Rumble Two Ways with Beta 5 #
The last few months have been incredible thanks to our wonderful beta community and their vocal feedback. Quite a few folks asked for a version of Rumble they could use independent of the cloud and Beta 5 delivers it.
The runZero Scanner has undergone a makeover and now handles fingerprinting, asset correlation, and rudimentary reporting, making it far more adaptable for restrictive environments and security consulting. We want the runZero Scanner to be the best possible option for any advanced network discovery task. If you haven't tried the Scanner yet, download a binary and let us know what you think.
The runZero Scanner now generates a directory of output files by default. This directory includes
-
scan.rumble.gz
: The raw scan data, this can be imported or reprocessed via--import
-
assets.jsonl
: The new optimized format for correlated, fingerprinted assets. -
nmap.xml
: A Nmap XML compatible data file that can be imported into various security tools. -
urls.txt
: A list of discovered web services in URL format. -
assets.html
: A rudimentary HTML report with screenshots. -
screenshots
: A directory of raw screenshot images, headers in JSON format, and HTML bodies. - Various lists including
addresses.txt
,addresses_all.txt
,hostnames.txt
, anddomains.txt
We are continuing to invest the Rumble asset inventory platform, and this release includes many improvements to the infrastructure, agents, and cloud console.
The inventory now supports asset tags, allowing metadata such as asset owners, locations, and field notes to be set, cleared, and queried. Tags provide a simple way to organize, flag, and communicate with colleagues about assets.
Two new export formats are available; JSONL
, a more efficient option for processing large exports, and Nmap® XML
, a format widely supported by security tools. Exports are now streamed on download, making more efficient clients easier to implement.
User profiles can now be configured to required FIDO2 WebAuthn security tokens for multi-factor authentication. We believe WebAuthn is the best standard available today, but if you prefer something else for MFA, please let us know.
Check out the release notes below for a complete list of changes since Beta 4 and drop us a line if you have any questions, suggestions, or feedback.
Release Notes #
-
The runZero Scanner has been revamped with a fancy new terminal interface and updated options. Major changes include support for asset correlation, fingerprinting, and artifact generation. The runZero Scanner documentation has been updated to match.
-
The Inventory now supports setting, clearing, and searching based on Tags. Tags are key-value pairs that can signify organization structure or process. Good uses of Tags include setting the location of an asset, indicating the asset owner, or noting that an asset is part of a critical business process.
-
The Inventory now displays Comments as a column by default, making it easy to set, view, clear, and search for quick notes. Comments can be useful for coordinating remediation or maintenance tasks.
-
The Inventory now supports searching and exporting based on Site names (
site:"Name"
). -
The default export format is now JSONL. This format requires less memory to process in most client applications, as each record is separated by a newline.
-
Exports (API and via Inventory) now stream their responses, allow for more efficient client applications.
-
The Inventory can now export a Nmap® XML compatible document, complete with an XSL template that produces a lovely report.
-
User profiles can be configured to require FIDO2 WebAuthn compatible security tokens, such as the Yubico YubiKey and Google Titan devices.
-
The Tasks screen now shows failed tasks by default and can list all failed tasks via a new tab.
-
The original scan data for a given task can be downloaded from the Task details page. This data can be fed into the new runZero Scanner, re-uploaded as an Import, or used in your own internal processes.
-
AWS S3 is now used for screenshots, scan data, and change reports. This should improve performance and help us maintain a consistent approach to server-side data encryption and data lifecycles.
-
Agents try much harder to deliver their scan data. The default is a direct upload to AWS S3 using a per-scan pre-signed URL, with a fallback method that uses an endpoint of the Rumble Hub instead.
-
Agents will now load environment settings from $install/.env, allowing for easier configuration of proxy support and other environment-based settings.
-
FreeBSD is now a supported platform for the runZero Scanner. We are still looking into full support of BSD-like platforms for the agent and would love to know if there any specific platforms you would like us to support first.
-
The scan engine now reports the overall progress more accurately. The progress is based on the percent of target hosts completed, which has subtle differences for routed versus local segment discovery speeds.
-
The scan engine now detects TCP services via UDP discovery, improving overall coverage with minimal performance costs.
-
The default TCP port list has been adjusted based on real-world scan data of internal networks in order to provide a better trade-off of coverage versus performance.
-
The scan engine received numerous fingerprint and protocol negotiation improvements, including multicast MDNS, improved Ubiquiti discovery, and bug fixes to tje Memcache, Redis, and AMQP handlers.
-
The Agent and Scanner have been upgraded to npcap v0.9981.
* NMAP is a registered trademark of Insecure.Com LLC (and an awesome network scanner!).