Nmap commands and data collected with credential-less Discovery

  • Release version: Australia
  • Updated March 12, 2026
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Nmap commands and data collected with credential-less Discovery

    This document explains how Nmap is used within ServiceNow’s credential-less Discovery to collect data from remote hosts and applications safely and efficiently. Nmap operates in phases, running controlled, safe commands to discover and identify hosts, their operating systems, and the applications they run. The data collected supports accurate Configuration Item (CI) creation or updates in the ServiceNow CMDB.

    Show full answer Show less

    Host Discovery with Nmap

    Nmap determines if a host is up and returns key information such as:

    • Operating system family: Used to classify the host CI either under supported server OS families or a generic hardware class for unsupported OS types.
    • MAC address: Returned only if the scanned host is on the same subnet as the Windows MID Server running Nmap.

    The MID Server runs Nmap commands by passing the target IP and ports from the IP Service table. Hosts are considered online if ports respond as open or open/filtered.

    Key Nmap Host Discovery Commands:

    • -PS (TCP SYN): Sends SYN packets to specified ports to detect online hosts by SYN/ACK or RST responses. Requires raw packet privileges and admin/root rights.
    • -PA (TCP ACK): Sends ACK packets to bypass some firewalls and detect hosts via RST responses. Also requires raw packet privileges and admin/root rights.
    • -O (OS Detection): Uses TCP/IP stack fingerprinting to identify the OS family, vendor, device type, and OS generation. Runs after application version detection for improved accuracy. Requires admin/root rights.
    • Additional switches like -p (port list), -T4 (aggressive timing), -v (verbose), -Pn (skip ping), and DNS resolution options support customization and detailed output.

    Application Discovery with Nmap

    For hosts confirmed as up, Nmap scans specific ports to identify running applications and gather detailed service information. This data helps determine whether to create or update application CIs.

    Returned application data includes:

    • Port state: Indicates if a port is open or open|filtered.
    • Service name: The name of the service accepting traffic on the port.
    • Service product: The application running on the port.
    • Extra service information: Additional details to aid application identification.

    Key Nmap Application Discovery Commands:

    • -sS (TCP SYN scan): Performs stealth scans to determine port states without completing TCP handshakes. Requires admin/root privileges.
    • -sV (Service/version detection): Probes open ports to identify service protocols, application names, versions, OS family, and device types. Does not require raw packet privileges.
    • Other options such as --datadir for specifying safe script directories, -p for port specification, -T4 for timing, -v for verbosity, and -Pn for skipping host ping enhance scan control and output detail.

    Practical Benefits for ServiceNow Customers

    • Enables automated, credential-less discovery of hosts and applications to maintain accurate and up-to-date CMDB entries.
    • Supports safe scanning with controlled Nmap commands that require appropriate privileges and avoid intrusive connections.
    • Provides detailed OS and application information critical for asset management, security assessments, and IT operations.
    • Offers flexibility in scanning approaches to bypass network filtering and firewalls, improving discovery coverage.

    Nmap executes in phases when collecting data and runs a controlled set of safe commands with two patterns for exploring applications and devices.

    Data returned by Nmap from host Discovery

    Nmap returns the following data for a host it determines is up:
    • Operating system family: For one of the six supported server operating system families, a host CI is created or updated using the appropriate server class. For unsupported operating system families, a host CI is created or updated using the base Hardware [cmdb_ci_hardware] class.
    • MAC address: Nmap returns the remote host's MAC address if the scanned host is on the same subnet as the Windows MID Server host running the Nmap commands.

    Commands run by Nmap during host Discovery

    The MID Server passes the IP address of a remote host to the Nmap command and a set of ports, taken from the IP Service table. The host must be reported by Nmap to be up. The host is up if the port state returned by Nmap is open or open/filtered. If the host is reported to be up, then the operating system family returned is examined to determine the class used to create or update the host CI.
    Command Description
    -PS TCP SYN option determines if the host is online. This option that sends an empty, raw TCP packet with the SYN flag set to all the specified ports on the scan list. Nmap reports the host is online if a SYN/ACK TCP packet is returned and if an RST is returned, indicating that the port is closed. The Nmap host machine tears down the nascent connection with an RST, instead of an ACK, since the SYN/ACK response is unexpected from its perspective. If multiple port probes are specified, they are sent in parallel.
    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows.
    -PA Detects packet-filtering devices. This option is a TCP ACK host Discovery, using a specified list of ports. If no list is defined, the default port 80 is used.

    Nmap sends an empty, raw TCP packet with the ACK flag set. This action acknowledges data over an established TCP connection, causing the remote host to respond with an RST packet. If the remote host does respond with an RST packet, Nmap knows the host is online. The ACK ping probe may get past packet filtering of TCP SYN packets by stateless packet filtering, network entities, such as firewalls, routers, and host routing tables/firewall software. Stateful firewalls drop unexpected packets, causing the ACK packet to be dropped, which increases the likelihood of the SYN TCP probe getting through.

    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows .
    Note:
    Both Ping SYN (-PS) and Ping ACK (-PA) packets types can be configured together in the same scan attempt.
    -O Enables OS detection against a remote hostm providing the vendor name, underlying OS, OS generation, and device type, such as a router or a switch.

    Nmap uses TCP/IP stack fingerprinting to determine the OS family running on the host. Nmap sends a series of TCP and UPD packets to the host and examines the responses. After testing the responses thoroughly, Nmap compares results to its nmap-os-db database and prints the OS details, if there is a match. If Nmap cannot guess the OS, it checks for at least one open port and one closed port. When both are found, it generates a fingerprint and a URL to submit to nmap.org.

    OS detection does not use scripts from the Nmap Scripting Engine (NSE). OS detection runs after Application/Service Version detection, which helps the accuracy of OS Detection. However, the results of the two scan types might be contradictory. OS Detection runs at the TCP transport layer, while Application/Service Version Detection runs at a higher level in the TCP stack.

    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows .
    -p List of ports to scan.
    -T4 Nmap aggressive timing template.
    -v Enable verbose detail. This command is normally used to provide progress indication to viewers of standard output. However, it can cause the Nmap Scripting Engine (NSE) scripts to provide additional detail.
    -Pn Disable the default ping. This command skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use this command if you want a port scan even if the set of ports run by the default Discovery probes will not find an open port.
    -r Scan ports consecutively, without randomizing.
    --reason Explains why Nmap classified a port with a specific state.
    --system-dns Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since it can only resolve one IP address at a time, while multiple rDNS requests are performed in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.
    -X - Redirects stdout to a XML file.
    2> <file-path> Redirects errors messages written by Nmap to stderr to the specified file.

    Data returned by Nmap during application Discovery

    Nmap returns the following application data from a host it determines is up:
    • Port state:
      • open: An application is actively accepting TCP (or UDP) packets on the port.
      • open|filtered: Nmap cannot determine if the port is open or filtered. An open port may not return a response when using Nmap’s UDP, IP protocol, FIN, NULL and Xmas scans.
    • Service name: Name of the service actively accepting TCP (or UDP) packets on the service port.
    • Service product: Name of the application running on the open port, as identified by Nmap.
    • Extra service information: Any additional information returned by Nmap that Discovery can use to identify the application.

    Commands run by Nmap during application Discovery

    The MID Server passes one IP address for a remote host to the Nmap command and one port to scan. Nmap attempts to identify the application actively listening on the port and then determines whether it should create a new CI or update an existing one. The host must be reported by Nmap to be up.

    Nmap uses this information to determine which course to take:
    • Service product
    • Service name
    • Extra service information
    • State of the scanned port
      Note:
      The service product and service name values cannot be NULL, and the service name cannot end with a question mark. Nmap appends a question mark to a service name when it guesses at the application listening on the scanned port. The instance does not create or update an application CI if Nmap cannot retrieve the application name from its static nmap-services registry file.
    Command Description
    -sS TCP SYN (stealth) port scan. This is the default scan option and never completes TCP connections. Scans can differentiate between ports that are open, closed, or filtered.

    TCP SYN scan implements a half-open reset that aborts the request before the connection can be established. The port is open (the application is listening) if a SYN/ACK is returned. The port is closed if an RST is returned. If no response is received after multiple retransmissions, the port is marked filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1,2,3,9,10,13) is received.

    Requirements:
    • Raw packet privileges
    • Must run as root
    • Windows administrator privileges
    -sV Probes open ports to determine the service protocol, application name, version number, hostname, device type, OS Family and miscellaneous details such as the SSH protocol version.
    When Nmap receives a response it cannot match to the database it prints out a fingerprint and URL for submission to nmap.org. If looks for the port number in its static nmap-services registry file to determine the name of an application service that might be actively listening on the port. The service name returned by Nmap is appended with a question mark, indicating that Nmap had to guess at its identity. The instance does not create or update an application CI when Nmap guesses at the application running on an open port.
    Note:
    This command does not require raw-packet privileges.
    --datadir Path to the directory containing the safe set of Nmap scripts to be run during Application/Version detection.
    -p Single port to scan.
    -T4 Nmap aggressive timing template.
    -v Enable verbose detail. This command is normally used to provide progress indication to viewers of standard output. However, it can cause the Nmap Scripting Engine (NSE) scripts to provide additional detail.
    -Pn Disable the default ping. This command skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use this command if you want a port scan even if the set of ports run by the default Discovery probes will not find an open port.
    -r Scan ports consecutively, without randomizing.
    --reason Explains why Nmap classified a port with a specific state.
    --system-dns Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since it can only resolve one IP address at a time, while multiple rDNS requests are performed in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.
    -X - Redirects stdout to a XML file.
    2> <file-path> Redirects errors messages written by Nmap to stderr to the specified file.