Using the Scanner

Rumble includes a standalone command-line Scanner that can be used to perform network discovery without access to the internet. The Scanner has the same options and similar performance characteristics to the agent. The Scanner output file named scan.rumble can be uploaded to the Rumble Console through the Inventory Import menu.

The Scanner works best with root privileges on Linux/macOS and Administrator privileges on Windows. Although the scanner will function without privileged access, many probe types will be unavailable. The sudo command can be used to run the scanner as root on Linux and macOS, while the tool is best run from an elevated command shell on Windows. On the Windows platform, the Rumble Scanner will look for an existing npcap installation and try to install it if the software is not found. This behavior can be disabled with the --nopcap flag.

The Rumble Scanner defaults to a semi-interactive terminal interface that writes multiple output files to a directory. The default directory name is rumble-[current-date]. To switch to plain text output, use the --text option. To skip artifact generation and only produce the raw JSON output file, use the flags --text -o disable --output-raw scan.rumble.

Input can be provided as arguments on the command-line or by specifying an input file using the --input (or -i) parameter. Input can consist of specific IPv4 addresses or IPv4 CIDRs. Supported formats include 10.0.0.1, 10.0.0.0/24, 10.0.0.0/255.255.255.0, 10.0.0.1-10.0.0.255, example.com, and example.com/24. For hostnames, each IPv4 address in the response will be expanded with the optional mask. IPv6 is not yet supported.

The example below downloads and runs the scanner on a Linux x86_64 host. This URL will be different for your installation. The current download links for your organization are available from the Scanner page of the Rumble Console.

$ wget https://console.rumble.run/download/scanner/[unique-link]/rumble-scanner-linux-amd64.bin
$ chmod +x rumble-scanner-linux-amd64.bin
$ sudo ./rumble-scanner-linux-amd64.bin 192.168.0.0/24 -o output-dir

Please note that the hexadecimal values in the download URL are specific to your account and organization.

Performance & Scope

The default speed of Rumble scans is limited to 1,000 packets per second with a single pass. This setting works great for reliable wired networks without stateful firewalls between the scanning system and the destination networks. This rate can be changed via the --rate (or -r) option, with a reasonable maximum being 10000 for most networks. On slow unreliable networks, a rate of 300 with --passes set to 3 may provide better results.

A second parameter, --max-host-rate, limits how many packets are sent per second to each individual host. This defaults to 40, which is low, but necessary when scanning low-power embedded devices. In cases where a small number of hosts (or a single host) should be scanned quickly, the --max-host-rate parameter can be increased to match the --rate.

The following example demonstrates a scan of 65,535 TCP ports on all hosts of the 192.168.0.0/24 subnet running at 10,000 packets per second:

$ sudo ./rumble-scanner-linux-amd64.bin 192.168.0.0/24 -r 10000 --tcp-ports 1-65535 -o output-dir
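
The following Python sketch is an added example, not part of the Rumble tooling. It counts the addresses covered by the target formats listed earlier and estimates a lower bound on TCP scan time from --rate and --max-host-rate. It assumes a simplified model of one packet per port per pass with no retries or other probes; the function names are hypothetical.

```python
import ipaddress

def count_targets(spec):
    """Addresses covered by one target spec; None if it is a hostname (needs DNS)."""
    spec = spec.strip()
    if "-" in spec and "/" not in spec:            # 10.0.0.1-10.0.0.255
        first, _, last = spec.partition("-")
        try:
            lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        except ValueError:
            return None                            # e.g. my-host.example.com
        if hi < lo:
            raise ValueError(f"reversed range: {spec}")
        return int(hi) - int(lo) + 1
    try:                                           # address, CIDR or dotted netmask
        return ipaddress.IPv4Network(spec, strict=False).num_addresses
    except ValueError:
        return None                                # example.com, example.com/24

def count_ports(ports):
    """Number of ports in a --tcp-ports style list such as '22,80,8000-8010'."""
    total = 0
    for part in ports.split(","):
        lo, _, hi = part.strip().partition("-")
        total += int(hi or lo) - int(lo) + 1
    return total

def min_scan_seconds(specs, tcp_ports, rate=1000, max_host_rate=40, passes=1):
    """Lower bound on TCP scan time under the simplified model (an assumption)."""
    hosts = sum(count_targets(s) or 0 for s in specs)   # hostnames are not counted
    per_host = count_ports(tcp_ports) * passes          # packets sent to each host
    overall = hosts * per_host / rate                   # bounded by --rate
    single = per_host / max_host_rate if hosts else 0   # bounded by --max-host-rate
    return max(overall, single)

if __name__ == "__main__":
    for targets, kw in [(["192.168.0.0/24"], {"rate": 10000}),
                        (["192.168.0.1"], {"rate": 10000}),
                        (["192.168.0.1"], {"rate": 10000, "max_host_rate": 10000})]:
        secs = min_scan_seconds(targets, "1-65535", **kw)
        print(f"{targets} {kw}: at least {secs / 60:.1f} minutes")
```

Under this model a single host scanned across all ports at the default per-host limit takes about as long as the whole /24, which is why raising --max-host-rate matters for small target sets.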

Automatic Web Screenshots

The --screenshots option (default true) introduced in version 0.6.6 tells Rumble to obtain a screenshot of all web services identified during the scan. This feature depends on the system running the agent having a local installation of the Google Chrome or Chromium browsers. The acquired screenshots will be reported as a base64 string, stored in the “screenshot.image” field of the containing service scan result.

Additional Options

The Rumble Scanner supports a wide range of options, including the ability to limit scans to specific ports, probes, and SNMP communities. The --help output provides basic documentation on the available options. An example of this help output is shown below.

C:\Work\> rumble-scanner.exe --help

Rumble Network Discovery Scanner

Usage:
  rumble [flags]
  rumble [command]

Available Commands:
  help        Help about any command
  license     Display license information
  verify      Perform an internal signature verification
  version     Print the version number of rumble

Flags:
      --dns-port uint                       The destination port for DNS probes (default 53)
      --dns-resolve-name string             The target hostname for DNS queries (default "www.google.com")
      --dns-trace-domain string             The subdomain to use for trace requests (default "helper.rumble.network")      
      --exclude string                      Specify scan exclusions
      --excludefile string                  Read exclusions from an input file
  -h, --help                                help for rumble
      --ike-port uint                       The destination port for IKE probes (default 500)
  -I, --import string                       Import existing scan data from the specified input file ('scan.rumble' format)
  -i, --input-targets string                Read scan targets from the specified input file
      --ipmi-port uint                      The destination port for IPMI probes (default 623)
  -G, --max-group-size int                  Set the maximum number of targets to process in each group (default 4096)
  -R, --max-host-rate int                   Set the maximum packets-per-second rate for each individual target (default 40)
      --max-sockets int                     Set the maximum number of concurrent sockets (default 512)
      --mdns-port uint                      The destination port for MDNS probes (default 5353)
      --memcache-port uint                  The destination port for memcached probes (default 11211)
      --mssql-port uint                     The destination port for MSSQL probes (default 1434)
      --nameservers string                  One or more nameservers to use for DNS resolution
      --natpmp-port uint                    The destination port for NATPMP probes (default 5351)
      --netbios-port uint                   The destination port for NetBIOS probes (default 137)
      --nopcap                              Do not attempt to use or install npcap
      --nowait                              Exit the user interface immediately upon completion
  -o, --output string                       Output directory for scan results and analysis ('disable' to skip)
      --output-raw string                   Set the raw output file for scan data
      --overwrite                           Overwrite and replace the output directory if it already exists
      --passes int                          Set the number of passes for each probe (default 1)
      --pca-port uint                       The destination port for PCAnywhere probes (default 5632)
      --probes string                       Launch a subset of the probes, comma-delimited (default "arp,connect,dns,echo,ike,ipmi,mdns,memcache,mssql,natpmp,netbios,pca,rdns,rpcbind,sip,snmp,ssdp,syn,ubnt,wlan-list,wsd")      
  -r, --rate int                            Set the maximum packets-per-second rate for the scan (default 1000)
      --rdns-max-concurrent int             The maximum number of concurrent DNS lookups (default 64)
      --rpcbind-port uint                   The destination port for RPCBind probes (default 111)
  -S, --screenshots                         Capture screenshots from scan target web services (default true)
      --sip-port uint                       The destination port for SIP probes (default 5060)
      --snmp-comms string                   The comma-separated list of SNMP v1/v2c communities (default "public,private")
      --snmp-poll-interval uint             The minimum number of seconds between polling each host after initial discovery (default 30)
      --snmp-port uint                      The destination port for SNMP probes (default 161)
      --snmp-timeout uint                   The maximum number of seconds for each walk operation (default 5)
      --snmp-v3-auth-passphrase string      The authentication passphrase
      --snmp-v3-auth-protocol string        The authentication protocol (none, md5, sha) (default "none")
      --snmp-v3-privacy-passphrase string   The privacy passphrase
      --snmp-v3-privacy-protocol string     The privacy protocol (none, des, aes) (default "none")
      --snmp-v3-username string             The username to use for SNMP v3 authentication
      --ssdp-port uint                      The destination port for UPNP/SSDP probes (default 1900)
      --syn-max-retries uint                The maximum number of retries trace and SYN requests (default 2)
      --syn-udp-trace-port uint             The UDP port number to use for UDP trace requests (default 65535)
  -p, --tcp-ports string                    The list of TCP ports scan using the syn and connect probes (default "1,7,9,13,19,21,22,23,25,37,42,49,53,69,79,80,81,82,83,84,85,88,102,105,109,110,111,113,123,135,137,139,143,161,179,222,264,384,389,402,407,443,445,465,500,502,512,513,515,523,524,540,548,554,587,617,623,631,636,689,705,771,783,873,888,902,910,912,921,993,995,998,1000,1024,1030,1035,1080,1089,1090,1091,1098,1099,1100,1101,1102,1103,1128,1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433,1440,1494,1521,1530,1533,1581,1582,1583,1604,1720,1723,1755,1811,1883,1900,2000,2049,2082,2083,2100,2103,2121,2181,2199,2207,2222,2323,2362,2375,2379,2380,2381,2525,2533,2598,2601,2604,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3311,3312,3351,3389,3460,3500,3628,3632,3690,3780,3790,3817,4000,4322,4433,4443,4444,4445,4567,4659,4679,4730,4840,4848,5000,5038,5040,5051,5060,5061,5093,5168,5222,5247,5250,5351,5353,5355,5400,5405,5432,5433,5498,5520,5521,5554,5555,5560,5580,5601,5631,5632,5666,5672,5683,5800,5814,5900,5920,5938,5984,5985,6000,6001,6002,6050,6060,6070,6080,6082,6101,6106,6112,6262,6379,6405,6502,6503,6504,6542,6660,6661,6667,6905,6988,7001,7021,7071,7077,7080,7144,7181,7210,7443,7474,7510,7547,7579,7580,7700,7770,7777,7778,7787,7800,7801,7879,7902,8000,8008,8009,8012,8014,8020,8023,8028,8030,8080,8081,8087,8088,8089,8090,8095,8098,8161,8180,8205,8222,8300,8303,8333,8400,8443,8471,8503,8545,8686,8800,8812,8834,8880,8883,8888,8899,8901,8902,8903,9000,9002,9042,9060,9080,9081,9084,9090,9092,9099,9100,9111,9152,9160,9200,9300,9390,9391,9418,9443,9471,9495,9809,9855,9999,10000,10001,10008,10050,10051,10080,10098,10162,10202,10203,10443,10616,10628,11000,11099,11211,11234,11333,12174,12203,12221,12345,12397,12401,13364,13500,13838,14330,15200,15672,16102,17185,17200,18264,18881,19300,19810,19888,20000,20010,20031,20034,20101,20111,20171,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27019,27080,27888,28017,28222,28784,30000,30718,31001,31099,32764,32913,34205,34443,34962,34963,34964,37718,37777,38080,38292,40007,41025,41080,41523,41524,44334,44818,45230,46823,46824,47001,47002,48899,49152,50000,50013,50070,50090,52302,55553,57772,61616,62078,62514,65535")
      --text                                Force text-only mode (no console ui)
      --ubnt-port uint                      The destination port for Ubiquiti probes (default 10001)
  -v, --verbose                             Display verbose output
      --wlan-list-poll-interval uint        The minimum number of seconds between polling the access point list (default 300)  
      --wsd-port uint                       The destination port for WSD probes (default 3702)

Use "rumble [command] --help" for more information about a command.

Scan Outputs

The Rumble Scanner generates a directory of output files by default. This directory includes the following items.

  • scan.rumble: The raw scan data, which can be imported or reprocessed via --import.
  • assets.jsonl: The new optimized format for correlated, fingerprinted assets.
  • nmap.xml: An Nmap XML-compatible data file that can be imported into various security tools.
  • urls.txt: A list of discovered web services in URL format.
  • assets.html: A rudimentary HTML report with screenshots.
  • screenshots: A directory of raw screenshot images, headers in JSON format, and HTML bodies.
  • Various lists including addresses.txt, addresses_all.txt, hostnames.txt, and domains.txt

Raw Scan Data

The Rumble Scanner raw data is stored in a file named scan.rumble within the output directory. This file contains JSONL-formatted records. An example ARP response record is shown below.

{
  "type": "result",
  "host": "192.168.0.1",
  "port": "0",
  "proto": "arp",
  "probe": "arp",
  "name": "192.168.0.1",
  "info": {
    "mac": "f0:9f:c2:11:1a:13",
    "macDateAdded": "2014-12-17",
    "macVendor": "Ubiquiti Networks Inc."
  },
  "ts": 1551584126253853200
}

The info field is a JSON map of strings to strings. Multiple values are encoded using the tab character (0x09) as a separator; tab characters that occur within a value are instead escaped as \t (along with \r and \n for carriage return and line feed bytes and \x00 for null bytes). Rumble scans may return more than one record of the same type for the same host if multiple responses were received.

In addition to the result type, there are also records for status messages, stats, and an initial config type that contains the scan parameters.
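
The following Python sketch is an added example, not part of the Rumble tooling. It reads scan.rumble records, splits tab-separated info values, undoes the listed escapes, and groups results by host and probe. The "config" and "status" type strings, the netbios record and its field names are constructed for illustration; the escape handling assumes the escapes appear as literal backslash sequences after JSON decoding.

```python
import json
import re
from collections import defaultdict

# Escapes the page lists for bytes that occur inside a single value.
_ESCAPES = {"\\t": "\t", "\\r": "\r", "\\n": "\n", "\\x00": "\x00"}
_ESC_RE = re.compile(r"\\(?:t|r|n|x00)")

def split_info_value(raw):
    """Split one info string on real tabs, then undo the escapes in each value."""
    return [_ESC_RE.sub(lambda m: _ESCAPES[m.group(0)], v) for v in raw.split("\t")]

def load_results(lines):
    """Return (host -> probe -> [info dicts], counts of non-result record types)."""
    hosts = defaultdict(lambda: defaultdict(list))
    other = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            other["<unparseable>"] += 1      # truncated file, partial write
            continue
        if rec.get("type") != "result":
            other[rec.get("type", "<missing>")] += 1
            continue
        info = {k: split_info_value(v) for k, v in rec.get("info", {}).items()}
        # A host can answer the same probe more than once, so keep a list.
        hosts[rec["host"]][rec["probe"]].append(info)
    return hosts, other

# Constructed sample; only the ARP result record is taken from the page.
SAMPLE = [
    r'{"type": "config", "info": {}}',
    r'{"type": "result", "host": "192.168.0.1", "port": "0", "proto": "arp", '
    r'"probe": "arp", "name": "192.168.0.1", "info": {"mac": "f0:9f:c2:11:1a:13", '
    r'"macDateAdded": "2014-12-17", "macVendor": "Ubiquiti Networks Inc."}, '
    r'"ts": 1551584126253853200}',
    r'{"type": "result", "host": "192.168.0.1", "port": "137", "proto": "udp", '
    r'"probe": "netbios", "info": {"names": "ROUTER\tWORKGROUP", '
    r'"banner": "line1\\nline2"}, "ts": 1551584126253853300}',
    r'{"type": "status", "info": {}}',
    '{"type": "result", "host": "192.168',
]

if __name__ == "__main__":
    hosts, other = load_results(SAMPLE)
    print({h: dict(p) for h, p in hosts.items()}, dict(other))
```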