See runZero in action

Contact us to book a demo with our team.

Hunting for Network Bridges with Rumble

(updated ), by HD Moore
icon

Thanks to the wonderful user feedback from Beta 5, a handful of bug fixes and improvements have been deployed along with a new feature: Network Bridge Detection!

runZero Scanner Bridges Report

The bridge report shows external networks in red, internal networks in green, and multihomed assets that bridge these networks in orange. Zooming in will show asset and subnet details, while clicking a node will take you to the asset page for bridge nodes and to a CIDR-based inventory search for network nodes. This view is not a typical network map, but instead shows possible paths that can be taken through the network by traversing multihomed assets. Assets where Rumble only detected a single IP address are not shown in order to keep the graph readable.

Bridge detection is useful when validating network segmentation and ensuring that an attacker can’t reach a sensitive network from an untrusted network or asset. Examples of this include laptops plugged into the internal corporate network that are also connected to a guest wireless segment and systems connected to an untrusted network, such as a coffee shop’s wireless network that also have an active VPN connection to the corporate network.

Rumble detects network bridges by looking for extra IP addresses in responses to common network probes (NetBIOS, SNMP, MDNS, UPnP, and others) and only reports bridges when there is at least one asset identified with multiple IP addresses. Typical hardening steps, such as desktop firewalls and disabled network services will usually prevent multihomed assets from being detected by Rumble. The screenshot below shows how to search for multihomed assets in the Rumble inventory.

Rumble Multihomed Asset Detection

Bridge reports can be found in the Inventory under the new Reports drop-down menu.

Rumble Report Menu

Network segmentation is a critical security control for many businesses, but verifying that segmentation is working correctly can be challenging, especially across large and complex environments. Common techniques to validate segmentation, such as reviewing firewall rules and spot testing from individual systems can only go so far, and comprehensive testing, such as running full network scans from every segment to every segment, can be time intensive and are hard to justify on a regular basis. For businesses subject the PCI DSS requirements, validating cardholder data environment (CDE) segmentation is an important part of the security audit process. The image below is from the PCI guidance on scoping and segmentation and demonstrates a common CDE administration model.

Logical Data Flow: Administration of CDE Systems from a Security-Impacting System in the Corporate LAN

The network bridge detection in Rumble is opportunistic and far from perfect, but it may highlight areas where segmentation is broken, and can cut down on the number of surprises encountered in a future security audit. We hope you find this report useful and we would love your feedback.

Happy scanning!

Other changes since Beta 5 #

  • The Search Query Syntax documentation has been overhauled for readability and clarity.

  • The Inventory now supports queries for network ranges using the net:CIDR/MASK syntax.

  • The Inventory now supports queries for the Last Seen and First Seen fields using relative and absolute dates (lastseen:>5days or firstseen:<2019-06-01).

  • The new Subnet Utilization Report can provide a quick breakdown of where assets were found.

  • Scans now support individual network ranges up to a /8 (16.7 million IPs). Scans can support multiple ranges to encompass even larger address space.

  • The urls.txt file generated by the scanner now uses the fully qualified host name, if DNS names were used as scan targets.

  • A race condition that could cause large scans to crash was identified and resolved.

  • An issue scanning services that produce large responses was identified and resolved.

  • Scan exclusions were not working properly, this has been corrected and new test cases put in place.

  • Empty output directories would be created if the scanner was run without targets, this is now fixed.

  • The Nmap XML output has been updated to be slightly more correct (utf-8, prevent invalid values for the down host count).

  • The npcap package has been upgraded to version 0.9982.

HD Moore
Written by HD Moore

HD Moore is the co-founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

Similar Content

July 12, 2022

Rumble 2.15: Sync assets, software, and vulnerability data from Rapid7, scan external domains from our cloud, and report on external assets and services

What’s new with Rumble 2.15? # Sync assets, software, and vulnerability data from Rapid7 InsightVM and Nexpose Quickly identify and report externally exposed assets and services Navigate your inventory faster with an updated Rumble Console Gathering vulnerability data …

Read More

June 7, 2022

Rumble 2.14: Sync assets, software, and vulnerability data from Tenable, run external discovery from our cloud, and extend your Microsoft Azure coverage

What’s new with Rumble 2.14? # Sync assets, software, & vulnerability data from Tenable Discover external assets with Rumble cloud-hosted scanners Track Azure Function Apps through the Microsoft Azure integration Sync assets, software, and vulnerability data from …

Read More

May 10, 2022

Rumble 2.13: Sync assets & software from SentinelOne, track more cloud resources, view cross-organization inventory, and schedule automated reports

What’s new with Rumble 2.13? # Sync asset and software inventory from SentinelOne Explore software identified through runZero scans Track more cloud resources from AWS, Azure, and GCP Work with your asset inventory across organizations Schedule and email the …

Read More

Subscribe and stay in the loop!

We won't share your email.

Unsubscribe at any time.