Using the Scanner

The Rumble Scanner

Rumble includes a standalone command-line Scanner that can be used to perform network discovery without access to the internet. The Scanner has the same options and similar performance characteristics to the agent. The Scanner output file named scan.rumble can be uploaded to the Rumble Console through the Inventory Import menu.

The Scanner works best with root privileges on Linux/macOS and Administrator privileges on Windows. Although the scanner will function without privileged access, many probe types will be unavailable. The sudo command can be used to run the scanner as root on Linux and macOS, while the tool is best run from an elevated command shell on Windows. On the Windows platform, the Rumble Scanner will look for an existing npcap installation and try to install it if the software is not found. This behavior can be disabled with the --nopcap flag.

The Rumble Scanner defaults to a semi-interactive terminal interface that writes multiple output files to a directory. The default directory name is rumble-[current-date]. To switch to plain text output, use the --text option. To skip artifact generation and only produce the raw JSON output file, use the flags --text -o disable --output-raw scan.rumble.

Input can be provided as arguments on the command-line or by specifying an input file using the --input (or -i) parameter. Input can consist of specific IPv4 addresses or IPv4 CIDRs. Supported formats include 10.0.0.1, 10.0.0.0/24, 10.0.0.0/255.255.255.0, 10.0.0.1-10.0.0.255, example.com, and example.com/24. For hostnames, each IPv4 address in the response will be expanded with the optional mask. IPv6 is not yet supported.
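The added example below (not part of the Rumble documentation or the scanner itself) sizes a target list written in the IPv4 formats above and checks it before a scan is launched. The approved-range list, the function names, and the choice to count every address in a block are assumptions; the 1024 figure is the Starter Edition per-scan limit listed on this page.

```python
import ipaddress

STARTER_LIMIT = 1024  # per-scan target limit the page lists for Starter Edition


def to_networks(spec):
    """Convert one target spec to IPv4 networks; None means a hostname spec."""
    spec = spec.strip()
    try:
        if "-" in spec and "/" not in spec:
            first, last = (ipaddress.IPv4Address(p.strip())
                           for p in spec.split("-", 1))
            # A reversed range raises ValueError here instead of being guessed at.
            return list(ipaddress.summarize_address_range(first, last))
        ipaddress.IPv4Address(spec.split("/", 1)[0])
    except ipaddress.AddressValueError:
        return None  # example.com, example.com/24, my-host.example.com
    # strict=False accepts host bits (10.0.0.1/24); dotted netmasks also parse.
    return [ipaddress.ip_network(spec, strict=False)]


def preflight(specs, approved, limit=STARTER_LIMIT):
    """Size a target list and flag specs outside the approved ranges.

    Overlapping specs are counted twice, so 'total' is an upper bound.
    """
    scope = [ipaddress.ip_network(a) for a in approved]
    report = {"total": 0, "hostnames": [], "out_of_scope": []}
    for spec in specs:
        nets = to_networks(spec)
        if nets is None:
            report["hostnames"].append(spec)  # needs DNS; size it separately
            continue
        report["total"] += sum(n.num_addresses for n in nets)
        if not all(any(n.subnet_of(s) for s in scope) for n in nets):
            report["out_of_scope"].append(spec)
    report["over_limit"] = report["total"] > limit
    return report


if __name__ == "__main__":
    # Constructed input: the six formats listed above.
    targets = ["10.0.0.1", "10.0.0.0/24", "10.0.0.0/255.255.255.0",
               "10.0.0.1-10.0.0.255", "example.com", "example.com/24"]
    print(preflight(targets, approved=["10.0.0.0/8"]))
```

Hostname specs are reported separately because their size depends on how many IPv4 addresses the name resolves to at scan time.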

The example below downloads and runs the scanner on a Linux x86_64 host. This URL will be different for your installation. The current download links for your organization are available from the Scanner page of the Rumble Console.

$ wget https://console.rumble.run/download/scanner/[unique-link]/rumble-scanner-linux-amd64.bin
$ chmod +x rumble-scanner-linux-amd64.bin
$ sudo ./rumble-scanner-linux-amd64.bin 192.168.0.0/24 -o output-dir

Please note that the hexadecimal values in the download URL are specific to your account and organization.

Starter Edition Limits

Rumble Starter Edition includes access to a limited version of the Rumble Scanner. This edition has the following restrictions:

  • Each scan is limited to 1024 targets at a time
  • Scanner downloads expire after 90 days
  • No baseline support for asset tracking
  • No API or automatic upload support
  • No product or service integrations
  • Limited report generation

Performance & Scope

The default speed of Rumble scans is limited to 1,000 packets per second with a single pass. This setting works great for reliable wired networks without stateful firewalls between the scanning system and the destination networks. This rate can be changed via the --rate (or -r) option, with a reasonable maximum being 10000 for most networks. On slow unreliable networks, a rate of 300 with --passes set to 3 may provide better results.

A second parameter, --max-host-rate, limits how many packets are sent per second to each individual host. This defaults to 40, which is low, but necessary when scanning low-power embedded devices. In cases where a small number of hosts (or a single host) should be scanned quickly, the --max-host-rate parameter can be increased to match the --rate.

The following example demonstrates a scan of 65,535 TCP ports on all hosts of the 192.168.0.0/24 subnet running at 10,000 packets per second:

$ sudo ./rumble-scanner-linux-amd64.bin 192.168.0.0/24 -r 10000 --tcp-ports 1-65535 -o output-dir

Automatic Web Screenshots

The --screenshots option (default true) introduced in version 0.6.6 tells Rumble to obtain a screenshot of all web services identified during the scan. This feature depends on the system running the agent having a local installation of the Google Chrome or Chromium browsers. The acquired screenshots will be reported as a base64 string, stored in the “screenshot.image” field of the containing service scan result.

Additional Options

The Rumble Scanner supports a wide range of options, including the ability to limit scans to specific ports, probes, and SNMP communities. The --help output provides basic documentation on the available options. An example of this help output is shown below.

C:\Work\> rumble-scanner.exe --help

Rumble Network Discovery Scanner

Usage:
  rumble [flags]
  rumble [command]

Available Commands:
  help        Help about any command
  license     Display license information
  verify      Perform an internal signature verification
  version     Print the version number of rumble

Flags:
      --api-host string                     Specify the Rumble API server hostname (default "console.rumble.run")
      --api-key string                      Specify the Rumble API key
      --api-port uint                       Specify the Rumble API server port (default 443)
      --arp-fast                            Enables fast mode by ARP scanning at the specified rate without delay
      --bacnet-port uint                    The destination port for BACnet probes (default 47808)
  -b, --baseline string                     Use the specified file as an asset baseline for tracking
      --dns-port uint                       The destination port for DNS probes (default 53)
      --dns-resolve-name string             The target hostname for DNS queries (default "www.google.com")
      --dns-trace-domain string             The subdomain to use for trace requests (default "helper.rumble.network")
      --dtls-ports string                   The destination ports for DTLS probes (default "443,3391,4433,5246,5349,5684")
      --exclude string                      Specify scan exclusions
      --excludefile string                  Read exclusions from an input file
  -f, --fingerprints string                 Use the specified directory as an alternate fingerprint database
      --fingerprints-debug                  Enable debug output for the fingerprint processor
  -h, --help                                help for rumble
      --ike-port uint                       The destination port for IKE probes (default 500)
  -I, --import stringArray                  Import existing scan data from the specified input files ('scan.rumble' format)
  -i, --input-targets string                Read scan targets from the specified input file
      --ipmi-port uint                      The destination port for IPMI probes (default 623)
  -G, --max-group-size int                  Set the maximum number of targets to process in each group (default 4096)
  -R, --max-host-rate int                   Set the maximum packets-per-second rate for each individual target (default 40)
      --max-sockets int                     Set the maximum number of concurrent sockets (default 512)
      --mdns-port uint                      The destination port for MDNS probes (default 5353)
      --memcache-port uint                  The destination port for memcached probes (default 11211)
      --mssql-port uint                     The destination port for MSSQL probes (default 1434)
      --nameservers string                  One or more nameservers to use for DNS resolution
      --natpmp-port uint                    The destination port for NATPMP probes (default 5351)
      --netbios-port uint                   The destination port for NetBIOS probes (default 137)
      --nopcap                              Do not attempt to use or install npcap
      --nowait                              Exit the user interface immediately upon completion
      --ntp-port uint                       The destination port for NTP probes (default 123)
      --openvpn-ports string                The destination ports for OpenVPN probes (default "1194")
  -o, --output string                       Output directory for scan results and analysis ('disable' to skip)
      --output-raw string                   Set the raw output file for scan data
      --overwrite                           Overwrite and replace the output directory if it already exists
      --passes int                          Set the number of passes for each probe (default 1)
      --pca-port uint                       The destination port for PCAnywhere probes (default 5632)
      --probes string                       Launch a subset of the probes, comma-delimited (default "arp,bacnet,connect,dns,dtls,echo,ike,ipmi,mdns,memcache,mssql,natpmp,netbios,ntp,openvpn,pca,rdns,rpcbind,arp,sip,snmp,ssdp,syn,tftp,ubnt,wlan-list,wsd")
  -r, --rate int                            Set the maximum packets-per-second rate for the scan (default 1000)
      --rdns-max-concurrent int             The maximum number of concurrent DNS lookups (default 64)
      --rpcbind-port uint                   The destination port for RPCBind probes (default 111)
      --rpcbind-port-nfs uint               The destination port for NFS probes (default 2049)
  -S, --screenshots                         Capture screenshots from scan target web services (default true)
      --sip-port uint                       The destination port for SIP probes (default 5060)
      --snmp-comms string                   The comma-separated list of SNMP v1/v2c communities (default "public,private")
      --snmp-poll-interval uint             The minimum number of seconds between polling each host after initial discovery (default 300)
      --snmp-port uint                      The destination port for SNMP probes (default 161)
      --snmp-timeout uint                   The maximum number of seconds for each walk operation (default 5)
      --snmp-v3-auth-passphrase string      The authentication passphrase
      --snmp-v3-auth-protocol string        The authentication protocol (none, md5, sha) (default "none")
      --snmp-v3-context string              The optional SNMP v3 context to supply
      --snmp-v3-privacy-passphrase string   The privacy passphrase
      --snmp-v3-privacy-protocol string     The privacy protocol (none, des, aes) (default "none")
      --snmp-v3-username string             The username to use for SNMP v3 authentication
      --ssdp-port uint                      The destination port for UPNP/SSDP probes (default 1900)
      --syn-max-retries uint                The maximum number of retries trace and SYN requests (default 2)
      --syn-udp-trace-port uint             The UDP port number to use for UDP trace requests (default 65535)
  -p, --tcp-ports string                    The list of TCP ports scan using the syn and connect probes (default "1,7,9,13,19,21,22,23,25,37,42,49,53,69,79,80,81,82,83,84,85,88,102,105,109,110,111,113,123,135,137,139,143,161,179,222,264,384,389,402,407,443,445,465,500,502,512,513,515,523,524,540,548,554,587,617,623,631,636,689,705,771,783,873,888,902,910,912,921,993,995,998,1000,1024,1030,1035,1080,1089,1090,1091,1098,1099,1100,1101,1102,1103,1128,1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433,1440,1494,1521,1530,1533,1581,1582,1583,1604,1720,1723,1755,1811,1883,1900,2000,2049,2082,2083,2100,2103,2121,2181,2199,2207,2222,2323,2362,2375,2379,2380,2381,2525,2533,2598,2601,2604,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3311,3312,3351,3389,3460,3500,3628,3632,3690,3780,3790,3817,4000,4322,4433,4443,4444,4445,4567,4659,4679,4730,4840,4848,5000,5038,5040,5051,5060,5061,5093,5168,5222,5247,5250,5351,5353,5355,5400,5405,5432,5433,5498,5520,5521,5554,5555,5560,5580,5601,5631,5632,5666,5672,5683,5800,5814,5900,5920,5938,5984,5985,6000,6001,6002,6050,6060,6070,6080,6082,6101,6106,6112,6262,6379,6405,6502,6503,6504,6542,6660,6661,6667,6905,6988,7001,7021,7071,7077,7080,7144,7181,7210,7443,7474,7510,7547,7579,7580,7700,7770,7777,7778,7787,7800,7801,7879,7902,8000,8008,8009,8012,8014,8020,8023,8028,8030,8080,8081,8087,8088,8089,8090,8095,8098,8161,8180,8205,8222,8300,8303,8333,8400,8443,8471,8503,8545,8686,8800,8812,8834,8880,8883,8888,8899,8901,8902,8903,9000,9002,9042,9060,9080,9081,9084,9090,9092,9099,9100,9111,9152,9160,9200,9300,9390,9391,9418,9443,9471,9495,9809,9855,9595,9527,9530,9999,10000,10001,10008,10050,10051,10080,10098,10162,10202,10203,10443,10616,10628,11000,11099,11211,11234,11333,12174,12203,12221,12345,12397,12401,13364,13500,13838,14330,15200,15672,16102,17185,17200,18264,18881,19300,19810,19888,20000,20010,20031,20034,20101,20111,20171,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27019,27080,27888,28017,28222,28784,30000,30718,31001,31099,32764,32913,34205,34443,34962,34963,34964,37718,37777,38080,38292,40007,41025,41080,41523,41524,44334,44818,45230,46823,46824,47001,47002,48899,49152,50000,50013,50070,50090,52302,55553,57772,61616,62078,62514,65535")
      --text                                Force text-only mode (no console ui)
      --tftp-ports string                   The destination ports for TFTP probes (default "69")
      --ubnt-port uint                      The destination port for Ubiquiti probes (default 10001)
      --upload                              Automatically upload scan results to the Rumble Console
  -u, --upload-site string                  Specify an optional Site ID or Name to upload the raw scan results to (default "Primary")
  -v, --verbose                             Display verbose output
      --wlan-list-poll-interval uint        The minimum number of seconds between polling the access point list (default 300)
      --wsd-port uint                       The destination port for WSD probes (default 3702)

Use "rumble [command] --help" for more information about a command.

Scan Outputs

The Rumble Scanner generates a directory of output files by default. This directory includes the following items.

  • scan.rumble: The raw scan data; this can be imported or reprocessed via --import.
  • assets.jsonl: The new optimized format for correlated, fingerprinted assets.
  • nmap.xml: An Nmap XML-compatible data file that can be imported into various security tools.
  • urls.txt: A list of discovered web services in URL format.
  • protocols.csv: A list of protocols with their ports and URLs.
  • assets.html: A rudimentary HTML report with screenshots.
  • screenshots: A directory of raw screenshot images, headers in JSON format, and HTML bodies.
  • Various lists including addresses.txt, addresses_all.txt, hostnames.txt, and domains.txt

Raw Scan Data

The Rumble Scanner raw data is stored in a file named scan.rumble within the output directory. This file contains JSONL-formatted records. An example ARP response record is shown below.

{
  "type": "result",
  "host": "192.168.0.1",
  "port": "0",
  "proto": "arp",
  "probe": "arp",
  "name": "192.168.0.1",
  "info": {
    "mac": "f0:9f:c2:11:1a:13",
    "macDateAdded": "2014-12-17",
    "macVendor": "Ubiquiti Networks Inc."
  },
  "ts": 1551584126253853200
}

The info field is a JSON map of strings to strings. Multiple values are encoded using the tab character (0x09) as the separator; tab characters within a value are otherwise escaped as \t (along with \r and \n for carriage return and line feed bytes and \x00 for null bytes). Rumble scans may return more than one record of the same type for the same host if multiple responses were received.

In addition to the result type, there are also records for status messages, stats, and an initial config type that contains the scan parameters.
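The added example below (not Rumble's own code) reads scan.rumble text as described above: it tallies record types, keeps the result records grouped by host, and splits each info value on tab before decoding the four escapes the page names. The sample records, the "names" and "note" keys, and the one-record-per-line layout are constructed; how a literal backslash is represented is not stated on the page, so other sequences are left untouched.

```python
import json
import re
from collections import defaultdict

_ESC = {"t": "\t", "r": "\r", "n": "\n", "x00": "\x00"}


def split_values(raw):
    """Split one info value on real tabs, then decode \\t, \\r, \\n and \\x00."""
    return [re.sub(r"\\(x00|[trn])", lambda m: _ESC[m.group(1)], part)
            for part in raw.split("\t")]


def load_results(text):
    """Return ({host: [result, ...]}, {record_type: count}) for scan.rumble text."""
    hosts, kinds = defaultdict(list), defaultdict(int)
    # split("\n") rather than splitlines(): the latter also breaks on characters
    # such as U+2028 that may legally appear unescaped inside a JSON string.
    for line in text.split("\n"):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rec = None
        if not isinstance(rec, dict):
            kinds["malformed"] += 1  # count bad lines rather than abort the load
            continue
        kinds[rec.get("type", "unknown")] += 1
        if rec.get("type") != "result" or "host" not in rec:
            continue  # status, stats and config records are only tallied
        rec["info"] = {k: split_values(v) for k, v in rec.get("info", {}).items()}
        hosts[rec["host"]].append(rec)  # a host may have several records
    return dict(hosts), dict(kinds)


# Constructed sample: one config record, two results for one host, one bad line.
SAMPLE = "\n".join(json.dumps(r) for r in [
    {"type": "config"},
    {"type": "result", "host": "192.168.0.1", "port": "0", "proto": "arp",
     "probe": "arp", "info": {"mac": "f0:9f:c2:11:1a:13"}},
    {"type": "result", "host": "192.168.0.1", "port": "137", "proto": "udp",
     "probe": "netbios", "info": {"names": "GATEWAY\tWORKGROUP", "note": "a\\tb"}},
]) + "\nnot-json\n"

if __name__ == "__main__":
    by_host, counts = load_results(SAMPLE)
    print(counts)
    for host, records in by_host.items():
        print(host, [(r["probe"], r["info"]) for r in records])
```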