Better TCP Scans Through UDP Discovery
One of the trickiest parts of network discovery is balancing thoroughness with speed. We strive to provide a fast, low-impact scan by default, but also try to include as many services and protocols as possible.
Today we released version
0.7.5 of the Rumble Agent and Rumble Scanner. This version increases the default port coverage from 100 TCP ports to more than 400, while also supporting discovery and fingerprinting of
additional TCP services by leveraging UDP discovery protocols.
Rumble will now automatically scan and fingerprint TCP services identified through multicast ZeroConf (mDNS) SRV records, advertised via UPnP SSDP locations, returned in Microsoft SQL Server discovery responses, enumerated via SunRPC portmapper responses, included in WSD probe replies, and identified via HTTP redirects. Combined, these discovery methods substantially improve TCP service coverage without a major impact on scan durations.
Multicast ZeroConf discovery is now used to identify Apple macOS version and hardware model information, along with a ton of useful information from ZeroConf-enabled network devices.
In addition to increased port coverage and UDP-based TCP discovery, the default scan parameters have been slightly tweaked to improve performance while also increasing scan reliability of low-power devices. The default
Scan Rate has been increased from
1000 while the Max Host Rate dropped from
As part of the UPnP SSDP changes, the UPnP device description (XML) is also automatically retrieved and recorded.
0.7.6 of the Rumble Agent and Rumble Scanner will also track how the TCP service was discovered. An example of a TCP service found via SSDP is shown below.
Going forward we plan to leverage cross-service discovery whenever possible while also aiming to keep scan speeds consistent with their current levels. Candidates for future cross-service discovery include the Netstat daemon, SNMP v1/v2c, and the Microsoft RPC Endpoint Mapper. Existing recurring scans will continue to use the old port settings, but as of Beta 4, can be updated via the
Modify action on the Tasks screen.
To update an existing scan to match the new defaults, set the Scan Rate to
1000, the Max Host Rate to
40, and the TCP Ports to following list:
April 13, 2021
Rumble 2.1: Notification Templates, AWS EC2 Enrichment, and Cisco SNTC Exports
Rumble Network Discovery 2.1 Rumble 2.1 is now live with support for custom notification templates, AWS EC2 scan enrichment, Cisco serial number exports for SNTC, faster exports, more flexible imports, an updated Splunk Addon, and much more! Custom notification emails and …Read More
March 16, 2021
Rumble 2.0: Automation, Subnet Discovery, ServiceNow, and More!
Rumble Network Discovery 2.0 Rumble 2.0 is now live with alert and asset automation via the Rules Engine, ridiculously fast scans with subnet discovery, cross-organization management via the Account API, support for ServiceNow CMDB integration, an automated query dashboard, …Read More
August 6, 2020
Recog Development with Rumble
Overview Recog may be one of the most underrated open source security projects of all time. Recog started off in the early 2000s as the fingerprinting backend for Rapid7’s Nexpose (aka InsightVM) vulnerability scanner. It was released as open source in 2014 and …Read More