Older scanner release notes

Scanner release notes

Starting with version 1.7.9 all release notes have been consolidated into one page.

v1.7.8

2020-05-23

• Fingerprint updates.

v1.7.7

2020-05-22

• Fingerprint updates.

v1.7.6

2020-05-14

• Corrects inconsistent use of the new service attributes when processing the dynamic MAC address filter.

v1.7.5

2020-05-14

• Asset and Service attributes have been normalized. All keys are now camelCase and most service attributes are now prefixed by the protocol name.

v1.7.4

2020-05-13

• Support has been improved for the following database protocols: Memcached (TCP), CouchDB, Cassandra, Redis, ElasticSearch, Riak (TCP/HTTP), MySQL, PostgreSQL, MongoDB, MSSQL, and Oracle.

v1.7.3

2020-05-07

• Cisco HSRP MAC addresses are now ignored for the purposes of asset correlation.
• Updated Ethernet fingerprints.

v1.7.2

2020-05-06

• A bug in the mDNS probe that could lead to a hung scan on certain platforms has been resolved.

v1.7.1

2020-05-06

• Updated Ethernet fingerprints.

v1.7.0

2020-05-04

• The bundled npcap driver has been upgraded to version 0.9991.
• The TLS probe now reports tls.notBeforeTS and tls.notAfterTS fields as unix timestamps.
• Updated Ethernet fingerprints.

v1.6.10

2020-05-03

• Updated Ethernet fingerprints.

v1.6.9

2020-05-01

• Support for Recog development with --fingerprints and --fingerprints-debug options.
• The Switch Topology and Network Bridges reports are now available for the CLI scanner.
• Updated Ethernet fingerprints.

v1.6.8

2020-04-23

• Updated Ethernet fingerprints.

v1.6.7

2020-04-23

• The scan engine can now identify TCP services on the scanning system across all platforms.

v1.6.6

2020-04-22

• An issue that could lead to the scan engine hanging with misbehaving HTTP services has been resolved.

v1.6.5

2020-04-22

• Support for the runZero Starter Edition.
• Updated Ethernet and BACnet fingerprints.

v1.6.4

2020-04-17

• Devices that relay mDNS from other networks (ex: Ubiquiti USG) are no longer associated with the relayed asset information.

• Additional Google Chrome paths are considered for screenshot collection. Snap packages of Chromium are no longer used.

v1.6.3

2020-04-14

• An issue that could lead to scans hanging while processing HTTP services has been resolved.

v1.6.2

2020-04-13

• Fingerprint updates for Crestron, ELAN, MAC addresses, and BACnet.

v1.6.1

2020-04-08

• The MAC address database fingerprints have been updated.

v1.6.0

2020-04-06

• Screenshots will now limit the number of concurrent Chrome processes based on core count, available RAM, and architecture.
• The bundled npcap build has been updated to version 0.9990.

v1.5.6

2020-04-04

• The RDP probe now collects the full NTLMSSP response for more platforms.
• The HTTP probe now collects information about web forms and their inputs.

v1.5.5

2020-03-27

• The SNMP probe no longer reports invalid MAC addresses found in ARP caches or MAC tables.

v1.5.4

2020-03-26

• The TCP probe now handles a wider variety of RDP responses.

v1.5.3

2020-03-26

• The SMB probe now reports subprotocols (smb1, smb2, and smb3) consistently.
• The SMB probe now collects hashing, encryption, and compression methods from SMBv3 servers.
• The SMB probe now reports the server-allocated Session ID for smb2 and smb3.
• The TCP probe now collects NTLM information from Remote Desktop endpoints and reports the protocol as rdp.
• The HTTP probe now collects additional information from VMware SOAP endpoints.
• A race condition in --nopcap mode that led to inconsistent results has been resolved.

v1.5.2

2020-03-20

• A bug that could lead to the HTTP/2 probe stalling during TLS negotiation has been resolved.

v1.5.1

2020-03-14

• Fingerprints have been updated for Ethernet MAC addresses, BACnet vendors, and Enterprise IDs.
• HTTP/1 probes now explicitly disable HTTP/2 upgrades even when advertised. HTTP/2 is handled separately.
• Generic protocol negotiation is no longer attempted on NDMP ports (10,000/30,000). A future release will support improved NDMP detection and negotiation.
• A potential deadlock in the runtime library has been resolved by reverting to an older runtime version.

v1.5.0

2020-03-04

• A NTP probe has been added that reports the clock skew compared to the scanning instance.
• A TFTP discovery probe has been added that requests a non-existent file and stores the response. The TFTP probe supports port ranges.
• An OpenVPN probe has been added that can detect remote instances across multiple ports.
• A dTLS discovery probe has been added that handles both bare dTLS and CAPWAP-encoded variants.
• Microsoft Remote Desktop Gateway instances are now fingerprinted through dTLS and HTTP, reporting the rdg.Transport service key.
• The protocol handlers for NATPMP, WS-Discovery, and UPnP Device XML now parse out specific subfields for easier matches and future fingerprinting efforts.
• The UPnP Device XML parser now triggers a request to download and report the device icon.
• The SYN scanner has been updated to improve reliability and report more accurate progress.
• The HTTP probe now identifies and reports web site icons as base64-encoded images along with their MD5 hashes.
• The HTTP probe now extracts the generator meta tag from HTML responses.
• The HTTP probe now extracts splunkd versions from HTML responses.
• The RPCBind probe now sends a null call to every UDP service and probes the NFS daemon directly.
• VMware ESXi detection has improved and will be used as a fallback in more cases.
• TCP protocol fingerprinting will retry more often on temporary network errors.
• Empty fields in the result structure within the JSON output are now omitted.
• Linux on ARM 64-bit (aarch64) is now a supported platform.
• Improved detection and early rejection of invalid CIDRs.

v1.4.5

2020-02-19

• The SMB probe now records the NTLMSSP response from a wider range of operating systems.
• The HTTP probe now stores the response to GET / and the response after any redirects are followed. Key names for the redirect responses are prefixed by last, such as last.http.code.
• The HTTP probe now handles compression and chunked transfer encoding properly, storing the normalized HTTP body.
• The HTTP probe now reports a banner consisting of the raw HTTP response.
• The HTTP probe now supports collecting environment data from LANDesk Management Agents.
• HTTP screenshots are now only collected when a 2XX HTTP response code is seen.
• HTTP screenshot processing is now more reliable.

v1.4.4

2020-02-16

• The SMB Server GUID attribute is now used to correlate results to assets.
• The SNMP sysName and sysObjectID attributes are now used to unmatch assets that have changed IPs or were mistakenly matched through another attribute (shared bogus MAC addresses or similar).
• Interfaces with no global unicast addresses (including RFC1918) are no longer considered by the ARP and SYN scanners.
• VLAN-tagged frames are now ignored by the SYN scanner resolving an issue where packets could be sent on the wrong interface by mistake.
• SYN scans now have a mandatory delay between retry attempts, which improves reliability and decreases change churn when small network ranges are scanned.

v1.4.3

2020-02-13

• A bug that caused some HTTP requests to be sent with an empty Host header has been fixed.

v1.4.2

2020-02-05

• Version 1.4.2 improves fingerprinting and type classification of Windows operating systems.

v1.4.1

2020-02-04

• Version 1.4.1 resolves a regression where --input-targets was being ignored.

v1.4.0

2020-02-04

• Version 1.4.0 is a rollup of post-1.3.0 point release work.

v1.3.2

2020-02-02

• Support for the new --arp-fast option to send ARP probes at the configured --rate, without additional delays. This option is on by default in AWS VPC environments.
• Support for the new --snmp-v3-context option to specify the SNMP v3 Context for queries.

v1.3.1

2020-01-26

• Support for the --baseline option (-b) to load a previous assets.jsonl and use existing asset IDs in the new assets.jsonl output.
• Support for multiple --import files. This allows multiple scans to be recombined into a single output.
• Support for the --upload option, which uses --api-key, --upload-site, and other API-related options to upload scan data to the runZero Console.
• A race condition was resolved that could leave abandoned chrome.exe processes after a scan.
• Prevent use or display of a blank virtual host for HTTP servers

v1.3.0

2020-01-07

• Version 1.3.0 is a rollup of post-1.2.0 point release work.

v1.2.3

2019-12-19

• The CLI scanner now generates a protocols.csv file with a simplified list of services and their URLs.

v1.2.2

2019-12-19

• Support for the BACnet protocol has been added.

v1.2.1

2019-12-13

• Many new fingerprints were added for HTTP and SIP endpoints.
• Asset correlation now occurs after the scan completes, not as it runs, for more consistent results.
• The protocol detection engine has received a number of small improvements (mongod recognition among others).
• Network scans of segments where a device responds to all ARP requests with the same MAC address will now be handled appropriately.

v1.2.0

2019-12-01

• Version 1.2.0 is a rollup of post-1.1.0 point release work.

v1.1.15

2019-12-01

• Automatic generation of wireless.jsonl and wireless.csv reports when the wlan-list probe returns results.
• Improved normalization of wireless network fields for the wlan-list probe.

v1.1.14

2019-11-27

• Additional bug fixes for SNMP processing.
• Initial support for the wlan-list probe module.

v1.1.13

2019-11-26

• Better support for truncated HTTP responses.

v1.1.12

2019-11-24

• Invalid SNMP responses are now handled more efficiently.

v1.1.11

2019-11-24

• A bug that could lead to memory exhaustion when Max Group Size was set to zero has been resolved.

v1.1.10

2019-11-23

• A bug in the SNMP probe that could result in the scan missing the last round of enumeration results has been fixed.

v1.1.9

2019-11-22

• Improved error handling and logging, minor performance increase.

v1.1.8

2019-11-22

• Reduced memory usage on scan reply deduplication.

v1.1.7

2019-11-19

• Cisco-specific MIBs are now enumerated for CAM/MAC table enumeration.
• SNMP v2 is now queried two ways by the SNMP probe to improve device compatibility.
• SNMP v3 authenticated enumeration is now available.

v1.1.6

2019-11-19

• A number of small bugs in the SNMP probe have been resolved.

v1.1.5

2019-11-18

• The SNMP probe will now try to obtain the full interface and MAC address list from each asset.

v1.1.4

2019-11-14

• Network topology links are now reported in the _links.* asset attributes.
• Miscellaneous fingerprinting improvements.

v1.1.3

2019-11-07

• Additional SSH fingerprints, covering Debian, Ubuntu, Raspbian, and FreeBSD.
• Improved protocol detection for the Click Modular Router daemon.

v1.1.2

2019-11-05

• A bug that could lead to a scan engine hang when the scan is interrupted has been resolved.

v1.0.15

2019-11-04

• The scanner now supports the --max-group-size option to limit the host working set (default is 4096).
• A race condition in the --text mode output that could rarely lead to a crash has been resolved.
• The MAC address prefix database and various other dependencies and fingerprints were updated.

v1.0.10

2019-10-25

• The scanner now supports the --overwrite option to allow reuse of an existing output directory

v1.0.9

2019-10-24

• The SYN probe now sends retries using the same source port and sequence number to minimize duplicate responses. MAC address fingerprints have been updated.

v1.0.8

2019-10-23

• The SYN probe now retries twice if no RST is received. This improves reliability at the cost of a small increase in scan times. This can be changed by the –syn-max-retries parameter.

v1.0.7

2019-10-21

• Scanner performance is no longer reduced when the ARP probe is enabled for non-local scan targets.

v1.0.3

2019-10-06

• The macOS scanner now supports additional interface types (loopback and tunnel adapters).
• The macOS scanner no longer prints warnings about unusable interfaces unless the verbose flag is set.
• A bug was fixed that led to the wrong result count being reported when using the --text interface of the scanner.

v1.0.2

2019-10-02

• A race condition was fixed that could the scanner to crash mid-scan.
• The macOS scanner no longer crashes if an unusable interface is found and the scanner is not run as root.

v1.0.1

2019-10-01

• Rumble Network Discovery is out of Beta with version 1.0.0!