Published on July 30, 2019

Rumble Two Ways with Beta 5

The last few months have been incredible thanks to our wonderful beta community and their vocal feedback. Quite a few folks asked for a version of Rumble they could use independent of the cloud and Beta 5 delivers it.

The Rumble Scanner has undergone a makeover and now handles fingerprinting, asset correlation, and rudimentary reporting, making it far more adaptable for restrictive environments and security consulting. We want the Rumble Scanner to be the best possible option for any advanced network discovery task. If you haven’t tried the Scanner yet, download a binary and let us know what you think.

The Rumble Scanner now generates a directory of output files by default. This directory includes

  • scan.rumble: The raw scan data, this can be imported or reprocessed via --input-raw
  • assets.jsonl: The new optimized format for correlated, fingerprinted assets.
  • nmap.xml: A Nmap XML compatible data file that can be imported into various security tools.
  • urls.txt: A list of discovered web services in URL format.
  • assets.html: A rudimentary HTML report with screenshots.
  • screenshots: A directory of raw screenshot images, headers in JSON format, and HTML bodies.
  • Various lists including addresses.txt, addresses_all.txt, hostnames.txt, and domains.txt

We are continuing to invest the Rumble asset inventory platform, and this release includes many improvements to the infrastructure, agents, and cloud console.

The inventory now supports asset tags, allowing metadata such as asset owners, locations, and field notes to be set, cleared, and queried. Tags provide a simple way to organize, flag, and communicate with colleagues about assets.

Two new export formats are available; JSONL, a more efficient option for processing large exports, and Nmap® XML, a format widely supported by security tools. Exports are now streamed on download, making more efficient clients easier to implement.

User profiles can now be configured to required FIDO2 WebAuthn security tokens for multi-factor authentication. We believe WebAuthn is the best standard available today, but if you prefer something else for MFA, please let us know.

Check out the release notes below for a complete list of changes since Beta 4 and drop us a line if you have any questions, suggestions, or feedback.

Release Notes

  • The Rumble Scanner has been revamped with a fancy new terminal interface and updated options. Major changes include support for asset correlation, fingerprinting, and artifact generation. The Rumble Scanner documentation has been updated to match.

  • The Inventory now supports setting, clearing, and searching based on Tags. Tags are key-value pairs that can signify organization structure or process. Good uses of Tags include setting the location of an asset, indicating the asset owner, or noting that an asset is part of a critical business process.

  • The Inventory now displays Comments as a column by default, making it easy to set, view, clear, and search for quick notes. Comments can be useful for coordinating remediation or maintenance tasks.

  • The Inventory now supports searching and exporting based on Site names (site:"Name").

  • The default export format is now JSONL. This format requires less memory to process in most client applications, as each record is separated by a newline.

  • Exports (API and via Inventory) now stream their responses, allow for more efficient client applications.

  • The Inventory can now export a Nmap® XML compatible document, complete with an XSL template that produces a lovely report.

  • User profiles can be configured to require FIDO2 WebAuthn compatible security tokens, such as the Yubico YubiKey and Google Titan devices.

  • The Tasks screen now shows failed tasks by default and can list all failed tasks via a new tab.

  • The original scan data for a given task can be downloaded from the Task details page. This data can be fed into the new Rumble Scanner, re-uploaded as an Import, or used in your own internal processes.

  • AWS S3 is now used for screenshots, scan data, and change reports. This should improve performance and help us maintain a consistent approach to server-side data encryption and data lifecycles.

  • Agents try much harder to deliver their scan data. The default is a direct upload to AWS S3 using a per-scan pre-signed URL, with a fallback method that uses an endpoint of the Rumble Hub instead.

  • Agents will now load environment settings from $install/.env, allowing for easier configuration of proxy support and other environment-based settings.

  • FreeBSD is now a supported platform for the Rumble Scanner. We are still looking into full support of BSD-like platforms for the agent and would love to know if there any specific platforms you would like us to support first.

  • The scan engine now reports the overall progress more accurately. The progress is based on the percent of target hosts completed, which has subtle differences for routed versus local segment discovery speeds.

  • The scan engine now detects TCP services via UDP discovery, improving overall coverage with minimal performance costs.

  • The default TCP port list has been adjusted based on real-world scan data of internal networks in order to provide a better trade-off of coverage versus performance.

  • The scan engine received numerous fingerprint and protocol negotiation improvements, including multicast MDNS, improved Ubiquiti discovery, and bug fixes to tje Memcache, Redis, and AMQP handlers.

  • The Agent and Scanner have been upgraded to npcap v0.9981.

* NMAP is a registered trademark of Insecure.Com LLC (and an awesome network scanner!).

Similar Content

Scanning for HTTP/2 with Rumble
Published on August 15, 2019
This Tuesday, Jonathan Looney, a researcher at Netflix, disclosed seven different ways to break common HTTP/2 protocol implementations, while an eighth issue was disclosed by Piotr Sikora of Google. These issues could be used to exhaust the resources of affected HTTP/2 implementations. Shortly after the HTTP/2 issues were disclosed, a Rumble user reached out asking if we could help identify HTTP/2 endpoints on their network. We are happy to announce that as of version 0.
Hunting for Network Bridges with Rumble
Published on August 5, 2019
Thanks to the wonderful user feedback from Beta 5, a handful of bug fixes and improvements have been deployed along with a new feature: Network Bridge Detection! The bridge report shows external networks in red, internal networks in green, and multihomed assets that bridge these networks in orange. Zooming in will show asset and subnet details, while clicking a node will take you to the asset page for bridge nodes and to a CIDR-based inventory search for network nodes.
Better TCP Scans Through UDP Discovery
Published on June 11, 2019
One of the trickiest parts of network discovery is balancing thoroughness with speed. We strive to provide a fast, low-impact scan by default, but also try to include as many services and protocols as possible. Today we released version 0.7.5 of the Rumble Agent and Rumble Scanner. This version increases the default port coverage from 100 TCP ports to more than 400, while also supporting discovery and fingerprinting of additional TCP services by leveraging UDP discovery protocols.