Nmap commands and data collected with credential-less Discovery

  • Release version: Yokohama
  • Updated January 30, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Nmap commands and data collected with credential-less Discovery

    This content details how Nmap is used within ServiceNow's credential-less Discovery process to collect data about hosts and applications on a network. Nmap executes controlled, safe commands in phases to identify active hosts, their operating systems, and the applications running on open ports. The information gathered helps create or update Configuration Items (CIs) in the ServiceNow CMDB, improving asset visibility and management without requiring credentials.

    Show full answer Show less

    Host Discovery with Nmap

    During host Discovery, Nmap determines if a host is online and collects key data such as:

    • Operating system family: Identifies one of six supported server OS families to classify hosts appropriately; unsupported OSes are classified as generic hardware CIs.
    • MAC address: Collected if the host is on the same subnet as the Windows MID Server running Nmap.

    Nmap runs specific TCP-based probes to detect host availability and OS details:

    • -PS (TCP SYN): Sends SYN packets to specified ports to check if the host responds with SYN/ACK (online) or RST (closed port). Requires raw packet privileges and administrative rights.
    • -PA (TCP ACK): Sends ACK packets to bypass certain firewalls and detect hosts responding with RST. Also requires elevated privileges.
    • -O (OS detection): Uses TCP/IP stack fingerprinting to identify OS family, vendor, and device type by sending TCP and UDP packets and analyzing responses.
    • Additional options modify scanning behavior such as port selection (-p), timing (-T4), verbosity (-v), disabling ping (-Pn), and DNS lookup methods (--system-dns).

    Application Discovery with Nmap

    For application Discovery, Nmap scans specific ports on hosts determined to be up and attempts to identify active services and applications by:

    • Checking port state (open, open|filtered).
    • Retrieving service names and product information from its static registry.
    • Gathering extra service details that assist in accurate CI creation or updates.

    Key Nmap commands used include:

    • -sS (TCP SYN scan): Performs stealth scans to identify open, closed, or filtered ports without completing TCP handshakes; requires administrative privileges.
    • -sV (Service version detection): Probes open ports to determine application name, version, protocol, OS family, and device type; does not require raw packet privileges.
    • Options for specifying a single port (-p), aggressive timing (-T4), verbosity (-v), disabling ping (-Pn), and output redirection (-X, 2> file-path) are also supported.

    Note that application CIs are only created or updated when Nmap returns a confident identification of the service and product; uncertain or guessed identifications (indicated by question marks) do not result in CI changes.

    Practical Implications for ServiceNow Customers

    • This credential-less Discovery approach using Nmap enables customers to efficiently discover network hosts and applications without requiring credentials, reducing security risks and administrative overhead.
    • Collected OS and application data improve CMDB accuracy by categorizing hosts correctly and identifying running services, which supports IT operations, compliance, and asset management.
    • Understanding the specific Nmap commands and their requirements helps customers configure MID Servers appropriately, ensuring successful discovery scans with necessary privileges.
    • Options to customize scanning behavior (e.g., port selection, timing, DNS resolution) provide flexibility to adapt Discovery to various network environments and constraints.

    Nmap executes in phases when collecting data and runs a controlled set of safe commands with two patterns for exploring applications and devices.

    Data returned by Nmap from host Discovery

    Nmap returns the following data for a host it determines is up:
    • Operating system family: For one of the six supported server operating system families, a host CI is created or updated using the appropriate server class. For unsupported operating system families, a host CI is created or updated using the base Hardware [cmdb_ci_hardware] class.
    • MAC address: Nmap returns the remote host's MAC address if the scanned host is on the same subnet as the Windows MID Server host running the Nmap commands.

    Commands run by Nmap during host Discovery

    The MID Server passes the IP address of a remote host to the Nmap command and a set of ports, taken from the IP Service table. The host must be reported by Nmap to be up. The host is up if the port state returned by Nmap is open or open/filtered. If the host is reported to be up, then the operating system family returned is examined to determine the class used to create or update the host CI.
    Command Description
    -PS TCP SYN option determines if the host is online. This option that sends an empty, raw TCP packet with the SYN flag set to all the specified ports on the scan list. Nmap reports the host is online if a SYN/ACK TCP packet is returned and if an RST is returned, indicating that the port is closed. The Nmap host machine tears down the nascent connection with an RST, instead of an ACK, since the SYN/ACK response is unexpected from its perspective. If multiple port probes are specified, they are sent in parallel.
    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows.
    -PA Detects packet-filtering devices. This option is a TCP ACK host Discovery, using a specified list of ports. If no list is defined, the default port 80 is used.

    Nmap sends an empty, raw TCP packet with the ACK flag set. This action acknowledges data over an established TCP connection, causing the remote host to respond with an RST packet. If the remote host does respond with an RST packet, Nmap knows the host is online. The ACK ping probe may get past packet filtering of TCP SYN packets by stateless packet filtering, network entities, such as firewalls, routers, and host routing tables/firewall software. Stateful firewalls drop unexpected packets, causing the ACK packet to be dropped, which increases the likelihood of the SYN TCP probe getting through.

    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows .
    Note:
    Both Ping SYN (-PS) and Ping ACK (-PA) packets types can be configured together in the same scan attempt.
    -O Enables OS detection against a remote hostm providing the vendor name, underlying OS, OS generation, and device type, such as a router or a switch.

    Nmap uses TCP/IP stack fingerprinting to determine the OS family running on the host. Nmap sends a series of TCP and UPD packets to the host and examines the responses. After testing the responses thoroughly, Nmap compares results to its nmap-os-db database and prints the OS details, if there is a match. If Nmap cannot guess the OS, it checks for at least one open port and one closed port. When both are found, it generates a fingerprint and a URL to submit to nmap.org.

    OS detection does not use scripts from the Nmap Scripting Engine (NSE). OS detection runs after Application/Service Version detection, which helps the accuracy of OS Detection. However, the results of the two scan types might be contradictory. OS Detection runs at the TCP transport layer, while Application/Service Version Detection runs at a higher level in the TCP stack.

    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows .
    -p List of ports to scan.
    -T4 Nmap aggressive timing template.
    -v Enable verbose detail. This command is normally used to provide progress indication to viewers of standard output. However, it can cause the Nmap Scripting Engine (NSE) scripts to provide additional detail.
    -Pn Disable the default ping. This command skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use this command if you want a port scan even if the set of ports run by the default Discovery probes will not find an open port.
    -r Scan ports consecutively, without randomizing.
    --reason Explains why Nmap classified a port with a specific state.
    --system-dns Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since it can only resolve one IP address at a time, while multiple rDNS requests are performed in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.
    -X - Redirects stdout to a XML file.
    2> <file-path> Redirects errors messages written by Nmap to stderr to the specified file.

    Data returned by Nmap during application Discovery

    Nmap returns the following application data from a host it determines is up:
    • Port state:
      • open: An application is actively accepting TCP (or UDP) packets on the port.
      • open|filtered: Nmap cannot determine if the port is open or filtered. An open port may not return a response when using Nmap’s UDP, IP protocol, FIN, NULL and Xmas scans.
    • Service name: Name of the service actively accepting TCP (or UDP) packets on the service port.
    • Service product: Name of the application running on the open port, as identified by Nmap.
    • Extra service information: Any additional information returned by Nmap that Discovery can use to identify the application.

    Commands run by Nmap during application Discovery

    The MID Server passes one IP address for a remote host to the Nmap command and one port to scan. Nmap attempts to identify the application actively listening on the port and then determines whether it should create a new CI or update an existing one. The host must be reported by Nmap to be up.

    Nmap uses this information to determine which course to take:
    • Service product
    • Service name
    • Extra service information
    • State of the scanned port
      Note:
      The service product and service name values cannot be NULL, and the service name cannot end with a question mark. Nmap appends a question mark to a service name when it guesses at the application listening on the scanned port. The instance does not create or update an application CI if Nmap cannot retrieve the application name from its static nmap-services registry file.
    Command Description
    -sS TCP SYN (stealth) port scan. This is the default scan option and never completes TCP connections. Scans can differentiate between ports that are open, closed, or filtered.

    TCP SYN scan implements a half-open reset that aborts the request before the connection can be established. The port is open (the application is listening) if a SYN/ACK is returned. The port is closed if an RST is returned. If no response is received after multiple retransmissions, the port is marked filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1,2,3,9,10,13) is received.

    Requirements:
    • Raw packet privileges
    • Must run as root
    • Windows administrator privileges
    -sV Probes open ports to determine the service protocol, application name, version number, hostname, device type, OS Family and miscellaneous details such as the SSH protocol version.
    When Nmap receives a response it cannot match to the database it prints out a fingerprint and URL for submission to nmap.org. If looks for the port number in its static nmap-services registry file to determine the name of an application service that might be actively listening on the port. The service name returned by Nmap is appended with a question mark, indicating that Nmap had to guess at its identity. The instance does not create or update an application CI when Nmap guesses at the application running on an open port.
    Note:
    This command does not require raw-packet privileges.
    --datadir Path to the directory containing the safe set of Nmap scripts to be run during Application/Version detection.
    -p Single port to scan.
    -T4 Nmap aggressive timing template.
    -v Enable verbose detail. This command is normally used to provide progress indication to viewers of standard output. However, it can cause the Nmap Scripting Engine (NSE) scripts to provide additional detail.
    -Pn Disable the default ping. This command skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use this command if you want a port scan even if the set of ports run by the default Discovery probes will not find an open port.
    -r Scan ports consecutively, without randomizing.
    --reason Explains why Nmap classified a port with a specific state.
    --system-dns Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since it can only resolve one IP address at a time, while multiple rDNS requests are performed in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.
    -X - Redirects stdout to a XML file.
    2> <file-path> Redirects errors messages written by Nmap to stderr to the specified file.