August 19, 2024

    How To Use Nmap for Network Inventory and Asset Discovery

    So many of us have been there: we look at a log, an alert, a ticket, and think "I have no idea what that device is." Having worked countless incident responses, I can tell you it happens almost every time. Asset management is one of the most difficult things anyone in tech has to maintain. I include it in tabletop exercises all of the time: "You have been contacted by an external party that device X is sending spam from your network." There are many different services, applications, processes, etc. on the market that can assist in your work towards better asset management. However, not everyone has the budget for more tools and services, and even if you do, it's worth spot-checking to make sure they are working and finding everything as intended.

    This is where network scanning with Nmap comes in handy. Nmap is not just for finding open ports; it's also an excellent tool for discovering and cataloging the devices on your network. In this article, we'll walk you through using Nmap to create an inventory of your network assets. We've also worked with the fine folks at Lawrence Systems on a video tutorial, which you can follow along with below. 

    What is Network Asset Discovery?

    Network asset discovery is the process of identifying and cataloging all devices connected to a network. This includes servers, workstations, network devices, printers, and even IoT devices. A thorough asset discovery process provides you with a clear picture of your network, which is essential for:

    1. Security Management: You can't protect what you don't know about.
    2. Compliance: Many regulations require maintaining an up-to-date inventory.
    3. Resource planning: Understanding your current assets helps in planning for future needs.
    4. Troubleshooting: A complete inventory can speed up problem resolution.

     


     

    Nmap: Your Swiss Army Knife for Asset Discovery

    Nmap, originally designed for port scanning, has evolved into a versatile tool for network exploration and security auditing. Its ability to discover hosts, identify operating systems, and enumerate services makes it ideal for asset discovery.

    Before we dive into specific commands, ensure you have Nmap installed on your system. If you haven't installed it yet, refer to the "How To Install Nmap" section in the article we linked above.

    Basic Network Sweep

    To start, let's perform a basic network sweep to identify live hosts:

    nmap 172.16.16.0/24

    Run like this, Nmap first checks which addresses in 172.16.16.0/24 respond and then port-scans every live host (by default the 1,000 most common TCP ports). That is more than you need for a quick head count. The -sn flag tells Nmap to do host discovery only, with no port scan:

    nmap -sn 172.16.16.0/24

    What "ping" means here depends on how you run it. As root on the local Ethernet segment Nmap uses ARP requests, which find hosts that drop ICMP; for remote subnets it sends an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request. Run without privileges it can only make TCP connections to ports 80 and 443, so a host that filters both will look down. For the most complete sweep, run it with sudo.

    Version Scanning

    To get information about services running on the discovered hosts:

    nmap -sV 172.16.16.4

    The -sV flag enables version scanning, which attempts to determine the version of services running on open ports.

    OS Detection

    Once you've identified live hosts, you can use OS detection to gather more information:

    sudo nmap -O 172.16.16.4

    The -O flag enables OS detection, which fingerprints the target's TCP/IP stack. It needs raw packet access, hence the sudo, and it works best when Nmap finds at least one open and one closed TCP port on the target; otherwise the match is reported with low accuracy or not at all.

    Combining Techniques

    For a more comprehensive scan, you can combine these techniques:

    sudo nmap -sV -O 172.16.16.4

    This command performs both version scanning and OS detection against the target host. Point it at 172.16.16.0/24 instead to run the same combined scan against every live host in the subnet; Nmap does host discovery first and only fingerprints the hosts that respond.

    Using NSE Scripts for Detailed Information

    Nmap's Scripting Engine (NSE) provides additional capabilities for gathering detailed information about devices. Here's an example using the "smb-os-discovery" script to gather information about Windows machines:

    nmap --script smb-os-discovery 172.16.16.0/24

    This script attempts to gather the OS version, computer name and domain or workgroup from Windows (and Samba) hosts over SMB, and it does so without credentials. Nmap only runs it against hosts where the port scan that precedes it finds 445/tcp (or 139/tcp) open, so the command above still scans the subnet first and then queries the SMB speakers it found.

    Outputting Results

    To save your results for later analysis or to import into other tools, use Nmap's output options:

    sudo nmap -sV -O 172.16.16.0/24 -oX network_inventory.xml

    This command saves the results in XML format (note the single dash: -oX), which can be easily parsed by other tools or scripts. Nmap also offers -oN for normal text output, -oG for greppable output and -oA <basename> to write all three at once; the XML form is the one to keep for anything automated.
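As an added example (not from the original article or from the Nmap project), here is a short Python script that reads an -oX file and flattens each live host into one inventory row: IP, hostname, MAC and vendor (only visible on the local subnet), the best OS match, and the open ports with whatever -sV identified on them. The XML embedded in it is a constructed sample in the shape Nmap writes, not real scan output; the element names it reads (host, status, address, ports/port, service, os/osmatch) are the ones Nmap's XML format uses.

```python
"""Flatten an Nmap -oX file into one inventory row per live host (added example)."""
import csv
import io
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes for -sV -O -oX; not real scan output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX network_inventory.xml 172.16.16.0/24" version="7.94">
<host><status state="up" reason="arp-response"/>
<address addr="172.16.16.4" addrtype="ipv4"/>
<address addr="b8:27:eb:12:34:56" addrtype="mac" vendor="Raspberry Pi Foundation"/>
<hostnames><hostname name="pi.lab.example" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.52"/></port>
<port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
</ports>
<os><osmatch name="Linux 5.0 - 5.4" accuracy="95"/><osmatch name="Linux 4.15 - 5.6" accuracy="90"/></os>
</host>
<host><status state="up" reason="echo-reply"/>
<address addr="172.16.16.20" addrtype="ipv4"/>
<address addr="00:50:56:ab:cd:ef" addrtype="mac" vendor="VMware"/>
<hostnames/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports>
<os><osmatch name="Microsoft Windows Server 2019" accuracy="90"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="172.16.16.21" addrtype="ipv4"/>
</host>
</nmaprun>
"""

FIELDS = ["ip", "hostname", "mac", "vendor", "os", "services"]


def parse_inventory(xml_text):
    """Return a list of dicts (one per host Nmap reports as up) from Nmap XML text."""
    root = ET.fromstring(xml_text)
    rows = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # nothing to inventory for hosts that did not respond
        ip = mac = vendor = ""
        for addr in host.findall("address"):
            if addr.get("addrtype") in ("ipv4", "ipv6"):
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":  # only present on the local subnet
                mac = addr.get("addr").upper()
                vendor = addr.get("vendor", "")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        services = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for an inventory
            label = f"{port.get('portid')}/{port.get('protocol')}"
            svc = port.find("service")
            if svc is not None:
                # product/version attributes exist only when -sV identified the service
                detail = " ".join(x for x in (svc.get("name"), svc.get("product"), svc.get("version")) if x)
                label = f"{label} {detail}" if detail else label
            services.append(label)
        best = None  # keep the osmatch with the highest accuracy
        for m in host.findall("os/osmatch"):
            if best is None or int(m.get("accuracy", "0")) > int(best.get("accuracy", "0")):
                best = m
        os_guess = f"{best.get('name')} ({best.get('accuracy')}%)" if best is not None else ""
        rows.append({"ip": ip, "hostname": hostname, "mac": mac, "vendor": vendor,
                     "os": os_guess, "services": "; ".join(services)})
    return rows


def to_csv(rows):
    """Serialize inventory rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python3 inventory.py network_inventory.xml  (no argument: parse the sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    print(to_csv(parse_inventory(text)), end="")
```

Run it as python3 inventory.py network_inventory.xml to get CSV on stdout; with no argument it parses the embedded sample. Hosts Nmap marks down are skipped and closed ports are not listed, so the services column is a starting point for the "unnecessary services" check rather than a full port map, and the MAC and vendor columns are empty for anything on a routed subnet.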

    Automating Asset Discovery

    For ongoing asset management and discovery, you can automate these scans using task scheduling tools like cron (Linux) or Task Scheduler (Windows). Here's a simple bash script that you could schedule to run periodically:

    #!/bin/bash
    # -O needs raw sockets, so run this from root's crontab (or wrap nmap in sudo).
    set -eu
    DATE=$(date +"%Y%m%d")
    nmap -sV -O 172.16.16.0/24 -oX /path/to/network_inventory_$DATE.xml

    This script performs a version and OS scan, saving the results with a date stamp in the filename. Because -O needs root, schedule it from root's crontab, and give cron the full path to nmap if its minimal PATH cannot find it.

    While already useful as XML, the results can be turned into a human-readable HTML page with xsltproc, the command-line XSLT processor from libxslt. First install the package if you haven't already (Debian/Ubuntu shown):

    sudo apt install xsltproc

    Next use the -o flag to define where the HTML output should be saved, followed by the path to the .xml file of your Nmap scan results:

    xsltproc -o /path/to/network_inventory_x.html /path/to/network_inventory_$DATE.xml

    (Outside the script, $DATE is just an unset shell variable, so type the actual date the scan was run, for example network_inventory_20240819.xml.) With no stylesheet named on the command line, xsltproc follows the xml-stylesheet reference Nmap writes into the file, which points at the nmap.xsl shipped with your local Nmap install; if that file is missing, or you convert the XML on a machine without Nmap, pass a stylesheet explicitly as shown next. If you want to prettify your results even more, you can customize the HTML page with your own XSL stylesheet. While you can write one from scratch, our friends at Lawrence Systems have conveniently added a sheet you can download, here:

    NMAP_stylesheet.xsl (click to read in a new tab, or save to file for ready use)

    Once you've written or downloaded your stylesheet, pass its path as an argument between the HTML output and the XML input:

    xsltproc -o /path/to/network_inventory_$DATE.html /path/to/NMAP_stylesheet.xsl /path/to/network_inventory_$DATE.xml

    Interpreting the Results

    After running these scans, you'll have a wealth of information about your network. Here's what to look for:

    1. Unexpected Devices: Any hosts that you weren't aware of could be unauthorized devices.
    2. Outdated Operating Systems: Identify systems running old, potentially vulnerable OS versions.
    3. Unnecessary Services: Look for services running on devices where they shouldn't be.
    4. Inconsistencies: Compare the results with your existing inventory to spot discrepancies.

    Remember, while Nmap is a powerful tool for asset discovery, it should be used responsibly. Always ensure you have permission to scan the network, and be aware that some scans can be intrusive or potentially disruptive.

     

    Conclusion

    Nmap has many uses, and using it for network inventory and asset discovery provides a solid foundation for maintaining a secure and well-managed network. By regularly scanning your network and analyzing the results you can stay on top of changes, identify potential security risks, and ensure your asset inventory remains up-to-date. Blumira's Free Domain Assessment is another free check you can run alongside these scans.

    Remember, knowing what's on your network is the first step in protecting it. Happy scanning!

    Frequently Asked Questions

    How do I schedule automated Nmap scans for continuous asset discovery?

    On Linux, create a cron job that runs your scan at a regular interval: 0 2 * * 0 nmap -sn 10.0.0.0/16 -oX /opt/scans/scan-$(date +\%Y\%m\%d).xml runs a host discovery scan every Sunday at 2 AM and saves timestamped XML output. On Windows, use Task Scheduler to run a batch file with the same Nmap command. After each scan, compare the new results against the previous scan using ndiff (included with Nmap): ndiff scan-previous.xml scan-current.xml shows which hosts appeared, disappeared, or changed services. Weekly scans catch most changes in typical environments. For more dynamic networks (guest VLANs, BYOD segments), daily scans are worth the overhead. Store all scan history for at least 90 days so you can trace when a device first appeared on your network.

    How do I scan multiple subnets with Nmap in a single command?

    List all target ranges separated by spaces: nmap -sn 10.0.1.0/24 10.0.2.0/24 192.168.1.0/24. For environments with many subnets, create a text file with one range per line and use the -iL flag: nmap -sn -iL targets.txt. This keeps your command manageable and lets you version-control your target list. For large environments with hundreds of subnets, break scans into batches to avoid network congestion and excessively long scan times. A full -sn scan of a /16 (65,536 addresses) typically completes in under 10 minutes on a fast network, but adding service detection (-sV) or OS fingerprinting (-O) increases the time dramatically. Scan host discovery first across everything, then run detailed scans only against the live hosts you found.

    How do I identify unauthorized devices on my network with Nmap?

    Maintain a baseline inventory of known hosts, either as a saved Nmap XML scan or in your asset management system. Run periodic discovery scans and compare results using ndiff or a script that diffs MAC addresses and IPs against your approved list. Flag any new MAC address or IP that does not match your CMDB, DHCP reservations, or static IP records. On local subnets, Nmap captures MAC addresses and vendor OUI information, which helps you quickly classify unknown devices (for example, a Raspberry Pi Foundation MAC on your server VLAN is suspicious). Pay special attention to devices on unexpected subnets or ports. The most common findings are unauthorized IoT devices (smart TVs, personal printers), employee personal equipment, and forgotten test machines that were never decommissioned.
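The comparison described in this answer and in the "Interpreting the Results" checklist above, as an added Python example that is not part of the original article: it diffs a current inventory against a baseline and an approved MAC list, flagging new hosts, hosts whose address changed, newly exposed services, and hosts that have gone missing. It assumes both inventories are CSV with the columns ip,hostname,mac,vendor,os,services (one row per host, services separated by "; ") and that the approved list is a set of MACs exported from a CMDB or DHCP reservations; the inventories and approved list embedded below are constructed, not real scan data.

```python
"""Diff a current Nmap-derived inventory against a baseline (added example)."""
import csv
import io

# Constructed sample inventories; not real scan data.
BASELINE_CSV = """ip,hostname,mac,vendor,os,services
172.16.16.4,pi.lab.example,B8:27:EB:12:34:56,Raspberry Pi Foundation,Linux 5.0 - 5.4 (95%),22/tcp ssh OpenSSH 8.9p1
172.16.16.20,,00:50:56:AB:CD:EF,VMware,Microsoft Windows Server 2019 (90%),445/tcp microsoft-ds
172.16.16.30,printer.lab.example,3C:2A:F4:00:11:22,Brother Industries,,9100/tcp jetdirect
"""
CURRENT_CSV = """ip,hostname,mac,vendor,os,services
172.16.16.4,pi.lab.example,B8:27:EB:12:34:56,Raspberry Pi Foundation,Linux 5.0 - 5.4 (95%),22/tcp ssh OpenSSH 8.9p1; 80/tcp http Apache httpd 2.4.52
172.16.16.25,,00:50:56:AB:CD:EF,VMware,Microsoft Windows Server 2019 (90%),445/tcp microsoft-ds
172.16.16.77,,DC:A6:32:99:88:77,Raspberry Pi Foundation,Linux 5.0 - 5.4 (93%),22/tcp ssh OpenSSH 9.2p1
10.9.9.9,,,,Linux 4.15 - 5.6 (88%),22/tcp ssh
"""
# Approved MACs, e.g. exported from the CMDB or DHCP reservations (constructed).
APPROVED_MACS = {"B8:27:EB:12:34:56", "00:50:56:AB:CD:EF", "3C:2A:F4:00:11:22"}


def load_inventory(csv_text):
    """Key each row by MAC; fall back to IP when Nmap could not see a MAC (routed subnet)."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["mac"].upper() or "ip:" + row["ip"]
        inventory[key] = row
    return inventory


def _services(row):
    return {s for s in row["services"].split("; ") if s}


def diff_inventories(baseline, current, approved_macs):
    """Return (kind, status, where, key, detail) tuples for everything worth a look."""
    findings = []
    for key, row in current.items():
        old = baseline.get(key)
        if old is None:
            # Never seen before: approved only if the MAC is on the CMDB/DHCP list.
            # IP-keyed hosts have no MAC to check, so they always need a human look.
            status = "approved" if key in approved_macs else "unauthorized"
            findings.append(("new", status, row["ip"], key, row["vendor"] or "vendor unknown"))
            continue
        if old["ip"] != row["ip"]:  # same hardware, different address (DHCP churn or a move)
            findings.append(("moved", "review", f"{old['ip']} -> {row['ip']}", key, row["vendor"]))
        added = _services(row) - _services(old)
        if added:  # a port that was not open last time
            findings.append(("new-service", "review", row["ip"], key, "; ".join(sorted(added))))
    for key, row in baseline.items():
        if key not in current:  # off, decommissioned, or now filtering our probes
            findings.append(("missing", "info", row["ip"], key, row["vendor"]))
    return findings


def unauthorized(findings):
    """IPs of hosts that appeared without a matching approved MAC."""
    return [f[2] for f in findings if f[1] == "unauthorized"]


def format_findings(findings):
    return [f"{kind:<12} {status:<13} {where:<32} {key:<20} {detail}"
            for kind, status, where, key, detail in findings]


if __name__ == "__main__":
    base = load_inventory(BASELINE_CSV)
    cur = load_inventory(CURRENT_CSV)
    for line in format_findings(diff_inventories(base, cur, APPROVED_MACS)):
        print(line)
```

Keying on MAC is what makes a DHCP address change show up as "moved" rather than as one host vanishing and another appearing; a device on a routed subnet has no MAC in Nmap's output, so it is keyed by IP and can only ever be judged by address and OS, which is why the FAQ answer suggests pairing these scans with DHCP logs. Run against two real exports from the parser earlier on this page, replace the constructed CSV strings with open(...).read() calls.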

    What information can Nmap tell me about discovered devices?

    With the right flags, Nmap provides substantial detail. The -sV flag probes open ports to determine the service name and version (for example, Apache httpd 2.4.52 on port 80, or OpenSSH 8.9 on port 22). The -O flag fingerprints the operating system by analyzing TCP/IP stack behavior (for example, Linux 5.x kernel, or Windows Server 2019). On local subnets, Nmap captures the MAC address and identifies the hardware vendor from the OUI prefix. Combining -sV and -O gives you OS, running services with version numbers, open ports, and device manufacturer. Service version data is particularly valuable for vulnerability management because it tells you exactly which software versions need patching. A scan like nmap -sV -O -oX inventory.xml 10.0.1.0/24 produces a machine-readable inventory file that security and IT teams can both use.

    What are the limitations of Nmap for network inventory?

    Nmap only finds devices that respond to its probes. Hosts behind firewalls that block both ICMP and TCP probes will not appear, even if they are online. Devices powered off or disconnected during the scan window are missed entirely. Nmap provides a point-in-time snapshot, not continuous monitoring, so a device that connects at 3 PM will not show up in a scan that ran at 2 AM. Some hardened hosts or IDS/IPS systems may block or rate-limit Nmap traffic, leading to incomplete results. For full asset visibility, pair Nmap scans with passive network monitoring (which sees devices as they communicate, without sending probes), DHCP log analysis (which records every IP lease), and a SIEM that continuously tracks new devices appearing on your network. Nmap is the best active scanner available, but no single tool provides complete network visibility on its own.

    Tag(s): Security How-To , Blog , Nmap

    Amanda Berlin

    Amanda Berlin is the Senior Product Manager of Cybersecurity at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An...
