So many of us have been there: we look at a log, an alert, or a ticket and think “I have no idea what that device is.” Having worked countless incident responses, I can say it almost always happens. Asset management is one of the most difficult things anyone in tech has to maintain, and I include it in tabletop exercises all of the time: “You have been contacted by an external party that device X is sending spam from your network.” There are many different services, applications, and processes on the market that can help you work towards better asset management. However, not everyone has the budget for more tools and services, and even if you do, sometimes it’s nice to spot check that they are working and finding everything as intended.
This is where network scanning with Nmap comes in handy. Nmap is not just for finding open ports; it's also an excellent tool for discovering and cataloging the devices on your network. In this article, we'll walk you through using Nmap to create an inventory of your network assets.
Network asset discovery is the process of identifying and cataloging all devices connected to a network. This includes servers, workstations, network devices, printers, and even IoT devices. A thorough asset discovery process provides you with a clear picture of your network, which is essential for:
Nmap, originally designed for port scanning, has evolved into a versatile tool for network exploration and security auditing. Its ability to discover hosts, identify operating systems, and enumerate services makes it ideal for asset discovery.
Before we dive into specific commands, ensure you have Nmap installed on your system. If you haven't installed it yet, refer to the "How To Install Nmap" section in the article we linked above.
To start, let's perform a basic network sweep to identify live hosts:
nmap 172.16.16.0/24
Run without options, Nmap checks every address in the 172.16.16.0/24 subnet for live hosts and then port-scans the ones that respond. To only list the hosts that respond, add the -sn flag, which tells Nmap to perform a ping scan without port scanning:
nmap -sn 172.16.16.0/24
To get information about services running on the discovered hosts:
nmap -sV 172.16.16.4
The -sV flag enables version scanning, which attempts to determine the version of services running on open ports.
Once you've identified live hosts, you can use OS detection to gather more information:
sudo nmap -O 172.16.16.4
The -O flag enables OS detection. Note that this requires root privileges, hence the sudo command.
For a more comprehensive scan, you can combine these techniques:
sudo nmap -sV -O 172.16.16.4
This command performs both version scanning and OS detection on the target host. To cover all live hosts in the subnet, give it the subnet (172.16.16.0/24) as the target instead.
Nmap's Scripting Engine (NSE) provides additional capabilities for gathering detailed information about devices. Here's an example using the "smb-os-discovery" script to gather information about Windows machines:
nmap --script smb-os-discovery 172.16.16.0/24
This script will attempt to gather detailed OS information from Windows machines using SMB.
To save your results for later analysis or to import into other tools, use Nmap's output options:
sudo nmap -sV -O 172.16.16.0/24 -oX network_inventory.xml
This command saves the results in XML format, which can be easily parsed by other tools or scripts.
For ongoing asset management and discovery, you can automate these scans using task scheduling tools like cron (Linux) or Task Scheduler (Windows). Here's a simple bash script that you could schedule to run periodically:
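#!/bin/bash
# Run as root (for example from root's crontab); -O requires root privileges.
DATE=$(date +"%Y%m%d")
# Version and OS scan of the subnet, saved as date-stamped XML.
nmap -sV -O 172.16.16.0/24 -oX "/path/to/network_inventory_${DATE}.xml"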
This script performs a version and OS scan, saving the results with a date stamp in the filename.
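An added example (not from the original article or from the Nmap project): parsing the -oX XML into an inventory and diffing two dated scans to surface new hosts and newly open ports. The sample XML, host names, and the function names parse_inventory and diff_inventories are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the element layout Nmap writes with -oX (not real scan output).
SCAN_OLD = """<nmaprun><host><status state="up"/>
<address addr="172.16.16.4" addrtype="ipv4"/>
<address addr="02:00:00:00:00:04" addrtype="mac" vendor="ExampleVendor"/>
<hostnames><hostname name="files01.example.internal" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="8.9"/></port></ports>
<os><osmatch name="Linux 5.X" accuracy="96"/></os></host></nmaprun>"""
# Constructed follow-up scan: .4 gains 445/tcp and an unrecorded host appears at .77.
SCAN_NEW = SCAN_OLD.replace("</ports>", '<port protocol="tcp" portid="445">'
    '<state state="open"/><service name="microsoft-ds"/></port></ports>').replace(
    "</nmaprun>", '<host><status state="up"/>'
    '<address addr="172.16.16.77" addrtype="ipv4"/></host></nmaprun>')

def parse_inventory(xml_text):
    """Map each live host's IP to its MAC, vendor, names, OS guess and open services."""
    inventory = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = next((a.get("addr") for a in host.findall("address")
                   if a.get("addrtype") in ("ipv4", "ipv6")), None)
        mac = host.find("address[@addrtype='mac']")  # reported only for local-segment hosts
        best_os = host.find("os/osmatch")  # first listed match, treated as the best guess
        services = {}
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue
            parts = (svc.get(k) for k in ("name", "product", "version")) if svc is not None else ()
            services[f"{port.get('portid')}/{port.get('protocol')}"] = " ".join(filter(None, parts))
        inventory[ip] = {
            "mac": mac.get("addr") if mac is not None else None,
            "vendor": mac.get("vendor") if mac is not None else None,
            "names": [h.get("name") for h in host.findall("hostnames/hostname")],
            "os": best_os.get("name") if best_os is not None else None,
            "services": services,
        }
    return inventory

def diff_inventories(old, new):
    """Report hosts and open ports that changed between two scans."""
    added = {ip: sorted(set(new[ip]["services"]) - set(old[ip]["services"]))
             for ip in set(old) & set(new)}
    return {"new_hosts": sorted(set(new) - set(old)),
            "missing_hosts": sorted(set(old) - set(new)),
            "new_services": {ip: ports for ip, ports in added.items() if ports}}
```

To use it on the scheduled script's output, read two of the date-stamped files and pass their text to parse_inventory, then compare the results with diff_inventories.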
After running these scans, you'll have a wealth of information about your network. Here's what to look for:
Remember, while Nmap is a powerful tool for asset discovery, it should be used responsibly. Always ensure you have permission to scan the network, and be aware that some scans can be intrusive or potentially disruptive.
Nmap has many uses. Using Nmap for network inventory and asset discovery provides a solid foundation for maintaining a secure and well-managed network. You can use Blumira's Free Domain Assessment. By regularly scanning your network and analyzing the results, you can stay on top of changes, identify potential security risks, and ensure your asset inventory remains up-to-date.
Remember, knowing what's on your network is the first step in protecting it. Happy scanning!