Credential-less discovery with Nmap

  • Release version: Zurich
  • Updated May 31, 2026
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Credential-less discovery with Nmap

    Credential-less discovery with Nmap allows ServiceNow Discovery and Service Mapping to identify basic information about configuration items (CIs) on your network when credential-based authentication fails. By installing Nmap on Windows MID Server instances, the system can execute selected Nmap commands to gather data without requiring credentials. This approach helps create or update host and application CIs when credentials are missing or misconfigured, and subsequent credential-based discoveries can reconcile the gathered information.

    Show full answer Show less

    This method is intended for use on known subnets where credentials cannot be used and is not recommended for long-term use or cloud environments due to potential terms of service violations.

    Key Features

    • Discovery capabilities: Nmap can perform reverse DNS lookups, retrieve MAC addresses on the same subnet, detect installed applications, and identify operating systems and versions.
    • Integration with MID Server: Nmap is installed on Windows MID Servers and adds a specific capability required for credential-less discovery. This capability is managed automatically during installation and removal.
    • Configuration controls: System properties control enabling Nmap credential-less discovery and define port scanning behaviors (fast mode or extended ports). MID Server properties track installed Nmap and Npcap versions and safe Nmap scripts.
    • Patterns and scripts: Prebuilt credential-less discovery patterns scan hosts and application ports, creating or updating CIs when services are identified. Scripts map Nmap results to appropriate application tables and handle installation/uninstallation tasks.
    • Npcap dependency: Npcap is required for packet capture on Windows MID Servers to support Nmap scanning. It is installed and upgraded with Nmap but must be uninstalled manually if no longer needed.

    Important Considerations

    • Credential-less discovery should only be used on trusted subnets and not within cloud provider environments without explicit permission, as unauthorized scanning may violate service agreements.
    • Self-hosted customers with restricted internet access must manually install and configure Nmap and follow specific instructions.
    • Service Mapping does not verify the presence of the Nmap capability on MID Servers; to avoid errors, ensure Nmap is installed on all MID Servers assigned to relevant IP ranges.
    • If Nmap cannot accurately identify an application during credential-less discovery, no application CI is created or updated to prevent inaccurate data.

    What ServiceNow Customers Can Expect

    By enabling Nmap credential-less discovery, you can improve CI coverage in environments where credentials are unavailable or fail, capturing essential host and application information. This capability complements credential-based discovery by filling gaps and ensuring more complete CMDB data. However, it requires careful management of MID Server installations and adherence to cloud provider policies to avoid scanning violations. Proper configuration ensures that Discovery and Service Mapping workflows leverage Nmap effectively without manual intervention.

    If the instance fails to identify a configuration item (CI) because of authentication failure, Discovery or Service Mapping can run selected Network Mapper (Nmap) commands with a MID Server to collect some basic information about the CI without using credentials.

    A MID Server administrator can install Nmap on individual MID Server instances running on a Windows host. Those MID Server instances can then discover some basic information about CIs in your network when normal authentication fails.
    Important:
    Self-hosted users whose network security doesn't permit downloads from install.service-now.com must install and configure Nmap manually on their system. Refer to Install Nmap on a self-hosted system for instructions.

    Credential-less discovery can create or modify host and application CIs when credentials are missing or misconfigured. If a credential-based discovery is performed successfully after Nmap creates a CI, the system reconciles the information gathered from each type of discovery.

    What Nmap can discover

    The Nmap commands executed during credential-less discovery can:
    • Perform reverse DNS name resolution to identify the host from the IPv4 address.
    • Return the MAC address of the host if that host is on the same subnet as the host executing the Nmap command.
    • Detect applications installed on a target host.
    • Detect the operating system of a target host and the OS version.
    Note:
    Credential-less discovery classifies routers and switches as hardware. It does not create or update CIs specifically for them. Use it only on known subnets where credentials aren't viable, and don't use it long term.

    Nmap credential-less discovery scans in cloud computing platforms

    It is often against the terms of service to run Nmap scans to or from any resource within a cloud computing service such as Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, or Google Cloud Platform (GCP). For example, the AWS environment is tightly regulated and requires the permission of AWS through the AWS Vulnerability/Penetration Testing Request form. Unauthorized tests against AWS services or AWS-owned resources are prohibited. For this reason, credential-less discovery within a cloud computing service environment is not appropriate, and if a violation of their policy occurs, could result in expulsion from the service. Contact your platform service provider for information on limitations or permission requirements for running Nmap.

    Components installed with Nmap

    The Discovery - IP Based plugin (com.snc.discovery.ip_based) that provides the Nmap functionality is activated automatically when either Discovery or Service Mapping is active. These Nmap components are provided by the Discovery - IP Based plugin:
    Component Description
    System properties
    • mid.discovery.credentialless.enable: Enables or disables Nmap for all MID Server instances on which Nmap is installed that are connected to the instance. This property is installed with the Discovery plugin and is enabled by default. It is configurable by a system administrator.
    • mid.discovery.credentialless.alt_port_options: Starting from Discovery and Service Mapping Patterns version 1.31.0, controls the port range that Nmap scans during credential-less discovery. Set to F to use Nmap fast mode (top 100 ports), or T to scan the top 1,000 ports (Nmap default). By default, ports are collected from the IP Services [cmdb_ip_service] table based on records where the Credentialless Discovery [cl_discovery] field is set to true.
    MID Server properties These properties, from the MID Server Property [ecc_agent_property] table, aren't intended to be configured:
    • mid.nmap.version: Version of Nmap that is installed on MID Server instances in your environment. This field is visible on the MID Server [ecc_agent] form after Nmap is installed.
    • nmap.safe.scripts: Defines the list of Nmap scripts that are classified as safe for use during execution of Nmap's Application Version Detection phase (-sV command option).
    • nmap.npcap.version: The version of Npcap that is installed with Nmap. The Nmap installer can only perform upgrades of existing Npcap installations it encounters.
    Fields
    • Credentialless Discovery Port [cl_port]: Optional field on the Application [cmdb_ci_appl] table that displays the number of a port scanned by credential-less discovery. This port number is used to determine whether an application returned by Nmap has a matching CI in the CMDB or if a new CI must be created.
    • Discovery source [discovery_source]: Optional field in the Configuration Item [cmdb_ci] table to which the CredentiallessDiscovery choice is added. This option shows that credential-less discovery was used to create a CI.
    Nmap MID Server capability The Nmap MID Server capabilities is added to the MID Server when Nmap is installed and removed automatically when Nmap is uninstalled. Only MID Server instances with this capability can perform credential-less discovery. A system administrator can't add or remove this capability manually. Self-hosted users who have the maint role can modify or delete the Nmap capability, but shouldn't do so.

    Service Mapping doesn’t check for the presence of the Nmap capability and selects the MID Server based on the IP address only. To prevent Service Mapping from selecting a MID Server without the Nmap capability, install Nmap on all MID Servers assigned to the IP address ranges for which you want credential-less discovery to be available. If Service Mapping selects a MID Server for credential-less discovery that doesn’t have Nmap capabilities, this error message appears in the map, at the site of the CI being discovered: Nmap is not installed on MID Server. Verify all MIDs configured to handle selected IP Address have Nmap Capability. Nmap root directory path does not exist: <path>

    Note:
    The ALL MID Server capability does not include the Nmap capability.
    Npcap Npcap is Nmap's packet capture library for Windows. Npcap enables Nmap to perform port scans quickly and to identify the family of the operating system running on the target. Only one copy of Npcap is installed per MID Server host.

    Because Npcap can be used by other applications, uninstalling Nmap does not automatically uninstall Npcap. You must uninstall Npcap manually, after determining that no other dependencies exist.
    Patterns
    • Credentialless Discovery Network Device: Scans a host IP address using an Nmap command to identify the host. This pattern launches the Credentialless Discovery Network Device - PreLaunch script to retrieve the list of ports to explore from the IP Service [cmdb_ip_service] table. Don't modify this script.
    • Credentialless Discovery Application: Scans a port at an IP address using an Nmap command to identify the application service actively listening on that port. Service Mapping launches this pattern when all credential-based port classification steps fail. Discovery creates a CI in the Application [cmdb_ci_appl] table if the port is open and it can identify the service by name and product. If the service does not respond to any of the scan attempts, Nmap consults its nmap-services registry and guesses at which service is most likely running on that port. If Nmap has to guess what application is running on a scanned port, the Credentialless Discovery Application pattern does not create an application CI or update an existing CI.
    MID Server script includes
    • SetCredentialLessDeviceClassName: Determines which host CI to create or update after the successful execution of the Nmap command. don't modify this script.
    • CredentialLessApplicationClassNameMapper: Maps the service product, service name, and extra service information supplied by Nmap for the scanned port to a supported application table in the instance. System administrators can modify this script.
    • SetCredentialLessApplicationClassName: Verifies that the CredentialLessApplicationClassNameMapper script is invoked only once. don't modify this script.
    System script include The CredentiallessDiscoveryAjax script include runs on the instance and handles the installation and uninstallation of Nmap on Windows MID Server instances, executed from UI actions on the form. don't modify this script.