Zero Networks Labs

TrustMeter and CornerShot, A Perfect Match

Published March 27, 2021 by Sagie Dulce

Better Together

Like peanut butter and jelly or wine and cheese, some things are just better together. Our most recent example of things that go together is our integration of CornerShot into TrustMeter 3.0. While there are many new features added in 3.0, CornerShot significantly increases the power of TrustMeter, allowing it to scan an entire segmented network from a single location.

If you are unfamiliar with TrustMeter, it is best to start here to get a better understanding of the network segmentation tool and its purpose. In short, TrustMeter is a network discovery tool, which helps you assess the level of trust in your network. It is fast, intuitive to use, and presents collected information in an easy to consume report.

CornerShot is a free open source tool, which was presented at BlackHat Europe 2020. It enables a user to “peek” at a remote host’s network permissions without the need to have any special privileges on that host.

In this post we will present how CornerShot integration boosts TrustMeter capabilities, and dive deeper into additional features you can now find in TrustMeter 3.0.

CornerShot Scan Discovers Hidden Assets

One of the biggest challenges that security teams (red and blue) are facing today is the ability to get a good understanding of their network in real time. This usually involves the deployment of multiple sensors or scanning agents across the network, and periodically collecting this information.

TrusMeter uses CornerShot to uncover network access from a remote host, without requiring any special privileges on that host. By collecting network access information from a multitude of remote hosts, it is possible to scan the entire segmented network from a single location.

After running TrustMeter, you will notice that the new report now shows if assets are accessible directly or indirectly:

  • Directly accessible assets are discovered using “classic” TrustMeter capabilities. These are assets for which the scanning host can create a network connection to them (either TCP or UDP).
  • Indirectly accessible assets are discovered using CornerShot. These are assets for which the scanning host can’t establish a network connection but are accessible from at least one other host (which is directly accessible).

Information regarding whether assets are directly or indirectly accessible is summarized at the top of the report. For example, in this execution, 96% of the network is accessible, some of it directly, but many indirectly. If an attacker would have compromised the scanning host, they would have little problem compromising the entire network.

The Networks.xlsx, which is generated after each scan, shows which assets can be used to access the indirectly accessible hosts, under the “Reachable Targets” column.

Gaining Insights

Another major feature in TrustMeter 3.0 is the ability to gain insights from collected data. TrustMeter analyzes the assets information and network properties to build corresponding models that characterize their behavior. The analysis is based on static features (such as Operating System version) and dynamic features (such as open TCP ports). The models are used to provide various types of insights in addition to detection of anomalous characteristics. For example:

  • OS Anomalies: Detection of anomalous OSs adaptively. This is done by identifying OSs that, compared to the rest of the OSs in the organization, appear “rarely" (with respect to their corresponding peer-group of assets).
  • Mixed IP Range detection: Detection of anomalous mixed IP ranges, where the majority of the assets belong to one type of assets (e.g., client machines) and the minority to another type (e.g., server machines).
  • Mixed OU detection: Detection of anomalous mixed OUs, where the majority of the assets belong to one type of assets (e.g., client machines) and the minority to another type (e.g., server machines).
  • Anomalous Client with Server Port: Detection of server-oriented ports, which are learnet automatically and adaptively per organization, that are used by anomalous client machines.

The anomalies, if found, are then printed to a report with a suffix of “Insights.csv”. There is no representation of these insights in the HTML report at this version of TrustMeter.

More Features

There are additional features that were requested by clients and the security community, which made their way into TrustMeter 3.0. These are:

  • LDAP SASL Support: By using the “-x” parameter, TrustMeter will use native capabilities in Windows to retrieve information from Active Directory that enforces LDAP Simple Authentication and Security Layer.
  • IP ranges: Limit the scope of the scan to specific IP ranges with the “-r” parameter.
  • Ports: Add or remove ports to the scan with the “-P” parameter.

Next Steps

We are glad to support the growing community of users that rely on TrustMeter for security assessments. We are always open to ideas, comments and suggestions regarding future versions of TrustMeter, so if you have ideas, don’t hesitate to reach out to us at support@phpstack-717800-4003432.cloudwaysapps.com..