See runZero in action

Contact us to book a demo with our team.

There and Back Again with the Subnet Grid Report

(updated ), by HD Moore
icon

ToneLoc #

The Subnet Grid Report introduced in Rumble 1.7.0 is copied from one of my favorite security tools of time, ToneLoc! ToneLoc (the tone locator) is MS-DOS wardialer written by Minor Threat and Mucho Maas that was released in the early 90s. ToneLoc was (and sometimes still is) one of the best ways to sweep telephone ranges to find accessible modems.

One of the coolest features is ToneMap; a 100x100 pixel grid display of a 10,000 telephone number block. For a given number block (1-512-XXX-XXXX), the top left pixel would represent 1-512-000-0000, while the bottom right would be 1-512-999-9999.

The ToneMap visualization made it easy to identify anomalies and detect patterns in the allocation of phone numbers. The image below is a screenshot of ToneLoc’s ToneMap (1.10) running in DOSBox with a sample data file.

ToneMap of SAMPLE2.DAT

WarVOX #

Fast forward to 2011 and I borrowed the ToneMap visualization when building out WarVOX (a VoIP-powered wardialer, currently unmaintained). Visualizing the peak frequency and silence-to-noise ratio as a ToneMap-style grid uncovered interesting patterns in phone number allocations. Similar audio (errors, answering machine, voicemail boxes) could be quickly extracted, while the peak frequency grid view made it easy to find dial tones, modems, and other digital endpoints. This feature never made it into the application, but was heavily used as part of the development process.

WarVOX 2.0 Frequency Map

Rumble #

Rumble takes a similar approach in the Subnet Grid Report. This grid view differs in few ways, but the core concept is the same. In contrast to telephone numbers that are often organizated on multiples of 10 boundaries, IP addresses are organized on powers of two subnet sizes. The Rumble report aligns the grid to standard CIDR subnet sizes and can scale from 16 to 512 columns as needed.

The screenshot below shows a public IPv4 subnet with the OS color map applied. The blue squares on the left and right edges are Cisco routers while most of the remaining IP space is full of Huawei Home Gateways, mapping to a typical residential ISP block, at least in Iceland where this subnet is allocated.

Rumble Subnet Grid Report - OS

Cycling between different color modes can highlight interesting patterns. The default mode is to color map by TCP service count. Darker nodes have less services, while brighter nodes have more. If you are trying to identify potential exposure, more services generally correlates with a higher risk. The Services color map does not differ much from the OS map; we can see that Cisco routers on the network boundaries have no TCP services, while most of the Huawei devices have exactly one.

Rumble Subnet Grid Report - Services

Given that the assets on this network are mostly detected as Huawei Home Gateways, lets filter those out and apply the OS color map:

Rumble Subnet Grid Report - Not Huawei - OS

Neat! Our Cisco routers on the boundaries are still there, but now we see a scattering of “different” devices. Most are these are still hosted behind the Huawei Gateways, but the use of port forwarding causes Rumble to reclassify them as something else, based on what ports are forwarded and the device listening on the far end.

In this case we see a QNAP NAS device exposed to the internet through port forwarding.

It looks like there might be a diagonal allocation pattern of responsive IPs. Lets try zooming out further:

Rumble Subnet Grid Report - Zoomed Out

Wow! Yup. Whatever this ISP is doing for DHCP allocation is causing addresses to be staggered from one subnet to the next. Some of the insights that can be pulled from a grid visualization are nearly impossible to notice through other analysis methods.

Although we have been using an external IPv4 subnet for this example, this type of analysis is incredibly useful for internal networks too. Anomalies are easy to spot and the filtering capability can be used to remove noise as needed. This final example is from a typical office network, with the Type color map applied.

Rumble Subnet Grid Report - Internal

The blue blocks are Windows desktops, the pockets of red and orange are printers and network scanners, while the gray items are Linux servers. A quick glance gives us an idea of how this network is used and makes the outliers obvious.

Full Circle #

ToneLoc (and ToneMap) have been weirdly influential on my work and I thought it might be fun to bring a bit of 2020 back to 1995. We are going to need DOSBox, a ZIP download of ToneLoc from Github, and some data.

First thing we do is install DOSBox and open the DOSBox terminal.

DOSBox

Next we create a local directory and extract the ToneLoc ZIP file into it. I picked C:\MSDOS\ToneLoc.

ToneLoc Files

Now we need some data. Head to the Subnet Grid Report for your favorite subnet, click the OS color map, and use the TL link in the bottom right to download a os.dat file. If you prefer, you can use my sample data instead.

ToneLoc DAT Download

Copy this file into the ToneLoc directory (C:\MSDOS\ToneLoc) as os.dat.

Now mount the ToneLoc directory in DOSBox and change into it:

DOSBox Mount

Finally, run tonemap os.dat:

ToneMap of Rumble os.dat

You can switch the color map to Service mode and get a different perspective by loading services.dat:

ToneMap of Rumble services.dat

Success! We have IPv4 network scan data from 2020 visualized in a 1990s wardialer.

What is old is new again.

Thanks for reading!

-HD

HD Moore
Written by HD Moore

HD Moore is the co-founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.

Similar Content

July 12, 2022

Rumble 2.15: Sync assets, software, and vulnerability data from Rapid7, scan external domains from our cloud, and report on external assets and services

What’s new with Rumble 2.15? # Sync assets, software, and vulnerability data from Rapid7 InsightVM and Nexpose Quickly identify and report externally exposed assets and services Navigate your inventory faster with an updated Rumble Console Gathering vulnerability data …

Read More

June 7, 2022

Rumble 2.14: Sync assets, software, and vulnerability data from Tenable, run external discovery from our cloud, and extend your Microsoft Azure coverage

What’s new with Rumble 2.14? # Sync assets, software, & vulnerability data from Tenable Discover external assets with Rumble cloud-hosted scanners Track Azure Function Apps through the Microsoft Azure integration Sync assets, software, and vulnerability data from …

Read More

May 10, 2022

Rumble 2.13: Sync assets & software from SentinelOne, track more cloud resources, view cross-organization inventory, and schedule automated reports

What’s new with Rumble 2.13? # Sync asset and software inventory from SentinelOne Explore software identified through runZero scans Track more cloud resources from AWS, Azure, and GCP Work with your asset inventory across organizations Schedule and email the …

Read More

Subscribe and stay in the loop!

We won't share your email.

Unsubscribe at any time.