Credential-less discovery with Nmap

  • Release version: Yokohama
  • Updated May 31, 2026
  • 6 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Credential-less discovery with Nmap

    Credential-less discovery with Nmap enables ServiceNow Discovery and Service Mapping to collect basic configuration item (CI) information without using credentials when authentication fails. This functionality runs selected Nmap commands via a MID Server installed on a Windows host, allowing detection of host details such as DNS names, MAC addresses, operating systems, and applications. It is designed as a fallback method to gather essential CI data and supports subsequent reconciliation when credential-based discovery completes successfully.

    Show full answer Show less

    This feature is particularly useful in environments where credentials are missing or misconfigured but should be limited to known subnets and not used long term. It is not suitable for cloud platforms like AWS, Azure, IBM Cloud, or GCP due to their strict policies against unauthorized scanning.

    Key Features

    • Nmap Installation: Nmap must be installed on MID Server instances running on Windows hosts. Self-hosted users with network restrictions need to install Nmap manually.
    • Discovery Capabilities: Nmap enables reverse DNS lookups, MAC address retrieval (on the same subnet), application detection, and operating system identification.
    • System and MID Server Properties: Configurable system properties control Nmap activation and scan port ranges. MID Server properties track installed Nmap and Npcap versions and safe Nmap scripts.
    • Credential-less Discovery Patterns: Two main patterns exist—Network Device discovery identifies the host, and Application discovery detects services on specific ports.
    • Capability Management: Installing Nmap adds the Nmap MID Server capability automatically; only MID Servers with this capability can perform credential-less discovery.
    • Npcap Integration: Npcap is required on Windows MID Servers to support packet capture and OS detection. It must be managed separately from Nmap.
    • System Scripts: Several scripts control CI creation and mapping from Nmap results; some are editable for customization, while others are not to be modified.

    Practical Considerations for ServiceNow Customers

    • Use credential-less discovery primarily as a fallback for known subnets where credential-based discovery cannot be performed.
    • Do not rely on credential-less discovery for routers and switches, as these are classified only as hardware without detailed CI updates.
    • For cloud environments, verify platform policies before running Nmap scans to avoid violations or service expulsion.
    • Ensure Nmap is installed on all MID Servers assigned to relevant IP ranges to prevent discovery errors related to missing Nmap capability.
    • Manage Npcap installations carefully, especially when uninstalling Nmap, to avoid disrupting other applications.
    • Credential-less discovery results are reconciled with credential-based discovery once credentials are available, ensuring accurate CMDB data.

    If the instance fails to identify a configuration item (CI) because of authentication failure, Discovery or Service Mapping can run selected Network Mapper (Nmap) commands with a MID Server to collect some basic information about the CI without using credentials.

    A MID Server administrator can install Nmap on individual MID Server instances running on a Windows host. Those MID Server instances can then discover some basic information about CIs in your network when normal authentication fails.
    Important:
    Self-hosted users whose network security doesn't permit downloads from install.service-now.com must install and configure Nmap manually on their system. Refer to Install Nmap on a self-hosted system for instructions.

    Credential-less discovery can create or modify host and application CIs when credentials are missing or misconfigured. If a credential-based discovery is performed successfully after Nmap creates a CI, the system reconciles the information gathered from each type of discovery.

    What Nmap can discover

    The Nmap commands executed during credential-less discovery can:
    • Perform reverse DNS name resolution to identify the host from the IPv4 address.
    • Return the MAC address of the host if that host is on the same subnet as the host executing the Nmap command.
    • Detect applications installed on a target host.
    • Detect the operating system of a target host and the OS version.
    Note:
    Credential-less discovery classifies routers and switches as hardware. It does not create or update CIs specifically for them. Use it only on known subnets where credentials aren't viable, and don't use it long term.

    Nmap credential-less discovery scans in cloud computing platforms

    It is often against the terms of service to run Nmap scans to or from any resource within a cloud computing service such as Amazon Web Services (AWS), Microsoft Azure, IBM Cloud, or Google Cloud Platform (GCP). For example, the AWS environment is tightly regulated and requires the permission of AWS through the AWS Vulnerability/Penetration Testing Request form. Unauthorized tests against AWS services or AWS-owned resources are prohibited. For this reason, credential-less discovery within a cloud computing service environment is not appropriate, and if a violation of their policy occurs, could result in expulsion from the service. Contact your platform service provider for information on limitations or permission requirements for running Nmap.

    Components installed with Nmap

    The Discovery - IP Based plugin (com.snc.discovery.ip_based) that provides the Nmap functionality is activated automatically when either Discovery or Service Mapping is active. These Nmap components are provided by the Discovery - IP Based plugin:
    Component Description
    System properties
    • mid.discovery.credentialless.enable: Enables or disables Nmap for all MID Server instances on which Nmap is installed that are connected to the instance. This property is installed with the Discovery plugin and is enabled by default. It is configurable by a system administrator.
    • mid.discovery.credentialless.alt_port_options: Starting from Discovery and Service Mapping Patterns version 1.31.0, controls the port range that Nmap scans during credential-less discovery. Set to F to use Nmap fast mode (top 100 ports), or T to scan the top 1,000 ports (Nmap default). By default, ports are collected from the IP Services [cmdb_ip_service] table based on records where the Credentialless Discovery [cl_discovery] field is set to true.
    MID Server properties These properties, from the MID Server Property [ecc_agent_property] table, aren't intended to be configured:
    • mid.nmap.version: Version of Nmap that is installed on MID Server instances in your environment. This field is visible on the MID Server [ecc_agent] form after Nmap is installed.
    • nmap.safe.scripts: Defines the list of Nmap scripts that are classified as safe for use during execution of Nmap's Application Version Detection phase (-sV command option).
    • nmap.npcap.version: The version of Npcap that is installed with Nmap. The Nmap installer can only perform upgrades of existing Npcap installations it encounters.
    Fields
    • Credentialless Discovery Port [cl_port]: Optional field on the Application [cmdb_ci_appl] table that displays the number of a port scanned by credential-less discovery. This port number is used to determine whether an application returned by Nmap has a matching CI in the CMDB or if a new CI must be created.
    • Discovery source [discovery_source]: Optional field in the Configuration Item [cmdb_ci] table to which the CredentiallessDiscovery choice is added. This option shows that credential-less discovery was used to create a CI.
    Nmap MID Server capability The Nmap MID Server capabilities is added to the MID Server when Nmap is installed and removed automatically when Nmap is uninstalled. Only MID Server instances with this capability can perform credential-less discovery. A system administrator can't add or remove this capability manually. Self-hosted users who have the maint role can modify or delete the Nmap capability, but shouldn't do so.

    Service Mapping doesn’t check for the presence of the Nmap capability and selects the MID Server based on the IP address only. To prevent Service Mapping from selecting a MID Server without the Nmap capability, install Nmap on all MID Servers assigned to the IP address ranges for which you want credential-less discovery to be available. If Service Mapping selects a MID Server for credential-less discovery that doesn’t have Nmap capabilities, this error message appears in the map, at the site of the CI being discovered: Nmap is not installed on MID Server. Verify all MIDs configured to handle selected IP Address have Nmap Capability. Nmap root directory path does not exist: <path>

    Note:
    The ALL MID Server capability does not include the Nmap capability.
    Npcap Npcap is Nmap's packet capture library for Windows. Npcap enables Nmap to perform port scans quickly and to identify the family of the operating system running on the target. Only one copy of Npcap is installed per MID Server host.

    Because Npcap can be used by other applications, uninstalling Nmap does not automatically uninstall Npcap. You must uninstall Npcap manually, after determining that no other dependencies exist.
    Patterns
    • Credentialless Discovery Network Device: Scans a host IP address using an Nmap command to identify the host. This pattern launches the Credentialless Discovery Network Device - PreLaunch script to retrieve the list of ports to explore from the IP Service [cmdb_ip_service] table. Don't modify this script.
    • Credentialless Discovery Application: Scans a port at an IP address using an Nmap command to identify the application service actively listening on that port. Service Mapping launches this pattern when all credential-based port classification steps fail. Discovery creates a CI in the Application [cmdb_ci_appl] table if the port is open and it can identify the service by name and product. If the service does not respond to any of the scan attempts, Nmap consults its nmap-services registry and guesses at which service is most likely running on that port. If Nmap has to guess what application is running on a scanned port, the Credentialless Discovery Application pattern does not create an application CI or update an existing CI.
    MID Server script includes
    • SetCredentialLessDeviceClassName: Determines which host CI to create or update after the successful execution of the Nmap command. don't modify this script.
    • CredentialLessApplicationClassNameMapper: Maps the service product, service name, and extra service information supplied by Nmap for the scanned port to a supported application table in the instance. System administrators can modify this script.
    • SetCredentialLessApplicationClassName: Verifies that the CredentialLessApplicationClassNameMapper script is invoked only once. don't modify this script.
    System script include The CredentiallessDiscoveryAjax script include runs on the instance and handles the installation and uninstallation of Nmap on Windows MID Server instances, executed from UI actions on the form. don't modify this script.