Leveraging scan probes

When performing a scan, runZero Explorers and scanners use probes to extract information from open scanned ports. Many probes can be configured using the Probes and SNMP tab of a scan task configuration. All the ports included in the scan scope with an enabled probe will be sent a request and the response will be collected. Some probes will perform additional checks when certain protocols, services, or software are detected in the response.

Most probes can be configured differently for TCP and UDP ports:

  • TCP ports: These scan probes will run automatically when the specific protocol is detected in the response from a TCP port.
  • UDP ports: Most scan probes allow you to disable performing requests against UDP ports.

Probes

The table below breaks out the following for each scan probe:

  • Probe: Name of the protocol, service, or software, linked to a source for additional details.
  • Port(s): Ports the scanner automatically runs these probes on. This is configurable for many UDP probes.
  • UDP supported: Allows you to disable the probe on UDP; the TCP probe will still run if the port is in the scan configuration.
  • Additional details: Any additional context about the probe.

| Probe | Port(s) | UDP supported | Additional details |
|---|---|---|---|
| activemq | | | Banner match. |
| adb | | | Banner match, and any key/value pairs returned by the service. |
| airplay | | | |
| ajp | | | Detection of the AJP protocol via the Shodan integration. |
| amqp | | | Banner match. |
| arp | | | |
| aws-instances | | Y | Integration with Amazon Web Services (AWS) APIs, can be run as a scan probe or a connector task. |
| azure | | Y | Integration with Microsoft Azure APIs, can be run as a scan probe or a connector task. |
| azuread | | Y | Integration with Microsoft Azure Active Directory (Azure AD) via Azure AD API, can be run as a scan probe or a connector task. |
| backupexec | | | |
| bacnet | 46808, 47808, 48808 | Y | |
| bedrock | | Y | |
| bitdefender-app | | | |
| cassandra | | | |
| censys | | Y | Integration with Censys Search and Censys Universal Internet Dataset, can be run as a scan probe or a connector task. |
| checkmk | 6556 | | Discovers Checkmk services and reports agent version, asset OS, running services, and process names. |
| chromecast | | | |
| citrix | | | |
| click | | | |
| coap | | Y | |
| couchdb | | | |
| crestron | 41794 | Y | |
| crowdstrike | | Y | Integration with CrowdStrike Falcon, can be run as a scan probe or a connector task. |
| dahua-dhip | | Y | Probes Dahua assets with the proprietary binary DHIP protocol and reports any details received (version, serial number, addresses). |
| dcerpc | | | |
| defender365 | | Y | Integration with Microsoft 365 Defender, can be run as a scan probe or a connector task. |
| dns | 53 | Y | |
| docker | | | Probes the Docker API for version and system details. |
| dotnet-remoting | | | |
| drbd | | | |
| drobo-nasd | | | Banner match. |
| dtls | 44,333,914,433,524,600 | Y | |
| echo | | | Banner match. |
| echo (icmp) | | Y | |
| elasticsearch | | | |
| epm | | | |
| ftp | | | |
| gcp | | Y | Integration with Google Cloud Platform (GCP), can be run as a scan probe or a connector task. |
| genudp | | Y | Generic UDP module for internal research purposes. |
| giop | | | Banner match. |
| googleworkspace | | Y | Integration with Google Workspace, can be run as a scan probe or a connector task. |
| gpsd | | | Banner match. |
| http | | | |
| http2 | | | |
| icmp | 623 | | |
| ike | 500 | Y | |
| imap | | | |
| infinispan | | | |
| influxdb | | | |
| insightvm | | Y | Integration with Rapid7 InsightVM, can be run as a scan probe or a connector task; Nexpose data can be pulled into runZero by importing files that were exported from a Nexpose instance. |
| intune | | Y | Integration with Microsoft Intune, can be run as a scan probe or a connector task. |
| ipmi | | Y | Discovers and attempts to pull details from assets responding to IPMI. |
| irc | | | Banner match. |
| java-rmi | | | Banner match. |
| jdbc-hsqldb | | | Banner match. |
| jdwp | | | Banner match. |
| jetdirect | | | |
| jms | | | Banner match. |
| kerberos | 88 | Y | |
| knxnet | | Y | |
| l2t | 2228 | Y | |
| l2tp | | Y | |
| landesk | | | Detects and queries limited version and config info from a LANDESK agent. |
| lantronix | 30718 | Y | |
| layer2 | 22, 80, 135, 179, 443, 3389, 5040, 7547, 62078 | Y | |
| ldap | | Y | |
| lockdownd | | | |
| lpd | | | |
| mdns | 5353 | Y | |
| memcache | 11211 | Y | |
| minecraft | | | |
| miradore | | Y | Integration with Miradore MDM via Miradore API, can be run as a scan probe or a connector task. |
| mongodb | | | Banner match. |
| mountd | | | |
| mssql | 1434 | Y | |
| munin | | | |
| mysql | | | |
| mysqlx | | | Gathers some of the supported x-plugin capabilities of the remote service. |
| natpmp | 5351 | Y | |
| ndmp | 10000 | | Gathers some basic info, like version and status, from the service. |
| neo4j | 7474 | | Gathers any JSON key/value data available from the service. |
| nessus | | Y | |
| netbios | 137 | Y | |
| nfs | | | |
| ntp | 123 | Y | |
| openvpn | 1194 | Y | |
| oracledb | | | |
| pca | 5632 | Y | |
| pop3 | | | |
| postgresql | | | |
| pptp | | | |
| psdisco | 987, 9302 | Y | Sony PlayStation Discovery Protocol; our probe tries to learn things like the type of PS unit, OS version, ID, hostname, and MAC address. |
| qualys | | Y | Integration with Qualys Vulnerability Management, Detection, and Response (VMDR) via Qualys KnowledgeBase API, can be run as a scan probe or a connector task. |
| rdp | | | |
| rdns | | Y | |
| redis | | | |
| rexec | | | |
| riak | | | |
| riak-http | | | |
| rpcbind | 111, 2049 | Y | |
| rsyncd | | | |
| rtsp | | | |
| sentinelone | | Y | Integration with SentinelOne API, can be run as a scan probe or a connector task. |
| shodan | | Y | Integration with Shodan API, can be run as a scan probe or a connector task. |
| sip | 5060 | Y | |
| smb1 | | | |
| smb2 | | | |
| smb3 | | | |
| smtp | | | |
| snmp | 161 | Y | |
| sonicwall-sgms | | | |
| spice | | | |
| spotify-connect | | | |
| ssdp | 1900 | Y | |
| ssh | 22 | Y | |
| subversion | | | |
| sunrpc | | | |
| SYN | TCP port scan | Y | |
| teamviewer | | | |
| telnet | | | |
| tenable | | Y | Integration with Tenable.io and Tenable Nessus Professional via Tenable cloud API, can be run as a scan probe or a connector task; all versions of Tenable Nessus are supported through .nessus file imports. |
| tftp | 69 | Y | |
| tls | 443, 3389, 8443, others | | |
| ubnt | 10001 | Y | Discovery protocol used by EdgeRouter devices (and possibly other Ubiquiti devices). |
| upnp | 1900, others | | |
| vmauthd | | | Banner match. |
| vmware | | Y | Integration with VMware vCenter and ESXi instances, can be run as a scan probe or a connector task. |
| vnc | | | |
| webmin | 10000 | Y | Discovers and probes webmin web services. |
| wlan-list | | Y | Discovers WiFi networks within range of Explorers or scanners with wireless NICs. |
| wsd | 3702 | Y | Discovers wsd services, which can include ONVIF data and additional ports to probe. |
| wsman | | | Reports any data discovered from a wsman endpoint. |
| zabbix-agent | | | Captures the version of discovered Zabbix agents. |
| zookeeper | | | Banner match. |