How To Use Nmap for Network Inventory and Asset Discovery

So many of us have been there….we look at a log, an alert, a ticket, and think “I have no idea what that device is.” Having worked countless incident responses it almost always happens. Asset management is one of the most difficult things anyone in tech has to maintain. I include it in tabletop exercises all of the time. “You have been contacted by an external party that device X is sending spam from your network.” There are many different services, applications, processes, etc. in the market that can assist in your work towards having better asset management. However, we know that not everyone has the budget for more tools and services, and even if you do, sometimes it’s nice to spot check to make sure they are working and finding everything as intended.

This is where network scanning with Nmap comes in handy. Nmap is not just for finding open ports; it's also an excellent tool for discovering and cataloging the devices on your network. In this article, we'll walk you through using Nmap to create an inventory of your network assets.

What is Network Asset Discovery?

Network asset discovery is the process of identifying and cataloging all devices connected to a network. This includes servers, workstations, network devices, printers, and even IoT devices. A thorough asset discovery process provides you with a clear picture of your network, which is essential for:

1. Security Management: You can't protect what you don't know about.
2. Compliance: Many regulations require maintaining an up-to-date inventory.
3. Resource planning: Understanding your current assets helps in planning for future needs.
4. Troubleshooting: A complete inventory can speed up problem resolution.

Nmap: Your Swiss Army Knife for Asset Discovery

Nmap, originally designed for port scanning, has evolved into a versatile tool for network exploration and security auditing. Its ability to discover hosts, identify operating systems, and enumerate services makes it ideal for asset discovery.

Before we dive into specific commands, ensure you have Nmap installed on your system. If you haven't installed it yet, refer to the "How To Install Nmap" section in the article we linked above.

Basic Network Sweep

To start, let's perform a basic network sweep to identify live hosts:

nmap -sn 192.168.1.0/24

This command sends a ping to every possible IP address in the 192.168.1.0/24 subnet and lists the hosts that respond. The -sn flag tells Nmap to perform a ping scan without port scanning.

OS Detection

Once you've identified live hosts, you can use OS detection to gather more information:

sudo nmap -O 192.168.1.0/24

The -O flag enables OS detection. Note that this requires root privileges, hence the sudo command.

Version Scanning

To get information about services running on the discovered hosts:

nmap -sV 192.168.1.0/24

The -sV flag enables version scanning, which attempts to determine the version of services running on open ports.

Combining Techniques

For a more comprehensive scan, you can combine these techniques:

sudo nmap -sV -O 192.168.1.0/24

This command will perform both OS detection and version scanning on all live hosts in the subnet.

Using NSE Scripts for Detailed Information

Nmap's Scripting Engine (NSE) provides additional capabilities for gathering detailed information about devices. Here's an example using the "smb-os-discovery" script to gather information about Windows machines:

nmap --script smb-os-discovery 192.168.1.0/24

This script will attempt to gather detailed OS information from Windows machines using SMB.

Outputting Results

To save your results for later analysis or to import into other tools, use Nmap's output options:

nmap -sV -O 192.168.1.0/24 -oX network_inventory.xml

This command saves the results in XML format, which can be easily parsed by other tools or scripts.

Automating Asset Discovery

For ongoing asset management and discovery, you can automate these scans using task scheduling tools like cron (Linux) or Task Scheduler (Windows). Here's a simple bash script that you could schedule to run periodically:

#!/bin/bash

DATE=$(date +"%Y%m%d")

nmap -sV -O 192.168.1.0/24 -oX /path/to/network_inventory_$DATE.xml

This script performs a version and OS scan, saving the results with a date stamp in the filename.

Interpreting the Results

After running these scans, you'll have a wealth of information about your network. Here's what to look for:

1. Unexpected Devices: Any hosts that you weren't aware of could be unauthorized devices.
2. Outdated Operating Systems: Identify systems running old, potentially vulnerable OS versions.
3. Unnecessary Services: Look for services running on devices where they shouldn't be.
4. Inconsistencies: Compare the results with your existing inventory to spot discrepancies.

Remember, while Nmap is a powerful tool for asset discovery, it should be used responsibly. Always ensure you have permission to scan the network, and be aware that some scans can be intrusive or potentially disruptive.

Conclusion

Nmap has many uses. Using Nmap for network inventory and asset discovery provides a solid foundation for maintaining a secure and well-managed network. You can use Blumira's Free Domain Assessment  to regularly scanning your network and analyzing the results you can stay on top of changes, identify potential security risks, and ensure your asset inventory remains up-to-date.  

Remember, knowing what's on your network is the first step in protecting it. Happy scanning!