Asset inventory with Rumble on FreeBSD
Inventory and control of your IT hardware and software assets is one of the basic processes you must have in place to manage and secure an IT infrastructure properly. At the same time it is probably one of the most difficult processes to implement. But this has changed now! No more scripts scanning your networks using, e.g., nmap.
Rumble: an introduction
Rumble is a network asset discovery tool, created by H.D. Moore, who also created the Metasploit Framework. It helps security engineers, network engineers and system administrators to identify connected servers, workstations, network equipment such as routers, and other devices (like tablets, phones and IoT devices) within a network. It extracts all relevant properties possible from the found assets and collects the data. It then compares the data to a very large fingerprint database and shows you its findings in an elegant and readable way. It also provides means to analyze the data.
You can also scan and keep the results locally using the Rumble Scanner.
Before you can start using Rumble, you have to register yourself. You can do so for the Starter Edition using this link. The paid options offer more functionality but for home environments the Starter Edition is more than sufficient!
Required for your scanner
$ sudo pkg install curl
Implement the Rumble Agent
The steps to install the Rumble Agent are well documented and also stated in the Rumble GUI console once logged in (click ‘Agents’ in the left menu and then choose the ‘BSD Variants’ icon). The Rumble Agent you download and install is specifically for your Rumble account.
$ cd /usr/local/sbin
$ sudo curl -o rumble-agent.bin \
    "https://console.rumble.run/download/agent/<download token>/<account specific string>/rumble-agent-freebsd-amd64.bin"
$ sudo chmod 0555 /usr/local/sbin/rumble-agent.bin
The download link of the Rumble Agent is keyed to your Rumble organization using a download token and also uses a second account-specific string. The download token can be reset on the organization settings page (click ‘Organizations’ under the Global Settings menu on the left and then click your organization).
Once installed, the Rumble Agent can be started:
$ sudo /usr/local/sbin/rumble-agent.bin &
How to use the Rumble Agent
You use the Rumble Agent to perform scans on your network(s), which are initiated from the Rumble GUI console. You can configure a one-time manual scan, but you can also schedule a scan with a certain frequency (e.g. daily, weekly, monthly).
Rumble uses the concept of sites. A site is a collection of IP address(es) and/or ranges. You can assign one site to the configuration of a network scan. Sites can be configured through the ‘Sites’ link in the left menu under ‘Organization Data’.
Implement the Rumble Scanner
Rumble also provides a Scanner which, once installed, you can use to perform network scans locally. The Scanner stores the results of a scan on the host where the Scanner is installed. You can upload a scan result to the Rumble GUI console if required.
The steps to install the Rumble Scanner are well documented and also stated in the Rumble GUI console once logged in (click ‘Agents’ in the left menu and then choose the ‘BSD Variants’ icon). The Rumble Scanner you download and install is specifically for your Rumble account.
$ cd /usr/local/bin
$ sudo curl -o rumble \
    "https://console.rumble.run/download/scanner/<download token>/<account specific string>/rumble-scanner-freebsd-amd64.bin"
$ sudo chmod 0555 /usr/local/bin/rumble
How to use the Rumble scanner
The Rumble Scanner binary has a lot of options. To show all the options use the command:
$ rumble help
For example, you can scan a single IP with a specific range of TCP ports:
$ sudo rumble --tcp-ports 1-1024 10.101.102.3
Or you can scan a whole subnet with the default TCP port list:
$ sudo rumble 10.101.102.0/24
In both these examples the output is stored in a directory in the home directory of the user. The directory is created by the
You can specify where you want to store the output of your scan by using the
$ sudo rumble -o /var/tmp/inventory 10.101.102.0/24
The output of a scan with the rumble binary looks like this:
user@scanner:rumble-20200605T132319 $ ll
total 112K
drwx------ 3 user user   512 Jun 5 13:23 .
drwxr-xr-x 4 user user   512 Jun 5 13:24 ..
-rw-r--r-- 1 user user    26 Jun 5 13:24 addresses_all.txt
-rw-r--r-- 1 user user    26 Jun 5 13:23 addresses.txt
-rw-r--r-- 1 user user  1515 Jun 5 13:23 assets.csv
-rw-r--r-- 1 user user 21999 Jun 5 13:23 assets.html
-rw-r--r-- 1 user user  6205 Jun 5 13:23 assets.jsonl
-rw-r--r-- 1 user user  7327 Jun 5 13:23 bridges.html
-rw-r--r-- 1 user user    48 Jun 5 13:23 hostnames.txt
-rw-r--r-- 1 user user  8108 Jun 5 13:23 nmap.xml
-rw-r--r-- 1 user user   220 Jun 5 13:23 protocols.csv
-rw-r--r-- 1 user user   548 Jun 5 13:24 scan.log
-rw-r--r-- 1 user user 15146 Jun 5 13:23 scan.rumble
drwxr-xr-x 2 user user   512 Jun 5 13:23 screenshots
-rw-r--r-- 1 user user  8255 Jun 5 13:23 topology.html
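Because each scan directory contains an nmap.xml file, two runs of the same range can be compared to surface hosts and open ports that were not in the previous inventory. The Python script below is an added example, not part of the original post or Rumble's own code; it assumes nmap.xml follows the standard Nmap XML layout (host, address, port and state elements), and the two embedded scans are constructed sample data standing in for the files of two scan directories.

```python
import xml.etree.ElementTree as ET

# Constructed sample data (not real scan output): two runs of the same subnet.
SCAN_OLD = """<nmaprun>
<host><status state="up"/><address addr="10.101.102.3" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port></ports></host>
</nmaprun>"""

SCAN_NEW = """<nmaprun>
<host><status state="up"/><address addr="10.101.102.3" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="22"><state state="open"/></port>
<port protocol="tcp" portid="8080"><state state="open"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port></ports></host>
<host><status state="up"/><address addr="10.101.102.77" addrtype="ipv4"/>
<address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
</nmaprun>"""

def open_ports(xml_text):
    """Map each IP address to its set of open 'proto/port' strings."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ip = next((a.get("addr") for a in host.iter("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if ip is None:
            continue  # host entry with only a MAC address: nothing to key on
        ports = inventory.setdefault(ip, set())
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add(f"{port.get('protocol')}/{port.get('portid')}")
    return inventory

def diff_inventory(old_xml, new_xml):
    """Return hosts and open ports that appeared or vanished between scans."""
    old, new = open_ports(old_xml), open_ports(new_xml)
    changes = {"new_hosts": sorted(new.keys() - old.keys()),
               "gone_hosts": sorted(old.keys() - new.keys()),
               "new_ports": {}, "closed_ports": {}}
    for ip in new.keys() & old.keys():
        if new[ip] - old[ip]:
            changes["new_ports"][ip] = sorted(new[ip] - old[ip])
        if old[ip] - new[ip]:
            changes["closed_ports"][ip] = sorted(old[ip] - new[ip])
    return changes

if __name__ == "__main__":
    print(diff_inventory(SCAN_OLD, SCAN_NEW))
```

A host listed under new_hosts, or a port under new_ports, is the cue to check whether the asset or service is authorised before the inventory is updated.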
The output contains all obtained data in TXT, JSON, HTML and CSV formats. I want to look into the JSON format and see if I can make my own reports by extracting data using
My observations so far
I’ve used Rumble for a couple of days as I write this post. So here are some experiences and observations so far:
- first: the service of Rumble is absolutely great! My first scans using the FreeBSD scanner did not provide the detail of scans using an Ubuntu VM. So I highlighted this to the Rumble support team. Within a day (!) they identified the problem and issued a new version of the Rumble software, which solved the problem!
- Rumble scans much faster than e.g. nmap.
- the Rumble GUI console is intuitive and easy to use.
- the local Rumble Scanner is really a great addition to the Rumble Agent. This provides a lot of flexibility.
- it is important to have your DNS set up right and preferably have a PTR and A record configured for all of your assets.
- the SoCruel.NU platform runs a pfSense firewall, and Rumble did not recognise it as such. Probably because of the hardware I use (Protectli).
- my SNMP-based Cisco switches are recognised, but not their OS.
- my non-SNMP-based Cisco switches are not recognised.
- I would like to see a mobile app become available in the near future, so that I can see my assets on my mobile phone and/or tablet as well.
Some (other) resources about this subject: