Nmap commands and data collected with credential-less Discovery

  • Release version: Xanadu
  • Updated August 1, 2024
  • 7 minutes to read

    Nmap executes in phases when collecting data and runs a controlled set of safe commands with two patterns for exploring applications and devices.

    Data returned by Nmap from host Discovery

    Nmap returns the following data for a host it determines is up:
    • Operating system family: If the operating system family is one of the six supported server operating system families, then a host CI associated with the appropriate server class is used to create or update the host CI. If the operating system family returned by Nmap is not one of the supported server operating systems, then a host CI is created or updated using the base Hardware [cmdb_ci_hardware] class.
    • MAC address: If the scanned host is located on the same subnet as the Windows MID Server host that is executing the Nmap commands, then Nmap returns the remote host's MAC address.

    Commands run by Nmap during host Discovery

    The MID Server passes the IP address of a remote host to the Nmap command, together with a set of ports taken from the IP Service table. The host must be reported by Nmap to be up. The host is up if the port state returned by Nmap is open or open|filtered. If the host is reported to be up, then the operating system family returned is examined to determine the class used to create or update the host CI.
    Command and description:

    -PS
      TCP SYN option; determines if the host is online. This option sends an empty, raw TCP packet with the SYN flag set to all the specified ports on the scan list. Nmap reports the host as online if a SYN/ACK TCP packet is returned, or if an RST is returned (which indicates that the port is closed). The Nmap host machine tears down the nascent connection with an RST, instead of an ACK, since the SYN/ACK response is unexpected from its perspective. If multiple port probes are specified, they are sent in parallel.
      Requirements:
      • Raw packet privileges.
      • Must run as root on UNIX.
      • Administrator privileges on Windows.

    -PA
      Detects packet-filtering devices. This option is a TCP ACK host Discovery, using a specified list of ports. If no list is defined, the default port 80 is used.

      Nmap sends an empty, raw TCP packet with the ACK flag set. Such a packet purports to acknowledge data over an established TCP connection; since no such connection exists, the remote host responds with an RST packet. If the remote host does respond with an RST packet, Nmap knows the host is online. The ACK ping probe may get past stateless packet filters that block TCP SYN packets, such as firewalls, routers, and host routing tables/firewall software. Stateful firewalls, by contrast, drop unexpected packets, so the ACK packet is dropped; in that case the SYN TCP probe is the one more likely to get through.

      Requirements:
      • Raw packet privileges.
      • Must run as root on UNIX.
      • Administrator privileges on Windows.
      Note:
      Both Ping SYN (-PS) and Ping ACK (-PA) packet types can be configured together in the same scan attempt.

    -O
      Enables OS detection against a remote host, providing the vendor name, underlying OS, OS generation, and device type, such as a router or a switch.

      Nmap uses TCP/IP stack fingerprinting to determine the OS family running on the host. Nmap sends a series of TCP and UDP packets to the host and examines the responses. After testing the responses thoroughly, Nmap compares the results to its nmap-os-db database and prints the OS details if there is a match. If Nmap is not able to guess the OS, and at least one open port and one closed port were found, then it generates a fingerprint and a URL to submit to nmap.org.

      OS detection does not use scripts from the Nmap Scripting Engine (NSE). OS detection runs after Application/Service Version detection, which helps the accuracy of OS detection. However, the results of the two scan types might be contradictory: OS detection works at the TCP transport layer, while Application/Service Version detection works at a higher level in the TCP stack.

      Requirements:
      • Raw packet privileges.
      • Must run as root on UNIX.
      • Administrator privileges on Windows.

    -p
      List of ports to scan.

    -T4
      Nmap aggressive timing template.

    -v
      Enable verbose detail. This option is normally used to provide progress indication to viewers of standard output. However, it can also cause Nmap Scripting Engine (NSE) scripts to provide additional detail.

    -Pn
      Disable the default ping. This option skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use it if you want a port scan even when the set of ports probed by the default Discovery probes would not find an open port.

    -r
      Scan ports consecutively, without randomizing.

    --reason
      Explains why Nmap classified a port with a specific state.

    --system-dns
      Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since the system resolver can only resolve one IP address at a time, whereas Nmap's own resolver performs multiple rDNS requests in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.

    -X -
      Redirects stdout to an XML file.

    2> <file-path>
      Redirects error messages written by Nmap to stderr to the specified file.

    Data returned by Nmap during application Discovery

    Nmap returns the following application data from a host it determines is up:
    • Port state:
      • open: An application is actively accepting TCP (or UDP) packets on the port.
      • open|filtered: Nmap cannot determine if the port is open or filtered. An open port may not return a response when using Nmap’s UDP, IP protocol, FIN, NULL and Xmas scans.
    • Service name: Name of the service actively accepting TCP (or UDP) packets on the service port.
    • Service product: Name of the application running on the open port, as identified by Nmap.
    • Extra service information: Any additional information returned by Nmap that Discovery can use to identify the application.

    Commands run by Nmap during application Discovery

    The MID Server passes one IP address for a remote host to the Nmap command and one port to scan. Nmap attempts to identify the application actively listening on the port and then determines whether it should create a new CI or update an existing one. The host must be reported by Nmap to be up.

    Nmap uses this information to determine which course to take:
    • Service product
    • Service name
    • Extra service information
    • State of the scanned port
      Note:
      The service product and service name values cannot be NULL, and the service name cannot end with a question mark. Nmap appends a question mark to a service name when it guesses at the application listening on the scanned port. The instance does not create or update an application CI if Nmap cannot retrieve the application name from its static nmap-services registry file.
    Command and description:

    -sS
      TCP SYN (stealth) port scan. This is the default scan option and never completes TCP connections. Scans can differentiate between ports that are open, closed, or filtered.

      TCP SYN scan implements a half-open reset that aborts the request before the connection can be established. The port is open (the application is listening) if a SYN/ACK is returned. The port is closed if an RST is returned. If no response is received after multiple retransmissions, the port is marked filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

      Requirements:
      • Raw packet privileges
      • Must run as root
      • Windows administrator privileges

    -sV
      Probes open ports to determine the service protocol, application name, version number, hostname, device type, OS family, and miscellaneous details such as the SSH protocol version.
      When Nmap receives a response it cannot match to its database, it prints out a fingerprint and a URL for submission to nmap.org. It then looks up the port number in its static nmap-services registry file to determine the name of an application service that might be actively listening on the port. The service name returned by Nmap in this case is appended with a question mark, indicating that Nmap had to guess at its identity. The instance does not create or update an application CI when Nmap guesses at the application running on an open port.
      Note:
      This option does not require raw-packet privileges.

    --datadir
      Path to the directory containing the safe set of Nmap scripts to be run during Application/Version detection.

    -p
      Single port to scan.

    -T4
      Nmap aggressive timing template.

    -v
      Enable verbose detail. This option is normally used to provide progress indication to viewers of standard output. However, it can also cause Nmap Scripting Engine (NSE) scripts to provide additional detail.

    -Pn
      Disable the default ping. This option skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use it if you want a port scan even when the set of ports probed by the default Discovery probes would not find an open port.

    -r
      Scan ports consecutively, without randomizing.

    --reason
      Explains why Nmap classified a port with a specific state.

    --system-dns
      Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since the system resolver can only resolve one IP address at a time, whereas Nmap's own resolver performs multiple rDNS requests in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.

    -X -
      Redirects stdout to an XML file.

    2> <file-path>
      Redirects error messages written by Nmap to stderr to the specified file.
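    As an added example (not ServiceNow's or Nmap's own code), the following Python parses Nmap XML output, which is what the XML output option above produces, and applies the rules from both Discovery sections: a host counts as up when a scanned port is open or open|filtered, the OS family selects a server class or falls back to cmdb_ci_hardware, and an application CI candidate needs a non-null service name and product with no trailing question mark. The XML is constructed sample data, and the supported-family set and the 'server:<family>' class names are placeholders because the page does not list them.

```python
import xml.etree.ElementTree as ET

UP_STATES = {"open", "open|filtered"}  # port states that mark a host as "up"
BASE_CLASS = "cmdb_ci_hardware"        # base Hardware class named on the page

# Constructed sample of Nmap XML output: port 8080 carries a "?" guess, 443 is filtered.
SAMPLE_XML = """<nmaprun><host>
<address addr="10.0.0.5" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="protocol 2.0"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy?"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port></ports>
<os><osmatch name="Linux 5.4"><osclass osfamily="Linux" vendor="Linux"/></osmatch></os>
</host></nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return one dict per <host>: ip, mac, os_family and the scanned ports."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        addrs = {a.get("addrtype"): a.get("addr") for a in h.findall("address")}
        osclass = h.find("os/osmatch/osclass")
        ports = []
        for p in h.findall("ports/port"):
            svc = p.find("service")
            get = (lambda k: svc.get(k)) if svc is not None else (lambda k: None)
            ports.append({"port": int(p.get("portid")),
                          "state": p.find("state").get("state"),
                          "name": get("name"), "product": get("product"),
                          "extra": get("extrainfo")})
        hosts.append({"ip": addrs.get("ipv4"), "mac": addrs.get("mac"),
                      "os_family": None if osclass is None else osclass.get("osfamily"),
                      "ports": ports})
    return hosts

def host_is_up(host):
    """Host Discovery rule: up if any scanned port is open or open|filtered."""
    return any(p["state"] in UP_STATES for p in host["ports"])

def host_class(host, supported_families):
    """Server class if the OS family is supported, else the base Hardware class.
    The page names neither the six families nor their classes: the caller passes
    the set, and 'server:<family>' is a placeholder for the real class name."""
    fam = host["os_family"]
    return f"server:{fam}" if fam in supported_families else BASE_CLASS

def application_cis(host):
    """Application Discovery rule: name and product present, name not a '?' guess."""
    return [p for p in host["ports"] if p["state"] in UP_STATES
            and p["name"] and p["product"] and not p["name"].endswith("?")]
```

Feed it a real run's XML and port 8080 in the sample shows the case the page warns about: an open port whose only identification is a nmap-services guess, which yields no application CI.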