Nmap commands and data collected with credential-less Discovery

  • Release version: Zurich
  • Updated July 31, 2025
  • 7 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Nmap commands and data collected with credential-less Discovery

    This document details how Nmap is used within ServiceNow Discovery to perform credential-less scanning of hosts and applications. Nmap runs a series of controlled, safe commands to detect devices, operating systems, and applications without requiring credentials. The scanning occurs in phases, focusing on host discovery first, followed by application discovery, and helps create or update Configuration Items (CIs) in the CMDB.

    Show full answer Show less

    Host Discovery with Nmap

    During host discovery, Nmap determines if a host is online and collects key data:

    • Operating System Family: Identifies one of six supported server OS families to classify or update the host CI. Unsupported OS families default to a hardware CI.
    • MAC Address: Retrieved if the target host is on the same subnet as the Windows MID Server running Nmap.

    The MID Server runs Nmap commands using IP addresses and ports from the IP Service table. Hosts are considered "up" if ports are open or open/filtered.

    Key Nmap Commands for Host Discovery

    • -PS (TCP SYN Ping): Sends SYN packets to specified ports to verify host availability. Requires raw packet privileges and administrative rights.
    • -PA (TCP ACK Ping): Sends ACK packets to bypass some firewalls and detect hosts behind packet filters. Also requires elevated privileges.
    • -O (OS Detection): Uses TCP/IP stack fingerprinting to identify the OS family, version, and device type by examining TCP and UDP responses.
    • -p: Specifies ports to scan.
    • -T4: Uses aggressive timing to speed up scanning.
    • -v: Enables verbose output for progress visibility.
    • -Pn: Skips host discovery to scan all hosts as online.
    • --reason: Provides explanations for port state classifications.
    • --system-dns: Uses the operating system DNS resolver for reverse DNS lookups, ensuring MID Server and Discovery results match.

    Application Discovery with Nmap

    Once a host is identified as up, Nmap scans specific ports to detect active applications and services. It collects:

    • Port State: Identifies if a port is open or open/filtered.
    • Service Name: The service actively listening on the port.
    • Service Product: The application name running on the port.
    • Extra Service Information: Additional details to aid application identification.

    Only services with definite names (non-null and not ending with a question mark) are used to create or update application CIs.

    Key Nmap Commands for Application Discovery

    • -sS (TCP SYN Scan): Performs stealth scanning to identify open, closed, or filtered ports without completing TCP connections. Requires raw packet privileges.
    • -sV (Service Version Detection): Probes open ports to determine service protocol, application name, version, device type, and OS family. Does not require raw packet privileges.
    • --datadir: Specifies directory with safe Nmap scripts for detailed application/version detection.
    • -p: Single port to scan.
    • -T4: Aggressive timing for faster scans.
    • -v: Verbose output for detailed progress and script information.
    • -Pn: Skips host discovery phase to scan all hosts as online.
    • --reason: Explains port state classification.
    • --system-dns: Uses OS DNS resolver for reverse DNS lookups consistent with MID Server results.

    Practical Benefits for ServiceNow Customers

    • Enables automated discovery of hosts and applications without requiring credentials, reducing security risks and administrative overhead.
    • Supports accurate classification and updating of host and application CIs in the CMDB, improving IT asset visibility.
    • Uses safe, controlled Nmap commands with configurable options to adapt scanning to diverse network environments, including those behind firewalls.
    • Provides detailed OS and application information to support IT operations, security, and compliance initiatives.

    Nmap executes in phases when collecting data and runs a controlled set of safe commands with two patterns for exploring applications and devices.

    Data returned by Nmap from host Discovery

    Nmap returns the following data for a host it determines is up:
    • Operating system family: For one of the six supported server operating system families, a host CI is created or updated using the appropriate server class. For unsupported operating system families, a host CI is created or updated using the base Hardware [cmdb_ci_hardware] class.
    • MAC address: Nmap returns the remote host's MAC address if the scanned host is on the same subnet as the Windows MID Server host running the Nmap commands.

    Commands run by Nmap during host Discovery

    The MID Server passes the IP address of a remote host to the Nmap command and a set of ports, taken from the IP Service table. The host must be reported by Nmap to be up. The host is up if the port state returned by Nmap is open or open/filtered. If the host is reported to be up, then the operating system family returned is examined to determine the class used to create or update the host CI.
    Command Description
    -PS TCP SYN option determines if the host is online. This option that sends an empty, raw TCP packet with the SYN flag set to all the specified ports on the scan list. Nmap reports the host is online if a SYN/ACK TCP packet is returned and if an RST is returned, indicating that the port is closed. The Nmap host machine tears down the nascent connection with an RST, instead of an ACK, since the SYN/ACK response is unexpected from its perspective. If multiple port probes are specified, they are sent in parallel.
    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows.
    -PA Detects packet-filtering devices. This option is a TCP ACK host Discovery, using a specified list of ports. If no list is defined, the default port 80 is used.

    Nmap sends an empty, raw TCP packet with the ACK flag set. This action acknowledges data over an established TCP connection, causing the remote host to respond with an RST packet. If the remote host does respond with an RST packet, Nmap knows the host is online. The ACK ping probe may get past packet filtering of TCP SYN packets by stateless packet filtering, network entities, such as firewalls, routers, and host routing tables/firewall software. Stateful firewalls drop unexpected packets, causing the ACK packet to be dropped, which increases the likelihood of the SYN TCP probe getting through.

    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows .
    Note:
    Both Ping SYN (-PS) and Ping ACK (-PA) packets types can be configured together in the same scan attempt.
    -O Enables OS detection against a remote hostm providing the vendor name, underlying OS, OS generation, and device type, such as a router or a switch.

    Nmap uses TCP/IP stack fingerprinting to determine the OS family running on the host. Nmap sends a series of TCP and UPD packets to the host and examines the responses. After testing the responses thoroughly, Nmap compares results to its nmap-os-db database and prints the OS details, if there is a match. If Nmap cannot guess the OS, it checks for at least one open port and one closed port. When both are found, it generates a fingerprint and a URL to submit to nmap.org.

    OS detection does not use scripts from the Nmap Scripting Engine (NSE). OS detection runs after Application/Service Version detection, which helps the accuracy of OS Detection. However, the results of the two scan types might be contradictory. OS Detection runs at the TCP transport layer, while Application/Service Version Detection runs at a higher level in the TCP stack.

    Requirements:
    • Raw packet privileges.
    • Must run as root on UNIX.
    • Administrator privileges on Windows .
    -p List of ports to scan.
    -T4 Nmap aggressive timing template.
    -v Enable verbose detail. This command is normally used to provide progress indication to viewers of standard output. However, it can cause the Nmap Scripting Engine (NSE) scripts to provide additional detail.
    -Pn Disable the default ping. This command skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use this command if you want a port scan even if the set of ports run by the default Discovery probes will not find an open port.
    -r Scan ports consecutively, without randomizing.
    --reason Explains why Nmap classified a port with a specific state.
    --system-dns Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since it can only resolve one IP address at a time, while multiple rDNS requests are performed in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.
    -X - Redirects stdout to a XML file.
    2> <file-path> Redirects errors messages written by Nmap to stderr to the specified file.

    Data returned by Nmap during application Discovery

    Nmap returns the following application data from a host it determines is up:
    • Port state:
      • open: An application is actively accepting TCP (or UDP) packets on the port.
      • open|filtered: Nmap cannot determine if the port is open or filtered. An open port may not return a response when using Nmap’s UDP, IP protocol, FIN, NULL and Xmas scans.
    • Service name: Name of the service actively accepting TCP (or UDP) packets on the service port.
    • Service product: Name of the application running on the open port, as identified by Nmap.
    • Extra service information: Any additional information returned by Nmap that Discovery can use to identify the application.

    Commands run by Nmap during application Discovery

    The MID Server passes one IP address for a remote host to the Nmap command and one port to scan. Nmap attempts to identify the application actively listening on the port and then determines whether it should create a new CI or update an existing one. The host must be reported by Nmap to be up.

    Nmap uses this information to determine which course to take:
    • Service product
    • Service name
    • Extra service information
    • State of the scanned port
      Note:
      The service product and service name values cannot be NULL, and the service name cannot end with a question mark. Nmap appends a question mark to a service name when it guesses at the application listening on the scanned port. The instance does not create or update an application CI if Nmap cannot retrieve the application name from its static nmap-services registry file.
    Command Description
    -sS TCP SYN (stealth) port scan. This is the default scan option and never completes TCP connections. Scans can differentiate between ports that are open, closed, or filtered.

    TCP SYN scan implements a half-open reset that aborts the request before the connection can be established. The port is open (the application is listening) if a SYN/ACK is returned. The port is closed if an RST is returned. If no response is received after multiple retransmissions, the port is marked filtered. The port is also marked filtered if an ICMP unreachable error (type 3, code 1,2,3,9,10,13) is received.

    Requirements:
    • Raw packet privileges
    • Must run as root
    • Windows administrator privileges
    -sV Probes open ports to determine the service protocol, application name, version number, hostname, device type, OS Family and miscellaneous details such as the SSH protocol version.
    When Nmap receives a response it cannot match to the database it prints out a fingerprint and URL for submission to nmap.org. If looks for the port number in its static nmap-services registry file to determine the name of an application service that might be actively listening on the port. The service name returned by Nmap is appended with a question mark, indicating that Nmap had to guess at its identity. The instance does not create or update an application CI when Nmap guesses at the application running on an open port.
    Note:
    This command does not require raw-packet privileges.
    --datadir Path to the directory containing the safe set of Nmap scripts to be run during Application/Version detection.
    -p Single port to scan.
    -T4 Nmap aggressive timing template.
    -v Enable verbose detail. This command is normally used to provide progress indication to viewers of standard output. However, it can cause the Nmap Scripting Engine (NSE) scripts to provide additional detail.
    -Pn Disable the default ping. This command skips the initial Nmap host discovery scan phase and treats all hosts as if they are online. Use this command if you want a port scan even if the set of ports run by the default Discovery probes will not find an open port.
    -r Scan ports consecutively, without randomizing.
    --reason Explains why Nmap classified a port with a specific state.
    --system-dns Use the DNS resolver of the operating system for reverse DNS lookup, rather than the DNS name servers. This option is slower than using DNS servers, since it can only resolve one IP address at a time, while multiple rDNS requests are performed in parallel. However, the value returned matches the value returned by the MID Server that is used to create host CIs.
    -X - Redirects stdout to a XML file.
    2> <file-path> Redirects errors messages written by Nmap to stderr to the specified file.