Scanning & Searching #
Version 1.5.0 of Rumble Network Discovery is live with updates in two major areas; wider scanning, through improved protocol support, scan engine enhancements, and more comprehensive decoders; and deeper searching, with the addition of a dozen new search filters and other enhancements to the web console.
Wider Scanning #
Whether you use the Rumble Agent or the runZero Scanner, the scan engine improvements in v1.5.0 make discovery more reliable, predictable, and comprehensive. This release adds support for TFTP, NTP, NFS, dTLS, and OpenVPN discovery probes. The dTLS, OpenVPN, and TFTP probes support multiple ports per scan, enabling a wider range of product and protocol detection. The dTLS probe can identify Remote Desktop Gateway services on port 3391 as well as CAPWAP responses from Wireless LAN Controllers.
The SMB, WSD, SunRPC, UPnP, and HTTP probes all received updates in this release; allowing more information to be captured, normalized, and extracted for easy fingerprinting. Scans now report more ports, more protocols, and more normalized fields for queries.
The HTTP probe in particular received big updates, enabling same-host redirect follows, disabling screenshots of generic error pages, capturing generator and other meta tags, storing the final redirect separate from the first response page, and extracting icons from both web and UPnP endpoints. The HTTP probe also identifies Remote Desktop Gateway instances exposed via IIS. The screenshot below demonstrates the icon capture feature, which displays captured icons in the web console.
Deeper Searching #
The web console efforts built on 1.4.0's support for grouped queries by adding the ability to search by numerical ranges and counts of specific fields. Numeric comparisons can be applied to any asset attribute or service detail, as well as port numbers, round-trip-times, TTLs, and the counts of addresses, macs, hostnames, and domains. The screenshot below demonstrates asset filtering by the TCP service count.
Applying the numeric comparisons to service inventory fields allows filtering on any value. For example, the query http.code:>=400 AND NOT http.code:404 can return only web servers with error responses, ignoring 404s.
These comparisons also work for image sizes. The example below uses the query screenshot.image.size:>=500000 to limit screenshot results to those where the image is at least 500,000 bytes (less compressible and more interesting).
The presence of switch topology information can now be queried using the has:uplink, has:downlink, and has:unmapped search terms. The topology information itself is now displayed on the asset detail page, making it easier to understand how a particular system is wired into the network.
If you would like to explore the full set of search keywords, the Search Query Syntax documentation has been updated with the new keywords and examples.
More Enhancements #
The Scan Configuration page now allows a set of tags to be applied to all assets discovered by that scan. This applies to both single and recurring scans.
Recurring scans can now be paused and unpaused from the Tasks list.
Rumble now supports 64-bit ARM on Linux (aarch64), enabling cost and power efficient scans from popular small factor boards and ARM-based cloud instances.
The web interface now applies styles to the print view.
Last, but not least, every account (trial or otherwise) can now create a pre-populated Demo Organization. This is available via the bottom-left link on the Organizations page. Demo organizations don't count against your licensed assets and can be used to explore new features without running a new scan. Most of the screenshots in this article used the Demo Organization.
Release Notes #
The complete release notes for v1.5.0 can be found in our documentation at the links below.
If you haven't had a chance to try runZero before, or would like to play with the new features, sign up for a free trial and let us know what you think!
