Older CLI (scanner) release notes

CLI release notes

Starting with version 1.7.9 all release notes have been consolidated into one page.

v1.7.8

2020-05-23

  • Fingerprint updates.

v1.7.7

2020-05-22

  • Fingerprint updates.

v1.7.6

2020-05-14

  • Corrects inconsistent use of the new service attributes when processing the dynamic MAC address filter.

v1.7.5

2020-05-14

  • Asset and Service attributes have been normalized. All keys are now camelCase and most service attributes are now prefixed by the protocol name.

v1.7.4

2020-05-13

  • Support has been improved for the following database protocols: Memcached (TCP), CouchDB, Cassandra, Redis, ElasticSearch, Riak (TCP/HTTP), MySQL, PostgreSQL, MongoDB, MSSQL, and Oracle.

v1.7.3

2020-05-07

  • Cisco HSRP MAC addresses are now ignored for the purposes of asset correlation.
  • Updated Ethernet fingerprints.

v1.7.2

2020-05-06

  • A bug in the mDNS probe that could lead to a hung scan on certain platforms has been resolved.

v1.7.1

2020-05-06

  • Updated Ethernet fingerprints.

v1.7.0

2020-05-04

  • The bundled npcap driver has been upgraded to version 0.9991.
  • The TLS probe now reports tls.notBeforeTS and tls.notAfterTS fields as unix timestamps.
  • Updated Ethernet fingerprints.

v1.6.10

2020-05-03

  • Updated Ethernet fingerprints.

v1.6.9

2020-05-01

  • Support for Recog development with --fingerprints and --fingerprints-debug options.
  • The Switch Topology and Network Bridges reports are now available for the CLI scanner.
  • Updated Ethernet fingerprints.

v1.6.8

2020-04-23

  • Updated Ethernet fingerprints.

v1.6.7

2020-04-23

  • The scan engine can now identify TCP services on the scanning system across all platforms.

v1.6.6

2020-04-22

  • An issue that could lead to the scan engine hanging with misbehaving HTTP services has been resolved.

v1.6.5

2020-04-22

  • Support for the runZero Starter Edition.
  • Updated Ethernet and BACnet fingerprints.

v1.6.4

2020-04-17

  • Devices that relay mDNS from other networks (ex: Ubiquiti USG) are no longer associated with the relayed asset information.

  • Additional Google Chrome paths are considered for screenshot collection. Snap packages of Chromium are no longer used.

v1.6.3

2020-04-14

  • An issue that could lead to scans hanging while processing HTTP services has been resolved.

v1.6.2

2020-04-13

  • Fingerprint updates for Crestron, ELAN, MAC addresses, and BACnet.

v1.6.1

2020-04-08

  • The MAC address database fingerprints have been updated.

v1.6.0

2020-04-06

  • Screenshots will now limit the number of concurrent Chrome processes based on core count, available RAM, and architecture.
  • The bundled npcap build has been updated to version 0.9990.

v1.5.6

2020-04-04

  • The RDP probe now collects the full NTLMSSP response for more platforms.
  • The HTTP probe now collects information about web forms and their inputs.

v1.5.5

2020-03-27

  • The SNMP probe no longer reports invalid MAC addresses found in ARP caches or MAC tables.

v1.5.4

2020-03-26

  • The TCP probe now handles a wider variety of RDP responses.

v1.5.3

2020-03-26

  • The SMB probe now reports subprotocols (smb1, smb2, and smb3) consistently.
  • The SMB probe now collects hashing, encryption, and compression methods from SMBv3 servers.
  • The SMB probe now reports the server-allocated Session ID for smb2 and smb3.
  • The TCP probe now collects NTLM information from Remote Desktop endpoints and reports the protocol as rdp.
  • The HTTP probe now collects additional information from VMware SOAP endpoints.
  • A race condition in --nopcap mode that led to inconsistent results has been resolved.

v1.5.2

2020-03-20

  • A bug that could lead to the HTTP/2 probe stalling during TLS negotiation has been resolved.

v1.5.1

2020-03-14

  • Fingerprints have been updated for Ethernet MAC addresses, BACnet vendors, and Enterprise IDs.
  • HTTP/1 probes now explicitly disable HTTP/2 upgrades even when advertised. HTTP/2 is handled separately.
  • Generic protocol negotiation is no longer attempted on NDMP ports (10,000/30,000). A future release will support improved NDMP detection and negotiation.
  • A potential deadlock in the runtime library has been resolved by reverting to an older runtime version.

v1.5.0

2020-03-04

  • A NTP probe has been added that reports the clock skew compared to the scanning instance.
  • A TFTP discovery probe has been added that requests a non-existent file and stores the response. The TFTP probe supports port ranges.
  • An OpenVPN probe has been added that can detect remote instances across multiple ports.
  • A dTLS discovery probe has been added that handles both bare dTLS and CAPWAP-encoded variants.
  • Microsoft Remote Desktop Gateway instances are now fingerprinted through dTLS and HTTP, reporting the rdg.Transport service key.
  • The protocol handlers for NATPMP, WS-Discovery, and UPnP Device XML now parse out specific subfields for easier matches and future fingerprinting efforts.
  • The UPnP Device XML parser now triggers a request to download and report the device icon.
  • The SYN scanner has been updated to improve reliability and report more accurate progress.
  • The HTTP probe now identifies and reports web site icons as base64-encoded images along with their MD5 hashes.
  • The HTTP probe now extracts the generator meta tag from HTML responses.
  • The HTTP probe now extracts splunkd versions from HTML responses.
  • The RPCBind probe now sends a null call to every UDP service and probes the NFS daemon directly.
  • VMware ESXi detection has improved and will be used as a fallback in more cases.
  • TCP protocol fingerprinting will retry more often on temporary network errors.
  • Empty fields in the result structure within the JSON output are now omitted.
  • Linux on ARM 64-bit (aarch64) is now a supported platform.
  • Improved detection and early rejection of invalid CIDRs.

v1.4.5

2020-02-19

  • The SMB probe now records the NTLMSSP response from a wider range of operating systems.
  • The HTTP probe now stores the response to GET / and the response after any redirects are followed. Key names for the redirect responses are prefixed by last, such as last.http.code.
  • The HTTP probe now handles compression and chunked transfer encoding properly, storing the normalized HTTP body.
  • The HTTP probe now reports a banner consisting of the raw HTTP response.
  • The HTTP probe now supports collecting environment data from LANDesk Management Agents.
  • HTTP screenshots are now only collected when a 2XX HTTP response code is seen.
  • HTTP screenshot processing is now more reliable.

v1.4.4

2020-02-16

  • The SMB Server GUID attribute is now used to correlate results to assets.
  • The SNMP sysName and sysObjectID attributes are now used to unmatch assets that have changed IPs or were mistakenly matched through another attribute (shared bogus MAC addresses or similar).
  • Interfaces with no global unicast addresses (including RFC1918) are no longer considered by the ARP and SYN scanners.
  • VLAN-tagged frames are now ignored by the SYN scanner resolving an issue where packets could be sent on the wrong interface by mistake.
  • SYN scans now have a mandatory delay between retry attempts, which improves reliability and decreases change churn when small network ranges are scanned.

v1.4.3

2020-02-13

  • A bug that caused some HTTP requests to be sent with an empty Host header has been fixed.

v1.4.2

2020-02-05

  • Version 1.4.2 improves fingerprinting and type classification of Windows operating systems.

v1.4.1

2020-02-04

  • Version 1.4.1 resolves a regression where --input-targets was being ignored.

v1.4.0

2020-02-04

  • Version 1.4.0 is a rollup of post-1.3.0 point release work.

v1.3.2

2020-02-02

  • Support for the new --arp-fast option to send ARP probes at the configured --rate, without additional delays. This option is on by default in AWS VPC environments.
  • Support for the new --snmp-v3-context option to specify the SNMP v3 Context for queries.

v1.3.1

2020-01-26

  • Support for the --baseline option (-b) to load a previous assets.jsonl and use existing asset IDs in the new assets.jsonl output.
  • Support for multiple --import files. This allows multiple scans to be recombined into a single output.
  • Support for the --upload option, which uses --api-key, --upload-site, and other API-related options to upload scan data to the runZero Console.
  • A race condition was resolved that could leave abandoned chrome.exe processes after a scan.
  • Prevent use or display of a blank virtual host for HTTP servers

v1.3.0

2020-01-07

  • Version 1.3.0 is a rollup of post-1.2.0 point release work.

v1.2.3

2019-12-19

  • The CLI scanner now generates a protocols.csv file with a simplified list of services and their URLs.

v1.2.2

2019-12-19

  • Support for the BACnet protocol has been added.

v1.2.1

2019-12-13

  • Many new fingerprints were added for HTTP and SIP endpoints.
  • Asset correlation now occurs after the scan completes, not as it runs, for more consistent results.
  • The protocol detection engine has received a number of small improvements (mongod recognition among others).
  • Network scans of segments where a device responds to all ARP requests with the same MAC address will now be handled appropriately.

v1.2.0

2019-12-01

  • Version 1.2.0 is a rollup of post-1.1.0 point release work.

v1.1.15

2019-12-01

  • Automatic generation of wireless.jsonl and wireless.csv reports when the wlan-list probe returns results.
  • Improved normalization of wireless network fields for the wlan-list probe.

v1.1.14

2019-11-27

  • Additional bug fixes for SNMP processing.
  • Initial support for the wlan-list probe module.

v1.1.13

2019-11-26

  • Better support for truncated HTTP responses.

v1.1.12

2019-11-24

  • Invalid SNMP responses are now handled more efficiently.

v1.1.11

2019-11-24

  • A bug that could lead to memory exhaustion when Max Group Size was set to zero has been resolved.

v1.1.10

2019-11-23

  • A bug in the SNMP probe that could result in the scan missing the last round of enumeration results has been fixed.

v1.1.9

2019-11-22

  • Improved error handling and logging, minor performance increase.

v1.1.8

2019-11-22

  • Reduced memory usage on scan reply deduplication.

v1.1.7

2019-11-19

  • Cisco-specific MIBs are now enumerated for CAM/MAC table enumeration.
  • SNMP v2 is now queried two ways by the SNMP probe to improve device compatibility.
  • SNMP v3 authenticated enumeration is now available.

v1.1.6

2019-11-19

  • A number of small bugs in the SNMP probe have been resolved.

v1.1.5

2019-11-18

  • The SNMP probe will now try to obtain the full interface and MAC address list from each asset.

v1.1.4

2019-11-14

  • Network topology links are now reported in the _links.* asset attributes.
  • Miscellaneous fingerprinting improvements.

v1.1.3

2019-11-07

  • Additional SSH fingerprints, covering Debian, Ubuntu, Raspbian, and FreeBSD.
  • Improved protocol detection for the Click Modular Router daemon.

v1.1.2

2019-11-05

  • A bug that could lead to a scan engine hang when the scan is interrupted has been resolved.

v1.0.15

2019-11-04

  • The scanner now supports the --max-group-size option to limit the host working set (default is 4096).
  • A race condition in the --text mode output that could rarely lead to a crash has been resolved.
  • The MAC address prefix database and various other dependencies and fingerprints were updated.

v1.0.10

2019-10-25

  • The scanner now supports the --overwrite option to allow reuse of an existing output directory

v1.0.9

2019-10-24

  • The SYN probe now sends retries using the same source port and sequence number to minimize duplicate responses. MAC address fingerprints have been updated.

v1.0.8

2019-10-23

  • The SYN probe now retries twice if no RST is received. This improves reliability at the cost of a small increase in scan times. This can be changed by the –syn-max-retries parameter.

v1.0.7

2019-10-21

  • Scanner performance is no longer reduced when the ARP probe is enabled for non-local scan targets.

v1.0.3

2019-10-06

  • The macOS scanner now supports additional interface types (loopback and tunnel adapters).
  • The macOS scanner no longer prints warnings about unusable interfaces unless the verbose flag is set.
  • A bug was fixed that led to the wrong result count being reported when using the --text interface of the scanner.

v1.0.2

2019-10-02

  • A race condition was fixed that could the scanner to crash mid-scan.
  • The macOS scanner no longer crashes if an unusable interface is found and the scanner is not run as root.

v1.0.1

2019-10-01

Updated