Leveraging scan probes

When performing a scan, runZero Explorers and scanners use probes to extract information from open scanned ports. Many probes can be configured using the Probes and SNMP tab of a scan task configuration. All the ports included in the scan scope with an enabled probe will be sent a request and the response will be collected. Some probes will perform additional checks when certain protocols, services, or software are detected in the response.

Most probes can be configured differently for TCP and UDP ports:

TCP ports: These scan probes will run automatically when the specific protocol is detected in the response from a TCP port.
UDP ports: Most scan probes allow you to disable performing requests against UDP ports.

Probes

The table below breaks out the following for each scan probe:

Probe: Name of the protocol, service, or software, linked to a source for additional details.
Port(s): Ports the scanner automatically run these probes on. This is configurable for many UDP probes.
UDP supported: Allows you to disable the probe on UDP, but TCP will still occur if the port is in the scan configuration.
Additional details: Any additional context about the probe.

Probe	Port	UDP supported	Additional details
activemq			Banner match.
adb			Banner match, and any key/value pairs returned by the service.
airplay
ajp			Detection of the AJP protocol via the Shodan integration.
amqp			Banner match.
arp
aws-instances		Y	Integration with Amazon Web Services (AWS) APIs, can be run as scan probe or a connector task.
azure		Y	Integration with Microsoft Azure APIs, can be run as scan probe or a connector task.
azuread		Y	Integration with Microsoft Azure Active Directory (Azure AD) via Azure AD API, can be run as scan probe or a connector task.
backupexec
bacnet	468,084,780,848,808	Y
bedrock		Y
bitdefender-app
cassandra
censys		Y	Integration with Censys Search and Censys Universal Internet Dataset, can be run as scan probe or a connector task.
checkmk	6556		Discovers Checkmk services and reports agent version, asset OS, running services, and process names.
chromecast
citrix
click
coap		Y
couchdb
crestron	41794	Y
crowdstrike		Y	Integration with CrowdStrike Falcon, can be run as scan probe or a connector task.
dahua-dhip		Y	Probes Dahua assets with the proprietary binary DHIP protocol and reports any details received (version, serial number, addresses)
dcerpc
defender365		Y	Integration with Microsoft 365 Defender, can be run as scan probe or a connector task
dns	53	Y
docker			Probes the Docker API for version and system details
dotnet-remoting
drbd
drobo-nasd			Banner match
dtls	44,333,914,433,524,600	Y
echo			Banner match
echo (icmp)		Y
elasticsearch
epm
ftp
gcp		Y	Integration with Google Cloud Platform (GCP), can be run as scan probe or a connector task
genudp		Y	Generic UDP module for internal research purposes
giop			Banner match
googleworkspace		Y	Integration with Google Workspace, can be run as scan probe or a connector task
gpsd			Banner match
http
http2
icmp	623
ike	500	Y
imap
infinispan
influxdb
insightvm		Y	Integration with Rapid7 InsightVM, can be run as scan probe or a connector task; Nexpose data can be pulled into runZero by importing files that were exported from a Nexpose instance
intune		Y	Integration with Microsoft Intune, can be run as scan probe or a connector task
ipmi		Y	Discovers and attempts to pull details from assets responding to IPMI
irc			Banner match
java-rmi			Banner match
jdbc-hsqldb			Banner match
jdwp			Banner match
jetdirect
jms			Banner match
kerberos	88	Y
knxnet		Y
l2t	2228	Y
l2tp		Y
landesk			Detect and query limited version and config info from a LANDESK agent
lantronix	30718	Y
layer2	22,80,135,179,443,3389,5040,7547,62078	Y
ldap		Y
lockdownd
lpd
mdns	5353	Y
memcache	11211	Y
minecraft
miradore		Y	Integration with Miradore MDM via Miradore API, can be run as scan probe or a connector task
mongodb			Banner match
mountd
mssql	1434	Y
munin
mysql
mysqlx			Gathers some of the supported x-plugin capabilities of the remote service,
natpmp	5351	Y
ndmp	10000		Gathers some basic info, like version and status, from the service.
neo4j	7474		Gathers any JSON key/value data available from the service.
nessus		Y
netbios	137	Y
nfs
ntp	123	Y
openvpn	1194	Y
oracledb
pca	5632	Y
pop3
postgresql
pptp
psdisco	987, 9302	Y	Sony PlayStation Discovery Protocol, our probe tried to learn things like the type of PS unit, OS version, ID, hostname, MAC address
qualys		Y	Integration with Qualys Vulnerability Management, Detection, and Respons (VMDR) via Qualys KnowledgeBase API, can be run as scan probe or a connector task
rdp
rdns		Y
redis
rexec
riak
riak-http
rpcbind	111, 2049	Y
rsyncd
rtsp
sentinelone		Y	Integration with SentinelOne API, can be run as scan probe or a connector task
shodan		Y	Integration with Shodan API, can be run as scan probe or a connector task
sip	5060	Y
smb1
smb2
smb3
smtp
snmp	161	Y
sonicwall-sgms
spice
spotify-connect
ssdp	1900	Y
ssh	22	Y
subversion
sunrpc
SYN TCP port scan		Y
teamviewer
telnet
tenable		Y	Integration with Tenable.io and Tenable Nessus Professional via Tenable cloud API , can be run as scan probe or a connector task; all versions of Tenable Nessus are supported through .nessus file imports
tftp	69	Y
tls	443, 3389, 8443, others
ubnt	10001	Y	Discovery protocol used by EdgeRouter devices (and possible other Ubiquiti devices)
upnp	1900, others
vmauthd			Banner match
vmware		Y	Integration with VMware vCenter and ESXi instances, can be run as scan probe or a connector task
vnc
webmin	10000	Y	Discovers and probes webmin web services
wlan-list		Y	Discovers WiFi networks within range of Explorers or scanners with wireless NICs
wsd	3702	Y	Discovers wsd services, which can include ONVIF data and additional ports to probe
wsman			Reports any data discovered from a wsman endpoint
zabbix-agent			Captures the version of discovered Zabbix agents
zookeeper			Banner match

Updated March 23, 2023

Previous: Scanning SNMP Next: Managing Explorers