
SecurityTrails Blog · Aug 29 · SecurityTrails team

Rumble Network Discovery: A Powerful Cloud-Based Infosec Mapping Platform


Network discovery is an essential part of both network management and cyber threat intelligence tasks, with the former often conducted by a network or system administrator, and the latter performed by infosec researchers and penetration testers.

Regardless of the task you might need it for, the article about IP scanner tools we posted last week may prove very helpful if you need to build a map of your IP space. But what happens when you need to go one step beyond a simple IP map? What if you need to build a full network map with details such as OS, hardware, services and ports in order to analyze your attack surface?

In that case, one of the most promising developments we’ve found lately is the Rumble Network Discovery platform. This valuable resource will help you perform network discovery tasks within seconds against your own networks or against 3rd party networks, making it a practical OSINT tool to keep in your infosec arsenal.

Today we’ll explore Rumble Network Discovery, learning about what it is, and exploring its main features, requirements, installation and how it’s used to perform network scans.

What is Rumble Network Discovery?

Created by HD Moore, Rumble Network Discovery is a new infosec tool for network mapping, used on both sides of the fence by blue teams as well as red teams.

RND helps infosec researchers and network engineers identify connected computers, routers and other devices within a network, extract all relevant details possible, collect the data, compare it against a giant fingerprint database, and show you its findings in an elegant and readable way so you can analyze it properly.

Rumble works by using a centralized GUI console that runs on https://console.rumble.run, which receives its data from single or multiple agents running on different servers.

That’s one of its few requirements. Other than installing the agent, it works out of the box on most operating systems, letting you rapidly discover network-connected assets without intrusive traffic capturing/sniffing and without any kind of login credentials.

How can I test it?

First things first! Before you can play with this interesting tool, you’ll need to create a free account on the official website at https://rumble.run and click the ‘Beta Signup’ button.

Once you sign up, an activation code will be sent to your email, and from that point on your account will be ready for installing agents and performing a wide range of network scanning tasks.

Installing an agent

Now that your free account is live, the next step is to install an agent. The agent will send all discovered data to the Rumble console.

Agents can be downloaded from the Rumble download page.

Requirements

There are a few minimum requirements for Windows, Linux, and MacOS. Right now we’ll focus on what the Linux platform needs:

  • Kernel version 2.6.23 or later
  • CPU speed 2.0 GHz or faster
  • 1 GB of free storage space
  • 2 GB of RAM (1 GB available)

We launched a VM with the latest CentOS 7.x version and it worked without a hitch. The same should be expected for the most popular Linux distributions, such as Ubuntu.

There’s another thing to consider: if you want Rumble to take screenshots, you’ll need to use Google Chrome.

On CentOS/RHEL you can download the package by typing:

wget https://dl.google.com/linux/direct/google-chrome-stable_current_x86_64.rpm

Then install Google Chrome together with its dependencies:

sudo yum install ./google-chrome-stable_current_*.rpm

And that’s it. If you’re using Windows or MacOS, check out the official docs.

In our case, the installation was fairly straightforward by simply running these commands:

curl -o rumble-agent.bin https://console.rumble.run/download/agent/c999e42a128f9ef0c647bac01e6bdc25/5d5fd7a7/rumble-agent-linux-amd64.bin && chmod u+x rumble-agent.bin && sudo ./rumble-agent.bin

Here’s the expected output if installation is completed successfully:

research@securitytrails.com:~/temp# ./rumble-agent-linux-amd64.bin
{"level":"info","msg":"failed to find a hostID, generating a new one","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"installing rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9 to /opt/rumble/bin/rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9 from /root/temp/rumble-agent-linux-amd64.bin","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"cleaning up any prior installation...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"writing executable to /opt/rumble/bin/rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"installing service rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:03Z"}
{"level":"info","msg":"starting service rumble-agent-44af0223-9cf9-4076-962c-f0bc841d9bc9...","time":"2019-08-23T13:30:04Z"}
{"level":"info","msg":"installation complete","time":"2019-08-23T13:30:04Z"}
research@securitytrails.com:~/temp#

GUI-based scanning

Once you have installed an agent, the web-based interface can be accessed at https://console.rumble.run/. It offers a wide range of options to choose from; here, however, we’re focusing on the main features that let you perform scans and check out the results.

Before running the scan, you must create a site. So, let’s move over to the menu on the left and click “Site”. Then just fill the form with some descriptive text, as you see below:

Create a new site

To perform a scan, go to “Inventory” on your left, then click on “New Scan”.

Perform a new scan

Performing scans without firewalls enabled is the ideal scenario. However, we’ve been testing this against “protected” websites with system firewalls, and it works just fine: Rumble effectively avoids general banning and network blocks thanks to the non-intrusive nature of its scans.

From here you’ll be able to configure a wide number of settings including:

  • Site: Select the previously configured site
  • Discovery Agent: Set up multiple agents in different servers
  • Discovery Scope: Specify IPs, IP ranges and hostnames to scan
  • Scan Exclusions: Avoid scanning certain sites or IPs from the scan scope
  • TCP Ports: View the full list of TCP ports to scan. The default list is generally sufficient, but you can customize it to match your needs
  • Other options include scheduling hourly, daily, weekly or monthly scans, as well as tweaking the scan speed and maximum host rate

Configure your scan

Once the scan is running, you will be redirected to a new interface called ‘Tasks’ (located at the left menu), where you’ll see current running scans as well as completed scans:

List of tasks

Click on the scan you want to explore. On the new page you’ll see information including Site Details and Site Change Summary.

Exploring the site

Directly below that, all the IP ranges and websites you scanned will be displayed, allowing you to pivot between them to find more information about each network asset:

Finding information about a network asset

By clicking on any of the previous IPs, you’ll get even more details about that specific host, such as Type of asset, OS, Hardware, and First Seen and Last Seen dates.

Details about specific host

A full list of hostnames and domain names associated with those IP ranges will be displayed at your right.

A full list of hostnames

Below that information, at your left, more data will be displayed depending on the discovered ports and services running on that server, as you can see in the next screenshot from the OpenSSH server:

Discovered ports and services

The same goes for port 80, including all of its header and network details:

Port 80 header and network details

Once all scans are finished, assets and search results can be exported as JSON Lines, JSON Document, Nmap XML and CSV for later integration and analysis.

If you go back to the Dashboard (on the left menu) after running a few scans against IP ranges and websites, details and stats will appear showing the Top 10 Asset Types, Top 10 Asset OS and Top 10 Asset Hardware, as well as the total number of identified assets and discovered TCP/UDP ports.

Dashboard with summaries

Following that information, you’ll also be able to explore statistics obtained from your TCP, UDP, products and protocols.

TCP, UDP, products and protocols statistics

Terminal-based scanning

For old-school nerds, Rumble also offers the ability to run scans from the terminal. For this you’ll need to install the Rumble command-line scanner.

Fortunately, this procedure is painless. Just copy and paste the following into your box:

curl -o /usr/local/bin/rumble https://console.rumble.run/download/scanner/c999e42a128f9ef0c647bac01e6bdc25/5d653802/rumble-scanner-linux-amd64.bin
chmod 755 /usr/local/bin/rumble
rumble version

Once that’s done, you’ll know the installation was successful if the last command shows you something like this:

[research@securitytrails]# rumble version
rumble 0.8.27 (20190826061750) [efc936b29a59710ea4f708ce602703aaaf1c267b]

Now, launching a scan is easy. For example:

rumble --tcp-ports 1-1024 1.1.1.1

While the scan runs, its progress is printed to the terminal. Results will be saved in an auto-generated directory containing all obtained data in TXT, JSON, HTML, and CSV format, as shown below:

[research@securitytrails rumble-20190827T141419]# ll
total 188
-rw-r--r--. 1 root root 8 Aug 27 14:14 addresses_all.txt
-rw-r--r--. 1 root root 8 Aug 27 14:14 addresses.txt
-rw-r--r--. 1 root root 1042 Aug 27 14:14 assets.csv
-rw-r--r--. 1 root root 29065 Aug 27 14:14 assets.html
-rw-r--r--. 1 root root 52001 Aug 27 14:14 assets.jsonl
-rw-r--r--. 1 root root 22 Aug 27 14:14 domains.txt
-rw-r--r--. 1 root root 65 Aug 27 14:14 hostnames.txt
-rw-r--r--. 1 root root 9387 Aug 27 14:14 nmap.xml
-rw-r--r--. 1 root root 421 Aug 27 14:14 scan.log
-rw-r--r--. 1 root root 64704 Aug 27 14:14 scan.rumble
drwxr-xr-x. 2 root root 160 Aug 27 14:14 screenshots
-rw-r--r--. 1 root root 20 Aug 27 14:14 urls.txt
[research@securitytrails rumble-20190827T141419]#

You can also specify a custom directory output by using -o [output-directory].
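Because both the console export and the terminal scanner produce Nmap XML (the nmap.xml in the listing above), two scan directories can be diffed to flag hosts that appeared or vanished and ports that are newly exposed, the same kind of change tracking the console shows as a Site Change Summary. The script below is an added example, not Rumble’s own code; the two XML documents are constructed samples in Nmap XML format, and the 192.0.2.x addresses are documentation placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Nmap XML format: baseline scan, one host with SSH and HTTP open.
SCAN_OLD = """<nmaprun scanner="rumble">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
 </ports></host>
</nmaprun>"""

# Constructed sample: next scan, same host now also answers on RDP and a new host appeared.
SCAN_NEW = """<nmaprun scanner="rumble">
 <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
 </ports></host>
 <host><status state="up"/><address addr="192.0.2.77" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
 </ports></host>
</nmaprun>"""

def open_ports(nmap_xml):
    """Map each IPv4 address to the set of (protocol, port, service) triples it has open."""
    inventory = {}
    for host in ET.fromstring(nmap_xml).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed or filtered ports are not exposure
            svc = port.find("service")
            ports.add((port.get("protocol"), int(port.get("portid")), svc.get("name") if svc is not None else ""))
        inventory[addr.get("addr")] = ports
    return inventory

def diff_scans(old_xml, new_xml):
    """Report hosts that appeared or vanished and ports newly open on hosts seen in both scans."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    return {
        "new_hosts": sorted(set(new) - set(old)),
        "gone_hosts": sorted(set(old) - set(new)),
        "new_ports": {ip: sorted(new[ip] - old[ip])
                      for ip in new if ip in old and new[ip] - old[ip]},
    }
```

Point `diff_scans` at the contents of two real nmap.xml files (for example with `open(path).read()`) to review what changed between scheduled scans.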

Conclusion

Rumble Network Discovery is an outstanding addition to the current range of OSINT tools available to help you with your daily infosec intel-reconnaissance tasks. It is, without a doubt, a valuable resource from HD Moore.

While this tool can definitely assist with your network discovery duties, there’s even more to explore regarding servers, IP addresses and domain names.

Jump swiftly and securely to the next level of OSINT: automate your IPs, domains and DNS exploration by using our powerful API. Sign up today for a free API account or book a demo with our sales team to test SurfaceBrowser™, our all-in-one enterprise-grade product that can give you an eye-opening look at the entire surface area of any company in the world—including yours.