Rumble 1.5.0 Scanning Wider and Searching Deeper

Scanning & Searching

Version 1.5.0 of Rumble Network Discovery is live with updates in two major areas: wider scanning, through improved protocol support, scan engine enhancements, and more comprehensive decoders; and deeper searching, with the addition of a dozen new search filters and other enhancements to the web console.

Rumble Network Discovery 1.5.0

Wider Scanning

Whether you use the Rumble Agent or the runZero Scanner, the scan engine improvements in v1.5.0 make discovery more reliable, predictable, and comprehensive. This release adds support for TFTP, NTP, NFS, dTLS, and OpenVPN discovery probes. The dTLS, OpenVPN, and TFTP probes support multiple ports per scan, enabling a wider range of product and protocol detection. The dTLS probe can identify Remote Desktop Gateway services on port 3391 as well as CAPWAP responses from Wireless LAN Controllers.

Remote Desktop Gateway Detection

The SMB, WSD, SunRPC, UPnP, and HTTP probes all received updates in this release, allowing more information to be captured, normalized, and extracted for easy fingerprinting. Scans now report more ports, more protocols, and more normalized fields for queries.

UPnP Device Attributes

The HTTP probe in particular received big updates, enabling same-host redirect follows, disabling screenshots of generic error pages, capturing generator and other meta tags, storing the final redirect separate from the first response page, and extracting icons from both web and UPnP endpoints. The HTTP probe also identifies Remote Desktop Gateway instances exposed via IIS. The screenshot below demonstrates the icon capture feature, which displays captured icons in the web console.

HTTP & UPnP Icon Capture

Deeper Searching

The web console efforts built on 1.4.0's support for grouped queries by adding the ability to search by numerical ranges and counts of specific fields. Numeric comparisons can be applied to any asset attribute or service detail, as well as port numbers, round-trip times, TTLs, and the counts of addresses, MACs, hostnames, and domains. The screenshot below demonstrates asset filtering by the TCP service count.

Search by TCP Service Count

Applying the numeric comparisons to service inventory fields allows filtering on any value. For example, the query http.code:>=400 AND NOT http.code:404 can return only web servers with error responses, ignoring 404s.

Search by HTTP Code Range

These comparisons also work for image sizes. The example below uses the query screenshot.image.size:>=500000 to limit screenshot results to those where the image is at least 500,000 bytes (less compressible and more interesting).

Search by Screenshot Size
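
The comparison semantics described above, as an added example (not code from Rumble or runZero): a small evaluator for the two queries in this section, run over constructed service records. Only the >= operator and AND NOT appear in the article; the other operators, the treatment of a bare number as an exact match, and the record layout are assumptions.

```python
import operator
import re

# Comparison operators; only ">=" appears in the article, the rest are assumed.
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
TERM = re.compile(r"^(?P<field>[\w.]+):(?P<op>>=|<=|>|<)?(?P<value>\d+)$")

def parse_term(term):
    """Turn 'field:>=N' or 'field:N' into a predicate over one record (dict)."""
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    field, value = m["field"], int(m["value"])
    compare = OPS.get(m["op"], operator.eq)  # bare number: exact match (assumed)

    def predicate(record):
        raw = record.get(field)
        if raw is None:
            return False  # a missing field never satisfies a comparison
        try:
            return compare(int(raw), value)
        except (TypeError, ValueError):
            return False  # non-numeric value, e.g. an empty string
    return predicate

def compile_query(query):
    """Support 'term AND term' with an optional NOT per term (no OR, no grouping)."""
    predicates = []
    for clause in re.split(r"\s+AND\s+", query.strip()):
        negate = clause.startswith("NOT ")
        pred = parse_term(clause[4:].strip() if negate else clause)
        predicates.append((negate, pred))
    return lambda record: all(pred(record) != negate for negate, pred in predicates)

def search(records, query):
    matches = compile_query(query)
    return [r for r in records if matches(r)]

# Constructed sample service records (not real scan output).
SERVICES = [
    {"address": "192.0.2.10", "port": 80, "http.code": "200", "screenshot.image.size": "812345"},
    {"address": "192.0.2.11", "port": 443, "http.code": "404", "screenshot.image.size": "20480"},
    {"address": "192.0.2.12", "port": 8080, "http.code": "500", "screenshot.image.size": "501000"},
    {"address": "192.0.2.13", "port": 8443, "http.code": "403"},
    {"address": "192.0.2.14", "port": 22},
]
```

Records without the queried field (the SSH service and the host with no screenshot here) drop out of a numeric comparison rather than raising an error, which is the behaviour to check for when a filter returns fewer results than expected.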

The presence of switch topology information can now be queried using the has:uplink, has:downlink, and has:unmapped search terms. The topology information itself is now displayed on the asset detail page, making it easier to understand how a particular system is wired into the network.

Network Topology Asset Detail

If you would like to explore the full set of search keywords, the Search Query Syntax documentation has been updated with the new keywords and examples.

More Enhancements

The Scan Configuration page now allows a set of tags to be applied to all assets discovered by that scan. This applies to both single and recurring scans.

Scan Tags

Recurring scans can now be paused and unpaused from the Tasks list.

Scan Pause

Rumble now supports 64-bit ARM on Linux (aarch64), enabling cost- and power-efficient scans from popular small form factor boards and ARM-based cloud instances.

Linux on ARM 64-bit Support

The web interface now applies styles to the print view.

Print Style Support

Last, but not least, every account (trial or otherwise) can now create a pre-populated Demo Organization. This is available via the bottom-left link on the Organizations page. Demo organizations don't count against your licensed assets and can be used to explore new features without running a new scan. Most of the screenshots in this article used the Demo Organization.

Create a Demo Organization

Release Notes

The complete release notes for v1.5.0 can be found in our documentation at the links below.

If you haven't had a chance to try runZero before, or would like to play with the new features, sign up for a free trial and let us know what you think!

Written by HD Moore

HD Moore is the founder and CEO of runZero. Previously, he founded the Metasploit Project and served as the main developer of the Metasploit Framework, which is the world's most widely used penetration testing framework.
