Credential-less discovery with Nmap

  • Release version: Australia
  • Updated May 31, 2026
  • 5 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Credential-less discovery with Nmap

    Credential-less discovery with Nmap enables ServiceNow Discovery and Service Mapping to gather basic configuration item (CI) information without using credentials when authentication fails. This capability runs Nmap commands via a MID Server installed on Windows hosts to identify hosts and applications in the network. It is especially useful for discovering CIs when credentials are missing or misconfigured, allowing creation or modification of host and application CIs that are later reconciled if credential-based discovery runs successfully.

    Show full answer Show less

    Note that credential-less discovery is intended for use only on known subnets where credentials cannot be used and should not be relied on long term. It is also generally prohibited to perform Nmap scans within cloud platforms such as AWS, Azure, IBM Cloud, or GCP without explicit permission, so customers should verify policies with their cloud providers before use.

    Key Features

    • Nmap discovery capabilities: Performs reverse DNS resolution, returns MAC addresses on the same subnet, detects installed applications, and identifies operating system and version.
    • Plugin and system properties: The Discovery - IP Based plugin enables Nmap features automatically when Discovery or Service Mapping is active. System properties control enabling Nmap globally and the port ranges scanned.
    • MID Server integration: Nmap is installed on Windows MID Servers, adding a specific Nmap MID Server capability that allows credential-less discovery. Only MID Servers with this capability can perform these scans.
    • Npcap dependency: Npcap is installed alongside Nmap on MID Server hosts to enable fast port scanning and OS detection; it must be uninstalled manually if no longer needed.
    • Patterns and scripts: Two main patterns—Credentialless Discovery Network Device and Credentialless Discovery Application—drive host and application discovery. Several system scripts manage CI creation and mapping based on Nmap scan results.
    • Fields for tracking discovery: Specific fields on the CMDB application and CI tables indicate ports scanned and discovery source as credential-less discovery.

    Practical Considerations for ServiceNow Customers

    • Install Nmap manually on self-hosted instances where direct downloads from ServiceNow are restricted.
    • Ensure Nmap is installed on all MID Servers assigned to IP ranges where credential-less discovery is desired, as Service Mapping selects MID Servers based on IP address only.
    • Avoid running Nmap scans in cloud environments without explicit authorization to comply with provider policies and avoid service disruption.
    • Credential-less discovery is a fallback mechanism and not a replacement for credential-based discovery; it helps gather partial data when credentials fail.
    • System administrators can configure system properties to control port scanning behavior and can modify some scripts to tailor application mapping.

    Expected Outcomes

    Using Nmap credential-less discovery, ServiceNow customers can:

    • Identify basic host and application information without requiring credentials, improving discovery coverage when authentication fails.
    • Create or update host and application CIs that are reconciled with full credential-based discovery results later, ensuring CMDB accuracy.
    • Gain insight into network devices and applications even in restricted environments, with clear limitations and compliance considerations for cloud platforms.
    • Leverage configured MID Servers with Nmap capabilities for efficient, controlled scans that complement existing credential-based discovery workflows.

    If the instance fails to identify a configuration item (CI) because of authentication failure, Discovery or Service Mapping can run selected Network Mapper (Nmap) commands with a MID Server to collect some basic information about the CI without using credentials.

    A MID Server administrator can install Nmap on individual MID Server instances running on a Windows host. Those MID Server instances can then discover some basic information about CIs in your network when normal authentication fails.
    Important:
    Self-hosted users whose network security doesn't permit downloads from install.service-now.com must install and configure Nmap manually on their system. Refer to Install Nmap on a self-hosted system for instructions.

    Credential-less discovery can create or modify host and application CIs when credentials are missing or misconfigured. If a credential-based discovery is performed successfully after Nmap creates a CI, the system reconciles the information gathered from each type of discovery.

    What Nmap can discover

    The Nmap commands executed during credential-less discovery can:
    • Perform reverse DNS name resolution to identify the host from the IPv4 address.
    • Return the MAC address of the host if that host is on the same subnet as the host executing the Nmap command.
    • Detect applications installed on a target host.
    • Detect the operating system of a target host and the OS version.
    Note:
    Credential-less discovery classifies routers and switches as hardware. It does not create or update CIs specifically for them. Use it only on known subnets where credentials aren't viable, and don't use it long term.

    Nmap credential-less discovery scans in cloud computing platforms

    It is often against the terms of service to run Nmap scans to or from any resource within a cloud computing service such as Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, or Google Cloud Platform (GCP). For example, the AWS environment is tightly regulated and requires the permission of AWS through the AWS Vulnerability/Penetration Testing Request form. Unauthorized tests against AWS services or AWS-owned resources are prohibited. For this reason, credential-less discovery within a cloud computing service environment is not appropriate, and if a violation of their policy occurs, could result in expulsion from the service. Contact your platform service provider for information on limitations or permission requirements for running Nmap.

    Components installed with Nmap

    The Discovery - IP Based plugin (com.snc.discovery.ip_based) that provides the Nmap functionality is activated automatically when either Discovery or Service Mapping is active. These Nmap components are provided by the Discovery - IP Based plugin:
    Component Description
    System properties
    • mid.discovery.credentialless.enable: Enables or disables Nmap for all MID Server instances on which Nmap is installed that are connected to the instance. This property is installed with the Discovery plugin and is enabled by default. It is configurable by a system administrator.
    MID Server properties These properties, from the MID Server Property [ecc_agent_property] table, aren't intended to be configured:
    • mid.nmap.version: Version of Nmap that is installed on MID Server instances in your environment. This field is visible on the MID Server [ecc_agent] form after Nmap is installed.
    • nmap.safe.scripts: Defines the list of Nmap scripts that are classified as safe for use during execution of Nmap's Application Version Detection phase (-sV command option).
    • nmap.npcap.version: The version of Npcap that is installed with Nmap. The Nmap installer can only perform upgrades of existing Npcap installations it encounters.
    Fields
    • Credentialless Discovery Port [cl_port]: Optional field on the Application [cmdb_ci_appl] table that displays the number of a port scanned by credential-less discovery. This port number is used to determine whether an application returned by Nmap has a matching CI in the CMDB or if a new CI must be created.
    • Discovery source [discovery_source]: Optional field in the Configuration Item [cmdb_ci] table to which the CredentiallessDiscovery choice is added. This option shows that credential-less discovery was used to create a CI.
    Nmap MID Server capability The Nmap MID Server capabilities is added to the MID Server when Nmap is installed and removed automatically when Nmap is uninstalled. Only MID Server instances with this capability can perform credential-less discovery. A system administrator can't add or remove this capability manually. Self-hosted users who have the maint role can modify or delete the Nmap capability, but shouldn't do so.

    Service Mapping doesn’t check for the presence of the Nmap capability and selects the MID Server based on the IP address only. To prevent Service Mapping from selecting a MID Server without the Nmap capability, install Nmap on all MID Servers assigned to the IP address ranges for which you want credential-less discovery to be available. If Service Mapping selects a MID Server for credential-less discovery that doesn’t have Nmap capabilities, this error message appears in the map, at the site of the CI being discovered: Nmap is not installed on MID Server. Verify all MIDs configured to handle selected IP Address have Nmap Capability. Nmap root directory path does not exist: <path>

    Note:
    The ALL MID Server capability does not include the Nmap capability.
    Npcap Npcap is Nmap's packet capture library for Windows. Npcap enables Nmap to perform port scans quickly and to identify the family of the operating system running on the target. Only one copy of Npcap is installed per MID Server host.

    Because Npcap can be used by other applications, uninstalling Nmap does not automatically uninstall Npcap. You must uninstall Npcap manually, after determining that no other dependencies exist.
    Patterns
    • Credentialless Discovery Network Device: Scans a host IP address using an Nmap command to identify the host. This pattern launches the Credentialless Discovery Network Device - PreLaunch script to retrieve the list of ports to explore from the IP Service [cmdb_ip_service] table. Don't modify this script.
    • Credentialless Discovery Application: Scans a port at an IP address using an Nmap command to identify the application service actively listening on that port. Service Mapping launches this pattern when all credential-based port classification steps fail. Discovery creates a CI in the Application [cmdb_ci_appl] table if the port is open and it can identify the service by name and product. If the service does not respond to any of the scan attempts, Nmap consults its nmap-services registry and guesses at which service is most likely running on that port. If Nmap has to guess what application is running on a scanned port, the Credentialless Discovery Application pattern does not create an application CI or update an existing CI.
    MID Server script includes
    • SetCredentialLessDeviceClassName: Determines which host CI to create or update after the successful execution of the Nmap command. don't modify this script.
    • CredentialLessApplicationClassNameMapper: Maps the service product, service name, and extra service information supplied by Nmap for the scanned port to a supported application table in the instance. System administrators can modify this script.
    • SetCredentialLessApplicationClassName: Verifies that the CredentialLessApplicationClassNameMapper script is invoked only once. don't modify this script.
    System script include The CredentiallessDiscoveryAjax script include runs on the instance and handles the installation and uninstallation of Nmap on Windows MID Server instances, executed from UI actions on the form. don't modify this script.