Rumble 1.5.0: Scanning Wider and Searching Deeper

(updated ), by HD Moore
Rumble, Inc. is now runZero!

Rumble Network Discovery is now runZero!

Scanning & Searching

Version 1.5.0 of Rumble Network Discovery is live with updates in two major areas: wider scanning, through improved protocol support, scan engine enhancements, and more comprehensive decoders; and deeper searching, with the addition of a dozen new search filters and other enhancements to the web console.

Rumble Network Discovery 1.5.0

Wider Scanning

Whether you use the Rumble Agent or the runZero Scanner, the scan engine improvements in v1.5.0 make discovery more reliable, predictable, and comprehensive. This release adds support for TFTP, NTP, NFS, dTLS, and OpenVPN discovery probes. The dTLS, OpenVPN, and TFTP probes support multiple ports per scan, enabling a wider range of product and protocol detection. The dTLS probe can identify Remote Desktop Gateway services on port 3391 as well as CAPWAP responses from Wireless LAN Controllers.

Remote Desktop Gateway Detection

The SMB, WSD, SunRPC, UPnP, and HTTP probes all received updates in this release, allowing more information to be captured, normalized, and extracted for easy fingerprinting. Scans now report more ports, more protocols, and more normalized fields for queries.

UPnP Device Attributes

The HTTP probe in particular received big updates, enabling same-host redirect follows, disabling screenshots of generic error pages, capturing generator and other meta tags, storing the final redirect separate from the first response page, and extracting icons from both web and UPnP endpoints. The HTTP probe also identifies Remote Desktop Gateway instances exposed via IIS. The screenshot below demonstrates the icon capture feature, which displays captured icons in the web console.

HTTP & UPnP Icon Capture

Deeper Searching

The web console work builds on 1.4.0’s support for grouped queries by adding the ability to search by numerical ranges and counts of specific fields. Numeric comparisons can be applied to any asset attribute or service detail, as well as port numbers, round-trip times, TTLs, and the counts of addresses, MACs, hostnames, and domains. The screenshot below demonstrates asset filtering by the TCP service count.

Search by TCP Service Count

Applying the numeric comparisons to service inventory fields allows filtering on any value. For example, the query http.code:>=400 AND NOT http.code:404 can return only web servers with error responses, ignoring 404s.

Search by HTTP Code Range

These comparisons also work for image sizes. The example below uses the query screenshot.image.size:>=500000 to limit screenshot results to those where the image is at least 500,000 bytes (less compressible and more interesting).

Search by Screenshot Size
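
The two queries above can also be reproduced offline against exported inventory data. The following is an added example, not Rumble's own code or parser: it models only the term forms shown on this page (field:value, field:>=value, AND, NOT) over constructed records whose key names are assumed to match the search keywords.

```python
import re

# Constructed sample service records (not real scan output). The key names are
# an assumption: they reuse the keywords from the queries on this page.
SERVICES = [
    {"address": "192.0.2.10", "http.code": 200, "screenshot.image.size": 812345},
    {"address": "192.0.2.11", "http.code": 404, "screenshot.image.size": 20480},
    {"address": "192.0.2.12", "http.code": 403, "screenshot.image.size": 640000},
    {"address": "192.0.2.13", "http.code": 500},
    {"address": "192.0.2.14"},  # non-HTTP service: no http.* fields at all
]

# One term: a dotted field name, a colon, an optional ">=", then an integer.
TERM = re.compile(r"^(?P<field>[\w.]+):(?P<op>>=)?(?P<value>\d+)$")

def match_term(term, record):
    """Evaluate one 'field:value' or 'field:>=value' term against a record."""
    m = TERM.match(term)
    if m is None:
        raise ValueError(f"unsupported term: {term!r}")
    actual = record.get(m["field"])
    if actual is None:  # field absent: a positive term cannot match
        return False
    wanted = int(m["value"])
    return actual >= wanted if m["op"] else actual == wanted

def match_query(query, record):
    """AND together the terms of a query; each term may be prefixed by NOT."""
    for clause in re.split(r"\s+AND\s+", query.strip()):
        negate = clause.startswith("NOT ")
        term = clause[4:].strip() if negate else clause
        if match_term(term, record) == negate:
            return False
    return True

def search(query, records=SERVICES):
    """Return the addresses of all records that satisfy the query."""
    return [r["address"] for r in records if match_query(query, r)]

if __name__ == "__main__":
    print(search("http.code:>=400 AND NOT http.code:404"))
    print(search("screenshot.image.size:>=500000"))
    print(search("NOT http.code:404"))
```

In this local model a negated term on its own also matches records that lack the field entirely, which is why the positive http.code:>=400 term is what restricts the result to web servers.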

The presence of switch topology information can now be queried using the has:uplink, has:downlink, and has:unmapped search terms. The topology information itself is now displayed on the asset detail page, making it easier to understand how a particular system is wired into the network.

Network Topology Asset Detail

If you would like to explore the full set of search keywords, the Search Query Syntax documentation has been updated with the new keywords and examples.

More Enhancements

The Scan Configuration page now allows a set of tags to be applied to all assets discovered by that scan. This applies to both single and recurring scans.

Scan Tags

Recurring scans can now be paused and unpaused from the Tasks list.

Scan Pause

Rumble now supports 64-bit ARM on Linux (aarch64), enabling cost- and power-efficient scans from popular small form factor boards and ARM-based cloud instances.

Linux on ARM 64-bit Support

The web interface now applies styles to the print view.

Print Style Support

Last, but not least, every account (trial or otherwise) can now create a pre-populated Demo Organization. This is available via the bottom-left link on the Organizations page. Demo organizations don’t count against your licensed assets and can be used to explore new features without running a new scan. Most of the screenshots in this article used the Demo Organization.

Create a Demo Organization

Release Notes

The complete release notes for v1.5.0 can be found in our documentation at the links below.

If you haven’t had a chance to try runZero before, or would like to play with the new features, sign up for a free trial and let us know what you think!
