11: Create a report for your external assets

Now that you have discovered and analyzed all of your externally-facing assets, you can also generate a report for others to review. Go to Reports, find the External Assets Report, and launch it.

External Assets Report configuration

From the External Assets Report configuration screen, you can choose what you’d like to include in the results. Additionally, if you need to view it regularly, you can set up a schedule and email it to yourself (and any other runZero user who wants a copy). Initialize the report when you’ve finished configuring the settings. The generated report will display and show you the results. You can save the report as a PDF to easily share with others.

External Assets Report

Step 12: Get alerted on changes to your external asset inventory

If you work in enterprise security, you probably want to know about any changes to your external asset inventory. In this case, you should set up a Censys or Shodan import and run the hosted scan on a schedule. Then, you can set up alerts to trigger post-scan, so you know everything that has changed in your environment.

In this example we’ll use email as the method of communication. To set up an alert, go to Alerts > Channels and click Create channel. Pick a name for your channel, select Email as Channel type and enter the email address you want to notify. Then click Save channel.

New channel

Go Alerts > Rules, and click Create rule. Select new-assets-found and click Configure rule.

Rule event

When the New rule configuration page appears, enter the following:

  • Name:
    • A name for your rule.
  • Conditions:
    • Enter 0 to the right of is greater than. This will trigger the rule if there are any changes to assets.
    • In Limit to organization, select an organization if you have several in your account. You may choose a different organization (or site) for your external point of view rather than your internal assets.
  • Action:
    • Choose the notification channel you just created.
New rule

You’ll now be notified after each import or scan if the assets have changed.

Use runZero for your internal asset inventory

runZero is primarily made for discovering your internal asset inventory. As you can see, it can also be useful for understanding your externally-facing assets.

As a next step, you should set up another organization and to scan your internal network to get a better understanding of your asset inventory. You can sign up for the free 21-day trial of runZero Enterprise Edition (no credit card required). If you are a private user or work for a company with less than 256 assets, you can use runZero Starter Edition for free.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero 3.1: Sync Active Directory, import assets from Shodan, and launch integrations from Explorers

What’s new with runZero 3.1?

  • Sync your Active Directory users, groups, and machines with runZero
  • Import assets and external services from Shodan
  • Launch integrations from Explorers

Connect and sync Active Directory with runZero

runZero Professional and Enterprise users can now enrich their inventory with asset data from Microsoft Active Directory and Azure AD. runZero Enterprise users will also be able to view, search, analyze, and export users and groups imported from Active Directory. This integration brings Active Directory context to your existing assets and simplifies the process of identifying unmanaged assets. Once the sync completes users can query the asset inventory to identify unmanaged assets on the network. Using a query like source:runzero AND NOT (source:azuread OR source:ldap) will return a list of assets that weren’t in the integration results. Enterprise users can also leverage queries to search the attributes of users and groups. For example, to find accounts that have never logged in, you can use the following query: last_logon_at:<1. To get started, set up a connection to Azure AD or your Active Directory domain controller. Active Directory integrations runZero Enterprise users can now sync data about their public-facing assets from Shodan Search. Assets and services pulled in from Shodan can be correlated against public-facing assets in your runZero inventory. All Shodan users can craft custom queries to gather Shodan data about public assets and services, and licensed Shodan users can also add filters for more specific criteria. Licensed Shodan users can also have runZero automatically build a filtered query to search all external IP addresses in your inventory. This correlation supports cyber hygiene and attack surface management efforts across IT and security teams. The external view of your environment provided by Shodan may not match the current state of your assets. By first importing the public data for your external IP addresses from Shodan then scanning them with runZero, you can determine what has changed. Reviewing the Assets changed section of a completed task will let you see what has changed on your public-facing assets since the last scan. To start pulling asset and service data from Shodan, set up a connection. Shodan Search integration

Launch integrations from Explorers

You can now run third-party integrations from your runZero Explorers as well as the runZero cloud. This feature is useful for IT and security teams that restrict the allowed network traffic connecting to the APIs of their various tools and platforms. This capability also allows integrations to on-premise tools to run as an independent connector in addition to being run as part of network scans. To run an integration from an Explorer, use the Connect menu to choose the source and then select an available Explorer from the configuration dialog. Connector Tasks on Explorers

Add custom fingerprints to runZero

runZero users that have a self-hosted platform or standalone scanner now have the ability to add custom asset and service fingerprints. Following the structure and format of the open-source Recog fingerprint database, users can author their own fingerprint XML files and add them to a directory that the runZero platform or scanner can access. This capability can be useful in adding new fingerprint coverage for unique or custom assets and services, such as a device prototype or a proprietary, internal-use application or service. Custom fingerprints can also be configured to override similar runZero fingerprints by using a same-or-higher certainty value.

Release notes

The runZero 3.1 release includes a rollup of all the 3.0.x updates, which includes all of the following features, improvements, and updates.

New features

  • runZero Enterprise customers can now sync assets from Shodan.
  • runZero Enterprise customers can now sync assets from Azure Active Directory.
  • runZero Enterprise customers can now sync assets from Microsoft Active Directory via LDAP.
  • Connector tasks now can optionally be run from an Explorer on a network.
  • The Events datatable has been redesigned and is now more performant.
  • The Qualys integration now provides a more descriptive error message when rate-limited by the Qualys API.
  • Network File System (NFS) protocol detection on TCP ports has been improved.
  • A bug that prevented editing certain probe options when configuring a scan has been resolved.
  • Fingerprint updates.

Product improvements

  • Event details have been added to alert templates by default.
  • Task statistics for asset counts are now included in CSV exports and can be used in task searches.
  • The license-limit-exceeded event has been added to alert when the live asset count exceeds an accounts license.
  • Dashboard metrics now account for unscanned assets imported from third-party integrations.
  • Internal recurring tasks for metrics calculation no longer show in the recurring task count.
  • A notice was added to the MFA page to inform users that they can continue to use the old rumble.run domain until they re-enroll their authenticators for the new runzero.com domain.
  • Font rendering in Safari browsers now matches Firefox and Chrome.
  • UI improvements were made to the queries table.
  • Inventory searches now support runZero as an asset source type.

Performance improvements

  • The Events datatable has been redesigned and is now more performant.
  • The Asset Route Pathing Report is now more performant due to improved algorithm cycle detection.
  • Web screenshots are now limited to a maximum of 16 concurrent processes.
  • Web screenshots will now run concurrently on arm64 macOS systems.
  • Improved error handling for the GCP integration.
  • Improved parsing of input hostnames.
  • Dashboard insights have been limited to a maximum of three rows.
  • Processing performance for foreign asset data has been improved.

Fingerprinting changes

  • Improved Network File System (NFS) protocol detection on TCP ports.
  • Added OS fingerprinting support for our new Active Directory and Azure AD integrations.
  • Added a new ldap.notes attribute for assets with exposed LDAP/ActiveDirectory services, decoding well-known oids into a user-friendly representation to help with asset hunting.
  • Improved Endpoint Mapper (EPM) fingerprinting, including new service/configuration coverage and support for Unix domain sockets.
  • Improved VMware guest asset fingerprinting coverage.
  • Improved GitLab fingerprinting to include version information, when available.
  • A bug where a TLS common name (CN) field could contain more than the hostname has been resolved.
  • A bug where a Pegasystems version fingerprint could capture additional data has been resolved.
  • Additional support added for products by Amcrest, Aruba, ASUS, AudioCodes, Avaya, Bosch, Brother, CAREL, Continia Software, D-Link, Datapath, Dell, Epiphan Video, ESET, eufy, HikVision, Honeywell, HP, IBM, iRobot, KE2, Kirk Telecom, Kong, Lenovo, Lorex, Meross, MSB Technology, Netgear, NVIDIA, Panasonic, Proofpoint, Roku, Saia-Burgess Controls, Samsung, Soundweb London, Spectrum Instrumentation, TP-LINK, TRENDnet, Uniview, Vikylin, VMware, XAC Automation, Yamaha, and Zyxel.

Integration improvements

  • The Qualys integration now provides a more descriptive error message when rate limited by the Qualys API.
  • A new optional filter has been added to the Crowdstrike connector.
  • The performance of the Qualys connector has been improved.
  • The Tenable integration now excludes terminated and deleted assets.
  • The timeout for Qualys connection tasks has been increased from 60 seconds to 5 minutes.

Bug fixes

  • A bug that prevented editing certain probe options when configuring a scan has been resolved.
  • A bug where a TLS common name (CN) field could contain more than the hostname has been resolved.
  • A bug where a Pegasystems version fingerprint could capture additional data has been resolved.
  • A bug that could cause the browser to freeze when viewing assets with many attributes has been resolved.
  • A bug that could prevent rendering dashboard insights has been resolved.
  • A bug that could result in minimal assets being skipped has been resolved.
  • A bug that could result in the wrong insight counts on the dashboard has been resolved.
  • A bug that could cause attributes and screenshots to be removed from offline assets has been resolved.
  • A bug that prevented using certain organization and export tokens has been resolved.
  • A bug that caused the token to be missing from password reset emails has been resolved.
  • A bug that could cause query timeouts has been resolved.
  • A bug that could cause large Qualys imports to timeout has been resolved.
  • A bug that prevented Qualys from being fully imported from large sites has been resolved.
  • A bug that led to slow exports and job processing has been resolved.
  • A bug that affected formatting of _asset.match values has been resolved.
  • A bug that caused internal tasks for metrics calculation to generate scan-completed events has been resolved.
  • A bug that prevented reports for specific asset attributes has been resolved.
  • A bug that could prevent exporting asset attributes has been resolved.
  • A bug that could prevent CrowdStrike tasks from processing has been resolved.
  • A bug that could prevent the generation of some asset attribute reports has been resolved.
  • A bug that could cause offline self-hosted platform updates to fail has been resolved.
  • A bug that could prevent exporting selected assets and asset search results has been resolved.
  • A bug that could prevent starter accounts from setting up recurring tasks has been resolved.
  • A bug affecting organization selection when a default organization is set has been resolved.
  • A bug that could cause SSH probes to occasionally deadlock has been resolved.
  • A bug that prevented WebAuthn from registering correctly on console.runzero.com has been resolved.
  • A bug that could cause the topology in the asset details page to be mangled has been resolved.
  • A bug that could affect the default probes selector functionality has been resolved.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

What I’ve learned working at runZero as a UX/UI designer

When I joined the company a little over a year ago, I knew almost nothing about networking. For example, I couldn’t tell you the difference between an authenticated and unauthenticated scan. Most of my networking knowledge came from working with my own home network. I could identify my modem, knew how to connect it to the router, and then set up my network from there. I understood that I had a designated IP address, and that I could connect to the Internet through an Ethernet cable or through my WiFi. I also knew that the Internet and mobile data came from the giant lines and towers outside. Joining runZero unlocked a huge opportunity for me to expand my perspective and learn more about networks.

I know every company says that they have great people, but I feel like runZero has an exceptional team that really prioritizes collaboration and knowledge sharing. runZero cultivates a culture of learning, making it easy for me to pick up so much information about networking and network discovery. The things I’ve learned are practical, which means I can use in my everyday life. For example, one time, I scanned a local nail salon’s network (with their permission, of course), and I discovered a PAX point-of-sale (POS) device. Thanks to runZero I knew about a worrisome incident involving PAX POS devices. I was able to explain the issue to the owners and helped them understand how using PAX devices could affect their business. I’ve also gotten into the habit of scanning new devices that I come across or acquire, like a new phone or printer. I love that I am able to practically use the knowledge I learn at runZero in my everyday life.

Something I really appreciate about runZero is the investment in our people. runZero sent a bunch of us to DEFCON recently, which provided a great opportunity for us to immerse ourselves in the security world. Without my recent experience in the industry, I would have been a fish out of water. While I spent a lot of time attending talks, I was also reeled into other things, like learning to solder and participating in CTFs (capture the flag). Working through CTF challenges was an exciting way to drive personal growth and bond with my colleagues. Attending security conferences in the future will be invaluable for my professional growth, as well as writing blog posts like this one! Professional development is crucial for my role because it helps me better understand the industry, and as a result, design and deliver better user interfaces and experiences for our customers.

My journey at runZero has taken me deep into the world of networking and network discovery. I’ve enjoyed both applying and sharing what I have learned, as well as continuing to grow. And now I can tell you the difference between authenticated and unauthenticated scanning! The tech world is constantly evolving, and so am I.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Transient assets: managing the unmanageable

Transient assets can introduce unique challenges to tracking asset inventory and securing your network, especially in the education sector. Students and faculty rely on a diverse range of personal devices and expect to be able to use them everywhere, resulting in high ratios of transient devices on those networks. The term “transient assets” refers to assets that regularly connect and disconnect from your network or other assets. As defined by Applied Risk, a “transient cyber asset is a portable device, such as an operational laptop, which is capable of processing or transporting executable code.” While laptops are often thought of first, mobile devices, IoT devices, and many other device types can be transient if they aren’t always connected to your network. While the surge of remote work and resultant bring-your-own-device (BYOD) has brought the challenge to the doorstep of many industries, the educational sector has been juggling the security implications of transient assets for years.

What’s the problem?

Transient devices aren’t inherently problematic, but failing to track them as part of your inventory can cause security gaps. While organizations that commonly have short-term visitors can segregate a guest network from the rest of the environment, some organizations that see a lot of transient devices need to allow authenticated access to their internal network and data.

Educational organizations tend to see some of the highest ratios of transient devices as students and faculty come and go. Students and faculty are often provisioned accounts and accesses much like staff or employees. As a result, it is especially important to effectively inventory and track these transient devices so that access to internal assets or data can be monitored.

The core security concern related to transient assets is that they are often unknown and unmanageable. While unmanaged devices are a challenge in their own right, transient devices are sometimes better described as unmanageable. Normal BYOD or device provisioning policies can require enrollment in management platforms, but that isn’t typically an option for handling transient devices. As an example in the education sector, students (and their parents or guardians) are unlikely to agree to have their personal devices monitored at the host-level, so the institution needs to be able to build their inventory from network scanning.

On the radar

Grabbing the list of unique MAC addresses connecting to your network over time is a common first step to understanding the scope of transient devices, but that method won’t tell you much about the asset or give you a complete inventory over time. Network scanning is essential to fill in the gaps, and an effective scanning tool can provide detailed information about the assets discovered. Not only will you have a list of IP:MAC address pairings, but you’ll know about device types, hardware, operating systems, and first and last seen dates. Once you have a sense of the scope of those attributes and network traits like commonly detected ports, protocols, and services, you can start categorizing assets until you have a clear picture of what assets show up where and when. From this baseline, you can better identify anomalies and abnormalities, supplementing your security tools with accurate asset attributes so that you can track down problems or security violations.

Zero unknown assets

Building a complete inventory of assets connecting to your network is easy with runZero. The unique combination of unauthenticated active network scanning with comprehensive asset fingerprinting will help you build and maintain a context-rich asset inventory. From there, you can leverage sites, tags, and rules to categorize assets based on the unique needs of your organization. runZero readily detects when assets get new IP addresses and can even notify you by email or Slack, reducing asset duplication in environments with high numbers of transient devices being assigned IP addresses dynamically. Paired with detailed asset attributes, you can use your runZero inventory to really understand what’s on your network at any given time.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Strengthen your vulnerability management program with asset inventory

Vulnerability scanning plays a crucial role in any enterprise security program, providing visibility into assets that are unpatched, misconfigured, or vulnerable to known exploits. Customers tell us that they can take action on their vulnerability scan results most effectively when paired with comprehensive asset and network context.

runZero’s vulnerability management integrations let Enterprise users:

  • Add asset and network context to their vulnerability data
  • Identify gaps in vulnerability scan coverage
  • Expedite response to new vulnerabilities

Adding context to your vulnerability data

Just like the other inventory views, the vulnerability inventory supports the use of queries to filter your results. You can craft a query using the supported tags, Boolean operators, and numeric comparison operators. A query like this one will list the critical vulnerability results found on your Cisco hardware: hw:Cisco AND severity:critical. Try this one to identify vulnerabilities with a CVSSv2 score of 6.5 or more on EOL assets: os_eol:<now AND cvss2_base_score:>6.5.

Some organizations find it helpful to prioritize remediating vulnerabilities on public-facing assets. With runZero you can easily find them by querying your vulnerability results using fields related to IP addresses. Not only can you use filters like cidr: to include or exclude particular address ranges, but you can also use has_public:t to find results on assets with public IP addresses. Just like in the other inventories, these query parameters can be combined to find exactly the results you need.

Closing vulnerability scan gaps

Being able to track down assets impacted by newly disclosed vulnerabilities is great, but how can you be sure you’re scanning everything by addressing gaps in your scan policies? As a starting point, you can evaluate the assets that have been identified by runZero but are not included in your vulnerability results. You can leverage the source column to identify assets that are known by runZero but are not included in your vulnerability scan results. Try out this query in your asset inventory to see which IP addresses you may not be vulnerability scanning (if you changed the minimum severity setting in your integration configuration, this may not be as accurate for you): source:runZero AND NOT source:[VM vendor]. Swap [VM vendor] with the name of your integrated vulnerability management vendor in any query to find the right results:

  • Qualys: source:runZero AND NOT source:qualys
  • Rapid7: source:runZero AND NOT source:rapid7
  • Tenable: source:runZero AND NOT source:tenable

The same logic can be used to find high-value assets or subnets that are not covered by your vulnerability scanning. If you’ve been using sites or tags to organize your assets, you could use the site: or tag: query fields with AND NOT source:[VM vendor] to find matching assets that have not been vulnerability scanned. You can also search for services or protocols that might be a cause for concern, such as protocol:smb AND NOT source:[VM vendor] to find SMB services on assets that haven’t been vulnerability scanned. The query logic also supports filtering by IP address ranges or subnets, meaning you could use cidr:192.168.30.0/24 AND NOT source:[VM vendor] to find unscanned assets in that subnet.

Since many vulnerability management solutions support importing a line-delimited list of IP addresses into a scan policy, you could use the results of these queries as a scan range. Simply export them to a CSV from the runZero Console then copy the address column into a text file. Or, if you’d prefer to use the export API, the following command will pull the results into JSONL format, filter for the address field, and clean up the extra characters. Just switch [VM vendor] in the URL to the right value and you’ll be left with a line-delimited text file of all the addresses that you might not be vulnerability scanning.

curl --location --request GET 'https://console.runzero.com/api/v1.0/export/org/assets.jsonl?search=source%3A%22runzero%22%20AND%20NOT%20source%3A%22[VM vendor]%22&fields=addresses' \
 --header 'Authorization: Bearer <EXPORT API TOKEN>' \
 |  jq -r ".addresses[]?" | sort | uniq > IPsNotVulnScanned.txt

Expediting your response

When the latest vulnerability hits the news, you can use runZero in many cases to quickly check for impacted assets. runZero’s Rapid Response series is a great way for readers to stay on top of breaking security news and track down affected assets. The ability to query across vulnerability and asset details can help you find impacted assets while you’re getting your vulnerability scanner ready for a full analysis. This is just one example of how a comprehensive asset inventory can work in tandem with your vulnerability management tools.

runZero’s rich datasets of devices, manufacturers, and operating systems, coupled with our highly-tuned scanning and processing logic, provides high quality and high confidence asset and service fingerprints. Pulling your vulnerability data into runZero lets you leverage our extensive fingerprinting capabilities to enrich your vulnerability scan results with the asset and network data being gathered by your runZero Explorers, letting you find vulnerabilities impacting specific operating systems, hardware, or services.

With the data already collected by your runZero Explorers, you can quickly identify vulnerable or exploitable assets based on various datapoints, like vendor name and service version. For example, you can use the following query to find BIG-IP assets that might be vulnerable to authentication bypass without having to run a new scan.

_asset.protocol:http AND protocol:http AND (service.vendor:F5 OR html.title:"=BIG-IP%" OR html.copyright:"F5 Networks, Inc" OR http.body:"/tmui/" OR favicon.ico.image.md5:04d9541338e525258daf47cc844d59f3)

When updated vulnerability scan data is available, you can use queries to find results that match a specific CVE or scan plugin ID to better prioritize your remediation efforts. For example, this query can help you find external-facing assets with vulnerable Log4Shell installations: has_public:t AND cve:CVE-2021-44228.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero release notes v3.0.5

A bug that could cause offline self-hosted platform updates to fail has been resolved.
The timeout for Qualys connection tasks has been increased from 60 seconds to 5 minutes.
Fingerprint updates.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

runZero release notes v3.0.4

A notice was added to the MFA page to inform users that they can continue to use the old rumble.run domain until they re-enroll their authenticators for the new runzero.com domain.
Font rendering in Safari browsers now matches Firefox and Chrome.
UI improvements were made to the queries table.
A bug that could prevent exporting selected assets and asset search results has been resolved.
A bug that could prevent starter accounts from setting up recurring tasks has been resolved.
A bug affecting organization selection when a default organization is set has been resolved.
A bug that could cause SSH probes to occasionally deadlock has been resolved.

About Version 2 Limited
Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.