RunZero is a network discovery and asset inventory tool designed to help organizations identify and manage all devices connected to their networks. It performs comprehensive network scans to detect and catalog devices, providing valuable insights into the assets within the network.
Standalone Command-line Scanner
Download the Scanner
Linux
rm runzero-scanner.bin curl -f -o runzero-scanner.bin https://console.runzero.com/download/scanner/[unique-link]/runzero-scanner-linux-amd64.bin chmod u+x runzero-scanner.bin sudo mv runzero-scanner.bin /usr/local/bin/runzero
Windows
https://console.runzero.com/download/scanner/[unique-link]/runzero-scanner-windows-amd64.exe
Using the Standalone Command-line Scanner
The scanner works best with root privileges on Linux/macOS and Administrator privileges on Windows. Although the scanner will function without privileged access, many probe types will be unavailable. The sudo command can be used to run the scanner as root on Linux and macOS, while the tool is best to run from an elevated command shell on Windows.
Input can consist of specific IPv4 addresses or IPv4 CIDRs. Supported formats include:
10.0.0.110.0.0.0/2410.0.0.0/255.255.255.010.0.0.1-10.0.0.255example.comexample.com/24
Examples
sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 -r 10000 --tcp-ports 1-65535 -o output-dir #Scan of 65,535 TCP ports on all hosts in the 192.168.0.0/24 subnet running at 10,000 packets per second sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 10.0.0.0/24 -r 5000 -o output-dir #Scan on all hosts in the 192.168.0.0/24 and 10.0.0.0/24 subnets running at 5,000 packets per second sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 10.0.0.0/8 –-max-host-rate 20 -o output-dir #Scan on all hosts in the 192.168.0.0/24 and 10.0.0.0/8 subnets running at a max host rate of 20 packets per host sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 example.com -r 7,500 -o output dir #Scan on all hosts in the 192.168.0.0/24 subnet and the domain “example.com” running at 7,500 packets per second sudo ./runzero-scanner-linux-amd64.bin 10.0.0.0/8 asn4:[ID] -o output dir #Scan on all hosts in the 10.0.0.0/8 subnet and a particular ASN4 value at a default speed of 1,000 packets per second sudo ./runzero-scanner-linux-amd64.bin 192.168.0.0/24 -r 2,500 -–max-ttl 128 -o output-dir #Scan on all hosts in the 192.168.0.0/24 subnet with the max TTL set at 128 and a scan rate of 2,500 packets per second sudo ./runzero-scanner-linux-amd64.bin -i /path/to/input-file.txt -o output dir #Scan based on an input file
RunZero Scanner Commands and Options
Commands
censys #Import Censys data files completion #Generate the autocompletion script for the specified shell help #Help about any command license #Display license information upgrade #Upgrade to the latest version of the runZero Scanner verify #Perform an internal signature verification version #Print the version number of runZero
Flags
--api-key string #Specify the runZero API key --api-no-verify #Disable TLS verification for API communication --api-url string #Specify the runZero API server hostname (default “https://console.runzero.com/api/v1.0") --arp-fast #Enables fast mode by ARP scanning at the scan rate vs host rate --aws-instances-access-key string #The access key for the AWS account --aws-instances-assume-role-name string #The role to assume for all accounts in the organization for cross-account access --aws-instances-delete-stale #Automatically delete stale AWS assets --aws-instances-exclude-unknown #Exclude assets that cannot be merged into an existing asset --aws-instances-include-stopped #Include assets that are not currently running --aws-instances-regions string #The comma-separated list of regions for the AWS account --aws-instances-secret-access-key string #The secret access key for the AWS account --aws-instances-service-options string #The comma-separated list of services to sync data from (defaults,ec2,elb,elbv2,rds,lambda) (default “defaults”) --aws-instances-site-per-account #Automatically create a new site per account --aws-instances-site-per-vpc #Automatically create a new site per VPC --aws-instances-token string #The session token for the AWS account --azure-client-id string #The application ID (client ID) for the Azure account --azure-client-secret string #The client secret for the Azure account --azure-exclude-unknown #Exclude assets that cannot be merged into an existing asset --azure-multi-subscription #Access all subscriptions in the directory (tenant) for the Azure account --azure-password string #The password for the Azure account --azure-service-options string #The comma-separated list of services to sync data from (defaults,vm,vmss,azsql,cosmos,lb,functionapp) (default “defaults”) --azure-site-per-subscription #Automatically create a new site per subscription --azure-subscription-id string #The subscription ID for the Azure account --azure-tenant-id string #The directory ID (tenant ID) for the Azure account --azure-username string #The username for the Azure account --azuread-client-id string #The application ID (client ID) for the Azure account --azuread-client-secret string #The client secret for the Azure account --azuread-exclude-unknown #Exclude assets that cannot be merged into an existing asset --azuread-include-inactive #Include assets that are marked as inactive in the AzureAD account --azuread-password string #The password for the AzureAD account --azuread-service-options string #The comma-separated list of services to sync data from (defaults,dev,user,group) (default “defaults”) --azuread-tenant-id string #The directory ID (tenant ID) for the Azure account --azuread-username string #The username for the AzureAD account --bacnet-ports string #The destination ports for BACnet probes (default “46808,47808,48808”) -b, --baseline string #Use the specified file as an asset baseline for tracking --bedrock-ports string #The destination ports for Bedrock probes (default “19132”) --censys-api-url string #The API endpoint to use for Censys Search (default “https://search.censys.io”) --censys-client-id string #The Client ID to use for Censys Search authentication --censys-client-secret string #The Client Secret to use for Censys Search authentication --censys-exclude-unknown #Exclude assets that cannot be merged into an existing asset --censys-mode string #The search mode (assets or query). The assets option queries the scan targets (default “assets”) --censys-query string #The search string to use in query mode --coap-port uint #The destination port for CoAP probes (default 5683) --cpu string #Write a cpu profile after the scan completes --crestron-port uint #The destination port for Crestron probes (default 41794) --crowdstrike-api-url string #The URL used for the CrowdStrike account’s API access --crowdstrike-client-id string #The client ID for the CrowdStrike account --crowdstrike-client-secret string #The client secret for the CrowdStrike account --crowdstrike-exclude-unknown #Exclude assets that cannot be merged into an existing asset --crowdstrike-filter string #An optional Falcon Query Language (FQL) filter for imported assets --crowdstrike-fingerprint-only #Import vulnerabilites for fingerprinting purposes only --crowdstrike-risks string #Minimum risk of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”) --crowdstrike-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”) --dahua-dhip-ports string #The destination ports for Dahua DHIP discovery probes (default “37810”) --defender365-client-id string #The application ID (client ID) for the Azure account --defender365-client-secret string #The client secret for the Azure account --defender365-exclude-unknown #Exclude assets that cannot be merged into an existing asset --defender365-include-inactive #Include assets that have stopped reporting to the Microsoft 365 Defender service --defender365-tenant-id string #The directory ID (tenant ID) for the Azure account --disabled-probes string #Specifically exclude these probes, comma-delimited --dnp3-address-probe-timeout int #Time limit (in seconds) for DNP address discovery. (default 30) --dnp3-banner-address-discovery string #One of ‘require’, ‘prefer’, or ‘ignore’. (default “ignore”) --dnp3-destination-address-discovery-range string #A numeric range of addresses to attempt to discover. (default “0-32”) --dnp3-explorer-address int #Source DNP3 address for the explorer. (default -1) --dns-disable-google-myaddr #Disables resolution of upstream DNS via Google myaddr service --dns-disable-meraki-detection #Disables detection of Meraki DNS interception --dns-port uint #The destination port for DNS probes (default 53) --dns-resolve-name string #The target hostname for DNS queries (‘off’ to disable) (default “www.google.com”) --dns-trace-domain string #The subdomain to use for trace requests (‘off’ to disable) (default “helper.rumble.network”) --dtls-ports string #The destination ports for DTLS probes (default “443,3391,4433,5246,5349,5684”) --echo-report-errors #Report errors from intermediate in-scope hosts --ethernetip-udp-ports string #The destination ports for EtherNet/IP UDP probes (default “44818”) --ethernetip-use-tagged-context string #Set this to true to use a runZero-specific sender context for debugging. (default “false”) --exclude string #Specify scan exclusions --excludefile string #Read exclusions from an input file --filter-base64 #Filter base64-encoded fields -f, --fingerprints string #Use the specified directory as an alternate fingerprint database --fingerprints-debug #Enable debug output for the fingerprint processor --fins-port uint #The destination port for FINS probes (default 9600) --gcp-exclude-unknown #Exclude assets that cannot be merged into an existing asset --gcp-key-path string #Path to GCP service account key file --gcp-service-options string #The comma-separated list of services to sync data from (defaults,vm,lb,cloudsql) (default “defaults”) --gcp-site-per-project #Automatically create a new site per project --genudp-payload-base64 string #The generic udp payload as base64 --genudp-payload-hex string #The generic udp payload as hexadecimal --genudp-payload-text string #The generic udp payload as plain text --genudp-ports string #The destination ports for the generic udp probe --googleworkspace-client-email string #The email address of the service account --googleworkspace-client-id string #The ID of the service account --googleworkspace-customer-id string #An optional customer ID for multi-tenant environments (default “my_customer”) --googleworkspace-delegate string #The email address of an admin account with directory access --googleworkspace-exclude-unknown #Exclude assets that cannot be merged into an existing asset --googleworkspace-private-key string #The PEM encoded private key --googleworkspace-private-key-id string #The ID of the private key --googleworkspace-project-id string #The project ID of the service account --googleworkspace-service-options string #The comma-separated list of services to sync data from (defaults,chromeos,mobile,endpoint,user,group) (default “defaults”) --goroutines string #Write a goroutine dump after the scan completes --heap string #Write a heap profile after the scan completes -h, --help #help for runZero --hiddiscoveryd-port uint #The destination port for HID discoveryd probes (default 4070) --host-ping #Only scan hosts that respond to a ping scan using the host-ping settings --host-ping-arp-fast #Enables fast mode by ARP scanning at the scan rate vs host rate (host ping) --host-ping-aws-instances-access-key string #The access key for the AWS account (host ping) --host-ping-aws-instances-assume-role-name string #The role to assume for all accounts in the organization for cross-account access (host ping) --host-ping-aws-instances-delete-stale #Automatically delete stale AWS assets (host ping) --host-ping-aws-instances-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-aws-instances-include-stopped #Include assets that are not currently running (host ping) --host-ping-aws-instances-regions string #The comma-separated list of regions for the AWS account (host ping) --host-ping-aws-instances-secret-access-key string #The secret access key for the AWS account (host ping) --host-ping-aws-instances-service-options string #The comma-separated list of services to sync data from (defaults,ec2,elb,elbv2,rds,lambda) (host ping) (default “defaults”) --host-ping-aws-instances-site-per-account #Automatically create a new site per account (host ping) --host-ping-aws-instances-site-per-vpc #Automatically create a new site per VPC (host ping) --host-ping-aws-instances-token string #The session token for the AWS account (host ping) --host-ping-azure-client-id string #The application ID (client ID) for the Azure account (host ping) --host-ping-azure-client-secret string #The client secret for the Azure account (host ping) --host-ping-azure-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-azure-multi-subscription #Access all subscriptions in the directory (tenant) for the Azure account (host ping) --host-ping-azure-password string #The password for the Azure account (host ping) --host-ping-azure-service-options string #The comma-separated list of services to sync data from (defaults,vm,vmss,azsql,cosmos,lb,functionapp) (host ping) (default “defaults”) --host-ping-azure-site-per-subscription #Automatically create a new site per subscription (host ping) --host-ping-azure-subscription-id string #The subscription ID for the Azure account (host ping) --host-ping-azure-tenant-id string #The directory ID (tenant ID) for the Azure account (host ping) --host-ping-azure-username string #The username for the Azure account (host ping) --host-ping-azuread-client-id string #The application ID (client ID) for the Azure account (host ping) --host-ping-azuread-client-secret string #The client secret for the Azure account (host ping) --host-ping-azuread-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-azuread-include-inactive #Include assets that are marked as inactive in the AzureAD account (host ping) --host-ping-azuread-password string #The password for the AzureAD account (host ping) --host-ping-azuread-service-options string #The comma-separated list of services to sync data from (defaults,dev,user,group) (host ping) (default “defaults”) --host-ping-azuread-tenant-id string #The directory ID (tenant ID) for the Azure account (host ping) --host-ping-azuread-username string #The username for the AzureAD account (host ping) --host-ping-bacnet-ports string #The destination ports for BACnet probes (host ping) (default “46808,47808,48808”) --host-ping-bedrock-ports string #The destination ports for Bedrock probes (host ping) (default “19132”) --host-ping-censys-api-url string #The API endpoint to use for Censys Search (host ping) (default “https://search.censys.io”) --host-ping-censys-client-id string #The Client ID to use for Censys Search authentication (host ping) --host-ping-censys-client-secret string #The Client Secret to use for Censys Search authentication (host ping) --host-ping-censys-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-censys-mode string #The search mode (assets or query). The assets option queries the scan targets (host ping) (default “assets”) --host-ping-censys-query string #The search string to use in query mode (host ping) --host-ping-coap-port uint #The destination port for CoAP probes (host ping) (default 5683) --host-ping-crestron-port uint #The destination port for Crestron probes (host ping) (default 41794) --host-ping-crowdstrike-api-url string #The URL used for the CrowdStrike account’s API access (host ping) --host-ping-crowdstrike-client-id string #The client ID for the CrowdStrike account (host ping) --host-ping-crowdstrike-client-secret string #The client secret for the CrowdStrike account (host ping) --host-ping-crowdstrike-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-crowdstrike-filter string #An optional Falcon Query Language (FQL) filter for imported assets (host ping) --host-ping-crowdstrike-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (host ping) --host-ping-crowdstrike-risks string #Minimum risk of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”) --host-ping-crowdstrike-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”) --host-ping-dahua-dhip-ports string #The destination ports for Dahua DHIP discovery probes (host ping) (default “37810”) --host-ping-defender365-client-id string #The application ID (client ID) for the Azure account (host ping) --host-ping-defender365-client-secret string #The client secret for the Azure account (host ping) --host-ping-defender365-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-defender365-include-inactive #Include assets that have stopped reporting to the Microsoft 365 Defender service (host ping) --host-ping-defender365-tenant-id string #The directory ID (tenant ID) for the Azure account (host ping) --host-ping-dnp3-address-probe-timeout int #Time limit (in seconds) for DNP address discovery. (host ping) (default 30) --host-ping-dnp3-banner-address-discovery string #One of ‘require’, ‘prefer’, or ‘ignore’. (host ping) (default “ignore”) --host-ping-dnp3-destination-address-discovery-range string #A numeric range of addresses to attempt to discover. (host ping) (default “0-32”) --host-ping-dnp3-explorer-address int #Source DNP3 address for the explorer. (host ping) (default -1) --host-ping-dns-disable-google-myaddr #Disables resolution of upstream DNS via Google myaddr service (host ping) --host-ping-dns-disable-meraki-detection #Disables detection of Meraki DNS interception (host ping) --host-ping-dns-port uint #The destination port for DNS probes (host ping) (default 53) --host-ping-dns-resolve-name string #The target hostname for DNS queries (‘off’ to disable) (host ping) (default “www.google.com”) --host-ping-dns-trace-domain string #The subdomain to use for trace requests (‘off’ to disable) (host ping) (default “helper.rumble.network”) --host-ping-dtls-ports string #The destination ports for DTLS probes (host ping) (default “443,3391,4433,5246,5349,5684”) --host-ping-echo-report-errors #Report errors from intermediate in-scope hosts (host ping) --host-ping-ethernetip-udp-ports string #The destination ports for EtherNet/IP UDP probes (host ping) (default “44818”) --host-ping-ethernetip-use-tagged-context string #Set this to true to use a runZero-specific sender context for debugging. (host ping) (default “false”) --host-ping-fins-port uint #The destination port for FINS probes (host ping) (default 9600) --host-ping-gcp-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-gcp-service-options string #The comma-separated list of services to sync data from (defaults,vm,lb,cloudsql) (host ping) (default “defaults”) --host-ping-gcp-site-per-project #Automatically create a new site per project (host ping) --host-ping-genudp-payload-base64 string #The generic udp payload as base64 (host ping) --host-ping-genudp-payload-hex string #The generic udp payload as hexadecimal (host ping) --host-ping-genudp-payload-text string #The generic udp payload as plain text (host ping) --host-ping-genudp-ports string #The destination ports for the generic udp probe (host ping) --host-ping-googleworkspace-client-email string #The email address of the service account (host ping) --host-ping-googleworkspace-client-id string #The ID of the service account (host ping) --host-ping-googleworkspace-customer-id string #An optional customer ID for multi-tenant environments (host ping) (default “my_customer”) --host-ping-googleworkspace-delegate string #The email address of an admin account with directory access (host ping) --host-ping-googleworkspace-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-googleworkspace-private-key string #The PEM encoded private key (host ping) --host-ping-googleworkspace-private-key-id string #The ID of the private key (host ping) --host-ping-googleworkspace-project-id string #The project ID of the service account (host ping) --host-ping-googleworkspace-service-options string #The comma-separated list of services to sync data from (defaults,chromeos,mobile,endpoint,user,group) (host ping) (default “defaults”) --host-ping-hiddiscoveryd-port uint #The destination port for HID discoveryd probes (host ping) (default 4070) --host-ping-igel-discovery-ports string #The destination ports for IGEL discovery probes (host ping) (default “30005”) --host-ping-ike-port uint #The destination port for IKE probes (host ping) (default 500) --host-ping-insightvm-api-url string #The URL used for the InsightVM account’s API access (host ping) --host-ping-insightvm-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-insightvm-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (host ping) --host-ping-insightvm-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) (default true) --host-ping-insightvm-password string #The password for the InsightVM account (host ping) --host-ping-insightvm-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”) --host-ping-insightvm-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”) --host-ping-insightvm-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping) --host-ping-insightvm-username string #The username for the InsightVM account (host ping) --host-ping-intune-client-id string #The application ID (client ID) for the Azure account (host ping) --host-ping-intune-client-secret string #The client secret for the Azure account (host ping) --host-ping-intune-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-intune-password string #The password for the Intune account (host ping) --host-ping-intune-tenant-id string #The directory ID (tenant ID) for the Azure account (host ping) --host-ping-intune-username string #The username for the Intune account (host ping) --host-ping-ipmi-port uint #The destination port for IPMI probes (host ping) (default 623) --host-ping-kerberos-port uint #The destination port for kerberos probes (host ping) (default 88) --host-ping-knxnet-ports string #The destination ports for knxnet probes (host ping) (default “3671”) --host-ping-l2t-port uint #The destination port for L2T probes (host ping) (default 2228) --host-ping-l2tp-ports string #The destination ports for L2TP probes (host ping) (default “1701”) --host-ping-lantronix-port uint #The destination port for Lantronix probes (host ping) (default 30718) --host-ping-layer2-add-targets #Set this false to skip scanning discovered targets (host ping) (default true) --host-ping-layer2-force #Set this to true to force discovery even without local targets (host ping) --host-ping-layer2-max-retries uint #The desired number of retries (host ping) (default 3) --host-ping-layer2-tcp-ports string #The TCP ports to ping for local device discovery (host ping) (default “22,80,135,179,443,3389,5040,7547,62078”) --host-ping-layer2-udp-trace-port uint #The UDP port number to use for UDP trace requests (host ping) (default 9) --host-ping-ldap-base-dn string #The base DN used for LDAP searches (host ping) --host-ping-ldap-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-ldap-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) --host-ping-ldap-legacy-tls #Set this to true to authenticate over legacy TLS versions (< 1.2) (host ping) --host-ping-ldap-password string #The password for the LDAP account (host ping) --host-ping-ldap-service-options string #The comma-separated list of services to sync data from (defaults,computer,user,group) (host ping) (default “defaults”) --host-ping-ldap-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping) --host-ping-ldap-url string #The URL used for the LDAP server (host ping) --host-ping-ldap-username string #The username for the LDAP account (host ping) --host-ping-max-attempts int #Set the maximum number of attempts for each probe (default 2) --host-ping-max-ttl int #Set the default TTL on host-ping probe packets (default 255) --host-ping-mdns-port uint #The destination port for MDNS probes (host ping) (default 5353) --host-ping-memcache-port uint #The destination port for memcached probes (host ping) (default 11211) --host-ping-miradore-api-key string #The API key for the Miradore account (host ping) --host-ping-miradore-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-miradore-hostname string #The Miradore web console hostname (url) (host ping) --host-ping-modbus-identification-level string #Identification level, one of ‘basic’, ‘regular’, or ’extended’. (host ping) (default “regular”) --host-ping-mssql-port uint #The destination port for MSSQL probes (host ping) (default 1434) --host-ping-natpmp-port uint #The destination port for NATPMP probes (host ping) (default 5351) --host-ping-nessus-access-key string #The access key for the Nessus Professional account (host ping) --host-ping-nessus-api-url string #The URL used for the Nessus Professional account’s API access (host ping) --host-ping-nessus-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-nessus-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (host ping) --host-ping-nessus-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) (default true) --host-ping-nessus-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”) --host-ping-nessus-secret-key string #The secret key for the Nessus Professional account (host ping) --host-ping-nessus-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”) --host-ping-nessus-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping) --host-ping-netbios-port uint #The destination port for NetBIOS Name Service probes (host ping) (default 137) --host-ping-ntp-port uint #The destination port for NTP probes (host ping) (default 123) --host-ping-openvpn-ports string #The destination ports for OpenVPN probes (host ping) (default “1194”) --host-ping-passes int #Set the number of passes for the host-ping phase (default 1) --host-ping-pca-port uint #The destination port for PCAnywhere probes (host ping) (default 5632) --host-ping-probes string #Launch a subset of the probes for the host-ping, comma-delimited (default “arp,echo,syn,connect,netbios,snmp,ntp,sunrpc,ike,openvpn,mdns”) --host-ping-psdisco-ports string #The destination ports for playstation discovery probes (host ping) (default “987,9302”) --host-ping-qualys-api-url string #The URL used for the Qualys account’s API access (host ping) --host-ping-qualys-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-qualys-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (host ping) --host-ping-qualys-include-unscanned #Include assets that have not been assessed for vulnerabilities (host ping) --host-ping-qualys-password string #The password for the Qualys account (host ping) --host-ping-qualys-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”) --host-ping-qualys-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”) --host-ping-qualys-username string #The username for the Qualys account (host ping) --host-ping-rdns-max-concurrent int #The maximum number of concurrent DNS lookups (host ping) (default 64) --host-ping-rdns-timeout uint #The DNS PTR lookup timeout in seconds (host ping) (default 3) --host-ping-rpcbind-port uint #The destination port for RPCBind probes (host ping) (default 111) --host-ping-rpcbind-port-nfs uint #The destination port for NFS probes (host ping) (default 2049) --host-ping-s7comm-request-extended-information #If true, request extended device information. (host ping) --host-ping-sample-duration string #Specify the duration in seconds to sample network traffic (or ‘0’ for non-stop) (host ping) (default “300”) --host-ping-sample-excludes string #Specify host exclusions (host ping) --host-ping-sample-interfaces string #Specify a comma-separated list of network interfaces (or ‘all’ for everything) (host ping) --host-ping-sample-targets string #Specify the discovery scope (host ping) (default “10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16”) --host-ping-sentinelone-api-url string #The URL used for the SentinelOne account’s API access (host ping) --host-ping-sentinelone-client-id string #The client ID for the SentinelOne account (host ping) --host-ping-sentinelone-client-secret string #The client secret for the SentinelOne account (host ping) --host-ping-sentinelone-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-shodan-api-key string #The key used for the Shodan account’s API access (host ping) --host-ping-shodan-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-shodan-mode string #The search mode (assets or query). The assets option queries the scan targets (host ping) (default “assets”) --host-ping-shodan-query string #The search string to use in query mode (host ping) --host-ping-sip-port uint #The destination port for SIP probes (host ping) (default 5060) --host-ping-snmp-comms string #The comma-separated list of SNMP v1/v2c communities (host ping) (default “public,private”) --host-ping-snmp-disable-bulk #If true, do not use bulk walking operations (host ping) --host-ping-snmp-max-repetitions uint #The maximum number of repetitions in a bulk walk operation (host ping) (default 16) --host-ping-snmp-max-retries int #The maximum number of retries for an SNMP operation (host ping) (default 1) --host-ping-snmp-poll-interval uint #The minimum number of seconds between polling each host after initial discovery (host ping) (default 300) --host-ping-snmp-port uint #The destination port for SNMP probes (host ping) (default 161) --host-ping-snmp-timeout uint #The maximum number of seconds for each individual SNMP operation (host ping) (default 5) --host-ping-snmp-v3-auth-passphrase string #The authentication passphrase (host ping) --host-ping-snmp-v3-auth-protocol string #The authentication protocol (none, md5, sha, sha224, sha256, sha384, sha512) (host ping) (default “none”) --host-ping-snmp-v3-context string #The optional SNMP v3 context to supply (host ping) --host-ping-snmp-v3-privacy-passphrase string #The privacy passphrase (host ping) --host-ping-snmp-v3-privacy-protocol string #The privacy protocol (none, des, aes, aes192, aes256, aes192c, aes256c) (host ping) (default “none”) --host-ping-snmp-v3-username string #The username to use for SNMP v3 authentication (host ping) --host-ping-snmp-walk-timeout uint #The maximum number of seconds for each SNMP walk operation (host ping) (default 60) --host-ping-ssdp-port uint #The destination port for UPnP/SSDP probes (host ping) (default 1900) --host-ping-ssh-fingerprint #Enable fingerprinting using partial authentication (host ping) (default true) --host-ping-ssh-fingerprint-username string #The username to use for partial authentication SSH fingerprinting (host ping) (default “STATUS”) --host-ping-steam-ports string #The destination ports for Steam discovery probes (host ping) (default “27036”) --host-ping-syn-disable-bogus-filter #Disable bogus service detection and filtering (host ping) --host-ping-syn-forwarding-check #Perform an IP forwarding check as part of the scan (host ping) (default true) --host-ping-syn-forwarding-check-target string #An external IPv4 address for the forwarding check (default:runzero) (host ping) (default “13.248.161.247”) --host-ping-syn-max-retries uint #The maximum number of retries trace and SYN requests (host ping) (default 2) --host-ping-syn-report-resets #Set this to true to report RST responses (host ping) (default true) --host-ping-syn-reset-sessions #Reset middle-box/firewall sessions automatically (host ping) (default true) --host-ping-syn-reset-sessions-delay uint #Minimum delay in milliseconds between a SYN and a session reset (host ping) --host-ping-syn-reset-sessions-limit uint #Maximum number of in-flight sessions before forcing session resets (host ping) (default 50) --host-ping-syn-traceroute #Perform a multi-protocol traceroute as part of the scan (host ping) (default true) --host-ping-syn-udp-trace-port uint #The UDP port number to use for UDP trace requests (host ping) (default 9) --host-ping-tcp-ports string #The list of TCP ports to host-ping using the syn and connect probes (default “22,80,135,179,443,3389,5040,7547,62078”) --host-ping-tenable-access-key string #The access key for the Tenable.io account (host ping) --host-ping-tenable-api-url string #The URL used for the Tenable.io account’s API access (host ping) --host-ping-tenable-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-tenable-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (host ping) --host-ping-tenable-include-unscanned #Include assets that have not been assessed for vulnerabilities (host ping) --host-ping-tenable-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”) --host-ping-tenable-secret-key string #The secret key for the Tenable.io account (host ping) --host-ping-tenable-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”) --host-ping-tenablesecuritycenter-access-key string #The access key for the Tenable Security Center account (host ping) --host-ping-tenablesecuritycenter-api-url string #The URL used for the Tenable Security Center account’s API access (host ping) --host-ping-tenablesecuritycenter-batch-size string #The number of records to request at a time. (between 2000 and 10000) (host ping) (default “2000”) --host-ping-tenablesecuritycenter-exclude-unknown #Exclude assets that cannot be merged into an existing asset (host ping) --host-ping-tenablesecuritycenter-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (host ping) --host-ping-tenablesecuritycenter-insecure string #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) --host-ping-tenablesecuritycenter-query-id string #The ID of an existing vulnerability query in the Tenable Security Center account (host ping) --host-ping-tenablesecuritycenter-query-mode string #Set to ‘filters’ to provide ‘severities’ and ‘risks’ values to import. Set to ‘query-id’ to provide a value for ‘query-id’. (host ping) (default “filters”) --host-ping-tenablesecuritycenter-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (host ping) (default “None,Low,Medium,High,Critical”) --host-ping-tenablesecuritycenter-secret-key string #The secret key for the Tenable Security Center account (host ping) --host-ping-tenablesecuritycenter-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (host ping) (default “Info,Low,Medium,High,Critical”) --host-ping-tenablesecuritycenter-sync-since string #Specify an initial date to sync data from. (host ping) --host-ping-tenablesecuritycenter-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping) --host-ping-tftp-ports string #The destination ports for TFTP probes (host ping) (default “69”) --host-ping-tos int #Set the default ToS on host-ping probe packets --host-ping-ubnt-port uint #The destination port for Ubiquiti probes (host ping) (default 10001) --host-ping-verbose #Display verbose output for the host-ping --host-ping-very-verbose #Display very verbose output for the host-ping --host-ping-vmware-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (host ping) (default true) --host-ping-vmware-password string #The password to use for VMware SDK authentication (read-only) (host ping) --host-ping-vmware-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (host ping) --host-ping-vmware-username string #The username to use for VMware SDK authentication (read-only) (host ping) --host-ping-webmin-ports string #The destination ports for webmin probes (host ping) (default “10000”) --host-ping-wlan-list-poll-interval uint #The minimum number of seconds between polls of the access point list (host ping) (default 300) --host-ping-wsd-port uint #The destination port for WSD probes (host ping) (default 3702) --igel-discovery-ports string #The destination ports for IGEL discovery probes (default “30005”) --ike-port uint #The destination port for IKE probes (default 500) -I, --import stringArray #Import existing scan data from the specified input files (‘scan.rumble’ format) --import-pcap stringArray #Import pcap packet capture from the specified input files (’.pcap’ or ‘.pcapng’ format) -i, --input-targets string #Read scan targets from the specified input file --insightvm-api-url string #The URL used for the InsightVM account’s API access --insightvm-exclude-unknown #Exclude assets that cannot be merged into an existing asset --insightvm-fingerprint-only #Import vulnerabilites for fingerprinting purposes only --insightvm-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true) --insightvm-password string #The password for the InsightVM account --insightvm-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”) --insightvm-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”) --insightvm-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication --insightvm-username string #The username for the InsightVM account --intune-client-id string #The application ID (client ID) for the Azure account --intune-client-secret string #The client secret for the Azure account --intune-exclude-unknown #Exclude assets that cannot be merged into an existing asset --intune-password string #The password for the Intune account --intune-tenant-id string #The directory ID (tenant ID) for the Azure account --intune-username string #The username for the Intune account --ipmi-port uint #The destination port for IPMI probes (default 623) --kerberos-port uint #The destination port for kerberos probes (default 88) --knxnet-ports string #The destination ports for knxnet probes (default “3671”) --l2t-port uint #The destination port for L2T probes (default 2228) --l2tp-ports string #The destination ports for L2TP probes (default “1701”) --lantronix-port uint #The destination port for Lantronix probes (default 30718) --layer2-add-targets #Set this false to skip scanning discovered targets (default true) --layer2-force #Set this to true to force discovery even without local targets --layer2-max-retries uint #The desired number of retries (default 3) --layer2-tcp-ports string #The TCP ports to ping for local device discovery (default “22,80,135,179,443,3389,5040,7547,62078”) --layer2-udp-trace-port uint #The UDP port number to use for UDP trace requests (default 9) --ldap-base-dn string #The base DN used for LDAP searches --ldap-exclude-unknown #Exclude assets that cannot be merged into an existing asset --ldap-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) --ldap-legacy-tls #Set this to true to authenticate over legacy TLS versions (< 1.2) --ldap-password string #The password for the LDAP account --ldap-service-options string #The comma-separated list of services to sync data from (defaults,computer,user,group) (default “defaults”) --ldap-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication --ldap-url string #The URL used for the LDAP server --ldap-username string #The username for the LDAP account --max-attempts int #Set the maximum number of attempts for each probe (default 3) -G, --max-group-size int #Set the maximum number of targets to process in each group (default 4096) -R, --max-host-rate int #Set the maximum packet rate per target (including ARP broadcast) (default 40) --max-sockets int #Set the maximum number of concurrent sockets (default 2048) --max-ttl int #Set the default TTL on probe packets (default 255) --mdns-port uint #The destination port for MDNS probes (default 5353) --memcache-port uint #The destination port for memcached probes (default 11211) --miradore-api-key string #The API key for the Miradore account --miradore-exclude-unknown #Exclude assets that cannot be merged into an existing asset --miradore-hostname string #The Miradore web console hostname (url) --modbus-identification-level string #Identification level, one of ‘basic’, ‘regular’, or ’extended’. (default “regular”) --mssql-port uint #The destination port for MSSQL probes (default 1434) --nameservers string #One or more nameservers to use for DNS resolution --natpmp-port uint #The destination port for NATPMP probes (default 5351) --nessus-access-key string #The access key for the Nessus Professional account --nessus-api-url string #The URL used for the Nessus Professional account’s API access --nessus-exclude-unknown #Exclude assets that cannot be merged into an existing asset --nessus-fingerprint-only #Import vulnerabilites for fingerprinting purposes only --nessus-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true) --nessus-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”) --nessus-secret-key string #The secret key for the Nessus Professional account --nessus-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”) --nessus-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication --netbios-port uint #The destination port for NetBIOS Name Service probes (default 137) --nowait #Exit the user interface immediately upon completion --ntp-port uint #The destination port for NTP probes (default 123) --openvpn-ports string #The destination ports for OpenVPN probes (default “1194”) -o, --output string #Output directory for scan results and analysis (‘disable’ to skip) --output-raw string #Set the raw output file for scan data --overwrite #Overwrite and replace the output directory if it already exists --passes int #Set the number of passes for each probe (default 1) --pca-port uint #The destination port for PCAnywhere probes (default 5632) --probes string #Launch a subset of the probes, comma-delimited (default “defaults”) --psdisco-ports string #The destination ports for playstation discovery probes (default “987,9302”) --qualys-api-url string #The URL used for the Qualys account’s API access --qualys-exclude-unknown #Exclude assets that cannot be merged into an existing asset --qualys-fingerprint-only #Import vulnerabilites for fingerprinting purposes only --qualys-include-unscanned #Include assets that have not been assessed for vulnerabilities --qualys-password string #The password for the Qualys account --qualys-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”) --qualys-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”) --qualys-username string #The username for the Qualys account -r, --rate int #Set the maximum packet rate for the overall scan (default 1000) --rdns-max-concurrent int #The maximum number of concurrent DNS lookups (default 64) --rdns-timeout uint #The DNS PTR lookup timeout in seconds (default 3) --rpcbind-port uint #The destination port for RPCBind probes (default 111) --rpcbind-port-nfs uint #The destination port for NFS probes (default 2049) --s7comm-request-extended-information #If true, request extended device information. --sample-duration string #Specify the duration in seconds to sample network traffic (or ‘0’ for non-stop) (default “300”) --sample-excludes string #Specify host exclusions --sample-interfaces string #Specify a comma-separated list of network interfaces (or ‘all’ for everything) --sample-targets string #Specify the discovery scope (default “10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16”) -S, --screenshots #Capture screenshots from scan target web services (default true) --sentinelone-api-url string #The URL used for the SentinelOne account’s API access --sentinelone-client-id string #The client ID for the SentinelOne account --sentinelone-client-secret string #The client secret for the SentinelOne account --sentinelone-exclude-unknown #Exclude assets that cannot be merged into an existing asset --shodan-api-key string #The key used for the Shodan account’s API access --shodan-exclude-unknown #Exclude assets that cannot be merged into an existing asset --shodan-mode string #The search mode (assets or query). The assets option queries the scan targets (default “assets”) --shodan-query string #The search string to use in query mode --sip-port uint #The destination port for SIP probes (default 5060) --snmp-comms string #The comma-separated list of SNMP v1/v2c communities (default “public,private”) --snmp-disable-bulk #If true, do not use bulk walking operations --snmp-max-repetitions uint #The maximum number of repetitions in a bulk walk operation (default 16) --snmp-max-retries int #The maximum number of retries for an SNMP operation (default 1) --snmp-poll-interval uint #The minimum number of seconds between polling each host after initial discovery (default 300) --snmp-port uint #The destination port for SNMP probes (default 161) --snmp-timeout uint #The maximum number of seconds for each individual SNMP operation (default 5) --snmp-v3-auth-passphrase string #The authentication passphrase --snmp-v3-auth-protocol string #The authentication protocol (none, md5, sha, sha224, sha256, sha384, sha512) (default “none”) --snmp-v3-context string #The optional SNMP v3 context to supply --snmp-v3-privacy-passphrase string #The privacy passphrase --snmp-v3-privacy-protocol string #The privacy protocol (none, des, aes, aes192, aes256, aes192c, aes256c) (default “none”) --snmp-v3-username string #The username to use for SNMP v3 authentication --snmp-walk-timeout uint #The maximum number of seconds for each SNMP walk operation (default 60) --ssdp-port uint #The destination port for UPnP/SSDP probes (default 1900) --ssh-fingerprint #Enable fingerprinting using partial authentication (default true) --ssh-fingerprint-username string #The username to use for partial authentication SSH fingerprinting (default “STATUS”) --steam-ports string #The destination ports for Steam discovery probes (default “27036”) --subnet-ping #Only scan subnets that have at least one active response using the subnet-ping settings --subnet-ping-arp-fast #Enables fast mode by ARP scanning at the scan rate vs host rate (subnet ping) --subnet-ping-aws-instances-access-key string #The access key for the AWS account (subnet ping) --subnet-ping-aws-instances-assume-role-name string #The role to assume for all accounts in the organization for cross-account access (subnet ping) --subnet-ping-aws-instances-delete-stale #Automatically delete stale AWS assets (subnet ping) --subnet-ping-aws-instances-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-aws-instances-include-stopped #Include assets that are not currently running (subnet ping) --subnet-ping-aws-instances-regions string #The comma-separated list of regions for the AWS account (subnet ping) --subnet-ping-aws-instances-secret-access-key string #The secret access key for the AWS account (subnet ping) --subnet-ping-aws-instances-service-options string #The comma-separated list of services to sync data from (defaults,ec2,elb,elbv2,rds,lambda) (subnet ping) (default “defaults”) --subnet-ping-aws-instances-site-per-account #Automatically create a new site per account (subnet ping) --subnet-ping-aws-instances-site-per-vpc #Automatically create a new site per VPC (subnet ping) --subnet-ping-aws-instances-token string #The session token for the AWS account (subnet ping) --subnet-ping-azure-client-id string #The application ID (client ID) for the Azure account (subnet ping) --subnet-ping-azure-client-secret string #The client secret for the Azure account (subnet ping) --subnet-ping-azure-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-azure-multi-subscription #Access all subscriptions in the directory (tenant) for the Azure account (subnet ping) --subnet-ping-azure-password string #The password for the Azure account (subnet ping) --subnet-ping-azure-service-options string #The comma-separated list of services to sync data from (defaults,vm,vmss,azsql,cosmos,lb,functionapp) (subnet ping) (default “defaults”) --subnet-ping-azure-site-per-subscription #Automatically create a new site per subscription (subnet ping) --subnet-ping-azure-subscription-id string #The subscription ID for the Azure account (subnet ping) --subnet-ping-azure-tenant-id string #The directory ID (tenant ID) for the Azure account (subnet ping) --subnet-ping-azure-username string #The username for the Azure account (subnet ping) --subnet-ping-azuread-client-id string #The application ID (client ID) for the Azure account (subnet ping) --subnet-ping-azuread-client-secret string #The client secret for the Azure account (subnet ping) --subnet-ping-azuread-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-azuread-include-inactive #Include assets that are marked as inactive in the AzureAD account (subnet ping) --subnet-ping-azuread-password string #The password for the AzureAD account (subnet ping) --subnet-ping-azuread-service-options string #The comma-separated list of services to sync data from (defaults,dev,user,group) (subnet ping) (default “defaults”) --subnet-ping-azuread-tenant-id string #The directory ID (tenant ID) for the Azure account (subnet ping) --subnet-ping-azuread-username string #The username for the AzureAD account (subnet ping) --subnet-ping-bacnet-ports string #The destination ports for BACnet probes (subnet ping) (default “46808,47808,48808”) --subnet-ping-bedrock-ports string #The destination ports for Bedrock probes (subnet ping) (default “19132”) --subnet-ping-censys-api-url string #The API endpoint to use for Censys Search (subnet ping) (default “https://search.censys.io”) --subnet-ping-censys-client-id string #The Client ID to use for Censys Search authentication (subnet ping) --subnet-ping-censys-client-secret string #The Client Secret to use for Censys Search authentication (subnet ping) --subnet-ping-censys-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-censys-mode string #The search mode (assets or query). The assets option queries the scan targets (subnet ping) (default “assets”) --subnet-ping-censys-query string #The search string to use in query mode (subnet ping) --subnet-ping-coap-port uint #The destination port for CoAP probes (subnet ping) (default 5683) --subnet-ping-crestron-port uint #The destination port for Crestron probes (subnet ping) (default 41794) --subnet-ping-crowdstrike-api-url string #The URL used for the CrowdStrike account’s API access (subnet ping) --subnet-ping-crowdstrike-client-id string #The client ID for the CrowdStrike account (subnet ping) --subnet-ping-crowdstrike-client-secret string #The client secret for the CrowdStrike account (subnet ping) --subnet-ping-crowdstrike-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-crowdstrike-filter string #An optional Falcon Query Language (FQL) filter for imported assets (subnet ping) --subnet-ping-crowdstrike-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (subnet ping) --subnet-ping-crowdstrike-risks string #Minimum risk of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”) --subnet-ping-crowdstrike-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”) --subnet-ping-dahua-dhip-ports string #The destination ports for Dahua DHIP discovery probes (subnet ping) (default “37810”) --subnet-ping-defender365-client-id string #The application ID (client ID) for the Azure account (subnet ping) --subnet-ping-defender365-client-secret string #The client secret for the Azure account (subnet ping) --subnet-ping-defender365-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-defender365-include-inactive #Include assets that have stopped reporting to the Microsoft 365 Defender service (subnet ping) --subnet-ping-defender365-tenant-id string #The directory ID (tenant ID) for the Azure account (subnet ping) --subnet-ping-dnp3-address-probe-timeout int #Time limit (in seconds) for DNP address discovery. (subnet ping) (default 30) --subnet-ping-dnp3-banner-address-discovery string #One of ‘require’, ‘prefer’, or ‘ignore’. (subnet ping) (default “ignore”) --subnet-ping-dnp3-destination-address-discovery-range string #A numeric range of addresses to attempt to discover. (subnet ping) (default “0-32”) --subnet-ping-dnp3-explorer-address int #Source DNP3 address for the explorer. (subnet ping) (default -1) --subnet-ping-dns-disable-google-myaddr #Disables resolution of upstream DNS via Google myaddr service (subnet ping) --subnet-ping-dns-disable-meraki-detection #Disables detection of Meraki DNS interception (subnet ping) --subnet-ping-dns-port uint #The destination port for DNS probes (subnet ping) (default 53) --subnet-ping-dns-resolve-name string #The target hostname for DNS queries (‘off’ to disable) (subnet ping) (default “www.google.com”) --subnet-ping-dns-trace-domain string #The subdomain to use for trace requests (‘off’ to disable) (subnet ping) (default “helper.rumble.network”) --subnet-ping-dtls-ports string #The destination ports for DTLS probes (subnet ping) (default “443,3391,4433,5246,5349,5684”) --subnet-ping-echo-report-errors #Report errors from intermediate in-scope hosts (subnet ping) --subnet-ping-ethernetip-udp-ports string #The destination ports for EtherNet/IP UDP probes (subnet ping) (default “44818”) --subnet-ping-ethernetip-use-tagged-context string #Set this to true to use a runZero-specific sender context for debugging. (subnet ping) (default “false”) --subnet-ping-fins-port uint #The destination port for FINS probes (subnet ping) (default 9600) --subnet-ping-gcp-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-gcp-service-options string #The comma-separated list of services to sync data from (defaults,vm,lb,cloudsql) (subnet ping) (default “defaults”) --subnet-ping-gcp-site-per-project #Automatically create a new site per project (subnet ping) --subnet-ping-genudp-payload-base64 string #The generic udp payload as base64 (subnet ping) --subnet-ping-genudp-payload-hex string #The generic udp payload as hexadecimal (subnet ping) --subnet-ping-genudp-payload-text string #The generic udp payload as plain text (subnet ping) --subnet-ping-genudp-ports string #The destination ports for the generic udp probe (subnet ping) --subnet-ping-googleworkspace-client-email string #The email address of the service account (subnet ping) --subnet-ping-googleworkspace-client-id string #The ID of the service account (subnet ping) --subnet-ping-googleworkspace-customer-id string #An optional customer ID for multi-tenant environments (subnet ping) (default “my_customer”) --subnet-ping-googleworkspace-delegate string #The email address of an admin account with directory access (subnet ping) --subnet-ping-googleworkspace-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-googleworkspace-private-key string #The PEM encoded private key (subnet ping) --subnet-ping-googleworkspace-private-key-id string #The ID of the private key (subnet ping) --subnet-ping-googleworkspace-project-id string #The project ID of the service account (subnet ping) --subnet-ping-googleworkspace-service-options string #The comma-separated list of services to sync data from (defaults,chromeos,mobile,endpoint,user,group) (subnet ping) (default “defaults”) --subnet-ping-hiddiscoveryd-port uint #The destination port for HID discoveryd probes (subnet ping) (default 4070) --subnet-ping-igel-discovery-ports string #The destination ports for IGEL discovery probes (subnet ping) (default “30005”) --subnet-ping-ike-port uint #The destination port for IKE probes (subnet ping) (default 500) --subnet-ping-insightvm-api-url string #The URL used for the InsightVM account’s API access (subnet ping) --subnet-ping-insightvm-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-insightvm-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (subnet ping) --subnet-ping-insightvm-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) (default true) --subnet-ping-insightvm-password string #The password for the InsightVM account (subnet ping) --subnet-ping-insightvm-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”) --subnet-ping-insightvm-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”) --subnet-ping-insightvm-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping) --subnet-ping-insightvm-username string #The username for the InsightVM account (subnet ping) --subnet-ping-intune-client-id string #The application ID (client ID) for the Azure account (subnet ping) --subnet-ping-intune-client-secret string #The client secret for the Azure account (subnet ping) --subnet-ping-intune-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-intune-password string #The password for the Intune account (subnet ping) --subnet-ping-intune-tenant-id string #The directory ID (tenant ID) for the Azure account (subnet ping) --subnet-ping-intune-username string #The username for the Intune account (subnet ping) --subnet-ping-ipmi-port uint #The destination port for IPMI probes (subnet ping) (default 623) --subnet-ping-kerberos-port uint #The destination port for kerberos probes (subnet ping) (default 88) --subnet-ping-knxnet-ports string #The destination ports for knxnet probes (subnet ping) (default “3671”) --subnet-ping-l2t-port uint #The destination port for L2T probes (subnet ping) (default 2228) --subnet-ping-l2tp-ports string #The destination ports for L2TP probes (subnet ping) (default “1701”) --subnet-ping-lantronix-port uint #The destination port for Lantronix probes (subnet ping) (default 30718) --subnet-ping-layer2-add-targets #Set this false to skip scanning discovered targets (subnet ping) (default true) --subnet-ping-layer2-force #Set this to true to force discovery even without local targets (subnet ping) --subnet-ping-layer2-max-retries uint #The desired number of retries (subnet ping) (default 3) --subnet-ping-layer2-tcp-ports string #The TCP ports to ping for local device discovery (subnet ping) (default “22,80,135,179,443,3389,5040,7547,62078”) --subnet-ping-layer2-udp-trace-port uint #The UDP port number to use for UDP trace requests (subnet ping) (default 9) --subnet-ping-ldap-base-dn string #The base DN used for LDAP searches (subnet ping) --subnet-ping-ldap-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-ldap-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) --subnet-ping-ldap-legacy-tls #Set this to true to authenticate over legacy TLS versions (< 1.2) (subnet ping) --subnet-ping-ldap-password string #The password for the LDAP account (subnet ping) --subnet-ping-ldap-service-options string #The comma-separated list of services to sync data from (defaults,computer,user,group) (subnet ping) (default “defaults”) --subnet-ping-ldap-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping) --subnet-ping-ldap-url string #The URL used for the LDAP server (subnet ping) --subnet-ping-ldap-username string #The username for the LDAP account (subnet ping) --subnet-ping-max-attempts int #Set the maximum number of attempts for each probe (default 1) --subnet-ping-max-ttl int #Set the default TTL on subnet-ping probe packets (default 255) --subnet-ping-mdns-port uint #The destination port for MDNS probes (subnet ping) (default 5353) --subnet-ping-memcache-port uint #The destination port for memcached probes (subnet ping) (default 11211) --subnet-ping-miradore-api-key string #The API key for the Miradore account (subnet ping) --subnet-ping-miradore-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-miradore-hostname string #The Miradore web console hostname (url) (subnet ping) --subnet-ping-modbus-identification-level string #Identification level, one of ‘basic’, ‘regular’, or ’extended’. (subnet ping) (default “regular”) --subnet-ping-mode string #Set the subnet-ping discovery profile: auto (default “auto”) --subnet-ping-mssql-port uint #The destination port for MSSQL probes (subnet ping) (default 1434) --subnet-ping-natpmp-port uint #The destination port for NATPMP probes (subnet ping) (default 5351) --subnet-ping-nessus-access-key string #The access key for the Nessus Professional account (subnet ping) --subnet-ping-nessus-api-url string #The URL used for the Nessus Professional account’s API access (subnet ping) --subnet-ping-nessus-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-nessus-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (subnet ping) --subnet-ping-nessus-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) (default true) --subnet-ping-nessus-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”) --subnet-ping-nessus-secret-key string #The secret key for the Nessus Professional account (subnet ping) --subnet-ping-nessus-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”) --subnet-ping-nessus-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping) --subnet-ping-net-size int #Set the subnet size to use for the subnet ping (default 256) --subnet-ping-netbios-port uint #The destination port for NetBIOS Name Service probes (subnet ping) (default 137) --subnet-ping-ntp-port uint #The destination port for NTP probes (subnet ping) (default 123) --subnet-ping-openvpn-ports string #The destination ports for OpenVPN probes (subnet ping) (default “1194”) --subnet-ping-passes int #Set the number of passes for the subnet-ping phase (default 1) --subnet-ping-pca-port uint #The destination port for PCAnywhere probes (subnet ping) (default 5632) --subnet-ping-probes string #Launch a subset of the probes for the subnet-ping, comma-delimited (default “arp,echo,syn,connect,netbios,snmp,ntp,sunrpc,ike,openvpn,mdns”) --subnet-ping-psdisco-ports string #The destination ports for playstation discovery probes (subnet ping) (default “987,9302”) --subnet-ping-qualys-api-url string #The URL used for the Qualys account’s API access (subnet ping) --subnet-ping-qualys-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-qualys-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (subnet ping) --subnet-ping-qualys-include-unscanned #Include assets that have not been assessed for vulnerabilities (subnet ping) --subnet-ping-qualys-password string #The password for the Qualys account (subnet ping) --subnet-ping-qualys-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”) --subnet-ping-qualys-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”) --subnet-ping-qualys-username string #The username for the Qualys account (subnet ping) --subnet-ping-rdns-max-concurrent int #The maximum number of concurrent DNS lookups (subnet ping) (default 64) --subnet-ping-rdns-timeout uint #The DNS PTR lookup timeout in seconds (subnet ping) (default 3) --subnet-ping-rpcbind-port uint #The destination port for RPCBind probes (subnet ping) (default 111) --subnet-ping-rpcbind-port-nfs uint #The destination port for NFS probes (subnet ping) (default 2049) --subnet-ping-s7comm-request-extended-information #If true, request extended device information. (subnet ping) --subnet-ping-sample-duration string #Specify the duration in seconds to sample network traffic (or ‘0’ for non-stop) (subnet ping) (default “300”) --subnet-ping-sample-excludes string #Specify host exclusions (subnet ping) --subnet-ping-sample-interfaces string #Specify a comma-separated list of network interfaces (or ‘all’ for everything) (subnet ping) --subnet-ping-sample-rate int #Set the sample rate of addresses within each subnet as a percentage (default 4) --subnet-ping-sample-targets string #Specify the discovery scope (subnet ping) (default “10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16”) --subnet-ping-sentinelone-api-url string #The URL used for the SentinelOne account’s API access (subnet ping) --subnet-ping-sentinelone-client-id string #The client ID for the SentinelOne account (subnet ping) --subnet-ping-sentinelone-client-secret string #The client secret for the SentinelOne account (subnet ping) --subnet-ping-sentinelone-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-shodan-api-key string #The key used for the Shodan account’s API access (subnet ping) --subnet-ping-shodan-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-shodan-mode string #The search mode (assets or query). The assets option queries the scan targets (subnet ping) (default “assets”) --subnet-ping-shodan-query string #The search string to use in query mode (subnet ping) --subnet-ping-sip-port uint #The destination port for SIP probes (subnet ping) (default 5060) --subnet-ping-snmp-comms string #The comma-separated list of SNMP v1/v2c communities (subnet ping) (default “public,private”) --subnet-ping-snmp-disable-bulk #If true, do not use bulk walking operations (subnet ping) --subnet-ping-snmp-max-repetitions uint #The maximum number of repetitions in a bulk walk operation (subnet ping) (default 16) --subnet-ping-snmp-max-retries int #The maximum number of retries for an SNMP operation (subnet ping) (default 1) --subnet-ping-snmp-poll-interval uint #The minimum number of seconds between polling each host after initial discovery (subnet ping) (default 300) --subnet-ping-snmp-port uint #The destination port for SNMP probes (subnet ping) (default 161) --subnet-ping-snmp-timeout uint #The maximum number of seconds for each individual SNMP operation (subnet ping) (default 5) --subnet-ping-snmp-v3-auth-passphrase string #The authentication passphrase (subnet ping) --subnet-ping-snmp-v3-auth-protocol string #The authentication protocol (none, md5, sha, sha224, sha256, sha384, sha512) (subnet ping) (default “none”) --subnet-ping-snmp-v3-context string #The optional SNMP v3 context to supply (subnet ping) --subnet-ping-snmp-v3-privacy-passphrase string #The privacy passphrase (subnet ping) --subnet-ping-snmp-v3-privacy-protocol string #The privacy protocol (none, des, aes, aes192, aes256, aes192c, aes256c) (subnet ping) (default “none”) --subnet-ping-snmp-v3-username string #The username to use for SNMP v3 authentication (subnet ping) --subnet-ping-snmp-walk-timeout uint #The maximum number of seconds for each SNMP walk operation (subnet ping) (default 60) --subnet-ping-ssdp-port uint #The destination port for UPnP/SSDP probes (subnet ping) (default 1900) --subnet-ping-ssh-fingerprint #Enable fingerprinting using partial authentication (subnet ping) (default true) --subnet-ping-ssh-fingerprint-username string #The username to use for partial authentication SSH fingerprinting (subnet ping) (default “STATUS”) --subnet-ping-steam-ports string #The destination ports for Steam discovery probes (subnet ping) (default “27036”) --subnet-ping-syn-disable-bogus-filter #Disable bogus service detection and filtering (subnet ping) --subnet-ping-syn-forwarding-check #Perform an IP forwarding check as part of the scan (subnet ping) (default true) --subnet-ping-syn-forwarding-check-target string #An external IPv4 address for the forwarding check (default:runzero) (subnet ping) (default “13.248.161.247”) --subnet-ping-syn-max-retries uint #The maximum number of retries trace and SYN requests (subnet ping) (default 2) --subnet-ping-syn-report-resets #Set this to true to report RST responses (subnet ping) (default true) --subnet-ping-syn-reset-sessions #Reset middle-box/firewall sessions automatically (subnet ping) (default true) --subnet-ping-syn-reset-sessions-delay uint #Minimum delay in milliseconds between a SYN and a session reset (subnet ping) --subnet-ping-syn-reset-sessions-limit uint #Maximum number of in-flight sessions before forcing session resets (subnet ping) (default 50) --subnet-ping-syn-traceroute #Perform a multi-protocol traceroute as part of the scan (subnet ping) (default true) --subnet-ping-syn-udp-trace-port uint #The UDP port number to use for UDP trace requests (subnet ping) (default 9) --subnet-ping-tcp-ports string #The list of TCP ports to subnet-ping using the syn and connect probes (default “22,80,135,179,443,3389,5040,7547,62078”) --subnet-ping-tenable-access-key string #The access key for the Tenable.io account (subnet ping) --subnet-ping-tenable-api-url string #The URL used for the Tenable.io account’s API access (subnet ping) --subnet-ping-tenable-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-tenable-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (subnet ping) --subnet-ping-tenable-include-unscanned #Include assets that have not been assessed for vulnerabilities (subnet ping) --subnet-ping-tenable-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”) --subnet-ping-tenable-secret-key string #The secret key for the Tenable.io account (subnet ping) --subnet-ping-tenable-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”) --subnet-ping-tenablesecuritycenter-access-key string #The access key for the Tenable Security Center account (subnet ping) --subnet-ping-tenablesecuritycenter-api-url string #The URL used for the Tenable Security Center account’s API access (subnet ping) --subnet-ping-tenablesecuritycenter-batch-size string #The number of records to request at a time. (between 2000 and 10000) (subnet ping) (default “2000”) --subnet-ping-tenablesecuritycenter-exclude-unknown #Exclude assets that cannot be merged into an existing asset (subnet ping) --subnet-ping-tenablesecuritycenter-fingerprint-only #Import vulnerabilites for fingerprinting purposes only (subnet ping) --subnet-ping-tenablesecuritycenter-insecure string #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) --subnet-ping-tenablesecuritycenter-query-id string #The ID of an existing vulnerability query in the Tenable Security Center account (subnet ping) --subnet-ping-tenablesecuritycenter-query-mode string #Set to ‘filters’ to provide ‘severities’ and ‘risks’ values to import. Set to ‘query-id’ to provide a value for ‘query-id’. (subnet ping) (default “filters”) --subnet-ping-tenablesecuritycenter-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (subnet ping) (default “None,Low,Medium,High,Critical”) --subnet-ping-tenablesecuritycenter-secret-key string #The secret key for the Tenable Security Center account (subnet ping) --subnet-ping-tenablesecuritycenter-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (subnet ping) (default “Info,Low,Medium,High,Critical”) --subnet-ping-tenablesecuritycenter-sync-since string #Specify an initial date to sync data from. (subnet ping) --subnet-ping-tenablesecuritycenter-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping) --subnet-ping-tftp-ports string #The destination ports for TFTP probes (subnet ping) (default “69”) --subnet-ping-tos int #Set the default ToS on subnet-ping probe packets --subnet-ping-ubnt-port uint #The destination port for Ubiquiti probes (subnet ping) (default 10001) --subnet-ping-verbose #Display verbose output for the subnet-ping --subnet-ping-very-verbose #Display very verbose output for the subnet-ping --subnet-ping-vmware-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (subnet ping) (default true) --subnet-ping-vmware-password string #The password to use for VMware SDK authentication (read-only) (subnet ping) --subnet-ping-vmware-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication (subnet ping) --subnet-ping-vmware-username string #The username to use for VMware SDK authentication (read-only) (subnet ping) --subnet-ping-webmin-ports string #The destination ports for webmin probes (subnet ping) (default “10000”) --subnet-ping-wlan-list-poll-interval uint #The minimum number of seconds between polls of the access point list (subnet ping) (default 300) --subnet-ping-wsd-port uint #The destination port for WSD probes (subnet ping) (default 3702) --syn-disable-bogus-filter #Disable bogus service detection and filtering --syn-forwarding-check #Perform an IP forwarding check as part of the scan (default true) --syn-forwarding-check-target string #An external IPv4 address for the forwarding check (default:runzero) (default “13.248.161.247”) --syn-max-retries uint #The maximum number of retries trace and SYN requests (default 2) --syn-report-resets #Set this to true to report RST responses (default true) --syn-reset-sessions #Reset middle-box/firewall sessions automatically (default true) --syn-reset-sessions-delay uint #Minimum delay in milliseconds between a SYN and a session reset --syn-reset-sessions-limit uint #Maximum number of in-flight sessions before forcing session resets (default 50) --syn-traceroute #Perform a multi-protocol traceroute as part of the scan (default true) --syn-udp-trace-port uint #The UDP port number to use for UDP trace requests (default 9) --tcp-excludes string #The list of TCP ports to always exclude -p, --tcp-ports string #The list of TCP ports scan using the syn and connect probes (see below for default) --tcp-skip-protocol #Set this to skip protocol detection on TCP ports --tenable-access-key string #The access key for the Tenable.io account --tenable-api-url string #The URL used for the Tenable.io account’s API access --tenable-exclude-unknown #Exclude assets that cannot be merged into an existing asset --tenable-fingerprint-only #Import vulnerabilites for fingerprinting purposes only --tenable-include-unscanned #Include assets that have not been assessed for vulnerabilities --tenable-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”) --tenable-secret-key string #The secret key for the Tenable.io account --tenable-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”) --tenablesecuritycenter-access-key string #The access key for the Tenable Security Center account --tenablesecuritycenter-api-url string #The URL used for the Tenable Security Center account’s API access --tenablesecuritycenter-batch-size string #The number of records to request at a time. (between 2000 and 10000) (default “2000”) --tenablesecuritycenter-exclude-unknown #Exclude assets that cannot be merged into an existing asset --tenablesecuritycenter-fingerprint-only #Import vulnerabilites for fingerprinting purposes only --tenablesecuritycenter-insecure string #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) --tenablesecuritycenter-query-id string #The ID of an existing vulnerability query in the Tenable Security Center account --tenablesecuritycenter-query-mode string #Set to ‘filters’ to provide ‘severities’ and ‘risks’ values to import. Set to ‘query-id’ to provide a value for ‘query-id’. (default “filters”) --tenablesecuritycenter-risks string #Risk levels of imported vulnerabilities (None, Low, Medium, High, Critical) (default “None,Low,Medium,High,Critical”) --tenablesecuritycenter-secret-key string #The secret key for the Tenable Security Center account --tenablesecuritycenter-severities string #Severity levels of imported vulnerabilities (Info, Low, Medium, High, Critical) (default “Info,Low,Medium,High,Critical”) --tenablesecuritycenter-sync-since string #Specify an initial date to sync data from. --tenablesecuritycenter-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication --text #Force text-only mode (no console ui) --tftp-ports string #The destination ports for TFTP probes (default “69”) --tos int #Set the default ToS on probe packets --ubnt-port uint #The destination port for Ubiquiti probes (default 10001) --upload #Automatically upload results to the runZero Console -u, --upload-site string #Specify the Site ID or Name to upload the raw scan results to if –upload is specified (default “Primary”) -v, --verbose #Display verbose output --very-verbose #Display very verbose output --vmware-insecure #Set this to true to authenticate to untrusted endpoints (self-signed or no IP SAN) (default true) --vmware-password string #The password to use for VMware SDK authentication (read-only) --vmware-thumbprints string #A set of IP=SHA256:B64HASH pairs to trust for authentication --vmware-username string #The username to use for VMware SDK authentication (read-only) --webmin-ports string #The destination ports for webmin probes (default “10000”) --wlan-list-poll-interval uint #The minimum number of seconds between polls of the access point list (default 300) --wsd-port uint #The destination port for WSD probes (default 3702)