Older CLI (scanner) release notes
CLI release notes
Starting with version 1.7.9 all release notes have been consolidated into one page.
v1.7.8
2020-05-23
- Fingerprint updates.
v1.7.7
2020-05-22
- Fingerprint updates.
v1.7.6
2020-05-14
- Corrects inconsistent use of the new service attributes when processing the dynamic MAC address filter.
v1.7.5
2020-05-14
- Asset and Service attributes have been normalized. All keys are now camelCase and most service attributes are now prefixed by the protocol name.
v1.7.4
2020-05-13
- Support has been improved for the following database protocols: Memcached (TCP), CouchDB, Cassandra, Redis, ElasticSearch, Riak (TCP/HTTP), MySQL, PostgreSQL, MongoDB, MSSQL, and Oracle.
v1.7.3
2020-05-07
- Cisco HSRP MAC addresses are now ignored for the purposes of asset correlation.
- Updated Ethernet fingerprints.
v1.7.2
2020-05-06
- A bug in the mDNS probe that could lead to a hung scan on certain platforms has been resolved.
v1.7.1
2020-05-06
- Updated Ethernet fingerprints.
v1.7.0
2020-05-04
- The bundled npcap driver has been upgraded to version 0.9991.
- The TLS probe now reports tls.notBeforeTS and tls.notAfterTS fields as unix timestamps.
- Updated Ethernet fingerprints.
v1.6.10
2020-05-03
- Updated Ethernet fingerprints.
v1.6.9
2020-05-01
- Support for Recog development with --fingerprints and --fingerprints-debug options.
- The Switch Topology and Network Bridges reports are now available for the CLI scanner.
- Updated Ethernet fingerprints.
v1.6.8
2020-04-23
- Updated Ethernet fingerprints.
v1.6.7
2020-04-23
- The scan engine can now identify TCP services on the scanning system across all platforms.
v1.6.6
2020-04-22
- An issue that could lead to the scan engine hanging with misbehaving HTTP services has been resolved.
v1.6.5
2020-04-22
- Support for the runZero Starter Edition.
- Updated Ethernet and BACnet fingerprints.
v1.6.4
2020-04-17
- Devices that relay mDNS from other networks (ex: Ubiquiti USG) are no longer associated with the relayed asset information.
- Additional Google Chrome paths are considered for screenshot collection. Snap packages of Chromium are no longer used.
v1.6.3
2020-04-14
- An issue that could lead to scans hanging while processing HTTP services has been resolved.
v1.6.2
2020-04-13
- Fingerprint updates for Crestron, ELAN, MAC addresses, and BACnet.
v1.6.1
2020-04-08
- The MAC address database fingerprints have been updated.
v1.6.0
2020-04-06
- Screenshots will now limit the number of concurrent Chrome processes based on core count, available RAM, and architecture.
- The bundled npcap build has been updated to version 0.9990.
v1.5.6
2020-04-04
- The RDP probe now collects the full NTLMSSP response for more platforms.
- The HTTP probe now collects information about web forms and their inputs.
v1.5.5
2020-03-27
- The SNMP probe no longer reports invalid MAC addresses found in ARP caches or MAC tables.
v1.5.4
2020-03-26
- The TCP probe now handles a wider variety of RDP responses.
v1.5.3
2020-03-26
- The SMB probe now reports subprotocols (smb1, smb2, and smb3) consistently.
- The SMB probe now collects hashing, encryption, and compression methods from SMBv3 servers.
- The SMB probe now reports the server-allocated Session ID for smb2 and smb3.
- The TCP probe now collects NTLM information from Remote Desktop endpoints and reports the protocol as rdp.
- The HTTP probe now collects additional information from VMware SOAP endpoints.
- A race condition in --nopcap mode that led to inconsistent results has been resolved.
v1.5.2
2020-03-20
- A bug that could lead to the HTTP/2 probe stalling during TLS negotiation has been resolved.
v1.5.1
2020-03-14
- Fingerprints have been updated for Ethernet MAC addresses, BACnet vendors, and Enterprise IDs.
- HTTP/1 probes now explicitly disable HTTP/2 upgrades even when advertised. HTTP/2 is handled separately.
- Generic protocol negotiation is no longer attempted on NDMP ports (10,000/30,000). A future release will support improved NDMP detection and negotiation.
- A potential deadlock in the runtime library has been resolved by reverting to an older runtime version.
v1.5.0
2020-03-04
- An NTP probe has been added that reports the clock skew compared to the scanning instance.
- A TFTP discovery probe has been added that requests a non-existent file and stores the response. The TFTP probe supports port ranges.
- An OpenVPN probe has been added that can detect remote instances across multiple ports.
- A dTLS discovery probe has been added that handles both bare dTLS and CAPWAP-encoded variants.
- Microsoft Remote Desktop Gateway instances are now fingerprinted through dTLS and HTTP, reporting the rdg.Transport service key.
- The protocol handlers for NATPMP, WS-Discovery, and UPnP Device XML now parse out specific subfields for easier matches and future fingerprinting efforts.
- The UPnP Device XML parser now triggers a request to download and report the device icon.
- The SYN scanner has been updated to improve reliability and report more accurate progress.
- The HTTP probe now identifies and reports web site icons as base64-encoded images along with their MD5 hashes.
- The HTTP probe now extracts the generator meta tag from HTML responses.
- The HTTP probe now extracts splunkd versions from HTML responses.
- The RPCBind probe now sends a null call to every UDP service and probes the NFS daemon directly.
- VMware ESXi detection has improved and will be used as a fallback in more cases.
- TCP protocol fingerprinting will retry more often on temporary network errors.
- Empty fields in the result structure within the JSON output are now omitted.
- Linux on ARM 64-bit (aarch64) is now a supported platform.
- Improved detection and early rejection of invalid CIDRs.
v1.4.5
2020-02-19
- The SMB probe now records the NTLMSSP response from a wider range of operating systems.
- The HTTP probe now stores the response to GET / and the response after any redirects are followed. Key names for the redirect responses are prefixed by last, such as last.http.code.
- The HTTP probe now handles compression and chunked transfer encoding properly, storing the normalized HTTP body.
- The HTTP probe now reports a banner consisting of the raw HTTP response.
- The HTTP probe now supports collecting environment data from LANDesk Management Agents.
- HTTP screenshots are now only collected when a 2XX HTTP response code is seen.
- HTTP screenshot processing is now more reliable.
v1.4.4
2020-02-16
- The SMB Server GUID attribute is now used to correlate results to assets.
- The SNMP sysName and sysObjectID attributes are now used to unmatch assets that have changed IPs or were mistakenly matched through another attribute (shared bogus MAC addresses or similar).
- Interfaces with no global unicast addresses (including RFC1918) are no longer considered by the ARP and SYN scanners.
- VLAN-tagged frames are now ignored by the SYN scanner, resolving an issue where packets could be sent on the wrong interface by mistake.
- SYN scans now have a mandatory delay between retry attempts, which improves reliability and decreases change churn when small network ranges are scanned.
v1.4.3
2020-02-13
- A bug that caused some HTTP requests to be sent with an empty Host header has been fixed.
v1.4.2
2020-02-05
- Version 1.4.2 improves fingerprinting and type classification of Windows operating systems.
v1.4.1
2020-02-04
- Version 1.4.1 resolves a regression where --input-targets was being ignored.
v1.4.0
2020-02-04
- Version 1.4.0 is a rollup of post-1.3.0 point release work.
v1.3.2
2020-02-02
- Support for the new --arp-fast option to send ARP probes at the configured --rate, without additional delays. This option is on by default in AWS VPC environments.
- Support for the new --snmp-v3-context option to specify the SNMP v3 Context for queries.
v1.3.1
2020-01-26
- Support for the --baseline option (-b) to load a previous assets.jsonl and use existing asset IDs in the new assets.jsonl output.
- Support for multiple --import files. This allows multiple scans to be recombined into a single output.
- Support for the --upload option, which uses --api-key, --upload-site, and other API-related options to upload scan data to the runZero Console.
- A race condition was resolved that could leave abandoned chrome.exe processes after a scan.
- Prevent use or display of a blank virtual host for HTTP servers.
v1.3.0
2020-01-07
- Version 1.3.0 is a rollup of post-1.2.0 point release work.
v1.2.3
2019-12-19
- The CLI scanner now generates a protocols.csv file with a simplified list of services and their URLs.
v1.2.2
2019-12-19
- Support for the BACnet protocol has been added.
v1.2.1
2019-12-13
- Many new fingerprints were added for HTTP and SIP endpoints.
- Asset correlation now occurs after the scan completes, not as it runs, for more consistent results.
- The protocol detection engine has received a number of small improvements (mongod recognition among others).
- Network scans of segments where a device responds to all ARP requests with the same MAC address will now be handled appropriately.
v1.2.0
2019-12-01
- Version 1.2.0 is a rollup of post-1.1.0 point release work.
v1.1.15
2019-12-01
- Automatic generation of wireless.jsonl and wireless.csv reports when the wlan-list probe returns results.
- Improved normalization of wireless network fields for the wlan-list probe.
v1.1.14
2019-11-27
- Additional bug fixes for SNMP processing.
- Initial support for the wlan-list probe module.
v1.1.13
2019-11-26
- Better support for truncated HTTP responses.
v1.1.12
2019-11-24
- Invalid SNMP responses are now handled more efficiently.
v1.1.11
2019-11-24
- A bug that could lead to memory exhaustion when Max Group Size was set to zero has been resolved.
v1.1.10
2019-11-23
- A bug in the SNMP probe that could result in the scan missing the last round of enumeration results has been fixed.
v1.1.9
2019-11-22
- Improved error handling and logging, minor performance increase.
v1.1.8
2019-11-22
- Reduced memory usage on scan reply deduplication.
v1.1.7
2019-11-19
- Cisco-specific MIBs are now enumerated for CAM/MAC table enumeration.
- SNMP v2 is now queried two ways by the SNMP probe to improve device compatibility.
- SNMP v3 authenticated enumeration is now available.
v1.1.6
2019-11-19
- A number of small bugs in the SNMP probe have been resolved.
v1.1.5
2019-11-18
- The SNMP probe will now try to obtain the full interface and MAC address list from each asset.
v1.1.4
2019-11-14
- Network topology links are now reported in the _links.* asset attributes.
- Miscellaneous fingerprinting improvements.
v1.1.3
2019-11-07
- Additional SSH fingerprints, covering Debian, Ubuntu, Raspbian, and FreeBSD.
- Improved protocol detection for the Click Modular Router daemon.
v1.1.2
2019-11-05
- A bug that could lead to a scan engine hang when the scan is interrupted has been resolved.
v1.0.15
2019-11-04
- The scanner now supports the --max-group-size option to limit the host working set (default is 4096).
- A race condition in the --text mode output that could rarely lead to a crash has been resolved.
- The MAC address prefix database and various other dependencies and fingerprints were updated.
v1.0.10
2019-10-25
- The scanner now supports the --overwrite option to allow reuse of an existing output directory.
v1.0.9
2019-10-24
- The SYN probe now sends retries using the same source port and sequence number to minimize duplicate responses. MAC address fingerprints have been updated.
v1.0.8
2019-10-23
- The SYN probe now retries twice if no RST is received. This improves reliability at the cost of a small increase in scan times. This can be changed by the --syn-max-retries parameter.
v1.0.7
2019-10-21
- Scanner performance is no longer reduced when the ARP probe is enabled for non-local scan targets.
v1.0.3
2019-10-06
- The macOS scanner now supports additional interface types (loopback and tunnel adapters).
- The macOS scanner no longer prints warnings about unusable interfaces unless the verbose flag is set.
- A bug was fixed that led to the wrong result count being reported when using the --text interface of the scanner.
v1.0.2
2019-10-02
- A race condition was fixed that could cause the scanner to crash mid-scan.
- The macOS scanner no longer crashes if an unusable interface is found and the scanner is not run as root.
v1.0.1
2019-10-01
- Rumble Network Discovery is out of Beta with version 1.0.0!