So many of us have been there….we look at a log, an alert, a ticket, and think “I have no idea what that device is.” Having worked countless incident responses it almost always happens. Asset management is one of the most difficult things anyone in tech has to maintain. I include it in tabletop exercises all of the time. “You have been contacted by an external party that device X is sending spam from your network.” There are many different services, applications, processes, etc. in the market that can assist in your work towards having better asset management. However, we know that not everyone has the budget for more tools and services, and even if you do, sometimes it’s nice to spot check to make sure they are working and finding everything as intended.
This is where network scanning with Nmap comes in handy. Nmap is not just for finding open ports; it's also an excellent tool for discovering and cataloging the devices on your network. In this article, we'll walk you through using Nmap to create an inventory of your network assets.
What is Network Asset Discovery?
Network asset discovery is the process of identifying and cataloging all devices connected to a network. This includes servers, workstations, network devices, printers, and even IoT devices. A thorough asset discovery process provides you with a clear picture of your network, which is essential for:
- Security Management: You can't protect what you don't know about.
- Compliance: Many regulations require maintaining an up-to-date inventory.
- Resource planning: Understanding your current assets helps in planning for future needs.
- Troubleshooting: A complete inventory can speed up problem resolution.
Nmap: Your Swiss Army Knife for Asset Discovery
Nmap, originally designed for port scanning, has evolved into a versatile tool for network exploration and security auditing. Its ability to discover hosts, identify operating systems, and enumerate services makes it ideal for asset discovery.
Before we dive into specific commands, ensure you have Nmap installed on your system. If you haven't installed it yet, refer to the "How To Install Nmap" section in the article we linked above.
Basic Network Sweep
To start, let's perform a basic network sweep to identify live hosts:
nmap 172.16.16.0/24
This command sends a ping to every possible IP address in the 192.168.1.0/24 subnet and lists the hosts that respond. The -sn flag tells Nmap to perform a ping scan without port scanning:
nmap -sn 172.16.16.0/24
Version Scanning
To get information about services running on the discovered hosts:
nmap -sV 172.16.16.4
The -sV flag enables version scanning, which attempts to determine the version of services running on open ports.
OS Detection
Once you've identified live hosts, you can use OS detection to gather more information:
sudo nmap -O 172.16.16.4
The -O flag enables OS detection. Note that this requires root privileges, hence the sudo command.
Combining Techniques
For a more comprehensive scan, you can combine these techniques:
sudo nmap -sV -O 172.16.16.4
This command will perform both version scanning and OS detection on all live hosts in the subnet.
Using NSE Scripts for Detailed Information
Nmap's Scripting Engine (NSE) provides additional capabilities for gathering detailed information about devices. Here's an example using the "smb-os-discovery" script to gather information about Windows machines:
nmap --script smb-os-discovery 172.16.16.0/24
This script will attempt to gather detailed OS information from Windows machines using SMB.
Outputting Results
To save your results for later analysis or to import into other tools, use Nmap's output options:
sudo nmap -sV -O 172.16.16.0/24 --oX network_inventory.xml
This command saves the results in XML format, which can be easily parsed by other tools or scripts.
Automating Asset Discovery
For ongoing asset management and discovery, you can automate these scans using task scheduling tools like cron (Linux) or Task Scheduler (Windows). Here's a simple bash script that you could schedule to run periodically:
#!/bin/bash
DATE=$(date +"%Y%m%d")
nmap -sV -O 172.16.16.0/24 -oX /path/to/network_inventory_$DATE.xml
This script performs a version and OS scan, saving the results with a date stamp in the filename.
Interpreting the Results
After running these scans, you'll have a wealth of information about your network. Here's what to look for:
- Unexpected Devices: Any hosts that you weren't aware of could be unauthorized devices.
- Outdated Operating Systems: Identify systems running old, potentially vulnerable OS versions.
- Unnecessary Services: Look for services running on devices where they shouldn't be.
- Inconsistencies: Compare the results with your existing inventory to spot discrepancies.
Remember, while Nmap is a powerful tool for asset discovery, it should be used responsibly. Always ensure you have permission to scan the network, and be aware that some scans can be intrusive or potentially disruptive.
Conclusion
Nmap has many uses. Using Nmap for network inventory and asset discovery provides a solid foundation for maintaining a secure and well-managed network. You can use Blumira's Free Domain Assessment to regularly scanning your network and analyzing the results you can stay on top of changes, identify potential security risks, and ensure your asset inventory remains up-to-date.
Remember, knowing what's on your network is the first step in protecting it. Happy scanning!
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
More from the blog
View All PostsMicrosoft to Enable Domain Controller Enforcement Mode by Default on Feb. 9
Read MoreThe Hedgehog Defense – Default Apps
Read MoreHow to Secure Remote Access for Manufacturing Operations
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.