Credential-less Discovery with Nmap

  • Rversion finale: Australia
  • Mis à jour 12 mars 2026
  • 5 minutes de lecture

    • If the instance fails to identify a configuration item (CI) because of authentication failure, Discovery or Service Mapping can run selected Network Mapper (Nmap) commands with a MID Server to collect some basic information about the CI without using credentials.

    A MID Server administrator can install Nmap on individual MID Servers running on a Windows host. Those MID Servers can then discover some basic information about CIs in your network when normal authentication fails.
    Important :
    Self-hosted customers whose network security does not permit downloads from install.service-now.com must install and configure Nmap manually on their system. Refer to Install Nmap on a self-hosted system for instructions.

    Credential-less Discovery can create or modify host and application CIs when credentials are missing or misconfigured. If a credential-based Discovery is performed successfully after Nmap creates a CI, the system reconciles the information gathered from each type of discovery.

    What Nmap can discover

    The Nmap commands executed during credential-less Discovery can:
    • Perform reverse DNS name resolution to identify the host from the IPv4 address.
    • Return the MAC address of the host if that host is on the same subnet as the host executing the Nmap command.
    • Detect applications installed on a target host.
    • Detect the operating system of a target host and the OS version.
    Remarque :

    Credential-less Discovery classifies routers and switches as hardware. It does not create or update CIs specifically for them.

    Credential-less Discovery should only be used on known subnets where credentials are not viable and should not be used long term.

    Nmap credential-less Discovery scans in cloud computing platforms

    It is often against the terms of service to run Nmap scans to or from any resource within a cloud computing service such as Amazon Web Service, Microsoft Azure, IBM Cloud, or Google Cloud Platform. For example, the Amazon Web Service (AWS) environment is tightly regulated and requires the permission of AWS through the AWS Vulnerability/Penetration Testing Request form. Unauthorized tests against AWS services or AWS-owned resources are prohibited. For this reason, credential-less Discovery within a cloud computing service environment is not appropriate, and if a violation of their policy occurs, could result in expulsion from the service. Please contact your platform service provider for information on limitations or permission requirements for running Nmap.

    Components installed with Nmap

    The Discovery - IP Based [com.snc.discovery.ip_based] plugin that provides the Nmap functionality is activated automatically when either Discovery or Service Mapping is active. These Nmap components are provided by the Discovery - IP Based plugin:
    Component Description
    System property The mid.discovery.credentialless.enable property enables or disables Nmap for all MID Servers on which Nmap is installed that are connected to the instance. This property is installed with the Discovery plugin and is enabled by default. It is configurable by a system administrator.
    MID Server properties These properties, from the MID Server Property [ecc_agent_property] table, are not intended to be configured:
    • mid.nmap.version: Version of Nmap that is installed on MID Servers in your environment. This field is visible on the MID Server [ecc_agent] form after Nmap is installed.
    • nmap.safe.scripts: Defines the list of Nmap scripts that are classified as safe for use during execution of Nmap’s Application Version Detection phase (-sV command option).
    • nmap.npcap.version: The version of Npcap that is installed with Nmap. The Nmap installer can only perform upgrades of existing Npcap installations it encounters.
    Fields
    • Credentialless Discovery Port [cl_port]: Optional field on the Application [cmdb_ci_appl] table that displays the number of a port scanned by credential-less Discovery. This port number is used to determine whether an application returned by Nmap has a matching CI in the CMDB or if a new CI must be created.
    • Discovery source [discovery_source]: Optional field in the Configuration Item [cmdb_ci] table to which the CredentiallessDiscovery choice is added. This option shows that credential-less Discovery was used to create a CI.
    Nmap MID Server capability The Nmap MID Server capabilities is added to the MID Server when Nmap is installed and removed automatically when Nmap in uninstalled. Only MID Servers with this capability can perform credential-less Discovery. A system administrator cannot add or remove this capability manually. Self-hosted customers who have the maint role can modify or delete the Nmap capability, but should not do so.

    Service Mapping doesn’t check for the presence of the Nmap capability and selects the MID Server based on the IP address only. To ensure that Service Mapping doesn’t select a MID Server without the Nmap capability, install Nmap on all MID Servers assigned to the IP address ranges for which you want credential-less Discovery to be available. If Service Mapping selects a MID Server for credential-less Discovery that doesn’t have Nmap capabilities, this error message appears in the map, at the site of the CI being discovered: Nmap is not installed on MID Server. Verify all MIDs configured to handle selected IP Address have Nmap Capability. Nmap root directory path does not exist: <path>

    Remarque :
    The ALL MID Server capability does not include the Nmap capability.
    Npcap Npcap is Nmap's packet capture library for Windows. Npcap allows Nmap to perform port scans quickly and to identify the family of the operating system running on the target. Only one copy of Npcap is installed per MID Server host.

    Because Npcap can be used by other applications, uninstalling Nmap does not automatically uninstall Npcap. You must uninstall Npcap manually, after determining that no other dependencies exist.
    Patterns
    • Credentialless Discovery Network Device: Scans a host IP address using an Nmap command to identify the host. This pattern launches the Credentialless Discovery Network Device – PreLaunch script to retrieve the list of ports to explore from the IP Service [cmdb_ip_service] table. Do not modify this script.
    • Credentialless Discovery Application: Scans a port at an IP address using an Nmap command to identify the application service actively listening on that port. Service Mapping launches this pattern when all credential-based port classification steps fail. Discovery creates a CI in the Application [cmdb_ci_appl] table if the port is open and it can identify the service by name and product. If the service does not respond to any of the scan attempts, Nmap consults its nmap-services registry and guesses at which service is most likely running on that port. If Nmap has to guess what application is running on a scanned port, the Credentialless Discovery Application pattern does not create an application CI or update an existing CI.
    MID Server script includes
    • SetCredentialLessDeviceClassName: Determines which host CI to create or update after the successful execution of the Nmap command. Do not modify this script.
    • CredentialLessApplicationClassNameMapper: Maps the service product, service name, and extra service information supplied by Nmap for the scanned port to a supported application table in the instance. System administrators can modify this script.
    • SetCredentialLessApplicationClassName: Ensures that the CredentialLessApplicationClassNameMapper script is invoked only once. Do not modify this script.
    System script include The CredentiallessDiscoveryAjax script include runs on the instance and handles the installation and uninstallation of Nmap on Windows MID Servers, executed from UI actions on the form. Do not modify this script.