Using the Scanner

Rumble includes a standalone command-line Scanner that can be used to perform network discovery without access to the internet. The Scanner has the same options as the agent and similar performance characteristics. The Scanner output can be uploaded to the Rumble Console through the Inventory Import menu.

The Scanner works best with root privileges on Linux/macOS and Administrator privileges on Windows. Although the scanner will function without privileged access, many probe types will be unavailable. The sudo command can be used to run the scanner as root on Linux and macOS, while the tool is best run from an elevated command shell on Windows. On the Windows platform, the Rumble Scanner will look for an existing npcap installation and try to install it if the software is not found. This behavior can be disabled with the --nopcap flag.

The output of the Rumble Scanner defaults to the console for both JSON data and status messages. In most situations it makes sense to redirect the output to a file, using the --output (or -o) parameter.

Input can be provided as arguments on the command-line or by specifying an input file using the --input (or -i) parameter. Input can consist of specific IPv4 addresses or IPv4 CIDRs. Supported formats include 10.0.0.1, 10.0.0.0/24, 10.0.0.0/255.255.255.0, 10.0.0.1-10.0.0.255, example.com, and example.com/24. For hostnames, each IPv4 address in the response will be expanded with the optional mask. IPv6 is not yet supported.

The example below downloads and runs the scanner on a Linux x86_64 host. This URL will be different for your installation. The current download links for your organization are available from the Tools page of the Rumble Console.

$ wget https://console.rumble.run/download/scanner/[unique-organization-token]/[timestamp]/rumble-scanner-linux-amd64.bin
$ chmod +x rumble-scanner-linux-amd64.bin
$ sudo ./rumble-scanner-linux-amd64.bin 192.168.0.0/24 -o myscan.out

Please note that the hexadecimal values in the download URL are specific to your account and organization.

Performance & Scope

The default speed of Rumble scans is limited to 3,000 packets per second with a single pass. This setting works great for reliable wired networks without stateful firewalls between the scanning system and the destination networks. This rate can be changed via the --rate (or -r) option, with a reasonable maximum being 10000 for most networks. On slow unreliable networks, a rate of 300 with --passes set to 3 may provide better results.

A second parameter, --max-host-rate, limits how many packets are sent per second to each individual host. This defaults to 50, which is low, but necessary when scanning low-power embedded devices. In cases where a small number of hosts (or a single host) should be scanned quickly, the --max-host-rate parameter can be increased to match the --rate.

The following example demonstrates a scan of 65,535 TCP ports on all hosts of the 192.168.0.0/24 subnet running at 10,000 packets per second:

$ sudo ./rumble-scanner-linux-amd64.bin 192.168.0.0/24 -r 10000 --tcp-ports 1-65535 -o myscan.out

Automatic Web Screenshots

The --screenshots option (default true) introduced in version 0.6.6 tells Rumble to obtain a screenshot of all web services identified during the scan. This feature depends on the system running the agent having a local installation of the Google Chrome or Chromium browsers. The acquired screenshots will be reported as a base64 string, stored in the “screenshot.image” field of the containing service scan result.

Additional Options

The Rumble Scanner supports a wide range of options, including the ability to limit scans to specific ports, probes, and SNMP communities. The --help output provides basic documentation on the available options. An example of this help output is shown below.

C:\Work\> rumble-scanner.exe --help
Rumble Network Discovery Scanner

Usage:
  rumble [flags]
  rumble [command]

Available Commands:
  help        Help about any command
  license     Display license information
  verify      Perform an internal signature verification
  version     Print the version number of rumble

Flags:
      --dns-port uint             The destination port for DNS probes (default 53)
      --dns-resolve-name string   The target hostname for DNS queries (default "www.google.com")
      --dns-trace-domain string   The subdomain to use for trace requests (default "helper.rumble.network")
      --exclude string            Specify scan exclusions
      --excludefile string        Read exclusions from an input file
  -h, --help                      help for rumble
  -i, --input string              Read scan targets from an input file
  -R, --max-host-rate int         Set the maximum packets-per-second rate for each individual target (default 50)
      --max-sockets int           Set the maximum number of concurrent sockets (default 512)
      --mdns-port uint            The destination port for MDNS probes (default 5353)
      --memcache-port uint        The destination port for memcached probes (default 11211)
      --mssql-port uint           The destination port for MSSQL probes (default 1434)
      --nameservers string        One or more nameservers to use for DNS resolution
      --natpmp-port uint          The destination port for NATPMP probes (default 5351)
      --netbios-port uint         The destination port for NetBIOS probes (default 137)
      --nopcap                    Do not attempt to use or install npcap
  -o, --output string             Set the output file for scan results
      --passes int                Set the number of passes for each probe (default 1)
      --pca-port uint             The destination port for PCAnywhere probes (default 5632)
      --probes string             Launch a subset of the probes, comma-delimited (default "arp,connect,dns,...")
  -r, --rate int                  Set the maximum packets-per-second rate for the scan (default 500)
      --rdns-max-concurrent int   The maximum number of concurrent DNS lookups (default 64)
      --rpcbind-port uint         The destination port for RPCBind probes (default 111)
  -S, --screenshots               Capture screenshots from scan target web services (default true)
      --sip-port uint             The destination port for SIP probes (default 5060)
      --snmp-comms string         The comma-separated list of SNMP v1/v2c communities (default "public,private")
      --snmp-port uint            The destination port for SNMP probes (default 161)
      --ssdp-port uint            The destination port for UPNP/SSDP probes (default 1900)
      --syn-udp-trace-port uint   The UDP port number to use for UDP trace requests (default 65535)
  -p, --tcp-ports string          The list of TCP ports scan using the syn and connect probes (default "80...")
      --ubnt-port uint            The destination port for Ubiquiti probes (default 10001)
  -v, --verbose                   Display verbose output
      --wsd-port uint             The destination port for WSD probes (default 3702)

Use "rumble [command] --help" for more information about a command.

JSON Output

Rumble Scan records are emitted as individual lines of text encoded as JSON. An example ARP response record is shown below.

{
  "type": "result",
  "host": "192.168.0.1",
  "port": "0",
  "proto": "arp",
  "probe": "arp",
  "name": "192.168.0.1",
  "info": {
    "mac": "f0:9f:c2:11:1a:13",
    "macDateAdded": "2014-12-17",
    "macVendor": "Ubiquiti Networks Inc."
  },
  "ts": 1551584126253853200
}

The info field is a JSON map of strings to strings. Multiple values are separated by the tab character (0x09); tab bytes inside a value are instead escaped as \t (along with \r and \n for carriage return and line feed bytes and \x00 for null bytes). Rumble scans may return more than one record of the same type for the same host if multiple responses were received.

In addition to the result type, there are also records for status messages, stats, and an initial config type that contains the scan parameters.
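A reader for the output format described above, as an added example that is not part of the Rumble documentation or code: it parses one JSON record per line, splits info values on real tabs, decodes the listed escapes, and keeps repeated results for the same host instead of overwriting them. The sample records, the exampleField key and the grouping key are constructed for illustration, and the code assumes a literal backslash is not itself escaped.

```python
import json
import re
from collections import defaultdict

# Escapes the page lists for bytes that appear inside an info value.
_ESCAPES = {r"\t": "\t", r"\r": "\r", r"\n": "\n", r"\x00": "\x00"}
_ESCAPE_RE = re.compile(r"\\(?:t|r|n|x00)")

# Constructed sample: the page's ARP record on one line, a second response from
# the same host with a hypothetical multi-value field, and a bare config record.
SAMPLE = r'''
{"type":"config"}
{"type":"result","host":"192.168.0.1","port":"0","proto":"arp","probe":"arp","name":"192.168.0.1","info":{"mac":"f0:9f:c2:11:1a:13","macDateAdded":"2014-12-17","macVendor":"Ubiquiti Networks Inc."},"ts":1551584126253853200}
{"type":"result","host":"192.168.0.1","port":"0","proto":"arp","probe":"arp","name":"192.168.0.1","info":{"exampleField":"first\tsecond\\twith-tab"},"ts":1551584126253853300}
'''


def split_info_value(value):
    """Split on real tabs (the multi-value separator), then decode escapes."""
    return [_ESCAPE_RE.sub(lambda m: _ESCAPES[m.group(0)], part)
            for part in value.split("\t")]


def parse_scan_lines(lines):
    """Return (results grouped by host/proto/port/probe, other records by type)."""
    results = defaultdict(list)  # key -> list of info dicts, one per response
    others = defaultdict(list)   # record type -> raw records (status, stats, config)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("type") != "result":
            others[rec.get("type")].append(rec)
            continue
        info = {k: split_info_value(v) for k, v in rec.get("info", {}).items()}
        key = (rec["host"], rec["proto"], rec["port"], rec["probe"])
        results[key].append(info)  # duplicates are kept, not overwritten
    return results, others


if __name__ == "__main__":
    results, others = parse_scan_lines(SAMPLE.splitlines())
    for key, infos in results.items():
        print(key, len(infos), "response(s)", infos)
    print({rtype: len(recs) for rtype, recs in others.items()})
```

To read a real scan, pass the open file written with --output to parse_scan_lines in place of the sample lines.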