Skill

runZero Services

Lists and filters RunZero-discovered services by port or protocol, identifies vulnerabilities, and audits exposed services across sites.

security

Install

npx claudepluginhub wyre-technology/msp-claude-plugins --plugin runzero

Tool Access

This skill uses the workspace's default tool permissions.

Preview

RunZero discovers services running on every asset -- open ports, protocols, software versions, and TLS configurations. Service data is critical for vulnerability assessment, compliance auditing, and attack surface management. This skill covers listing, filtering, and analyzing discovered services.

SKILL.md

Similar Skills

cache-components

Guides Next.js Cache Components and Partial Prerendering (PPR) with cacheComponents enabled. Implements 'use cache', cacheLife(), cacheTag(), revalidateTag(), static/dynamic optimization, and cache debugging.

cache-components

139.0k

claude-opus-4-5-migration

2 files

Migrates code, prompts, and API calls from Claude Sonnet 4.0/4.5 or Opus 4.1 to Opus 4.5, updating model strings on Anthropic, AWS, GCP, Azure platforms.

claude-opus-4-5-migration

83.2k

bmad-index-docs

Generates or updates index.md listing all files and subdirectories in a target folder with 3-10 word descriptions from file contents. Use for indexing documentation directories.

bmad-pro-skills

43.8k

Stats

Parent Repo Stars12

Parent Repo Forks8

Last CommitApr 5, 2026

Actions

View Source View Plugin View on GitHub View README

RunZero Services

Overview

Key Concepts

Service Attributes

Each discovered service includes:

Attribute	Description
`port`	TCP/UDP port number
`protocol`	Application protocol (HTTP, SSH, RDP, etc.)
`transport`	Transport layer (TCP, UDP)
`summary`	Service banner or description
`software`	Detected software and version
`tls`	TLS/SSL configuration details
`asset_id`	The asset this service runs on
`first_seen`	When the service was first discovered
`last_seen`	When the service was last observed

Common Protocols

Protocol	Default Port	Risk Considerations
`ssh`	22	Check for weak ciphers, old versions
`rdp`	3389	High-risk if exposed externally
`http`	80	Check for unencrypted admin panels
`https`	443	Verify TLS version and certificate
`smb`	445	Ransomware vector if exposed
`snmp`	161	Check for default community strings
`telnet`	23	Unencrypted; should be disabled
`ftp`	21	Unencrypted; check for anonymous access

Vulnerability Indicators

RunZero flags services with security concerns:

Expired or self-signed TLS certificates
Outdated software versions with known CVEs
Insecure protocols (Telnet, FTP, SNMPv1)
Default credentials detected
Exposed management interfaces

API Patterns

List Services

runzero_services_list

Parameters:

site_id -- Filter by site
search -- RunZero query string
count -- Results per page
offset -- Pagination offset

Example response:

{
  "services": [
    {
      "id": "svc-uuid-123",
      "asset_id": "asset-uuid-456",
      "port": 3389,
      "transport": "tcp",
      "protocol": "rdp",
      "summary": "Microsoft Terminal Services",
      "software": "Windows RDP 10.0",
      "first_seen": "2026-01-15T10:00:00Z",
      "last_seen": "2026-03-27T08:30:00Z"
    }
  ]
}

Get Service Details

runzero_services_get

Parameters:

service_id -- The specific service UUID

Export Services

runzero_services_export

Parameters:

search -- RunZero query to filter services
site_id -- Filter by site

Use for bulk service data retrieval.

Service Query Examples

protocol:rdp AND alive:true
port:445 AND NOT address:10.0.0.0/8
protocol:ssh AND software:OpenSSH AND software:<8
protocol:telnet
port:443 AND tls.version:TLSv1.0

Common Workflows

Exposed Service Audit

Search for high-risk services: protocol:rdp OR protocol:telnet OR protocol:ftp
Filter to externally-facing assets if possible
Flag services that should not be exposed
Generate remediation recommendations

TLS Certificate Audit

Search for HTTPS services: protocol:https
Check for expired certificates, weak TLS versions
Identify self-signed certificates
Generate certificate expiry report

Port Scan Summary

Export all services for a site
Aggregate by port and protocol
Count unique assets per service type
Identify unexpected or unauthorized services

Vulnerability Surface Analysis

Search for services with known vulnerable software versions
Cross-reference with CVE databases
Prioritize by severity and exposure
Generate actionable remediation report

SMB/RDP Exposure Check

Search: protocol:rdp OR protocol:smb
Identify assets exposing these services
Check if any are externally reachable
Recommend firewall rules or VPN-only access

Error Handling

Service Not Found

Cause: Invalid service UUID or service no longer detected Solution: Search by port/protocol on the asset instead

Large Result Sets

Cause: Broad queries returning thousands of services Solution: Add site or protocol filters; use the Export API

Best Practices

Use the Export API for service inventories across large environments
Focus security audits on high-risk protocols (RDP, SMB, Telnet, FTP)
Monitor for new services appearing between scans
Track TLS certificate expiry dates proactively
Cross-reference discovered services with firewall rules
Generate per-client service reports for security reviews

Related Skills

api-patterns - Query language and pagination
assets - Assets running the services
sites - Sites containing the services
tasks - Scans that discover services