Credential-less discovery with Nmap
If the instance fails to identify a configuration item (CI) because of authentication failure, Discovery or Service Mapping can run selected Network Mapper (Nmap) commands with a MID Server to collect some basic information about the CI without using credentials.
Credential-less discovery can create or modify host and application CIs when credentials are missing or misconfigured. If a credential-based discovery is performed successfully after Nmap creates a CI, the system reconciles the information gathered from each type of discovery.
What Nmap can discover
- Perform reverse DNS name resolution to identify the host from the IPv4 address.
- Return the MAC address of the host if that host is on the same subnet as the host executing the Nmap command.
- Detect applications installed on a target host.
- Detect the operating system of a target host and the OS version.
Nmap credential-less discovery scans in cloud computing platforms
It is often against the terms of service to run Nmap scans to or from any resource within a cloud computing service such as Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, or Google Cloud Platform (GCP). For example, the AWS environment is tightly regulated and requires the permission of AWS through the AWS Vulnerability/Penetration Testing Request form. Unauthorized tests against AWS services or AWS-owned resources are prohibited. For this reason, credential-less discovery within a cloud computing service environment is not appropriate, and if a violation of their policy occurs, could result in expulsion from the service. Contact your platform service provider for information on limitations or permission requirements for running Nmap.
Components installed with Nmap
| Component | Description |
|---|---|
| System properties |
|
| MID Server properties | These properties, from the MID Server Property [ecc_agent_property] table, aren't intended to be configured:
|
| Fields |
|
| Nmap MID Server capability | The Nmap MID Server capabilities is added to the MID Server when Nmap is installed and removed automatically when Nmap is uninstalled. Only MID Server instances with this capability can perform credential-less discovery. A system administrator can't add or remove this capability manually. Self-hosted users who have the maint role can
modify or delete the Nmap capability, but shouldn't do so. Service Mapping doesn’t check for the presence of the Nmap capability and selects the MID Server based on the IP address only. To prevent Service Mapping from selecting a MID Server without the Nmap capability, install Nmap on all MID Servers assigned to the IP address ranges for which you want credential-less discovery to be available. If Service Mapping selects a MID Server for credential-less discovery that doesn’t have Nmap capabilities, this error message appears in the map, at the site of the CI being discovered: Note: The ALL MID Server capability does not include the Nmap capability. |
| Npcap | Npcap is Nmap's packet capture library for Windows. Npcap enables Nmap to perform port scans quickly and to identify the family of the operating system running on the target. Only one copy of Npcap is installed per MID Server host. Because Npcap can be used by other applications, uninstalling Nmap does not automatically uninstall Npcap. You must uninstall Npcap manually, after determining that no other dependencies exist. |
| Patterns |
|
| MID Server script includes |
|
| System script include | The CredentiallessDiscoveryAjax script include runs on the instance and handles the installation and uninstallation of Nmap on Windows MID Server instances, executed from UI actions on the form. don't modify this script. |