Using the standalone command-line scanner

Platform

Some editions of runZero include the standalone command-line scanner that can be used to perform network discovery without access to the internet. The scanner has the same options and similar performance characteristics to the Explorer. The scanner output file named scan.rumble.gz can be uploaded to the runZero Console through the Inventory Import menu.

The scanner works best with root privileges on Linux/macOS and Administrator privileges on Windows. Although the scanner will function without privileged access, many probe types will be unavailable. The sudo command can be used to run the scanner as root on Linux and macOS, while the tool is best run from an elevated command shell on Windows. On the Windows platform, the runZero Scanner will look for an existing npcap installation and try to install it if the software is not found. This behavior can be disabled with the --nopcap flag.

Note: Some components of the application still reference the name "Rumble" for backwards compatibility. The documentation will be updated as these are changed.

The runZero Scanner defaults to a semi-interactive terminal interface that writes multiple output files to a directory. The default directory name is rumble-[current-date]. To switch to plain text output, use the --text option. To skip artifact generation and only produce the raw JSON output file, use the flags --text -o disable --output-raw scan.rumble.

Input can be provided as arguments on the command-line or by specifying an input file using the --input (or -i) parameter. Input can consist of specific IPv4 addresses or IPv4 CIDRs. Supported formats include:

  • 10.0.0.1
  • 10.0.0.0/24
  • 10.0.0.0/255.255.255.0
  • 10.0.0.1-10.0.0.255
  • example.com
  • example.com/24

For hostnames, each IPv4 address in the response will be expanded with the optional mask.

The example below downloads and runs the scanner on a Linux x86_64 host. This URL will be different for your installation. The current download links for your organization are available from the scanner page of the runZero Console.

$ wget https://console.runzero.com/download/scanner/[unique-link]/runzero-scanner-linux-amd64.bin
$ chmod +x runzero-scanner-linux-amd64.bin
$ sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 -o output-dir

Please note that the hexadecimal values in the download URL are specific for your account and organization.

Performance

The default speed of runZero scans is limited to 1,000 packets per second with a single pass. This setting works great for reliable wired networks without stateful firewalls between the scanning system and the destination networks. This rate can be changed via the --rate (or -r) option, with a reasonable maximum being 10000 for most networks. On slow unreliable networks, a rate of 300 with --passes set to 3 may provide better results.

A second parameter, --max-host-rate limits how many packets are sent per second to each individual host. This defaults to 40, which is low, but may be necessary when scanning low-power embedded devices. In cases where a small number of hosts (or a single host) should be scanned quickly, the --max-host-rate parameter can be increased to match the --rate.

Examples

The following example demonstrates a scan of 65,535 TCP ports on all hosts in the 192.168.0.0/24 subnet running at 10,000 packets per second:

$ sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 -r 10000 --tcp-ports 1-65535 -o output-dir

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 and 10.0.0.0/24 subnets running at 5,000 packets per second:

$ sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 10.0.0.0/24 -r 5000 -o output-dir

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 and 10.0.0.0/8 subnets running at a max host rate of 20 packets per host:

$ sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 10.0.0.0/8 –-max-host-rate 20 -o output-dir

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 subnet and the domain “example.com” running at 7,500 packets per second:

$ sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 example.com -r 7,500 -o output dir

The following example demonstrates a scan on all hosts in the 10.0.0.0/8 subnet and a particular ASN4 value at a default speed of 1,000 packets per second.

$ sudo ./runzero-scanner-linux-amd64.bin 10.0.0.0/8 asn4:[ID] -o output dir

The following example demonstrates a scan on all hosts in the 192.168.0.0/24 subnet with the max TTL set at 128 and a scan rate of 2,500 packets per second:

$ sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 -r 2,500 -–max-ttl 128 -o output-dir

The following example demonstrates a scan based on an input file:

$ sudo ./runzero-scanner-linux-amd64.bin -i /path/to/input-file.txt -o output dir

Here is an example input file:

www.example.com
192.168.0.0/24

Automatic web screenshots

The --screenshots option defaults to true and tells runZero to obtain a screenshot of all web services identified during the scan. This feature depends on the system running the Explorer having a local installation of the Google Chrome or Chromium browsers. The acquired screenshots will be reported as a base64 string, stored in the “screenshot.image” field of the containing service scan result.

To disable automatic web screenshots, set the --screenshots option to false (--screenshots=false).

runZero scanner commands and options

The runZero Scanner supports a wide range of options, including the ability to limit scans to specific ports, probes, and SNMP communities. The --help output provides basic documentation on the available options.

Commands

censys
Import Censys data files
completion
Generate the autocompletion script for the specified shell
help
Help about any command
license
Display license information
upgrade
Upgrade to the latest version of the runZero Scanner
verify
Perform an internal signature verification
version
Print the version number of runZero

Flags

--api-key string
Specify the runZero API key
--api-no-verify
Disable TLS verification for API communication
--api-url string
Specify the runZero API server hostname (default “https://console.runzero.com/api/v1.0")
--arp-fast
Enables fast mode by ARP scanning at the scan rate vs host rate
--aws-instances-access-key string
The access key for the AWS account
--aws-instances-assume-role-name string
The role to assume for all accounts in the organization for cross-account access
--aws-instances-delete-stale
Automatically delete stale AWS assets
--aws-instances-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--aws-instances-include-stopped
Include assets that are not currently running
--aws-instances-regions string
The comma-separated list of regions for the AWS account
--aws-instances-secret-access-key string
The secret access key for the AWS account
--aws-instances-service-options string
The comma-separated list of services to sync data from (defaults,ec2,elb,elbv2,rds,lambda) (default “defaults”)
--aws-instances-site-per-account
Automatically create a new site per account
--aws-instances-site-per-vpc
Automatically create a new site per VPC
--aws-instances-token string
The session token for the AWS account
--azure-client-id string
The application ID (client ID) for the Azure account
--azure-client-secret string
The client secret for the Azure account
--azure-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--azure-multi-subscription
Access all subscriptions in the directory (tenant) for the Azure account
--azure-password string
The password for the Azure account
--azure-service-options string
The comma-separated list of services to sync data from (defaults,vm,vmss,azsql,cosmos,lb,functionapp) (default “defaults”)
--azure-site-per-subscription
Automatically create a new site per subscription
--azure-subscription-id string
The subscription ID for the Azure account
--azure-tenant-id string
The directory ID (tenant ID) for the Azure account
--azure-username string
The username for the Azure account
--azuread-client-id string
The application ID (client ID) for the Azure account
--azuread-client-secret string
The client secret for the Azure account
--azuread-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--azuread-include-inactive
Include assets that are marked as inactive in the AzureAD account
--azuread-password string
The password for the AzureAD account
--azuread-service-options string
The comma-separated list of services to sync data from (defaults,dev,user,group) (default “defaults”)
--azuread-tenant-id string
The directory ID (tenant ID) for the Azure account
--azuread-username string
The username for the AzureAD account
--bacnet-ports string
The destination ports for BACnet probes (default “46808,47808,48808”)
-b, --baseline string
Use the specified file as an asset baseline for tracking
--bedrock-ports string
The destination ports for Bedrock probes (default “19132”)
--censys-api-url string
The API endpoint to use for Censys Search (default “https://search.censys.io”)
--censys-client-id string
The Client ID to use for Censys Search authentication
--censys-client-secret string
The Client Secret to use for Censys Search authentication
--censys-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--censys-mode string
The search mode (assets or query). The assets option queries the scan targets (default “assets”)
--censys-query string
The search string to use in query mode
--coap-port uint
The destination port for CoAP probes (default 5683)
--cpu string
Write a cpu profile after the scan completes
--crestron-port uint
The destination port for Crestron probes (default 41794)
--crowdstrike-api-url string
The URL used for the CrowdStrike account’s API access
--crowdstrike-client-id string
The client ID for the CrowdStrike account
--crowdstrike-client-secret string
The client secret for the CrowdStrike account
--crowdstrike-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--crowdstrike-filter string
An optional Falcon Query Language (FQL) filter for imported assets
--crowdstrike-fingerprint-only
Import vulnerabilites for fingerprinting purposes only
--crowdstrike-risks string
Minimum risk of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”)
--crowdstrike-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”)
--dahua-dhip-ports string
The destination ports for Dahua DHIP discovery probes (default “37810”)
--defender365-client-id string
The application ID (client ID) for the Azure account
--defender365-client-secret string
The client secret for the Azure account
--defender365-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--defender365-include-inactive
Include assets that have stopped reporting to the Microsoft 365 Defender service
--defender365-tenant-id string
The directory ID (tenant ID) for the Azure account
--disabled-probes string
Specifically exclude these probes, comma-delimited
--dnp3-address-probe-timeout int
Time limit (in seconds) for DNP address discovery. (default 30)
--dnp3-banner-address-discovery string
One of ‘require’, ‘prefer’, or ‘ignore’. (default “ignore”)
--dnp3-destination-address-discovery-range string
A numeric range of addresses to attempt to discover. (default “0-32”)
--dnp3-explorer-address int
Source DNP3 address for the explorer. (default -1)
--dns-disable-google-myaddr
Disables resolution of upstream DNS via Google myaddr service
--dns-disable-meraki-detection
Disables detection of Meraki DNS interception
--dns-port uint
The destination port for DNS probes (default 53)
--dns-resolve-name string
The target hostname for DNS queries (‘off’ to disable) (default “www.google.com”)
--dns-trace-domain string
The subdomain to use for trace requests (‘off’ to disable) (default “helper.rumble.network”)
--dtls-ports string
The destination ports for DTLS probes (default “443,3391,4433,5246,5349,5684”)
--echo-report-errors
Report errors from intermediate in-scope hosts
--ethernetip-udp-ports string
The destination ports for EtherNet/IP UDP probes (default “44818”)
--ethernetip-use-tagged-context string
Set this to true to use a runZero-specific sender context for debugging. (default “false”)
--exclude string
Specify scan exclusions
--excludefile string
Read exclusions from an input file
--filter-base64
Filter base64-encoded fields
-f, --fingerprints string
Use the specified directory as an alternate fingerprint database
--fingerprints-debug
Enable debug output for the fingerprint processor
--fins-port uint
The destination port for FINS probes (default 9600)
--gcp-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--gcp-key-path string
Path to GCP service account key file
--gcp-service-options string
The comma-separated list of services to sync data from (defaults,vm,lb,cloudsql) (default “defaults”)
--gcp-site-per-project
Automatically create a new site per project
--genudp-payload-base64 string
The generic udp payload as base64
--genudp-payload-hex string
The generic udp payload as hexadecimal
--genudp-payload-text string
The generic udp payload as plain text
--genudp-ports string
The destination ports for the generic udp probe
--googleworkspace-client-email string
The email address of the service account
--googleworkspace-client-id string
The ID of the service account
--googleworkspace-customer-id string
An optional customer ID for multi-tenant environments (default “my_customer”)
--googleworkspace-delegate string
The email address of an admin account with directory access
--googleworkspace-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--googleworkspace-private-key string
The PEM encoded private key
--googleworkspace-private-key-id string
The ID of the private key
--googleworkspace-project-id string
The project ID of the service account
--googleworkspace-service-options string
The comma-separated list of services to sync data from (defaults,chromeos,mobile,endpoint,user,group) (default “defaults”)
--goroutines string
Write a goroutine dump after the scan completes
--heap string
Write a heap profile after the scan completes
-h, --help
help for runZero
--hiddiscoveryd-port uint
The destination port for HID discoveryd probes (default 4070)
--host-ping
Only scan hosts that respond to a ping scan using the host-ping settings
--host-ping-arp-fast
Enables fast mode by ARP scanning at the scan rate vs host rate (host ping)
--host-ping-aws-instances-access-key string
The access key for the AWS account (host ping)
--host-ping-aws-instances-assume-role-name string
The role to assume for all accounts in the organization for cross-account access (host ping)
--host-ping-aws-instances-delete-stale
Automatically delete stale AWS assets (host ping)
--host-ping-aws-instances-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-aws-instances-include-stopped
Include assets that are not currently running (host ping)
--host-ping-aws-instances-regions string
The comma-separated list of regions for the AWS account (host ping)
--host-ping-aws-instances-secret-access-key string
The secret access key for the AWS account (host ping)
--host-ping-aws-instances-service-options string
The comma-separated list of services to sync data from (defaults,ec2,elb,elbv2,rds,lambda) (host ping) (default “defaults”)
--host-ping-aws-instances-site-per-account
Automatically create a new site per account (host ping)
--host-ping-aws-instances-site-per-vpc
Automatically create a new site per VPC (host ping)
--host-ping-aws-instances-token string
The session token for the AWS account (host ping)
--host-ping-azure-client-id string
The application ID (client ID) for the Azure account (host ping)
--host-ping-azure-client-secret string
The client secret for the Azure account (host ping)
--host-ping-azure-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-azure-multi-subscription
Access all subscriptions in the directory (tenant) for the Azure account (host ping)
--host-ping-azure-password string
The password for the Azure account (host ping)
--host-ping-azure-service-options string
The comma-separated list of services to sync data from (defaults,vm,vmss,azsql,cosmos,lb,functionapp) (host ping) (default “defaults”)
--host-ping-azure-site-per-subscription
Automatically create a new site per subscription (host ping)
--host-ping-azure-subscription-id string
The subscription ID for the Azure account (host ping)
--host-ping-azure-tenant-id string
The directory ID (tenant ID) for the Azure account (host ping)
--host-ping-azure-username string
The username for the Azure account (host ping)
--host-ping-azuread-client-id string
The application ID (client ID) for the Azure account (host ping)
--host-ping-azuread-client-secret string
The client secret for the Azure account (host ping)
--host-ping-azuread-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-azuread-include-inactive
Include assets that are marked as inactive in the AzureAD account (host ping)
--host-ping-azuread-password string
The password for the AzureAD account (host ping)
--host-ping-azuread-service-options string
The comma-separated list of services to sync data from (defaults,dev,user,group) (host ping) (default “defaults”)
--host-ping-azuread-tenant-id string
The directory ID (tenant ID) for the Azure account (host ping)
--host-ping-azuread-username string
The username for the AzureAD account (host ping)
--host-ping-bacnet-ports string
The destination ports for BACnet probes (host ping) (default “46808,47808,48808”)
--host-ping-bedrock-ports string
The destination ports for Bedrock probes (host ping) (default “19132”)
--host-ping-censys-api-url string
The API endpoint to use for Censys Search (host ping) (default “https://search.censys.io”)
--host-ping-censys-client-id string
The Client ID to use for Censys Search authentication (host ping)
--host-ping-censys-client-secret string
The Client Secret to use for Censys Search authentication (host ping)
--host-ping-censys-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-censys-mode string
The search mode (assets or query). The assets option queries the scan targets (host ping) (default “assets”)
--host-ping-censys-query string
The search string to use in query mode (host ping)
--host-ping-coap-port uint
The destination port for CoAP probes (host ping) (default 5683)
--host-ping-crestron-port uint
The destination port for Crestron probes (host ping) (default 41794)
--host-ping-crowdstrike-api-url string
The URL used for the CrowdStrike account’s API access (host ping)
--host-ping-crowdstrike-client-id string
The client ID for the CrowdStrike account (host ping)
--host-ping-crowdstrike-client-secret string
The client secret for the CrowdStrike account (host ping)
--host-ping-crowdstrike-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-crowdstrike-filter string
An optional Falcon Query Language (FQL) filter for imported assets (host ping)
--host-ping-crowdstrike-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (host ping)
--host-ping-crowdstrike-risks string
Minimum risk of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”)
--host-ping-crowdstrike-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”)
--host-ping-dahua-dhip-ports string
The destination ports for Dahua DHIP discovery probes (host ping) (default “37810”)
--host-ping-defender365-client-id string
The application ID (client ID) for the Azure account (host ping)
--host-ping-defender365-client-secret string
The client secret for the Azure account (host ping)
--host-ping-defender365-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-defender365-include-inactive
Include assets that have stopped reporting to the Microsoft 365 Defender service (host ping)
--host-ping-defender365-tenant-id string
The directory ID (tenant ID) for the Azure account (host ping)
--host-ping-dnp3-address-probe-timeout int
Time limit (in seconds) for DNP address discovery. (host ping) (default 30)
--host-ping-dnp3-banner-address-discovery string
One of ‘require’, ‘prefer’, or ‘ignore’. (host ping) (default “ignore”)
--host-ping-dnp3-destination-address-discovery-range string
A numeric range of addresses to attempt to discover. (host ping) (default “0-32”)
--host-ping-dnp3-explorer-address int
Source DNP3 address for the explorer. (host ping) (default -1)
--host-ping-dns-disable-google-myaddr
Disables resolution of upstream DNS via Google myaddr service (host ping)
--host-ping-dns-disable-meraki-detection
Disables detection of Meraki DNS interception (host ping)
--host-ping-dns-port uint
The destination port for DNS probes (host ping) (default 53)
--host-ping-dns-resolve-name string
The target hostname for DNS queries (‘off’ to disable) (host ping) (default “www.google.com”)
--host-ping-dns-trace-domain string
The subdomain to use for trace requests (‘off’ to disable) (host ping) (default “helper.rumble.network”)
--host-ping-dtls-ports string
The destination ports for DTLS probes (host ping) (default “443,3391,4433,5246,5349,5684”)
--host-ping-echo-report-errors
Report errors from intermediate in-scope hosts (host ping)
--host-ping-ethernetip-udp-ports string
The destination ports for EtherNet/IP UDP probes (host ping) (default “44818”)
--host-ping-ethernetip-use-tagged-context string
Set this to true to use a runZero-specific sender context for debugging. (host ping) (default “false”)
--host-ping-fins-port uint
The destination port for FINS probes (host ping) (default 9600)
--host-ping-gcp-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-gcp-service-options string
The comma-separated list of services to sync data from (defaults,vm,lb,cloudsql) (host ping) (default “defaults”)
--host-ping-gcp-site-per-project
Automatically create a new site per project (host ping)
--host-ping-genudp-payload-base64 string
The generic udp payload as base64 (host ping)
--host-ping-genudp-payload-hex string
The generic udp payload as hexadecimal (host ping)
--host-ping-genudp-payload-text string
The generic udp payload as plain text (host ping)
--host-ping-genudp-ports string
The destination ports for the generic udp probe (host ping)
--host-ping-googleworkspace-client-email string
The email address of the service account (host ping)
--host-ping-googleworkspace-client-id string
The ID of the service account (host ping)
--host-ping-googleworkspace-customer-id string
An optional customer ID for multi-tenant environments (host ping) (default “my_customer”)
--host-ping-googleworkspace-delegate string
The email address of an admin account with directory access (host ping)
--host-ping-googleworkspace-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-googleworkspace-private-key string
The PEM encoded private key (host ping)
--host-ping-googleworkspace-private-key-id string
The ID of the private key (host ping)
--host-ping-googleworkspace-project-id string
The project ID of the service account (host ping)
--host-ping-googleworkspace-service-options string
The comma-separated list of services to sync data from (defaults,chromeos,mobile,endpoint,user,group) (host ping) (default “defaults”)
--host-ping-hiddiscoveryd-port uint
The destination port for HID discoveryd probes (host ping) (default 4070)
--host-ping-igel-discovery-ports string
The destination ports for IGEL discovery probes (host ping) (default “30005”)
--host-ping-ike-port uint
The destination port for IKE probes (host ping) (default 500)
--host-ping-insightvm-api-url string
The URL used for the InsightVM account’s API access (host ping)
--host-ping-insightvm-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-insightvm-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (host ping)
--host-ping-insightvm-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) (default true)
--host-ping-insightvm-password string
The password for the InsightVM account (host ping)
--host-ping-insightvm-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”)
--host-ping-insightvm-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”)
--host-ping-insightvm-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping)
--host-ping-insightvm-username string
The username for the InsightVM account (host ping)
--host-ping-intune-client-id string
The application ID (client ID) for the Azure account (host ping)
--host-ping-intune-client-secret string
The client secret for the Azure account (host ping)
--host-ping-intune-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-intune-password string
The password for the Intune account (host ping)
--host-ping-intune-tenant-id string
The directory ID (tenant ID) for the Azure account (host ping)
--host-ping-intune-username string
The username for the Intune account (host ping)
--host-ping-ipmi-port uint
The destination port for IPMI probes (host ping) (default 623)
--host-ping-kerberos-port uint
The destination port for kerberos probes (host ping) (default 88)
--host-ping-knxnet-ports string
The destination ports for knxnet probes (host ping) (default “3671”)
--host-ping-l2t-port uint
The destination port for L2T probes (host ping) (default 2228)
--host-ping-l2tp-ports string
The destination ports for L2TP probes (host ping) (default “1701”)
--host-ping-lantronix-port uint
The destination port for Lantronix probes (host ping) (default 30718)
--host-ping-layer2-add-targets
Set this false to skip scanning discovered targets (host ping) (default true)
--host-ping-layer2-force
Set this to true to force discovery even without local targets (host ping)
--host-ping-layer2-max-retries uint
The desired number of retries (host ping) (default 3)
--host-ping-layer2-tcp-ports string
The TCP ports to ping for local device discovery (host ping) (default “22,80,135,179,443,3389,5040,7547,62078”)
--host-ping-layer2-udp-trace-port uint
The UDP port number to use for UDP trace requests (host ping) (default 9)
--host-ping-ldap-base-dn string
The base DN used for LDAP searches (host ping)
--host-ping-ldap-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-ldap-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping)
--host-ping-ldap-legacy-tls
Set this to true to authenticate over legacy TLS versions (< 1.2) (host ping)
--host-ping-ldap-password string
The password for the LDAP account (host ping)
--host-ping-ldap-service-options string
The comma-separated list of services to sync data from (defaults,computer,user,group) (host ping) (default “defaults”)
--host-ping-ldap-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping)
--host-ping-ldap-url string
The URL used for the LDAP server (host ping)
--host-ping-ldap-username string
The username for the LDAP account (host ping)
--host-ping-max-attempts int
Set the maximum number of attempts for each probe (default 2)
--host-ping-max-ttl int
Set the default TTL on host-ping probe packets (default 255)
--host-ping-mdns-port uint
The destination port for MDNS probes (host ping) (default 5353)
--host-ping-memcache-port uint
The destination port for memcached probes (host ping) (default 11211)
--host-ping-miradore-api-key string
The API key for the Miradore account (host ping)
--host-ping-miradore-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-miradore-hostname string
The Miradore web console hostname (url) (host ping)
--host-ping-modbus-identification-level string
Identification level, one of ‘basic’, ‘regular’, or ’extended’. (host ping) (default “regular”)
--host-ping-mssql-port uint
The destination port for MSSQL probes (host ping) (default 1434)
--host-ping-natpmp-port uint
The destination port for NATPMP probes (host ping) (default 5351)
--host-ping-nessus-access-key string
The access key for the Nessus Professional account (host ping)
--host-ping-nessus-api-url string
The URL used for the Nessus Professional account’s API access (host ping)
--host-ping-nessus-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-nessus-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (host ping)
--host-ping-nessus-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) (default true)
--host-ping-nessus-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”)
--host-ping-nessus-secret-key string
The secret key for the Nessus Professional account (host ping)
--host-ping-nessus-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”)
--host-ping-nessus-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping)
--host-ping-netbios-port uint
The destination port for NetBIOS Name Service probes (host ping) (default 137)
--host-ping-ntp-port uint
The destination port for NTP probes (host ping) (default 123)
--host-ping-openvpn-ports string
The destination ports for OpenVPN probes (host ping) (default “1194”)
--host-ping-passes int
Set the number of passes for the host-ping phase (default 1)
--host-ping-pca-port uint
The destination port for PCAnywhere probes (host ping) (default 5632)
--host-ping-probes string
Launch a subset of the probes for the host-ping, comma-delimited (default “arp,echo,syn,connect,netbios,snmp,ntp,sunrpc,ike,openvpn,mdns”)
--host-ping-psdisco-ports string
The destination ports for playstation discovery probes (host ping) (default “987,9302”)
--host-ping-qualys-api-url string
The URL used for the Qualys account’s API access (host ping)
--host-ping-qualys-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-qualys-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (host ping)
--host-ping-qualys-include-unscanned
Include assets that have not been assessed for vulnerabilities (host ping)
--host-ping-qualys-password string
The password for the Qualys account (host ping)
--host-ping-qualys-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”)
--host-ping-qualys-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”)
--host-ping-qualys-username string
The username for the Qualys account (host ping)
--host-ping-rdns-max-concurrent int
The maximum number of concurrent DNS lookups (host ping) (default 64)
--host-ping-rdns-timeout uint
The DNS PTR lookup timeout in seconds (host ping) (default 3)
--host-ping-rpcbind-port uint
The destination port for RPCBind probes (host ping) (default 111)
--host-ping-rpcbind-port-nfs uint
The destination port for NFS probes (host ping) (default 2049)
--host-ping-s7comm-request-extended-information
If true, request extended device information. (host ping)
--host-ping-sample-duration string
Specify the duration in seconds to sample network traffic (or ‘0’ for non-stop) (host ping) (default “300”)
--host-ping-sample-excludes string
Specify host exclusions (host ping)
--host-ping-sample-interfaces string
Specify a comma-separated list of network interfaces (or ‘all’ for everything) (host ping)
--host-ping-sample-targets string
Specify the discovery scope (host ping) (default “10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16”)
--host-ping-sentinelone-api-url string
The URL used for the SentinelOne account’s API access (host ping)
--host-ping-sentinelone-client-id string
The client ID for the SentinelOne account (host ping)
--host-ping-sentinelone-client-secret string
The client secret for the SentinelOne account (host ping)
--host-ping-sentinelone-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-shodan-api-key string
The key used for the Shodan account’s API access (host ping)
--host-ping-shodan-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-shodan-mode string
The search mode (assets or query). The assets option queries the scan targets (host ping) (default “assets”)
--host-ping-shodan-query string
The search string to use in query mode (host ping)
--host-ping-sip-port uint
The destination port for SIP probes (host ping) (default 5060)
--host-ping-snmp-comms string
The comma-separated list of SNMP v1/v2c communities (host ping) (default “public,private”)
--host-ping-snmp-disable-bulk
If true, do not use bulk walking operations (host ping)
--host-ping-snmp-max-repetitions uint
The maximum number of repetitions in a bulk walk operation (host ping) (default 16)
--host-ping-snmp-max-retries int
The maximum number of retries for an SNMP operation (host ping) (default 1)
--host-ping-snmp-poll-interval uint
The minimum number of seconds between polling each host after initial discovery (host ping) (default 300)
--host-ping-snmp-port uint
The destination port for SNMP probes (host ping) (default 161)
--host-ping-snmp-timeout uint
The maximum number of seconds for each individual SNMP operation (host ping) (default 5)
--host-ping-snmp-v3-auth-passphrase string
The authentication passphrase (host ping)
--host-ping-snmp-v3-auth-protocol string
The authentication protocol (none, md5, sha, sha224, sha256, sha384, sha512) (host ping) (default “none”)
--host-ping-snmp-v3-context string
The optional SNMP v3 context to supply (host ping)
--host-ping-snmp-v3-privacy-passphrase string
The privacy passphrase (host ping)
--host-ping-snmp-v3-privacy-protocol string
The privacy protocol (none, des, aes, aes192, aes256, aes192c, aes256c) (host ping) (default “none”)
--host-ping-snmp-v3-username string
The username to use for SNMP v3 authentication (host ping)
--host-ping-snmp-walk-timeout uint
The maximum number of seconds for each SNMP walk operation (host ping) (default 60)
--host-ping-ssdp-port uint
The destination port for UPnP/SSDP probes (host ping) (default 1900)
--host-ping-ssh-fingerprint
Enable fingerprinting using partial authentication (host ping) (default true)
--host-ping-ssh-fingerprint-username string
The username to use for partial authentication SSH fingerprinting (host ping) (default “STATUS”)
--host-ping-steam-ports string
The destination ports for Steam discovery probes (host ping) (default “27036”)
--host-ping-syn-disable-bogus-filter
Disable bogus service detection and filtering (host ping)
--host-ping-syn-forwarding-check
Perform an IP forwarding check as part of the scan (host ping) (default true)
--host-ping-syn-forwarding-check-target string
An external IPv4 address for the forwarding check (default:runzero) (host ping) (default “13.248.161.247”)
--host-ping-syn-max-retries uint
The maximum number of retries trace and SYN requests (host ping) (default 2)
--host-ping-syn-report-resets
Set this to true to report RST responses (host ping) (default true)
--host-ping-syn-reset-sessions
Reset middle-box/firewall sessions automatically (host ping) (default true)
--host-ping-syn-reset-sessions-delay uint
Minimum delay in milliseconds between a SYN and a session reset (host ping)
--host-ping-syn-reset-sessions-limit uint
Maximum number of in-flight sessions before forcing session resets (host ping) (default 50)
--host-ping-syn-traceroute
Perform a multi-protocol traceroute as part of the scan (host ping) (default true)
--host-ping-syn-udp-trace-port uint
The UDP port number to use for UDP trace requests (host ping) (default 9)
--host-ping-tcp-ports string
The list of TCP ports to host-ping using the syn and connect probes (default “22,80,135,179,443,3389,5040,7547,62078”)
--host-ping-tenable-access-key string
The access key for the Tenable.io account (host ping)
--host-ping-tenable-api-url string
The URL used for the Tenable.io account’s API access (host ping)
--host-ping-tenable-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-tenable-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (host ping)
--host-ping-tenable-include-unscanned
Include assets that have not been assessed for vulnerabilities (host ping)
--host-ping-tenable-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”)
--host-ping-tenable-secret-key string
The secret key for the Tenable.io account (host ping)
--host-ping-tenable-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”)
--host-ping-tenablesecuritycenter-access-key string
The access key for the Tenable Security Center account (host ping)
--host-ping-tenablesecuritycenter-api-url string
The URL used for the Tenable Security Center account’s API access (host ping)
--host-ping-tenablesecuritycenter-batch-size string
The number of records to request at a time. (between 2000 and 10000) (host ping) (default “2000”)
--host-ping-tenablesecuritycenter-exclude-unknown
Exclude assets that cannot be merged into an existing asset (host ping)
--host-ping-tenablesecuritycenter-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (host ping)
--host-ping-tenablesecuritycenter-insecure string
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping)
--host-ping-tenablesecuritycenter-query-id string
The ID of an existing vulnerability query in the Tenable Security Center account (host ping)
--host-ping-tenablesecuritycenter-query-mode string
Set to ‘filters’ to provide ‘severities’ and ‘risks’ values to import. Set to ‘query-id’ to provide a value for ‘query-id’. (host ping) (default “filters”)
--host-ping-tenablesecuritycenter-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”)
--host-ping-tenablesecuritycenter-secret-key string
The secret key for the Tenable Security Center account (host ping)
--host-ping-tenablesecuritycenter-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”)
--host-ping-tenablesecuritycenter-sync-since string
Specify an initial date to sync data from. (host ping)
--host-ping-tenablesecuritycenter-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping)
--host-ping-tftp-ports string
The destination ports for TFTP probes (host ping) (default “69”)
--host-ping-tos int
Set the default ToS on host-ping probe packets
--host-ping-ubnt-port uint
The destination port for Ubiquiti probes (host ping) (default 10001)
--host-ping-verbose
Display verbose output for the host-ping
--host-ping-very-verbose
Display very verbose output for the host-ping
--host-ping-vmware-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) (default true)
--host-ping-vmware-password string
The password to use for VMware SDK authentication (read-only) (host ping)
--host-ping-vmware-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping)
--host-ping-vmware-username string
The username to use for VMware SDK authentication (read-only) (host ping)
--host-ping-webmin-ports string
The destination ports for webmin probes (host ping) (default “10000”)
--host-ping-wlan-list-poll-interval uint
The minimum number of seconds between polls of the access point list (host ping) (default 300)
--host-ping-wsd-port uint
The destination port for WSD probes (host ping) (default 3702)
--igel-discovery-ports string
The destination ports for IGEL discovery probes (default “30005”)
--ike-port uint
The destination port for IKE probes (default 500)
-I, --import stringArray
Import existing scan data from the specified input files (‘scan.rumble’ format)
--import-pcap stringArray
Import pcap packet capture from the specified input files (’.pcap’ or ‘.pcapng’ format)
-i, --input-targets string
Read scan targets from the specified input file
--insightvm-api-url string
The URL used for the InsightVM account’s API access
--insightvm-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--insightvm-fingerprint-only
Import vulnerabilites for fingerprinting purposes only
--insightvm-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true)
--insightvm-password string
The password for the InsightVM account
--insightvm-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”)
--insightvm-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”)
--insightvm-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication
--insightvm-username string
The username for the InsightVM account
--intune-client-id string
The application ID (client ID) for the Azure account
--intune-client-secret string
The client secret for the Azure account
--intune-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--intune-password string
The password for the Intune account
--intune-tenant-id string
The directory ID (tenant ID) for the Azure account
--intune-username string
The username for the Intune account
--ipmi-port uint
The destination port for IPMI probes (default 623)
--kerberos-port uint
The destination port for kerberos probes (default 88)
--knxnet-ports string
The destination ports for knxnet probes (default “3671”)
--l2t-port uint
The destination port for L2T probes (default 2228)
--l2tp-ports string
The destination ports for L2TP probes (default “1701”)
--lantronix-port uint
The destination port for Lantronix probes (default 30718)
--layer2-add-targets
Set this false to skip scanning discovered targets (default true)
--layer2-force
Set this to true to force discovery even without local targets
--layer2-max-retries uint
The desired number of retries (default 3)
--layer2-tcp-ports string
The TCP ports to ping for local device discovery (default “22,80,135,179,443,3389,5040,7547,62078”)
--layer2-udp-trace-port uint
The UDP port number to use for UDP trace requests (default 9)
--ldap-base-dn string
The base DN used for LDAP searches
--ldap-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--ldap-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN)
--ldap-legacy-tls
Set this to true to authenticate over legacy TLS versions (< 1.2)
--ldap-password string
The password for the LDAP account
--ldap-service-options string
The comma-separated list of services to sync data from (defaults,computer,user,group) (default “defaults”)
--ldap-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication
--ldap-url string
The URL used for the LDAP server
--ldap-username string
The username for the LDAP account
--max-attempts int
Set the maximum number of attempts for each probe (default 3)
-G, --max-group-size int
Set the maximum number of targets to process in each group (default 4096)
-R, --max-host-rate int
Set the maximum packet rate per target (including ARP broadcast) (default 40)
--max-sockets int
Set the maximum number of concurrent sockets (default 2048)
--max-ttl int
Set the default TTL on probe packets (default 255)
--mdns-port uint
The destination port for MDNS probes (default 5353)
--memcache-port uint
The destination port for memcached probes (default 11211)
--miradore-api-key string
The API key for the Miradore account
--miradore-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--miradore-hostname string
The Miradore web console hostname (url)
--modbus-identification-level string
Identification level, one of ‘basic’, ‘regular’, or ’extended’. (default “regular”)
--mssql-port uint
The destination port for MSSQL probes (default 1434)
--nameservers string
One or more nameservers to use for DNS resolution
--natpmp-port uint
The destination port for NATPMP probes (default 5351)
--nessus-access-key string
The access key for the Nessus Professional account
--nessus-api-url string
The URL used for the Nessus Professional account’s API access
--nessus-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--nessus-fingerprint-only
Import vulnerabilites for fingerprinting purposes only
--nessus-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true)
--nessus-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”)
--nessus-secret-key string
The secret key for the Nessus Professional account
--nessus-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”)
--nessus-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication
--netbios-port uint
The destination port for NetBIOS Name Service probes (default 137)
--nowait
Exit the user interface immediately upon completion
--ntp-port uint
The destination port for NTP probes (default 123)
--openvpn-ports string
The destination ports for OpenVPN probes (default “1194”)
-o, --output string
Output directory for scan results and analysis (‘disable’ to skip)
--output-raw string
Set the raw output file for scan data
--overwrite
Overwrite and replace the output directory if it already exists
--passes int
Set the number of passes for each probe (default 1)
--pca-port uint
The destination port for PCAnywhere probes (default 5632)
--probes string
Launch a subset of the probes, comma-delimited (default “defaults”)
--psdisco-ports string
The destination ports for playstation discovery probes (default “987,9302”)
--qualys-api-url string
The URL used for the Qualys account’s API access
--qualys-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--qualys-fingerprint-only
Import vulnerabilites for fingerprinting purposes only
--qualys-include-unscanned
Include assets that have not been assessed for vulnerabilities
--qualys-password string
The password for the Qualys account
--qualys-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”)
--qualys-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”)
--qualys-username string
The username for the Qualys account
-r, --rate int
Set the maximum packet rate for the overall scan (default 1000)
--rdns-max-concurrent int
The maximum number of concurrent DNS lookups (default 64)
--rdns-timeout uint
The DNS PTR lookup timeout in seconds (default 3)
--rpcbind-port uint
The destination port for RPCBind probes (default 111)
--rpcbind-port-nfs uint
The destination port for NFS probes (default 2049)
--s7comm-request-extended-information
If true, request extended device information.
--sample-duration string
Specify the duration in seconds to sample network traffic (or ‘0’ for non-stop) (default “300”)
--sample-excludes string
Specify host exclusions
--sample-interfaces string
Specify a comma-separated list of network interfaces (or ‘all’ for everything)
--sample-targets string
Specify the discovery scope (default “10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16”)
-S, --screenshots
Capture screenshots from scan target web services (default true)
--sentinelone-api-url string
The URL used for the SentinelOne account’s API access
--sentinelone-client-id string
The client ID for the SentinelOne account
--sentinelone-client-secret string
The client secret for the SentinelOne account
--sentinelone-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--shodan-api-key string
The key used for the Shodan account’s API access
--shodan-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--shodan-mode string
The search mode (assets or query). The assets option queries the scan targets (default “assets”)
--shodan-query string
The search string to use in query mode
--sip-port uint
The destination port for SIP probes (default 5060)
--snmp-comms string
The comma-separated list of SNMP v1/v2c communities (default “public,private”)
--snmp-disable-bulk
If true, do not use bulk walking operations
--snmp-max-repetitions uint
The maximum number of repetitions in a bulk walk operation (default 16)
--snmp-max-retries int
The maximum number of retries for an SNMP operation (default 1)
--snmp-poll-interval uint
The minimum number of seconds between polling each host after initial discovery (default 300)
--snmp-port uint
The destination port for SNMP probes (default 161)
--snmp-timeout uint
The maximum number of seconds for each individual SNMP operation (default 5)
--snmp-v3-auth-passphrase string
The authentication passphrase
--snmp-v3-auth-protocol string
The authentication protocol (none, md5, sha, sha224, sha256, sha384, sha512) (default “none”)
--snmp-v3-context string
The optional SNMP v3 context to supply
--snmp-v3-privacy-passphrase string
The privacy passphrase
--snmp-v3-privacy-protocol string
The privacy protocol (none, des, aes, aes192, aes256, aes192c, aes256c) (default “none”)
--snmp-v3-username string
The username to use for SNMP v3 authentication
--snmp-walk-timeout uint
The maximum number of seconds for each SNMP walk operation (default 60)
--ssdp-port uint
The destination port for UPnP/SSDP probes (default 1900)
--ssh-fingerprint
Enable fingerprinting using partial authentication (default true)
--ssh-fingerprint-username string
The username to use for partial authentication SSH fingerprinting (default “STATUS”)
--steam-ports string
The destination ports for Steam discovery probes (default “27036”)
--subnet-ping
Only scan subnets that have at least one active response using the subnet-ping settings
--subnet-ping-arp-fast
Enables fast mode by ARP scanning at the scan rate vs host rate (subnet ping)
--subnet-ping-aws-instances-access-key string
The access key for the AWS account (subnet ping)
--subnet-ping-aws-instances-assume-role-name string
The role to assume for all accounts in the organization for cross-account access (subnet ping)
--subnet-ping-aws-instances-delete-stale
Automatically delete stale AWS assets (subnet ping)
--subnet-ping-aws-instances-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-aws-instances-include-stopped
Include assets that are not currently running (subnet ping)
--subnet-ping-aws-instances-regions string
The comma-separated list of regions for the AWS account (subnet ping)
--subnet-ping-aws-instances-secret-access-key string
The secret access key for the AWS account (subnet ping)
--subnet-ping-aws-instances-service-options string
The comma-separated list of services to sync data from (defaults,ec2,elb,elbv2,rds,lambda) (subnet ping) (default “defaults”)
--subnet-ping-aws-instances-site-per-account
Automatically create a new site per account (subnet ping)
--subnet-ping-aws-instances-site-per-vpc
Automatically create a new site per VPC (subnet ping)
--subnet-ping-aws-instances-token string
The session token for the AWS account (subnet ping)
--subnet-ping-azure-client-id string
The application ID (client ID) for the Azure account (subnet ping)
--subnet-ping-azure-client-secret string
The client secret for the Azure account (subnet ping)
--subnet-ping-azure-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-azure-multi-subscription
Access all subscriptions in the directory (tenant) for the Azure account (subnet ping)
--subnet-ping-azure-password string
The password for the Azure account (subnet ping)
--subnet-ping-azure-service-options string
The comma-separated list of services to sync data from (defaults,vm,vmss,azsql,cosmos,lb,functionapp) (subnet ping) (default “defaults”)
--subnet-ping-azure-site-per-subscription
Automatically create a new site per subscription (subnet ping)
--subnet-ping-azure-subscription-id string
The subscription ID for the Azure account (subnet ping)
--subnet-ping-azure-tenant-id string
The directory ID (tenant ID) for the Azure account (subnet ping)
--subnet-ping-azure-username string
The username for the Azure account (subnet ping)
--subnet-ping-azuread-client-id string
The application ID (client ID) for the Azure account (subnet ping)
--subnet-ping-azuread-client-secret string
The client secret for the Azure account (subnet ping)
--subnet-ping-azuread-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-azuread-include-inactive
Include assets that are marked as inactive in the AzureAD account (subnet ping)
--subnet-ping-azuread-password string
The password for the AzureAD account (subnet ping)
--subnet-ping-azuread-service-options string
The comma-separated list of services to sync data from (defaults,dev,user,group) (subnet ping) (default “defaults”)
--subnet-ping-azuread-tenant-id string
The directory ID (tenant ID) for the Azure account (subnet ping)
--subnet-ping-azuread-username string
The username for the AzureAD account (subnet ping)
--subnet-ping-bacnet-ports string
The destination ports for BACnet probes (subnet ping) (default “46808,47808,48808”)
--subnet-ping-bedrock-ports string
The destination ports for Bedrock probes (subnet ping) (default “19132”)
--subnet-ping-censys-api-url string
The API endpoint to use for Censys Search (subnet ping) (default “https://search.censys.io”)
--subnet-ping-censys-client-id string
The Client ID to use for Censys Search authentication (subnet ping)
--subnet-ping-censys-client-secret string
The Client Secret to use for Censys Search authentication (subnet ping)
--subnet-ping-censys-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-censys-mode string
The search mode (assets or query). The assets option queries the scan targets (subnet ping) (default “assets”)
--subnet-ping-censys-query string
The search string to use in query mode (subnet ping)
--subnet-ping-coap-port uint
The destination port for CoAP probes (subnet ping) (default 5683)
--subnet-ping-crestron-port uint
The destination port for Crestron probes (subnet ping) (default 41794)
--subnet-ping-crowdstrike-api-url string
The URL used for the CrowdStrike account’s API access (subnet ping)
--subnet-ping-crowdstrike-client-id string
The client ID for the CrowdStrike account (subnet ping)
--subnet-ping-crowdstrike-client-secret string
The client secret for the CrowdStrike account (subnet ping)
--subnet-ping-crowdstrike-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-crowdstrike-filter string
An optional Falcon Query Language (FQL) filter for imported assets (subnet ping)
--subnet-ping-crowdstrike-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (subnet ping)
--subnet-ping-crowdstrike-risks string
Minimum risk of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”)
--subnet-ping-crowdstrike-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”)
--subnet-ping-dahua-dhip-ports string
The destination ports for Dahua DHIP discovery probes (subnet ping) (default “37810”)
--subnet-ping-defender365-client-id string
The application ID (client ID) for the Azure account (subnet ping)
--subnet-ping-defender365-client-secret string
The client secret for the Azure account (subnet ping)
--subnet-ping-defender365-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-defender365-include-inactive
Include assets that have stopped reporting to the Microsoft 365 Defender service (subnet ping)
--subnet-ping-defender365-tenant-id string
The directory ID (tenant ID) for the Azure account (subnet ping)
--subnet-ping-dnp3-address-probe-timeout int
Time limit (in seconds) for DNP address discovery. (subnet ping) (default 30)
--subnet-ping-dnp3-banner-address-discovery string
One of ‘require’, ‘prefer’, or ‘ignore’. (subnet ping) (default “ignore”)
--subnet-ping-dnp3-destination-address-discovery-range string
A numeric range of addresses to attempt to discover. (subnet ping) (default “0-32”)
--subnet-ping-dnp3-explorer-address int
Source DNP3 address for the explorer. (subnet ping) (default -1)
--subnet-ping-dns-disable-google-myaddr
Disables resolution of upstream DNS via Google myaddr service (subnet ping)
--subnet-ping-dns-disable-meraki-detection
Disables detection of Meraki DNS interception (subnet ping)
--subnet-ping-dns-port uint
The destination port for DNS probes (subnet ping) (default 53)
--subnet-ping-dns-resolve-name string
The target hostname for DNS queries (‘off’ to disable) (subnet ping) (default “www.google.com”)
--subnet-ping-dns-trace-domain string
The subdomain to use for trace requests (‘off’ to disable) (subnet ping) (default “helper.rumble.network”)
--subnet-ping-dtls-ports string
The destination ports for DTLS probes (subnet ping) (default “443,3391,4433,5246,5349,5684”)
--subnet-ping-echo-report-errors
Report errors from intermediate in-scope hosts (subnet ping)
--subnet-ping-ethernetip-udp-ports string
The destination ports for EtherNet/IP UDP probes (subnet ping) (default “44818”)
--subnet-ping-ethernetip-use-tagged-context string
Set this to true to use a runZero-specific sender context for debugging. (subnet ping) (default “false”)
--subnet-ping-fins-port uint
The destination port for FINS probes (subnet ping) (default 9600)
--subnet-ping-gcp-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-gcp-service-options string
The comma-separated list of services to sync data from (defaults,vm,lb,cloudsql) (subnet ping) (default “defaults”)
--subnet-ping-gcp-site-per-project
Automatically create a new site per project (subnet ping)
--subnet-ping-genudp-payload-base64 string
The generic udp payload as base64 (subnet ping)
--subnet-ping-genudp-payload-hex string
The generic udp payload as hexadecimal (subnet ping)
--subnet-ping-genudp-payload-text string
The generic udp payload as plain text (subnet ping)
--subnet-ping-genudp-ports string
The destination ports for the generic udp probe (subnet ping)
--subnet-ping-googleworkspace-client-email string
The email address of the service account (subnet ping)
--subnet-ping-googleworkspace-client-id string
The ID of the service account (subnet ping)
--subnet-ping-googleworkspace-customer-id string
An optional customer ID for multi-tenant environments (subnet ping) (default “my_customer”)
--subnet-ping-googleworkspace-delegate string
The email address of an admin account with directory access (subnet ping)
--subnet-ping-googleworkspace-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-googleworkspace-private-key string
The PEM encoded private key (subnet ping)
--subnet-ping-googleworkspace-private-key-id string
The ID of the private key (subnet ping)
--subnet-ping-googleworkspace-project-id string
The project ID of the service account (subnet ping)
--subnet-ping-googleworkspace-service-options string
The comma-separated list of services to sync data from (defaults,chromeos,mobile,endpoint,user,group) (subnet ping) (default “defaults”)
--subnet-ping-hiddiscoveryd-port uint
The destination port for HID discoveryd probes (subnet ping) (default 4070)
--subnet-ping-igel-discovery-ports string
The destination ports for IGEL discovery probes (subnet ping) (default “30005”)
--subnet-ping-ike-port uint
The destination port for IKE probes (subnet ping) (default 500)
--subnet-ping-insightvm-api-url string
The URL used for the InsightVM account’s API access (subnet ping)
--subnet-ping-insightvm-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-insightvm-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (subnet ping)
--subnet-ping-insightvm-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) (default true)
--subnet-ping-insightvm-password string
The password for the InsightVM account (subnet ping)
--subnet-ping-insightvm-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”)
--subnet-ping-insightvm-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”)
--subnet-ping-insightvm-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping)
--subnet-ping-insightvm-username string
The username for the InsightVM account (subnet ping)
--subnet-ping-intune-client-id string
The application ID (client ID) for the Azure account (subnet ping)
--subnet-ping-intune-client-secret string
The client secret for the Azure account (subnet ping)
--subnet-ping-intune-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-intune-password string
The password for the Intune account (subnet ping)
--subnet-ping-intune-tenant-id string
The directory ID (tenant ID) for the Azure account (subnet ping)
--subnet-ping-intune-username string
The username for the Intune account (subnet ping)
--subnet-ping-ipmi-port uint
The destination port for IPMI probes (subnet ping) (default 623)
--subnet-ping-kerberos-port uint
The destination port for kerberos probes (subnet ping) (default 88)
--subnet-ping-knxnet-ports string
The destination ports for knxnet probes (subnet ping) (default “3671”)
--subnet-ping-l2t-port uint
The destination port for L2T probes (subnet ping) (default 2228)
--subnet-ping-l2tp-ports string
The destination ports for L2TP probes (subnet ping) (default “1701”)
--subnet-ping-lantronix-port uint
The destination port for Lantronix probes (subnet ping) (default 30718)
--subnet-ping-layer2-add-targets
Set this false to skip scanning discovered targets (subnet ping) (default true)
--subnet-ping-layer2-force
Set this to true to force discovery even without local targets (subnet ping)
--subnet-ping-layer2-max-retries uint
The desired number of retries (subnet ping) (default 3)
--subnet-ping-layer2-tcp-ports string
The TCP ports to ping for local device discovery (subnet ping) (default “22,80,135,179,443,3389,5040,7547,62078”)
--subnet-ping-layer2-udp-trace-port uint
The UDP port number to use for UDP trace requests (subnet ping) (default 9)
--subnet-ping-ldap-base-dn string
The base DN used for LDAP searches (subnet ping)
--subnet-ping-ldap-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-ldap-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping)
--subnet-ping-ldap-legacy-tls
Set this to true to authenticate over legacy TLS versions (< 1.2) (subnet ping)
--subnet-ping-ldap-password string
The password for the LDAP account (subnet ping)
--subnet-ping-ldap-service-options string
The comma-separated list of services to sync data from (defaults,computer,user,group) (subnet ping) (default “defaults”)
--subnet-ping-ldap-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping)
--subnet-ping-ldap-url string
The URL used for the LDAP server (subnet ping)
--subnet-ping-ldap-username string
The username for the LDAP account (subnet ping)
--subnet-ping-max-attempts int
Set the maximum number of attempts for each probe (default 1)
--subnet-ping-max-ttl int
Set the default TTL on subnet-ping probe packets (default 255)
--subnet-ping-mdns-port uint
The destination port for MDNS probes (subnet ping) (default 5353)
--subnet-ping-memcache-port uint
The destination port for memcached probes (subnet ping) (default 11211)
--subnet-ping-miradore-api-key string
The API key for the Miradore account (subnet ping)
--subnet-ping-miradore-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-miradore-hostname string
The Miradore web console hostname (url) (subnet ping)
--subnet-ping-modbus-identification-level string
Identification level, one of ‘basic’, ‘regular’, or ’extended’. (subnet ping) (default “regular”)
--subnet-ping-mode string
Set the subnet-ping discovery profile: auto (default “auto”)
--subnet-ping-mssql-port uint
The destination port for MSSQL probes (subnet ping) (default 1434)
--subnet-ping-natpmp-port uint
The destination port for NATPMP probes (subnet ping) (default 5351)
--subnet-ping-nessus-access-key string
The access key for the Nessus Professional account (subnet ping)
--subnet-ping-nessus-api-url string
The URL used for the Nessus Professional account’s API access (subnet ping)
--subnet-ping-nessus-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-nessus-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (subnet ping)
--subnet-ping-nessus-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) (default true)
--subnet-ping-nessus-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”)
--subnet-ping-nessus-secret-key string
The secret key for the Nessus Professional account (subnet ping)
--subnet-ping-nessus-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”)
--subnet-ping-nessus-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping)
--subnet-ping-net-size int
Set the subnet size to use for the subnet ping (default 256)
--subnet-ping-netbios-port uint
The destination port for NetBIOS Name Service probes (subnet ping) (default 137)
--subnet-ping-ntp-port uint
The destination port for NTP probes (subnet ping) (default 123)
--subnet-ping-openvpn-ports string
The destination ports for OpenVPN probes (subnet ping) (default “1194”)
--subnet-ping-passes int
Set the number of passes for the subnet-ping phase (default 1)
--subnet-ping-pca-port uint
The destination port for PCAnywhere probes (subnet ping) (default 5632)
--subnet-ping-probes string
Launch a subset of the probes for the subnet-ping, comma-delimited (default “arp,echo,syn,connect,netbios,snmp,ntp,sunrpc,ike,openvpn,mdns”)
--subnet-ping-psdisco-ports string
The destination ports for playstation discovery probes (subnet ping) (default “987,9302”)
--subnet-ping-qualys-api-url string
The URL used for the Qualys account’s API access (subnet ping)
--subnet-ping-qualys-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-qualys-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (subnet ping)
--subnet-ping-qualys-include-unscanned
Include assets that have not been assessed for vulnerabilities (subnet ping)
--subnet-ping-qualys-password string
The password for the Qualys account (subnet ping)
--subnet-ping-qualys-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”)
--subnet-ping-qualys-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”)
--subnet-ping-qualys-username string
The username for the Qualys account (subnet ping)
--subnet-ping-rdns-max-concurrent int
The maximum number of concurrent DNS lookups (subnet ping) (default 64)
--subnet-ping-rdns-timeout uint
The DNS PTR lookup timeout in seconds (subnet ping) (default 3)
--subnet-ping-rpcbind-port uint
The destination port for RPCBind probes (subnet ping) (default 111)
--subnet-ping-rpcbind-port-nfs uint
The destination port for NFS probes (subnet ping) (default 2049)
--subnet-ping-s7comm-request-extended-information
If true, request extended device information. (subnet ping)
--subnet-ping-sample-duration string
Specify the duration in seconds to sample network traffic (or ‘0’ for non-stop) (subnet ping) (default “300”)
--subnet-ping-sample-excludes string
Specify host exclusions (subnet ping)
--subnet-ping-sample-interfaces string
Specify a comma-separated list of network interfaces (or ‘all’ for everything) (subnet ping)
--subnet-ping-sample-rate int
Set the sample rate of addresses within each subnet as a percentage (default 4)
--subnet-ping-sample-targets string
Specify the discovery scope (subnet ping) (default “10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16”)
--subnet-ping-sentinelone-api-url string
The URL used for the SentinelOne account’s API access (subnet ping)
--subnet-ping-sentinelone-client-id string
The client ID for the SentinelOne account (subnet ping)
--subnet-ping-sentinelone-client-secret string
The client secret for the SentinelOne account (subnet ping)
--subnet-ping-sentinelone-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-shodan-api-key string
The key used for the Shodan account’s API access (subnet ping)
--subnet-ping-shodan-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-shodan-mode string
The search mode (assets or query). The assets option queries the scan targets (subnet ping) (default “assets”)
--subnet-ping-shodan-query string
The search string to use in query mode (subnet ping)
--subnet-ping-sip-port uint
The destination port for SIP probes (subnet ping) (default 5060)
--subnet-ping-snmp-comms string
The comma-separated list of SNMP v1/v2c communities (subnet ping) (default “public,private”)
--subnet-ping-snmp-disable-bulk
If true, do not use bulk walking operations (subnet ping)
--subnet-ping-snmp-max-repetitions uint
The maximum number of repetitions in a bulk walk operation (subnet ping) (default 16)
--subnet-ping-snmp-max-retries int
The maximum number of retries for an SNMP operation (subnet ping) (default 1)
--subnet-ping-snmp-poll-interval uint
The minimum number of seconds between polling each host after initial discovery (subnet ping) (default 300)
--subnet-ping-snmp-port uint
The destination port for SNMP probes (subnet ping) (default 161)
--subnet-ping-snmp-timeout uint
The maximum number of seconds for each individual SNMP operation (subnet ping) (default 5)
--subnet-ping-snmp-v3-auth-passphrase string
The authentication passphrase (subnet ping)
--subnet-ping-snmp-v3-auth-protocol string
The authentication protocol (none, md5, sha, sha224, sha256, sha384, sha512) (subnet ping) (default “none”)
--subnet-ping-snmp-v3-context string
The optional SNMP v3 context to supply (subnet ping)
--subnet-ping-snmp-v3-privacy-passphrase string
The privacy passphrase (subnet ping)
--subnet-ping-snmp-v3-privacy-protocol string
The privacy protocol (none, des, aes, aes192, aes256, aes192c, aes256c) (subnet ping) (default “none”)
--subnet-ping-snmp-v3-username string
The username to use for SNMP v3 authentication (subnet ping)
--subnet-ping-snmp-walk-timeout uint
The maximum number of seconds for each SNMP walk operation (subnet ping) (default 60)
--subnet-ping-ssdp-port uint
The destination port for UPnP/SSDP probes (subnet ping) (default 1900)
--subnet-ping-ssh-fingerprint
Enable fingerprinting using partial authentication (subnet ping) (default true)
--subnet-ping-ssh-fingerprint-username string
The username to use for partial authentication SSH fingerprinting (subnet ping) (default “STATUS”)
--subnet-ping-steam-ports string
The destination ports for Steam discovery probes (subnet ping) (default “27036”)
--subnet-ping-syn-disable-bogus-filter
Disable bogus service detection and filtering (subnet ping)
--subnet-ping-syn-forwarding-check
Perform an IP forwarding check as part of the scan (subnet ping) (default true)
--subnet-ping-syn-forwarding-check-target string
An external IPv4 address for the forwarding check (default:runzero) (subnet ping) (default “13.248.161.247”)
--subnet-ping-syn-max-retries uint
The maximum number of retries trace and SYN requests (subnet ping) (default 2)
--subnet-ping-syn-report-resets
Set this to true to report RST responses (subnet ping) (default true)
--subnet-ping-syn-reset-sessions
Reset middle-box/firewall sessions automatically (subnet ping) (default true)
--subnet-ping-syn-reset-sessions-delay uint
Minimum delay in milliseconds between a SYN and a session reset (subnet ping)
--subnet-ping-syn-reset-sessions-limit uint
Maximum number of in-flight sessions before forcing session resets (subnet ping) (default 50)
--subnet-ping-syn-traceroute
Perform a multi-protocol traceroute as part of the scan (subnet ping) (default true)
--subnet-ping-syn-udp-trace-port uint
The UDP port number to use for UDP trace requests (subnet ping) (default 9)
--subnet-ping-tcp-ports string
The list of TCP ports to subnet-ping using the syn and connect probes (default “22,80,135,179,443,3389,5040,7547,62078”)
--subnet-ping-tenable-access-key string
The access key for the Tenable.io account (subnet ping)
--subnet-ping-tenable-api-url string
The URL used for the Tenable.io account’s API access (subnet ping)
--subnet-ping-tenable-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-tenable-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (subnet ping)
--subnet-ping-tenable-include-unscanned
Include assets that have not been assessed for vulnerabilities (subnet ping)
--subnet-ping-tenable-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”)
--subnet-ping-tenable-secret-key string
The secret key for the Tenable.io account (subnet ping)
--subnet-ping-tenable-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”)
--subnet-ping-tenablesecuritycenter-access-key string
The access key for the Tenable Security Center account (subnet ping)
--subnet-ping-tenablesecuritycenter-api-url string
The URL used for the Tenable Security Center account’s API access (subnet ping)
--subnet-ping-tenablesecuritycenter-batch-size string
The number of records to request at a time. (between 2000 and 10000) (subnet ping) (default “2000”)
--subnet-ping-tenablesecuritycenter-exclude-unknown
Exclude assets that cannot be merged into an existing asset (subnet ping)
--subnet-ping-tenablesecuritycenter-fingerprint-only
Import vulnerabilites for fingerprinting purposes only (subnet ping)
--subnet-ping-tenablesecuritycenter-insecure string
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping)
--subnet-ping-tenablesecuritycenter-query-id string
The ID of an existing vulnerability query in the Tenable Security Center account (subnet ping)
--subnet-ping-tenablesecuritycenter-query-mode string
Set to ‘filters’ to provide ‘severities’ and ‘risks’ values to import. Set to ‘query-id’ to provide a value for ‘query-id’. (subnet ping) (default “filters”)
--subnet-ping-tenablesecuritycenter-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”)
--subnet-ping-tenablesecuritycenter-secret-key string
The secret key for the Tenable Security Center account (subnet ping)
--subnet-ping-tenablesecuritycenter-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”)
--subnet-ping-tenablesecuritycenter-sync-since string
Specify an initial date to sync data from. (subnet ping)
--subnet-ping-tenablesecuritycenter-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping)
--subnet-ping-tftp-ports string
The destination ports for TFTP probes (subnet ping) (default “69”)
--subnet-ping-tos int
Set the default ToS on subnet-ping probe packets
--subnet-ping-ubnt-port uint
The destination port for Ubiquiti probes (subnet ping) (default 10001)
--subnet-ping-verbose
Display verbose output for the subnet-ping
--subnet-ping-very-verbose
Display very verbose output for the subnet-ping
--subnet-ping-vmware-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) (default true)
--subnet-ping-vmware-password string
The password to use for VMware SDK authentication (read-only) (subnet ping)
--subnet-ping-vmware-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping)
--subnet-ping-vmware-username string
The username to use for VMware SDK authentication (read-only) (subnet ping)
--subnet-ping-webmin-ports string
The destination ports for webmin probes (subnet ping) (default “10000”)
--subnet-ping-wlan-list-poll-interval uint
The minimum number of seconds between polls of the access point list (subnet ping) (default 300)
--subnet-ping-wsd-port uint
The destination port for WSD probes (subnet ping) (default 3702)
--syn-disable-bogus-filter
Disable bogus service detection and filtering
--syn-forwarding-check
Perform an IP forwarding check as part of the scan (default true)
--syn-forwarding-check-target string
An external IPv4 address for the forwarding check (default:runzero) (default “13.248.161.247”)
--syn-max-retries uint
The maximum number of retries trace and SYN requests (default 2)
--syn-report-resets
Set this to true to report RST responses (default true)
--syn-reset-sessions
Reset middle-box/firewall sessions automatically (default true)
--syn-reset-sessions-delay uint
Minimum delay in milliseconds between a SYN and a session reset
--syn-reset-sessions-limit uint
Maximum number of in-flight sessions before forcing session resets (default 50)
--syn-traceroute
Perform a multi-protocol traceroute as part of the scan (default true)
--syn-udp-trace-port uint
The UDP port number to use for UDP trace requests (default 9)
--tcp-excludes string
The list of TCP ports to always exclude
-p, --tcp-ports string
The list of TCP ports scan using the syn and connect probes (see below for default)
--tcp-skip-protocol
Set this to skip protocol detection on TCP ports
--tenable-access-key string
The access key for the Tenable.io account
--tenable-api-url string
The URL used for the Tenable.io account’s API access
--tenable-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--tenable-fingerprint-only
Import vulnerabilites for fingerprinting purposes only
--tenable-include-unscanned
Include assets that have not been assessed for vulnerabilities
--tenable-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”)
--tenable-secret-key string
The secret key for the Tenable.io account
--tenable-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”)
--tenablesecuritycenter-access-key string
The access key for the Tenable Security Center account
--tenablesecuritycenter-api-url string
The URL used for the Tenable Security Center account’s API access
--tenablesecuritycenter-batch-size string
The number of records to request at a time. (between 2000 and 10000) (default “2000”)
--tenablesecuritycenter-exclude-unknown
Exclude assets that cannot be merged into an existing asset
--tenablesecuritycenter-fingerprint-only
Import vulnerabilites for fingerprinting purposes only
--tenablesecuritycenter-insecure string
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN)
--tenablesecuritycenter-query-id string
The ID of an existing vulnerability query in the Tenable Security Center account
--tenablesecuritycenter-query-mode string
Set to ‘filters’ to provide ‘severities’ and ‘risks’ values to import. Set to ‘query-id’ to provide a value for ‘query-id’. (default “filters”)
--tenablesecuritycenter-risks string
Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”)
--tenablesecuritycenter-secret-key string
The secret key for the Tenable Security Center account
--tenablesecuritycenter-severities string
Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”)
--tenablesecuritycenter-sync-since string
Specify an initial date to sync data from.
--tenablesecuritycenter-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication
--text
Force text-only mode (no console ui)
--tftp-ports string
The destination ports for TFTP probes (default “69”)
--tos int
Set the default ToS on probe packets
--ubnt-port uint
The destination port for Ubiquiti probes (default 10001)
--upload
Automatically upload results to the runZero Console
-u, --upload-site string
Specify the Site ID or Name to upload the raw scan results to if –upload is specified (default “Primary”)
-v, --verbose
Display verbose output
--very-verbose
Display very verbose output
--vmware-insecure
Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true)
--vmware-password string
The password to use for VMware SDK authentication (read-only)
--vmware-thumbprints string
A set of IP=SHA256:B64HASH pairs to trust for authentication
--vmware-username string
The username to use for VMware SDK authentication (read-only)
--webmin-ports string
The destination ports for webmin probes (default “10000”)
--wlan-list-poll-interval uint
The minimum number of seconds between polls of the access point list (default 300)
--wsd-port uint
The destination port for WSD probes (default 3702)

Standard ports scanned

1 7 9 13 17 19 21 22 23 25 37 42 43 49 53 69 70 79 80 81 82 83 84 85 88 102 105 109 110 111 113 119 123 135 137 139 143 161 179 222 264 280 384 389 402 407 442 443 444 445 465 500 502 512 513 515 523 524 540 541 548 554 587 617 623 631 636 664 689 705 717 743 771 783 830 873 888 902 903 910 912 921 990 993 995 998 1000 1024 1030 1035 1080 1083 1089 1090 1091 1098 1099 1100 1101 1102 1103 1128 1129 1158 1199 1211 1220 1234 1241 1260 1270 1300 1311 1352 1433 1434 1440 1443 1468 1494 1514 1521 1530 1533 1581 1582 1583 1604 1610 1611 1723 1755 1801 1811 1830 1883 1900 2000 2002 2021 2023 2049 2068 2074 2082 2083 2100 2103 2105 2121 2181 2199 2207 2222 2224 2323 2362 2375 2376 2379 2380 2381 2443 2525 2533 2598 2601 2604 2638 2809 2947 2967 3000 3001 3003 3033 3037 3050 3057 3071 3083 3128 3200 3217 3220 3260 3268 3269 3273 3299 3300 3306 3311 3312 3351 3389 3460 3500 3502 3628 3632 3690 3780 3790 3817 3871 3872 3900 4000 4092 4322 4343 4353 4365 4366 4368 4369 4406 4433 4443 4444 4445 4567 4659 4679 4730 4786 4840 4848 4949 4950 4987 5000 5001 5007 5022 5037 5038 5040 5051 5060 5061 5093 5168 5222 5247 5250 5275 5347 5351 5353 5355 5392 5400 5405 5432 5433 5498 5520 5521 5554 5555 5560 5580 5601 5631 5632 5666 5671 5672 5683 5800 5814 5900 5901 5902 5903 5904 5905 5906 5907 5908 5909 5910 5911 5920 5938 5984 5985 5986 5988 5989 6000 6001 6002 6050 6060 6070 6080 6082 6101 6106 6112 6161 6262 6379 6405 6443 6481 6502 6503 6504 6514 6542 6556 6660 6661 6667 6905 6988 7000 7001 7002 7021 7070 7071 7077 7080 7100 7144 7181 7210 7373 7443 7474 7510 7547 7579 7580 7676 7700 7770 7777 7778 7787 7800 7801 7879 7902 8000 8001 8003 8006 8008 8009 8010 8012 8014 8020 8023 8028 8030 8080 8081 8082 8083 8086 8087 8088 8089 8090 8095 8098 8099 8100 8123 8127 8161 8172 8180 8181 8182 8205 8222 8300 8303 8333 8400 8443 8444 8445 8471 8488 8500 8503 8530 8531 8545 8649 8686 8787 8800 8812 8834 8850 8871 8880 8883 8888 8889 8890 8899 8901 8902 8903 8983 9000 9001 9002 9042 9060 9080 9081 9084 9090 9091 9092 9099 9100 9111 9152 9160 9200 9300 9380 9390 9391 9401 9418 9440 9443 9471 9495 9524 9527 9530 9593 9594 9595 9600 9809 9855 9999 10000 10001 10008 10050 10051 10080 10098 10162 10202 10203 10250 10255 10257 10259 10443 10616 10628 11000 11099 11211 11234 11333 12174 12203 12221 12345 12379 12397 12401 13364 13500 13778 13838 14330 15200 15671 15672 16102 16443 16992 16993 17185 17200 17472 17775 17776 17777 17778 17781 17782 17783 17784 17790 17791 17798 18264 18881 19300 19810 19888 20000 20010 20031 20034 20101 20111 20171 20222 20293 22222 23472 23791 23943 25000 25025 25565 25672 26000 26122 27000 27017 27018 27019 27080 27888 28017 28222 28784 30000 31001 31099 32764 32844 32913 33060 34205 34443 34962 34963 34964 37718 37777 37890 37891 37892 38008 38010 38080 38102 38292 40007 40317 41025 41080 41523 41524 44334 44343 44818 45230 46823 46824 47001 47002 47290 48899 49152 50000 50013 50021 50051 50070 50090 50121 51443 52302 52311 54321 54921 54922 54923 55553 55580 57772 61614 61616 62078 62514 65002 65535

Scan outputs

The runZero Scanner generates a directory of output files by default. This directory includes the following items.

  • scan.rumble.gz: The raw scan data compressed via gzip, this can be imported or reprocessed via --import
  • assets.jsonl: The new optimized format for correlated, fingerprinted assets.
  • nmap.xml: A Nmap XML compatible data file that can be imported into various security tools.
  • urls.txt: A list of discovered web services in URL format.
  • protocols.csv: A list of protocols with their ports and URLs.
  • assets.html: A rudimentary HTML report with screenshots.
  • screenshots: A directory of raw screenshot images, headers in JSON format, and HTML bodies.
  • Various lists including addresses.txt, addresses_all.txt, hostnames.txt, and domains.txt

Raw Scan Data

The runZero Scanner raw data is stored in a file named scan.rumble.gz within the output directory. This file contains JSONL-formatted records. An example ARP response record is shown below.

{
  "type": "result",
  "host": "192.168.0.1",
  "port": "0",
  "proto": "arp",
  "probe": "arp",
  "name": "192.168.0.1",
  "info": {
    "mac": "f0:9f:c2:11:1a:13",
    "macDateAdded": "2014-12-17",
    "macVendor": "Ubiquiti Networks Inc."
  },
  "ts": 1551584126253853200
}

The info field is a JSON map of strings to strings. Multiple values are encoded using the tab character (0x09), which are otherwise escaped as \t (along with \r and \n for carriage return and line feed bytes and \x00 for null bytes). runZero scans may return more than one record of the same type for the same host if multiple responses were received.

In addition to the result type, there are also records for status messages, stats, and an initial config type that contains the scan parameters.

Updated
Previous: Leveraging the API Next: Glossary