Network Scanning
Network scanning is the foundation of infrastructure discovery in Tripl-i. Using multiple protocols and intelligent scanning techniques, the platform automatically discovers devices, maps network topology, and identifies services running across your network.
Scanning Protocols
🔌 WMI (Windows Management Instrumentation)
Overview
WMI provides deep Windows system information through a standardized interface. It's the primary protocol for discovering Windows servers and workstations.
Collected Information
Hardware:
- CPU specifications and utilization
- Memory configuration and usage
- Disk drives and partitions
- Network adapters and configuration
- BIOS/UEFI information
Software:
- Installed applications
- Windows features and roles
- Running services and processes
- Windows updates and patches
- Registry information
System:
- Event logs
- Performance counters
- User accounts
- Scheduled tasks
- Firewall rules
Configuration Requirements
```powershell
# Enable WMI on target systems
Enable-PSRemoting -Force
# TrustedHosts is a client-side WinRM setting; "*" trusts every host, so scope it to the scanner's address where possible
Set-Item wsman:\localhost\client\trustedhosts * -Force
Enable-NetFirewallRule -DisplayName "Windows Management Instrumentation (WMI-In)"
```
Required ports:
- TCP 135 (RPC Endpoint Mapper)
- Dynamic RPC ports (49152-65535)
🐧 SSH (Secure Shell)
Overview
SSH enables secure discovery of Linux, Unix, and network devices. It provides command-line access for comprehensive system interrogation.
Collected Information
System Information:
- OS version and kernel
- Hardware details (dmidecode)
- CPU and memory info
- Network configuration
- Disk and filesystem data
Software Inventory:
- Package manager listings
- Running processes
- System services
- Configuration files
- Installed libraries
Performance Data:
- Resource utilization
- Network statistics
- Disk I/O metrics
- System load averages
Best Practices
```bash
# Create dedicated discovery user
sudo useradd -m -s /bin/bash discovery_user
# Do not add the user to the sudo group: that grants unrestricted sudo and defeats the restricted rule below
# Configure sudoers for specific commands (written via tee, since a plain >> redirect runs without root)
echo "discovery_user ALL=(ALL) NOPASSWD: /usr/sbin/dmidecode, /bin/netstat, /sbin/ip" | sudo tee /etc/sudoers.d/discovery
sudo chmod 0440 /etc/sudoers.d/discovery
sudo visudo -cf /etc/sudoers.d/discovery   # syntax-check the drop-in before relying on it
# Use SSH keys for authentication
ssh-keygen -t rsa -b 4096 -f discovery_key
ssh-copy-id -i discovery_key.pub discovery_user@target_host
```
📡 SNMP (Simple Network Management Protocol)
Version Support
- SNMPv1: Basic, community-based (not recommended)
- SNMPv2c: Community-based with improvements
- SNMPv3: Secure with authentication and encryption
Common OIDs Collected
System Information:
- sysDescr (1.3.6.1.2.1.1.1): System description
- sysObjectID (1.3.6.1.2.1.1.2): Device type
- sysUpTime (1.3.6.1.2.1.1.3): Uptime
- sysContact (1.3.6.1.2.1.1.4): Contact info
- sysName (1.3.6.1.2.1.1.5): Hostname
- sysLocation (1.3.6.1.2.1.1.6): Physical location
Interface Data:
- ifTable (1.3.6.1.2.1.2.2): Network interfaces
- ifSpeed: Interface speeds
- ifOperStatus: Operational status
- ifInOctets/ifOutOctets: Traffic counters
Device-Specific:
- Cisco MIBs for Cisco devices
- HP MIBs for HP equipment
- Vendor-specific extensions
SNMPv3 Configuration
```bash
# Create the SNMPv3 user on the agent host (snmpusm ... create needs an existing user to clone,
# so the user is created locally with net-snmp-create-v3-user; stop snmpd first so the persistent config is written)
sudo systemctl stop snmpd
sudo net-snmp-create-v3-user -ro -a SHA -A "auth_password" -x AES -X "priv_password" discovery_user
sudo systemctl start snmpd
# Verify from the scanner with authPriv
snmpget -v 3 -u discovery_user -l authPriv -a SHA -A "auth_password" -x AES -X "priv_password" target_device sysName.0
```
Scanning Techniques
IP Range Scanning
Subnet Discovery
Scanning Strategy:
Small Networks (/24 - /22):
- Full range scan
- All ports checked
- Deep discovery
Medium Networks (/21 - /16):
- Intelligent sampling
- Common ports only
- Parallel execution
Large Networks (/15 and larger):
- Segmented scanning
- Priority targeting
- Scheduled phases
Smart Scanning Algorithm
Port Scanning Strategies
Common Service Ports
Web Services:
- 80 (HTTP)
- 443 (HTTPS)
- 8080, 8443 (Alternative)
Database Services:
- 1433 (SQL Server)
- 3306 (MySQL)
- 5432 (PostgreSQL)
- 1521 (Oracle)
- 27017 (MongoDB)
Infrastructure:
- 22 (SSH)
- 23 (Telnet)
- 161 (SNMP)
- 3389 (RDP)
- 5985 (WinRM)
Application Services:
- 25 (SMTP)
- 110 (POP3)
- 143 (IMAP)
- 389 (LDAP)
- 636 (LDAPS)
Scanning Profiles
```json
{
  "quick_scan": {
    "ports": [22, 80, 443, 3389],
    "timeout": 1000,
    "retries": 1
  },
  "standard_scan": {
    "ports": "top_100_common",
    "timeout": 2000,
    "retries": 2
  },
  "deep_scan": {
    "ports": "1-65535",
    "timeout": 3000,
    "retries": 3,
    "service_detection": true
  }
}
```
Service Detection
Banner Grabbing
```python
import socket

# Example service identification
def grab_banner(ip, port, timeout=3.0):
    """Connect and return the first bytes the service sends; HTTP servers stay silent until asked."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            try:
                return sock.recv(1024).decode(errors="ignore")
            except socket.timeout:
                sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
                return sock.recv(1024).decode(errors="ignore")
    except OSError:
        return ""  # closed, filtered, or silent: no banner

def identify_service(ip, port):
    # Most specific signatures first, because the first match wins
    banners = {
        "Microsoft-IIS": "IIS Web Server",
        "Apache": "Apache Web Server",
        "nginx": "Nginx Web Server",
        "HTTP/": "Web Server",
        "SSH-": "SSH Server",
        "220 ": "SMTP Server"
    }
    # Connect and read banner
    banner = grab_banner(ip, port)
    for signature, service in banners.items():
        if signature in banner:
            return service
    return "Unknown Service"
```
AI-Enhanced Detection
Traditional Detection:
- Port 1433 open → SQL Server
- Basic identification
AI Detection:
- Port 1433 open
- Banner analysis
- Response patterns
- Behavioral analysis
→ SQL Server 2019 Enterprise Edition
→ Clustered instance "PROD-SQL-01"
→ Part of AlwaysOn Availability Group
Discovery Optimization
Performance Tuning
Parallel Scanning
Configuration:
Concurrent Threads: 50
Timeout per Host: 5 seconds
Retry Attempts: 2
Queue Size: 1000
Performance Metrics:
Hosts/Minute: 600
Network Usage: < 10 Mbps
CPU Usage: < 30%
Memory: < 2GB
Adaptive Throttling
Dynamic scan rate adjustment:
```json
{
  "throttling_rules": {
    "network_congestion": {
      "threshold": "80%",
      "action": "reduce_threads",
      "factor": 0.5
    },
    "target_overload": {
      "indicator": "timeouts > 20%",
      "action": "increase_timeout",
      "adjustment": "+50%"
    },
    "business_hours": {
      "schedule": "09:00-17:00",
      "max_threads": 25,
      "priority": "critical_only"
    }
  }
}
```
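As an added example (not Tripl-i's own code), the following Python puts the subnet strategy tiers, the scanning profiles, the parallel-scan thread bound and the adaptive throttling rules above into one runnable TCP connect scanner. `select_strategy`, `throttle`, `probe` and `scan_host` are assumed names, and `top_100_common` is stood in for by the common service ports listed on this page.

```python
import asyncio
import ipaddress

# Profiles as on this page; "top_100_common" is stood in for by the page's common service ports (assumption)
PROFILES = {
    "quick_scan": {"ports": [22, 80, 443, 3389], "timeout": 1000, "retries": 1},
    "standard_scan": {"ports": [22, 23, 25, 80, 110, 143, 161, 389, 443, 636, 1433, 1521,
                                3306, 3389, 5432, 5985, 8080, 8443, 27017],
                      "timeout": 2000, "retries": 2},
}

def select_strategy(cidr):
    """Map a subnet to the page's tiers: /24-/22 full range, /21-/16 sampled, /15 and larger segmented."""
    prefix = ipaddress.ip_network(cidr, strict=False).prefixlen
    if prefix >= 22:
        return "full_range"
    if prefix >= 16:
        return "intelligent_sampling"
    return "segmented"

def throttle(threads, timeout_ms, timeout_rate, congestion, business_hours=False):
    """Adaptive throttling: congestion >= 80% halves threads, timeouts > 20% add 50% timeout, business hours cap at 25."""
    if congestion >= 0.80:
        threads = max(1, int(threads * 0.5))
    if timeout_rate > 0.20:
        timeout_ms = int(timeout_ms * 1.5)
    if business_hours:
        threads = min(threads, 25)
    return threads, timeout_ms

async def probe(host, port, timeout_ms, retries, sem):
    """TCP connect probe; 'retries' counts additional attempts after the first."""
    async with sem:
        for _ in range(1 + retries):
            try:
                _, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout_ms / 1000)
                writer.close()
                await writer.wait_closed()
                return port, True
            except (asyncio.TimeoutError, OSError):
                continue
        return port, False

async def scan_host(host, profile="quick_scan", threads=50):
    """Return the open ports on one host, bounded by 'threads' concurrent probes (the Concurrent Threads setting)."""
    sem = asyncio.Semaphore(threads)
    p = PROFILES[profile]
    results = await asyncio.gather(*(probe(host, port, p["timeout"], p["retries"], sem) for port in p["ports"]))
    return sorted(port for port, is_open in results if is_open)
```

Run it with `asyncio.run(scan_host("127.0.0.1", "standard_scan"))`; feed the observed timeout rate back through `throttle` between batches to mirror the throttling rules.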
Intelligent Scheduling
Time-Based Discovery
Production Servers:
Schedule: "Every 4 hours"
Window: "Any time"
Priority: "High"
Method: "Agent-based"
User Workstations:
Schedule: "Daily"
Window: "19:00-07:00"
Priority: "Medium"
Method: "Agentless"
Network Devices:
Schedule: "Every 2 hours"
Window: "Any time"
Priority: "High"
Method: "SNMP"
Development/Test:
Schedule: "Weekly"
Window: "Weekend"
Priority: "Low"
Method: "Mixed"
Advanced Techniques
Topology Mapping
Layer 2 Discovery
Techniques:
- CDP (Cisco Discovery Protocol)
- LLDP (Link Layer Discovery Protocol)
- STP (Spanning Tree Protocol)
- ARP table analysis
- MAC address tables
Generated Data:
- Physical connections
- VLAN assignments
- Switch port mappings
- Network segments
- Redundancy paths
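An added example (not part of the platform's code) showing how the ARP table and MAC address table techniques above are correlated into switch port mappings and VLAN assignments. The ARP and MAC tables are constructed sample data, and `uplink_ports` and `map_hosts_to_ports` are assumed names.

```python
# Constructed sample inputs (not real devices): the gateway's ARP table and two access switches' MAC tables
ARP_TABLE = [  # (ip, mac) collected from the default gateway
    ("10.10.1.20", "00:1a:2b:3c:4d:01"),
    ("10.10.1.21", "00:1a:2b:3c:4d:02"),
    ("10.10.2.5",  "00:1a:2b:3c:4d:03"),
    ("10.10.2.6",  "00:1a:2b:3c:4d:04"),
    ("10.10.3.9",  "00:1a:2b:3c:4d:99"),  # seen by the gateway but on no inventoried switch
]
MAC_TABLES = {  # switch -> [(mac, vlan, port)]; the Gi1/0/24 ports are the inter-switch uplinks
    "sw-access-01": [
        ("00:1a:2b:3c:4d:01", 10, "Gi1/0/1"),
        ("00:1a:2b:3c:4d:02", 10, "Gi1/0/2"),
        ("00:1a:2b:3c:4d:03", 20, "Gi1/0/24"),
        ("00:1a:2b:3c:4d:04", 20, "Gi1/0/24"),
    ],
    "sw-access-02": [
        ("00:1a:2b:3c:4d:03", 20, "Gi1/0/7"),
        ("00:1a:2b:3c:4d:04", 20, "Gi1/0/8"),
        ("00:1a:2b:3c:4d:01", 10, "Gi1/0/24"),
        ("00:1a:2b:3c:4d:02", 10, "Gi1/0/24"),
    ],
}

def uplink_ports(mac_tables, threshold=2):
    """Ports that learned at least 'threshold' MACs are treated as uplinks/trunks, not edge ports."""
    uplinks = set()
    for switch, entries in mac_tables.items():
        counts = {}
        for _mac, _vlan, port in entries:
            counts[port] = counts.get(port, 0) + 1
        uplinks.update((switch, port) for port, n in counts.items() if n >= threshold)
    return uplinks

def map_hosts_to_ports(arp_table, mac_tables):
    """Join IP->MAC (ARP) with MAC->switch/port (MAC tables), keeping only edge-port learnings."""
    uplinks = uplink_ports(mac_tables)
    by_mac = {}
    for switch, entries in mac_tables.items():
        for mac, vlan, port in entries:
            if (switch, port) not in uplinks:
                by_mac[mac.lower()] = {"switch": switch, "port": port, "vlan": vlan}
    mapping = {}
    for ip, mac in arp_table:
        edge = by_mac.get(mac.lower(), {"switch": None, "port": None, "vlan": None})
        mapping[ip] = {"mac": mac, **edge}
    return mapping
```

Hosts whose MAC never appears on an edge port (here 10.10.3.9) come back with `switch: None`, which is the signal to widen the switch inventory or check for an unmanaged device.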
Layer 3 Discovery
Techniques:
- Routing table analysis
- OSPF/BGP neighbor discovery
- Traceroute mapping
- Next-hop analysis
- Subnet identification
Generated Data:
- Logical network paths
- Router relationships
- Network boundaries
- Default gateways
- Route redundancy
Cloud Discovery
AWS Integration
```python
import boto3

# Discover AWS resources across every enabled region
def discover_aws_resources():
    ec2 = boto3.client('ec2')  # credentials and home region come from the standard boto3 credential chain
    regions = ec2.describe_regions()
    for region in regions['Regions']:
        ec2_regional = boto3.client('ec2', region_name=region['RegionName'])
        # Discover EC2 instances (paginated: a single describe_instances call is capped at 1000 results)
        instances = ec2_regional.get_paginator('describe_instances').paginate().build_full_result()
        # Discover VPCs
        vpcs = ec2_regional.describe_vpcs()
        # Discover security groups
        security_groups = ec2_regional.describe_security_groups()
        # Process and store in CMDB (process_aws_resources is the platform's ingestion hook, not shown here)
        process_aws_resources(instances, vpcs, security_groups)
```
Azure Discovery
Resource Types:
- Virtual Machines
- Virtual Networks
- Storage Accounts
- SQL Databases
- App Services
- Load Balancers
API Endpoints:
- management.azure.com
- Resource Graph queries
- Metadata service
- Tag information
Security Considerations
Credential Management
Secure Storage
Credential Vault:
Encryption: AES-256
Key Management: HSM-backed
Access Control: Role-based
Audit Logging: All access
Rotation: Automated
Best Practices:
- Use read-only credentials
- Implement least privilege
- Regular rotation schedule
- Monitor usage patterns
- Alert on anomalies
Network Impact
Minimizing Disruption
Scan Impact Mitigation:
Rate Limiting:
- Max 100 connections/second
- Per-host limit: 5 concurrent
- Backoff on failure
IDS/IPS Friendly:
- Slow scan option
- Whitelisting support
- Signature avoidance
- Official scan windows
Resource Protection:
- CPU threshold monitoring
- Memory limit checks
- Connection pooling
- Graceful degradation
Troubleshooting
Common Issues
No Response from Target
Possible Causes:
1. Firewall blocking
2. Service disabled
3. Network unreachable
4. Incorrect credentials
Resolution Steps:
1. Test network connectivity (ping)
2. Verify port access (telnet/nc)
3. Check firewall logs
4. Validate credentials
5. Review service status
Incomplete Discovery
Symptoms:
- Partial data collection
- Missing attributes
- Timeout errors
Solutions:
- Increase timeout values
- Use alternative protocols
- Deploy discovery agent
- Check resource constraints
- Review permissions
Performance Issues
Slow Scanning
Diagnosis:
- Monitor scan queue depth
- Check network utilization
- Review thread count
- Analyze timeout rates
Optimization:
- Increase parallel threads
- Optimize timeout values
- Use caching for repeat scans
- Implement scan priorities
- Segment large networks
Best Practices
1. Planning
- ✅ Document network topology
- ✅ Identify scan windows
- ✅ Prepare credentials
- ✅ Notify stakeholders
2. Implementation
- ✅ Start with small segments
- ✅ Monitor scan impact
- ✅ Validate discovered data
- ✅ Adjust parameters as needed
3. Maintenance
- ✅ Regular credential updates
- ✅ Performance monitoring
- ✅ Coverage analysis
- ✅ Security reviews
Next Steps
- 📖 Agent Deployment - Installing discovery agents
- 📖 Credential Management - Secure credential handling
- 📖 Discovery Patterns - Custom discovery rules