---
title: "Using the CLI"
aliases: [ "/docs/using-the-scanner/" ]
---
<!-- license: platform -->

The runZero Command Line Interface (CLI) provides various utility functions. For licensed users, it also allows standalone network scanning.

## Scanner

The `scan` command has the same options as the runZero Explorer, and similar performance characteristics. The output file named `scan.runzero.gz` can be uploaded to the runZero Console through the Inventory _Import_ menu. This

The CLI scanner works best with root privileges on Linux/macOS and Administrator privileges on Windows. Although the CLI will function without privileged access, many probe types will be unavailable. The `sudo` command can be used to run the CLI as root on Linux and macOS, while the tool is best run from an elevated command shell on Windows. On the Windows platform, the runZero CLI will look for an existing `npcap` installation and try to install it if the software is not found. This behavior can be disabled with the `--nopcap` flag.

<div class="alert alert-info">
<svg class="alert-icon" xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="16" x2="12" y2="12"></line><line x1="12" y1="8" x2="12.01" y2="8"></line></svg>
<div class="alert-body">
Some components of the application still reference the name "Rumble" for backwards compatibility. The documentation will be updated as these are changed.
</div>
</div>

The runZero CLI defaults to a semi-interactive terminal interface that writes multiple output files to a directory. The default directory name is `runzero-[current-date]`. To switch to plain text output, use the `--text` option. To skip artifact generation and only produce the raw JSON output file, use the flags `--text -o disable --output-raw scan.runzero`.

Input can be provided as arguments on the command line or by specifying an input file using the `--input-targets` (or `-i`) parameter. Input can consist of specific IPv4 addresses, IPv4 CIDRs, address ranges, or hostnames. Supported formats include:

- `10.0.0.1`
- `10.0.0.0/24`
- `10.0.0.0/255.255.255.0`
- `10.0.0.1-10.0.0.255`
- `example.com`
- `example.com/24`

For hostnames, each IPv4 address in the response will be expanded with the optional mask.
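
The sketch below is an added example, not runZero code: it expands the formats listed above into networks so a targets file can be checked against an approved scope before it is passed to `-i`. The parsing rules approximate the list above, and `resolve`, `static_resolve`, `SAMPLE_DNS`, `SAMPLE_SCOPE` and the sample file are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data: a targets file, a static stand-in for DNS so the
# example runs offline, and an approved scope. Public addresses shown are
# from the documentation ranges.
SAMPLE_TARGETS = """\
www.example.com
192.168.0.0/24
10.0.0.0/255.255.255.0
10.0.0.1-10.0.0.255
example.com/24
"""
SAMPLE_DNS = {
    "www.example.com": ["203.0.113.10"],
    "example.com": ["203.0.113.10", "198.51.100.7"],
}
SAMPLE_SCOPE = ["10.0.0.0/8", "192.168.0.0/16"]

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(_LABEL + r"(?:\." + _LABEL + r")*")


def static_resolve(host):
    """Hypothetical resolver: hostname -> list of IPv4 strings (no network I/O)."""
    return SAMPLE_DNS.get(host, [])


def expand_target(entry, resolve):
    """Turn one target entry into a list of IPv4Network objects."""
    entry = entry.strip()
    # Form: 10.0.0.1-10.0.0.255 (inclusive address range)
    if "-" in entry and "/" not in entry:
        first, _, last = entry.partition("-")
        try:
            start = ipaddress.IPv4Address(first)
            end = ipaddress.IPv4Address(last)
        except ValueError:
            pass  # not an address range; may be a hostname containing '-'
        else:
            if end < start:
                raise ValueError(f"range runs backwards: {entry}")
            return list(ipaddress.summarize_address_range(start, end))
    # Forms: 10.0.0.1, 10.0.0.0/24, 10.0.0.0/255.255.255.0
    try:
        return [ipaddress.IPv4Network(entry, strict=False)]
    except ValueError:
        pass
    # Forms: example.com, example.com/24 (mask applied to every address)
    host, _, mask = entry.partition("/")
    if re.fullmatch(r"[0-9.]*", host) or not _HOSTNAME.fullmatch(host):
        raise ValueError(f"unrecognized target: {entry!r}")
    return [ipaddress.IPv4Network(f"{addr}/{mask or 32}", strict=False)
            for addr in resolve(host)]


def preflight(text, scope, resolve):
    """Expand every entry; report unique address count and scope violations."""
    allowed = [ipaddress.IPv4Network(s) for s in scope]
    networks, out_of_scope, invalid = [], [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            nets = expand_target(entry, resolve)
        except ValueError:
            nets = []
        if not nets:  # unparseable, or a hostname that did not resolve
            invalid.append(entry)
            continue
        networks.extend(nets)
        if not all(any(n.subnet_of(a) for a in allowed) for n in nets):
            out_of_scope.append(entry)
    # Overlapping entries are merged so each address is counted once.
    unique = sum(n.num_addresses
                 for n in ipaddress.collapse_addresses(networks))
    return {"unique_addresses": unique,
            "out_of_scope": out_of_scope,
            "invalid": invalid}


if __name__ == "__main__":
    report = preflight(SAMPLE_TARGETS, SAMPLE_SCOPE, static_resolve)
    for key, value in report.items():
        print(f"{key}: {value}")
```
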

The example below downloads and runs the CLI on a Linux x86_64 host. This URL will be different for your installation. The current download links for your organization are available from the [CLI](https://console.runzero.com/deploy/download/cli) page of the runZero Console. If you are using a self-hosted console or a region other than our US-based SaaS, you can find the download link under the Deploy navigation menu.

```bash
$ wget https://console.runzero.com/download/cli/[unique-link]/runzero-cli-linux-amd64.bin
$ chmod +x runzero-cli-linux-amd64.bin
$ sudo ./runzero-cli-linux-amd64.bin scan 192.168.0.0/24 -o output-dir
```

Please note that the hexadecimal values in the download URL are specific to your account and organization.

### Performance

The default speed of runZero scans is limited to 1,000 packets per second with a single pass. This setting works great for reliable wired networks without stateful firewalls between the scanning system and the destination networks. This rate can be changed via the `--rate` (or `-r`) option, with a reasonable maximum being `10000` for most networks. On slow, unreliable networks, a rate of `300` with `--passes` set to `3` may provide better results.

A second parameter, `--max-host-rate`, limits how many packets are sent per second to each individual host. This defaults to `40`, which is low, but may be necessary when scanning low-power embedded devices. In cases where a small number of hosts (or a single host) should be scanned quickly, the `--max-host-rate` parameter can be increased to match the `--rate`.

### Examples

The following example demonstrates a scan of 65,535 TCP ports on all hosts in the `192.168.0.0/24` subnet running at 10,000 packets per second:
```bash
$ sudo runzero scan 192.168.0.0/24 -r 10000 --tcp-ports 1-65535 -o output-dir
```

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 and 10.0.0.0/24 subnets running at 5,000 packets per second:
```bash
$ sudo runzero scan 192.168.0.0/24 10.0.0.0/24 -r 5000 -o output-dir
```

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 and 10.0.0.0/8 subnets running at a max host rate of 20 packets per second per host:
```bash
$ sudo runzero scan 192.168.0.0/24 10.0.0.0/8 --max-host-rate 20 -o output-dir
```

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 subnet and the domain "example.com" running at 7,500 packets per second:
```bash
$ sudo runzero scan 192.168.0.0/24 example.com -r 7500 -o output-dir
```

The following example demonstrates a scan on all hosts in the 10.0.0.0/8 subnet and a particular ASN4 value at the default speed of 1,000 packets per second:
```bash
$ sudo runzero scan 10.0.0.0/8 asn4:[ID] -o output-dir
```

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 subnet with the max TTL set at 128 and a scan rate of 2,500 packets per second:
```bash
$ sudo runzero scan 192.168.0.0/24 -r 2500 --max-ttl 128 -o output-dir
```

The following example demonstrates a scan based on an input file:
```bash
$ sudo runzero scan -i /path/to/input-file.txt -o output-dir
```

Here is an example input file:
```
www.example.com
192.168.0.0/24
```

### Automatic web screenshots

The `--screenshots` option defaults to `true` and tells runZero to obtain a screenshot of all web services identified during the scan. This feature depends on the system running the Explorer having a local installation of the Google Chrome or Chromium browsers. The acquired screenshots will be reported as a base64 string, stored in the "screenshot.image" field of the containing service scan result.

To disable automatic web screenshots, set the `--screenshots` option to false (`--screenshots=false`).

### Scanner defaults

#### Standard ports scanned

<p class="ports">
<!-- include portList -->
</p>

### Scan outputs

The runZero CLI generates a directory of output files by default. This directory includes the following items.

* `scan.runzero.gz`: The raw scan data, compressed via gzip. This file can be imported or reprocessed via `--import`.
* `assets.jsonl`: The new optimized format for correlated, fingerprinted assets.
* `nmap.xml`: An Nmap XML-compatible data file that can be imported into various security tools.
* `urls.txt`: A list of discovered web services in URL format.
* `protocols.csv`: A list of protocols with their ports and URLs.
* `assets.html`: A rudimentary HTML report with screenshots.
* `screenshots`: A directory of raw screenshot images, headers in JSON format, and HTML bodies.
* Various lists including `addresses.txt`, `addresses_all.txt`, `hostnames.txt`, and `domains.txt`

### Raw Scan Data

The runZero CLI raw data is stored in a file named `scan.runzero.gz` within the output directory. This file contains JSONL-formatted records. An example ARP response record is shown below.

```json
{
  "type": "result",
  "host": "192.168.0.1",
  "port": "0",
  "proto": "arp",
  "probe": "arp",
  "name": "192.168.0.1",
  "info": {
    "mac": "f0:9f:c2:11:1a:13",
    "macDateAdded": "2014-12-17",
    "macVendor": "Ubiquiti Networks Inc."
  },
  "ts": 1551584126253853200
}
```

The `info` field is a JSON map of strings to strings. Multiple values are separated by the tab character (0x09); a tab that occurs inside a value is escaped as `\t` (likewise `\r` and `\n` for carriage return and line feed bytes, and `\x00` for null bytes). runZero scans may return more than one record of the same type for the same host if multiple responses were received.

In addition to the `result` type, there are also records for `status` messages, `stats`, and an initial `config` type that contains the scan parameters.
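
As an added example (not part of the runZero tooling), the following Python reads a `scan.runzero.gz`-style file, counts records by type, and decodes `info` values on the assumption that a raw tab byte separates values while the backslash sequences listed above stand for bytes inside a value. Apart from the ARP response shown above, the sample records, including the `example*` field names and the `example` probe name, are constructed.

```python
import collections
import gzip
import io
import json
import re

# Only the escapes named in the text are decoded; anything else is left as is.
_ESCAPES = {"t": "\t", "r": "\r", "n": "\n", "x00": "\x00"}
_ESCAPE_RE = re.compile(r"\\(x00|[trn])")


def decode_info(info):
    """Split each value on real tab bytes, then undo the listed escapes."""
    decoded = {}
    for key, value in info.items():
        decoded[key] = [
            _ESCAPE_RE.sub(lambda m: _ESCAPES[m.group(1)], part)
            for part in value.split("\t")
        ]
    return decoded


def read_records(fileobj):
    """Yield one dict per JSONL line from a gzip-compressed file object."""
    with gzip.open(fileobj, "rt", encoding="utf-8") as handle:
        for lineno, line in enumerate(handle, 1):
            if not line.strip():
                continue
            try:
                yield json.loads(line)
            except json.JSONDecodeError as exc:
                raise ValueError(f"line {lineno}: invalid JSON ({exc.msg})") from exc


def summarize(fileobj):
    """Return (record type counts, results grouped by host/proto/port)."""
    types = collections.Counter()
    results = collections.defaultdict(list)
    for record in read_records(fileobj):
        types[record.get("type", "unknown")] += 1
        if record.get("type") != "result":
            continue
        key = (record.get("host"), record.get("proto"), record.get("port"))
        # Several records may share a key, so append instead of overwriting.
        results[key].append(decode_info(record.get("info", {})))
    return types, dict(results)


def build_sample():
    """Constructed sample file held in memory so the example runs offline."""
    arp = {
        "type": "result", "host": "192.168.0.1", "port": "0",
        "proto": "arp", "probe": "arp", "name": "192.168.0.1",
        "info": {"mac": "f0:9f:c2:11:1a:13", "macDateAdded": "2014-12-17",
                 "macVendor": "Ubiquiti Networks Inc."},
        "ts": 1551584126253853200,
    }
    records = [
        {"type": "config"},                      # constructed placeholder
        arp,
        dict(arp, ts=1551584126353853200),       # second response, same host
        {"type": "result", "host": "192.168.0.1", "port": "80",
         "proto": "tcp", "probe": "example",     # constructed record
         "info": {"exampleList": "a\tb",         # real tab: two values
                  "exampleText": "line1\\r\\nline2"}},  # escaped CR LF
        {"type": "status"},
        {"type": "stats"},
    ]
    raw = "\n".join(json.dumps(r) for r in records).encode("utf-8")
    return io.BytesIO(gzip.compress(raw))


if __name__ == "__main__":
    counts, grouped = summarize(build_sample())
    print(dict(counts))
    for key, infos in grouped.items():
        print(key, len(infos), "record(s)")
```

To run it against real output, pass `open("scan.runzero.gz", "rb")` to `summarize` in place of `build_sample()`.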

<!-- Start of Markdown generated from CLI help output by docbuilder/scripts/scannertomd.rb -->
## runZero Command Line Interface (CLI)

The runZero CLI supports a wide range of commands and options. As well as offline scans, you can run third-party integrations and custom scripts on the command line.

The `--help` output provides basic documentation on the available options.

Most commands below accept the following global flags:

`--verbose`
: Display verbose output.

`--very-verbose`
: Display very verbose output.

### Import Censys data files

`runZero censys [avro files] [targets] [flags]`

#### Flags:

`-i`, `--input-targets string`
:  Read search targets from the specified input file

`--output-raw string`
:  Write results to the specified output file

### Import Censys data from a local database

`runZero censys-db [path-to-database] [targets] [flags]`

#### Flags:

`-i`, `--input-targets string`
:  Read search targets from the specified input file

`--output-raw string`
:  Write results to the specified output file

### Convert Censys Avro files into a local database

`runZero censys-db-convert [path-to-avro-directory] [path-to-db-directory] [flags]`

#### Flags:

`--shard-max-records int`
:  Specify the maximum record count per shard (default 500000)

`--test-mode`
:  Replace keys in the source data with random values

`--test-multiplier int`
:  Multiply the source data by a given factor (default 1)

### Serves a Censys database from a web server

`runZero censys-db-server [path-to-database] [flags]`

#### Flags:

`--port int`
:  The TCP port for the web server to listen on (default 55555)

### Generate the autocompletion script for the specified shell

`runZero completion [command]`

#### Available commands:

`bash`: Generate the autocompletion script for bash

`fish`: Generate the autocompletion script for fish

`powershell`: Generate the autocompletion script for powershell

`zsh`: Generate the autocompletion script for zsh

### Help about any command

`runZero help [command] [flags]`

### Display license information

`runZero license [flags]`

### Start a runZero active scan, passive discovery, or integration task

`runZero scan <options> [targets] [flags]`

#### Flags:

`--api-key string`
:  Specify the runZero API key

`--api-no-verify`
:  Disable TLS verification for API communication

`--api-url string`
:  Specify the runZero API server hostname (default "https://console.runzero.com/api/v1.0")

`--arp-fast`
:  Enables fast mode by ARP scanning at the scan rate vs host rate

`--atg-ports string`
:  The destination ports for ATG probes (default "10001")

`--aws-instances-access-key string`
:  The access key for the AWS account

`--aws-instances-assume-role-name string`
:  The role to assume for all accounts in the organization for cross-account access

`--aws-instances-delete-stale`
:  Automatically delete stale AWS assets

`--aws-instances-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--aws-instances-include-stopped`
:  Include assets that are not currently running

`--aws-instances-regions string`
:  The comma-separated list of regions for the AWS account

`--aws-instances-secret-access-key string`
:  The secret access key for the AWS account

`--aws-instances-service-options string`
:  The comma-separated list of services to sync data from (defaults,ec2,elb,elbv2,rds,lambda) (default "defaults")

`--aws-instances-site-per-account`
:  Automatically create a new site per account

`--aws-instances-site-per-vpc`
:  Automatically create a new site per VPC

`--aws-instances-token string`
:  The session token for the AWS account

`--azure-client-id string`
:  The application ID (client ID) for the Azure account

`--azure-client-secret string`
:  The client secret for the Azure account

`--azure-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--azure-multi-subscription`
:  Access all subscriptions in the directory (tenant) for the Azure account

`--azure-password string`
:  The password for the Azure account

`--azure-service-options string`
:  The comma-separated list of services to sync data from (defaults,vm,vmss,azsql,cosmos,lb,functionapp) (default "defaults")

`--azure-site-per-subscription`
:  Automatically create a new site per subscription

`--azure-subscription-id string`
:  The subscription ID for the Azure account

`--azure-tenant-id string`
:  The directory ID (tenant ID) for the Azure account

`--azure-username string`
:  The username for the Azure account

`--azuread-client-id string`
:  The application ID (client ID) for the Azure account

`--azuread-client-secret string`
:  The client secret for the Azure account

`--azuread-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--azuread-filter string`
:  An optional filter. Only import devices that match this filter.

`--azuread-include-inactive`
:  Include assets that are marked as inactive in the AzureAD account

`--azuread-password string`
:  The password for the AzureAD account

`--azuread-service-options string`
:  The comma-separated list of services to sync data from (defaults,dev,user,group) (default "defaults")

`--azuread-tenant-id string`
:  The directory ID (tenant ID) for the Azure account

`--azuread-username string`
:  The username for the AzureAD account

`--bacnet-ports string`
:  The destination ports for BACnet probes (default "46808,47808,48808")

`-b`, `--baseline string`
:  Use the specified file as an asset baseline for tracking

`--bedrock-ports string`
:  The destination ports for Bedrock probes (default "19132")

`--bjnp-printer-ports string`
:  The UDP ports to send Canon printer discovery requests (default "8611")

`--bjnp-scanner-ports string`
:  The UDP ports to send Canon scanner discovery requests (default "8612")

`--censys-api-url string`
:  The API endpoint to use for Censys Search (default "https://search.censys.io")

`--censys-client-id string`
:  The Client ID to use for Censys Search authentication

`--censys-client-secret string`
:  The Client Secret to use for Censys Search authentication

`--censys-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--censys-mode string`
:  The search mode (assets or query). The assets option queries the scan targets (default "assets")

`--censys-query string`
:  The search string to use in query mode

`--coap-port uint`
:  The destination port for CoAP probes (default 5683)

`-c`, `--config string`
:  Specify the config file name to load. It must be in a JSON format

`--cpu string`
:  Write a cpu profile after the scan completes

`--crestron-port uint`
:  The destination port for Crestron probes (default 41794)

`--crowdstrike-api-url string`
:  The URL used for the CrowdStrike account's API access

`--crowdstrike-client-id string`
:  The client ID for the CrowdStrike account

`--crowdstrike-client-secret string`
:  The client secret for the CrowdStrike account

`--crowdstrike-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--crowdstrike-filter string`
:  An optional Falcon Query Language (FQL) filter for imported assets

`--crowdstrike-fingerprint-only`
:  Import vulnerabilities for fingerprinting purposes only

`--crowdstrike-risks string`
:  Minimum risk of imported vulnerabilities (None, Low, Medium, High, Critical) (default "None,Low,Medium,High,Critical")

`--crowdstrike-severities string`
:  Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default "Info,Low,Medium,High,Critical")

`--custom-integration-entry-function-name string`
:  Function to call that will return ImportAssets (default "main")

`--custom-integration-id string`
:  UUID of custom integration from console

`--custom-integration-script-args string`
:  Arguments for the script

`--custom-integration-script-kwargs string`
:  Keyword arguments for the script

`--custom-integration-script-source string`
:  Source code of the custom integration script

`--dahua-dhip-ports string`
:  The destination ports for Dahua DHIP discovery probes (default "37810")

`--defender365-client-id string`
:  The application ID (client ID) for the Azure account

`--defender365-client-secret string`
:  The client secret for the Azure account

`--defender365-exclude-notonboarded`
:  Exclude assets that have not been fully onboarded

`--defender365-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--defender365-filter string`
:  Exclude assets using a Graph API $filter string

`--defender365-include-inactive`
:  Include assets that have stopped reporting to the Microsoft 365 Defender service

`--defender365-tenant-id string`
:  The directory ID (tenant ID) for the Azure account

`--disabled-probes string`
:  Specifically exclude these probes, comma-delimited

`--dnp3-address-probe-timeout int`
:  Time limit (in seconds) for DNP address discovery. (default 30)

`--dnp3-banner-address-discovery string`
:  One of 'require', 'prefer', or 'ignore'. (default "ignore")

`--dnp3-destination-address-discovery-range string`
:  A numeric range of addresses to attempt to discover. (default "0-32")

`--dnp3-explorer-address int`
:  Source DNP3 address for the explorer. (default -1)

`--dns-disable-google-myaddr`
:  Disables resolution of upstream DNS via Google myaddr service

`--dns-disable-meraki-detection`
:  Disables detection of Meraki DNS interception

`--dns-port uint`
:  The destination port for DNS probes (default 53)

`--dns-resolve-name string`
:  The target hostname for DNS queries ('off' to disable) (default "www.google.com")

`--dns-trace-domain string`
:  The subdomain to use for trace requests ('off' to disable) (default "helper.rumble.network")

`--dtls-ports string`
:  The destination ports for DTLS probes (default "443,3391,4433,5246,5349,5684")

`--echo-report-errors`
:  Report errors from intermediate in-scope hosts

`--ethernetip-cip-enumeration-method string`
:  (BETA) Set this to the preferred CIP enumeration method. (default "none")

`--ethernetip-udp-ports string`
:  The destination ports for EtherNet/IP UDP probes (default "44818")

`--exclude string`
:  Specify scan exclusions

`--excludefile string`
:  Read exclusions from an input file

`--filter-base64`
:  Filter base64-encoded fields

`-f`, `--fingerprints string`
:  Use the specified directory as an alternate fingerprint database

`--fingerprints-debug`
:  Enable debug output for the fingerprint processor

`--fins-port uint`
:  The destination port for FINS probes (default 9600)

`--gcp-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--gcp-key-path string`
:  Path to GCP service account key file

`--gcp-service-options string`
:  The comma-separated list of services to sync data from (defaults,vm,lb,cloudsql) (default "defaults")

`--gcp-site-per-project`
:  Automatically create a new site per project

`--genudp-payload-base64 string`
:  The generic udp payload as base64

`--genudp-payload-hex string`
:  The generic udp payload as hexadecimal

`--genudp-payload-text string`
:  The generic udp payload as plain text

`--genudp-ports string`
:  The destination ports for the generic udp probe

`--googleworkspace-client-email string`
:  The email address of the service account

`--googleworkspace-client-id string`
:  The ID of the service account

`--googleworkspace-customer-id string`
:  An optional customer ID for multi-tenant environments (default "my_customer")

`--googleworkspace-delegate string`
:  The email address of an admin account with directory access

`--googleworkspace-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--googleworkspace-private-key string`
:  The PEM encoded private key

`--googleworkspace-private-key-id string`
:  The ID of the private key

`--googleworkspace-project-id string`
:  The project ID of the service account

`--googleworkspace-service-options string`
:  The comma-separated list of services to sync data from (defaults,chromeos,mobile,endpoint,user,group) (default "defaults")

`--goroutines string`
:  Write a goroutine dump after the scan completes

`--heap string`
:  Write a heap profile after the scan completes

`--hiddiscoveryd-port uint`
:  The destination port for HID discoveryd probes (default 4070)

`--host-ping`
:  Only scan hosts that respond to a ping scan using the host-ping settings

`--host-ping-max-attempts int`
:  Set the maximum number of attempts for each probe (default 2)

`--host-ping-max-ttl int`
:  Set the default TTL on host-ping probe packets (default 255)

`--host-ping-passes int`
:  Set the number of passes for the host-ping phase (default 1)

`--host-ping-probes string`
:  Launch a subset of the probes for the host-ping, comma-delimited (default "arp,echo,syn,connect,netbios,snmp,ntp,sunrpc,ike,openvpn,mdns")

`--host-ping-tcp-ports string`
:  The list of TCP ports to host-ping using the syn and connect probes (default "22,80,135,179,443,3389,5040,7547,62078")

`--host-ping-tos int`
:  Set the default ToS on host-ping probe packets

`--igel-discovery-ports string`
:  The destination ports for IGEL discovery probes (default "30005")

`--ike-port uint`
:  The destination port for IKE probes (default 500)

`-I`, `--import stringArray`
:  Import existing scan data from the specified input files ('scan.rumble' format)

`--import-pcap stringArray`
:  Import pcap packet capture from the specified input files ('.pcap' or '.pcapng' format)

`-i`, `--input-targets string`
:  Read scan targets from the specified input file

`--insightvm-api-url string`
:  The URL used for the InsightVM account's API access

`--insightvm-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--insightvm-fingerprint-only`
:  Import vulnerabilities for fingerprinting purposes only

`--insightvm-insecure`
:  Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true)

`--insightvm-password string`
:  The password for the InsightVM account

`--insightvm-risks string`
:  Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default "None,Low,Medium,High,Critical")

`--insightvm-severities string`
:  Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default "Info,Low,Medium,High,Critical")

`--insightvm-thumbprints string`
:  A set of IP=SHA256:B64HASH pairs to trust for authentication

`--insightvm-username string`
:  The username for the InsightVM account

`--intune-client-id string`
:  The application ID (client ID) for the Azure account

`--intune-client-secret string`
:  The client secret for the Azure account

`--intune-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--intune-filter string`
:  An optional filter. Only import devices that match this filter.

`--intune-password string`
:  The password for the Intune account

`--intune-tenant-id string`
:  The directory ID (tenant ID) for the Azure account

`--intune-username string`
:  The username for the Intune account

`--ipmi-port uint`
:  The destination port for IPMI probes (default 623)

`--ipp-browse-port uint`
:  The destination port for IPP-browse probes (default 631)

`--iscsi-discover`
:  Enable iSCSI target discovery probe (default true)

`--kerberos-port uint`
:  The destination port for kerberos probes (default 88)

`--knxnet-ports string`
:  The destination ports for knxnet probes (default "3671")

`--l2t-port uint`
:  The destination port for L2T probes (default 2228)

`--l2tp-ports string`
:  The destination ports for L2TP probes (default "1701")

`--lantronix-port uint`
:  The destination port for Lantronix probes (default 30718)

`--layer2-add-targets`
:  Set this false to skip scanning discovered targets (default true)

`--layer2-force`
:  Set this to true to force discovery even without local targets

`--layer2-max-retries uint`
:  The desired number of retries (default 3)

`--layer2-tcp-ports string`
:  The TCP ports to ping for local device discovery (default "22,80,135,179,443,3389,5040,7547,62078")

`--layer2-udp-trace-port uint`
:  The UDP port number to use for UDP trace requests (default 9)

`--ldap-base-dn string`
:  The base DN used for LDAP searches

`--ldap-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--ldap-insecure`
:  Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN)

`--ldap-legacy-tls`
:  Set this to true to authenticate over legacy TLS versions (< 1.2)

`--ldap-password string`
:  The password for the LDAP account

`--ldap-service-options string`
:  The comma-separated list of services to sync data from (defaults,computer,user,group) (default "defaults")

`--ldap-thumbprints string`
:  A set of IP=SHA256:B64HASH pairs to trust for authentication

`--ldap-url string`
:  The URL used for the LDAP server

`--ldap-username string`
:  The username for the LDAP account

`--max-attempts int`
:  Set the maximum number of attempts for each probe (default 3)

`-G`, `--max-group-size int`
:  Set the maximum number of targets to process in each group (default 4096)

`-R`, `--max-host-rate int`
:  Set the maximum packet rate per target (including ARP broadcast) (default 40)

`--max-scan-duration int`
:  Set the maximum scan duration in seconds before aborting

`--max-sockets int`
:  Set the maximum number of concurrent sockets (default 2048)

`--max-ttl int`
:  Set the default TTL on probe packets (default 255)

`--mdns-port uint`
:  The destination port for MDNS probes (default 5353)

`--mecm-database-connection-string string`
:  The connection string for your MECM Microsoft SQL Server database

`--mecm-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--memcache-port uint`
:  The destination port for memcached probes (default 11211)

`--meraki-api-key string`
:  The access key for the Meraki.io account

`--meraki-api-url string`
:  The URL used for the Meraki.io account's API access (default "https://api.meraki.com/api/v1")

`--meraki-exclude-no-vlan-clients`

`--meraki-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--meraki-excluded-ssids string`

`--meraki-excluded-vlans string`

`--meraki-networks string`
:  An optional list of network names or IDs. Only import devices in the specified networks.

`--meraki-organizations string`
:  An optional list of organization names or IDs. Only import devices in the specified organizations.

`--miradore-api-key string`
:  The API key for the Miradore account

`--miradore-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--miradore-hostname string`
:  The Miradore web console hostname (url)

`--modbus-identification-level string`
:  Identification level, one of 'basic', 'regular', or 'extended'. (default "regular")

`--mssql-port uint`
:  The destination port for MSSQL Browser probes (default 1434)

`--nameservers string`
:  One or more nameservers to use for DNS resolution

`--natpmp-port uint`
:  The destination port for NATPMP probes (default 5351)

`--nessus-access-key string`
:  The access key for the Nessus Professional account

`--nessus-api-url string`
:  The URL used for the Nessus Professional account's API access

`--nessus-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--nessus-fingerprint-only`
:  Import vulnerabilities for fingerprinting purposes only

`--nessus-insecure`
:  Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true)

`--nessus-risks string`
:  Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default "None,Low,Medium,High,Critical")

`--nessus-secret-key string`
:  The secret key for the Nessus Professional account

`--nessus-severities string`
:  Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default "Info,Low,Medium,High,Critical")

`--nessus-thumbprints string`
:  A set of IP=SHA256:B64HASH pairs to trust for authentication

`--netbios-port uint`
:  The destination port for NetBIOS Name Service probes (default 137)

`--netbox-api-key string`
:  The access key for the NetBox instance

`--netbox-api-url string`
:  The URL to the NetBox instance

`--netbox-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--netbox-include-no-ip`
:  Include NetBox assets that have no associated IP addresses

`--netbox-include-site-names`
:  Comma-separated list of NetBox site names to include assets from

`--netbox-include-cidrs`
:  Comma-separated list of CIDRs to include assets from

`--netbox-field-mappings`
:  Map NetBox custom fields to runZero attributes. See the NetBox [documentation](netbox.md#netbox-custom-fields-cli) for more information

`--nowait`
:  Exit the user interface immediately upon completion

`--ntp-port uint`
:  The destination port for NTP probes (default 123)

`--openvpn-ports string`
:  The destination ports for OpenVPN probes (default "1194")

`--oracledb-fingerprint`
:  Enable Oracle DB version fingerprinting using a TNS connect sequence (default true)

`-o`, `--output string`
:  Output directory for scan results and analysis ('disable' to skip)

`--output-raw string`
:  Set the raw output file for scan data

`--overwrite`
:  Overwrite and replace the output directory if it already exists

`--passes int`
:  Set the number of passes for each probe (default 1)

`--pca-port uint`
:  The destination port for PCAnywhere probes (default 5632)

`--pcworx-ports string`
:  The destination ports for PCWORX probes (default "1962")

`--probes string`
:  Launch a subset of the probes, comma-delimited (default "defaults")

`--psdisco-ports string`
:  The destination ports for playstation discovery probes (default "987,9302")

`--qualys-api-url string`
:  The URL used for the Qualys account's API access

`--qualys-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--qualys-fingerprint-only`
:  Import vulnerabilities for fingerprinting purposes only

`--qualys-include-unscanned`
:  Include assets that have not been assessed for vulnerabilities

`--qualys-password string`
:  The password for the Qualys account

`--qualys-risks string`
:  Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default "None,Low,Medium,High,Critical")

`--qualys-severities string`
:  Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default "Info,Low,Medium,High,Critical")

`--qualys-tags string`
:  An optional list of tags. Only import devices that match any of the specified tags

`--qualys-network-ids string`
:  An optional list of network IDs. Only import devices that match any of the specified network IDs

`--qualys-username string`
:  The username for the Qualys account

`-r`, `--rate int`
:  Set the maximum packet rate for the overall scan (default 1000)

`--rdns-max-concurrent int`
:  The maximum number of concurrent DNS lookups (default 64)

`--rdns-timeout uint`
:  The DNS PTR lookup timeout in seconds (default 3)

`--rpcbind-port uint`
:  The destination port for RPCBind probes (default 111)

`--rpcbind-port-nfs uint`
:  The destination port for NFS probes (default 2049)

`--s7comm-request-extended-information`
:  If true, request extended device information.

`--sadp-ports string`
:  The destination ports for Hikvision SADP discovery probes (default "37020")

`--sample-duration string`
:  Specify the duration in seconds to sample network traffic (or '0' for non-stop) (default "300")

`--sample-excludes string`
:  Specify host exclusions

`--sample-interfaces string`
:  Specify a comma-separated list of network interfaces (or 'all' for everything)

`--sample-targets string`
:  Specify the discovery scope (default "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16")

`-S`, `--screenshots`
:  Capture screenshots from scan target web services (default true)

`--sentinelone-api-url string`
:  The URL used for the SentinelOne account's API access

`--sentinelone-api-key string`
:  The API key for the SentinelOne account's API access

`--sentinelone-exclude-software-import`
:  Do not import software records from the SentinelOne account

`--sentinelone-exclude-vulnerability-import`
:  Do not import vulnerability records from the SentinelOne account

`--sentinelone-severities string`
:  Severity levels of imported vulnerabilities (False Positive, LOW, MEDIUM, HIGH, CRITICAL) (default "False Positive,LOW,MEDIUM,HIGH,CRITICAL")

`--sentinelone-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--servicetag-port uint`
:  The destination port for Solaris Service Tag probes (default 6481)

`--shodan-api-key string`
:  The key used for the Shodan account's API access

`--shodan-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--shodan-mode string`
:  The search mode (assets or query). The assets option queries the scan targets (default "assets")

`--shodan-query string`
:  The search string to use in query mode

`--sip-port uint`
:  The destination port for SIP probes (default 5060)

`--snmp-comms string`
:  The comma-separated list of SNMP v1/v2c communities (default "public,private")

`--snmp-disable-bulk`
:  If true, do not use bulk walking operations

`--snmp-max-repetitions uint`
:  The maximum number of repetitions in a bulk walk operation (default 16)

`--snmp-max-retries int`
:  The maximum number of retries for an SNMP operation (default 1)

`--snmp-poll-interval uint`
:  The minimum number of seconds between polling each host after initial discovery (default 300)

`--snmp-port uint`
:  The destination port for SNMP probes (default 161)

`--snmp-timeout uint`
:  The maximum number of seconds for each individual SNMP operation (default 5)

`--snmp-v3-auth-passphrase string`
:  The authentication passphrase

`--snmp-v3-auth-protocol string`
:  The authentication protocol (none, md5, sha, sha224, sha256, sha384, sha512) (default "none")

`--snmp-v3-context string`
:  The optional SNMP v3 context to supply

`--snmp-v3-privacy-passphrase string`
:  The privacy passphrase

`--snmp-v3-privacy-protocol string`
:  The privacy protocol (none, des, aes, aes192, aes256, aes192c, aes256c) (default "none")

`--snmp-v3-username string`
:  The username to use for SNMP v3 authentication

`--snmp-walk-timeout uint`
:  The maximum number of seconds for each SNMP walk operation (default 60)

`--ssdp-port uint`
:  The destination port for UPnP/SSDP probes (default 1900)

`--ssh-fingerprint`
:  Enable fingerprinting using partial authentication (default true)

`--ssh-fingerprint-username string`
:  The username to use for partial authentication SSH fingerprinting (default "_STATUS_")

`--steam-ports string`
:  The destination ports for Steam discovery probes (default "27036")

`--subnet-ping`
:  Only scan subnets that have at least one active response using the subnet-ping settings

`--subnet-ping-max-attempts int`
:  Set the maximum number of attempts for each probe (default 1)

`--subnet-ping-max-ttl int`
:  Set the default TTL on subnet-ping probe packets (default 255)

`--subnet-ping-mode string`
:  Set the subnet-ping discovery profile: auto (default "auto")

`--subnet-ping-net-size int`
:  Set the subnet size to use for the subnet ping (default 256)

`--subnet-ping-passes int`
:  Set the number of passes for the subnet-ping phase (default 1)

`--subnet-ping-probes string`
:  Launch a subset of the probes for the subnet-ping, comma-delimited (default "arp,echo,syn,connect,netbios,snmp,ntp,sunrpc,ike,openvpn,mdns")

`--subnet-ping-sample-rate int`
:  Set the sample rate of addresses within each subnet as a percentage (default 4)

`--subnet-ping-tcp-ports string`
:  The list of TCP ports to subnet-ping using the syn and connect probes (default "22,80,135,179,443,3389,5040,7547,62078")

`--subnet-ping-tos int`
:  Set the default ToS on subnet-ping probe packets

`--syn-disable-bogus-filter`
:  Disable bogus service detection and filtering

`--syn-forwarding-check`
:  Perform an IP forwarding check as part of the scan (default true)

`--syn-forwarding-check-target string`
:  An external IPv4 address for the forwarding check (default:runzero) (default "13.248.161.247")

`--syn-max-retries uint`
:  The maximum number of retries for trace and SYN requests (default 2)

`--syn-report-resets`
:  Set this to true to report RST responses (default true)

`--syn-reset-sessions`
:  Reset middle-box/firewall sessions automatically (default true)

`--syn-reset-sessions-delay uint`
:  Minimum delay in milliseconds between a SYN and a session reset

`--syn-reset-sessions-limit uint`
:  Maximum number of in-flight sessions before forcing session resets (default 50)

`--syn-traceroute`
:  Perform a multi-protocol traceroute as part of the scan (default true)

`--syn-udp-trace-port uint`
:  The UDP port number to use for UDP trace requests (default 9)

`--tanium-api-token string`
:  The API token for the Tanium account

`--tanium-api-url string`
:  The URL used for the Tanium account's API access

`--tanium-computer-groups string`
:  Filter endpoints to members of the specified computer groups

`--tanium-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--tanium-severities string`
:  Severity levels of imported vulnerabilities (Low, Medium, High, Critical) (default "Low,Medium,High,Critical")

`--tcp-excludes string`
:  The list of TCP ports to always exclude

`-p`, `--tcp-ports string`
:  The list of TCP ports to scan using the syn and connect probes (see below for default)

`--tcp-skip-protocol`
:  Set this to skip protocol detection on TCP ports

`--tenable-access-key string`
:  The access key for the Tenable.io account

`--tenable-api-url string`
:  The URL used for the Tenable.io account's API access

`--tenable-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--tenable-fingerprint-only`
:  Import vulnerabilities for fingerprinting purposes only

`--tenable-include-unscanned`
:  Include assets that have not been assessed for vulnerabilities

`--tenable-risks string`
:  Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default "None,Low,Medium,High,Critical")

`--tenable-secret-key string`
:  The secret key for the Tenable.io account

`--tenable-severities string`
:  Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default "Info,Low,Medium,High,Critical")

`--tenable-sources string`
:  An optional list of sources. Only import devices that match the specified sources

`--tenable-tags string`
:  An optional list of tags. Only import devices that match the specified tags

`--tenablesecuritycenter-access-key string`
:  The access key for the Tenable Security Center account

`--tenablesecuritycenter-api-url string`
:  The URL used for the Tenable Security Center account's API access

`--tenablesecuritycenter-batch-size string`
:  The number of records to request at a time (between 2000 and 10000) (default "2000")

`--tenablesecuritycenter-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--tenablesecuritycenter-fingerprint-only`
:  Import vulnerabilities for fingerprinting purposes only

`--tenablesecuritycenter-insecure string`
:  Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN)

`--tenablesecuritycenter-query-id string`
:  The ID of an existing vulnerability query in the Tenable Security Center account

`--tenablesecuritycenter-query-mode string`
:  Set to 'filters' to provide 'severities' and 'risks' values to import. Set to 'query-id' to provide a value for 'query-id'. (default "filters")

`--tenablesecuritycenter-risks string`
:  Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default "None,Low,Medium,High,Critical")

`--tenablesecuritycenter-secret-key string`
:  The secret key for the Tenable Security Center account

`--tenablesecuritycenter-severities string`
:  Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default "Info,Low,Medium,High,Critical")

`--tenablesecuritycenter-sync-since string`
:  Specify an initial date to sync data from.

`--tenablesecuritycenter-thumbprints string`
:  A set of IP=SHA256:B64HASH pairs to trust for authentication

`--text`
:  Force text-only mode (no console UI)

`--tftp-ports string`
:  The destination ports for TFTP probes (default "69")

`--tos int`
:  Set the default ToS on probe packets

`--ubnt-port uint`
:  The destination port for Ubiquiti probes (default 10001)

`--upload`
:  Automatically upload results to the runZero Console

`-u`, `--upload-site string`
:  Specify the Site ID or Name to upload the raw scan results to if --upload is specified (default "Primary")

`--vmware-insecure`
:  Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true)

`--vmware-password string`
:  The password to use for VMware SDK authentication (read-only)

`--vmware-thumbprints string`
:  A set of IP=SHA256:B64HASH pairs to trust for authentication

`--vmware-username string`
:  The username to use for VMware SDK authentication (read-only)

`--webmin-ports string`
:  The destination ports for Webmin probes (default "10000")

`--wiz-api-url string`
:  The URL used for the Wiz account's API access

`--wiz-auth-url string`
:  The URL used for the Wiz account's authentication

`--wiz-client-id string`
:  The client ID for the Wiz account

`--wiz-client-secret string`
:  The client secret for the Wiz account

`--wiz-exclude-unknown`
:  Exclude assets that cannot be merged into an existing asset

`--wiz-fingerprint-only`
:  Import vulnerabilities for fingerprinting purposes only

`--wiz-include-unscanned`
:  Include assets that have not been assessed for vulnerabilities (default true)

`--wiz-risks string`
:  Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default "None,Low,Medium,High,Critical")

`--wiz-severities string`
:  Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default "Info,Low,Medium,High,Critical")

`--wlan-list-poll-interval uint`
:  The minimum number of seconds between polls of the access point list (default 300)

`--wsd-port uint`
:  The destination port for WSD probes (default 3702)

`--xdmcp-ports string`
:  The destination ports for XDMCP probes (default "177")

### Run a custom Starlark script

`runZero script --filename filename [--args a] [--args b] [--kwargs a=b] [--kwargs b=c] [flags]`

`runZero script [command]`

#### Available commands:

`repl`: Run a custom Starlark script in a REPL

#### Flags:

`--args stringArray`
:  Positional arguments (args) to pass into the script

`-f`, `--filename string`
:  The file containing the script to load and run

`--kwargs stringToString`
:  Keyword arguments (kwargs) to pass into the script (default [])

### Upgrade to the latest version of the runZero Scanner

`runZero upgrade [flags]`

#### Flags:

`--force`
:  Apply the update without checking the version

### Perform an internal signature verification

`runZero verify [flags]`

### Print the version number of runZero

`runZero version [flags]`

<!-- End of Markdown generated from CLI help output by docbuilder/scripts/scannertomd.rb -->

