Leveraging scan probes
When performing a scan, runZero Explorers and scanners use probes to extract information from open scanned ports. Many probes can be configured using the
Probes and SNMP tab of a scan task configuration. All the ports included in the scan scope with an enabled probe will be sent a request and the response will be collected. Some probes will perform additional checks when certain protocols, services, or software are detected in the response.
Most probes can be configured differently for TCP and UDP ports:
- TCP ports: These scan probes will run automatically when the specific protocol is detected in the response from a TCP port.
- UDP ports: Most scan probes allow you to disable performing requests against UDP ports.
The table below breaks out the following for each scan probe:
- Probe: Name of the protocol, service, or software, linked to a source for additional details.
- Port(s): Ports the scanner automatically run these probes on. This is configurable for many UDP probes.
- UDP supported: Allows you to disable the probe on UDP, but TCP will still occur if the port is in the scan configuration.
- Additional details: Any additional context about the probe.
|Banner match, and any key/value pairs returned by the service.
|Detection of the AJP protocol via the Shodan integration.
|Integration with Amazon Web Services (AWS) APIs, can be run as scan probe or a connector task.
|Integration with Microsoft Azure APIs, can be run as scan probe or a connector task.
|Integration with Microsoft Azure Active Directory (Azure AD) via Azure AD API, can be run as scan probe or a connector task.
|Integration with Censys Search and Censys Universal Internet Dataset, can be run as scan probe or a connector task.
|Discovers Checkmk services and reports agent version, asset OS, running services, and process names.
|Integration with CrowdStrike Falcon, can be run as scan probe or a connector task.
|Probes Dahua assets with the proprietary binary DHIP protocol and reports any details received (version, serial number, addresses)
|Integration with Microsoft 365 Defender, can be run as scan probe or a connector task
|Probes the Docker API for version and system details
|Integration with Google Cloud Platform (GCP), can be run as scan probe or a connector task
|Generic UDP module for internal research purposes
|Integration with Google Workspace, can be run as scan probe or a connector task
|Integration with Rapid7 InsightVM, can be run as scan probe or a connector task; Nexpose data can be pulled into runZero by importing files that were exported from a Nexpose instance
|Integration with Microsoft Intune, can be run as scan probe or a connector task
|Discovers and attempts to pull details from assets responding to IPMI
|Detect and query limited version and config info from a LANDESK agent
|Integration with Miradore MDM via Miradore API, can be run as scan probe or a connector task
|Gathers some of the supported x-plugin capabilities of the remote service,
|Gathers some basic info, like version and status, from the service.
|Gathers any JSON key/value data available from the service.
|Sony PlayStation Discovery Protocol, our probe tried to learn things like the type of PS unit, OS version, ID, hostname, MAC address
|Integration with Qualys Vulnerability Management, Detection, and Respons (VMDR) via Qualys KnowledgeBase API, can be run as scan probe or a connector task
|Integration with SentinelOne API, can be run as scan probe or a connector task
|Integration with Shodan API, can be run as scan probe or a connector task
|SYN TCP port scan
|Integration with Tenable.io and Tenable Nessus Professional via Tenable cloud API , can be run as scan probe or a connector task; all versions of Tenable Nessus are supported through .nessus file imports
|443, 3389, 8443, others
|Discovery protocol used by EdgeRouter devices (and possible other Ubiquiti devices)
|Integration with VMware vCenter and ESXi instances, can be run as scan probe or a connector task
|Discovers and probes webmin web services
|Discovers WiFi networks within range of Explorers or scanners with wireless NICs
|Discovers wsd services, which can include ONVIF data and additional ports to probe
|Reports any data discovered from a wsman endpoint
|Captures the version of discovered Zabbix agents