So many of us have been there….we look at a log, an alert, a ticket, and think “I have no idea what that device is.” Having worked countless incident responses it almost always happens. Asset management is one of the most difficult things anyone in tech has to maintain. I include it in tabletop exercises all of the time. “You have been contacted by an external party that device X is sending spam from your network.” There are many different services, applications, processes, etc. in the market that can assist in your work towards having better asset management. However, we know that not everyone has the budget for more tools and services, and even if you do, sometimes it’s nice to spot check to make sure they are working and finding everything as intended.
This is where network scanning with Nmap comes in handy. Nmap is not just for finding open ports; it's also an excellent tool for discovering and cataloging the devices on your network. In this article, we'll walk you through using Nmap to create an inventory of your network assets. We've also worked with the fine folks at Lawrence Systems on a video tutorial, which you can follow along with below.
Network asset discovery is the process of identifying and cataloging all devices connected to a network. This includes servers, workstations, network devices, printers, and even IoT devices. A thorough asset discovery process provides you with a clear picture of your network, which is essential for:
Nmap, originally designed for port scanning, has evolved into a versatile tool for network exploration and security auditing. Its ability to discover hosts, identify operating systems, and enumerate services makes it ideal for asset discovery.
Before we dive into specific commands, ensure you have Nmap installed on your system. If you haven't installed it yet, refer to the "How To Install Nmap" section in the article we linked above.
To start, let's perform a basic network sweep to identify live hosts:
nmap 172.16.16.0/24
This command sends a ping to every possible IP address in the 192.168.1.0/24 subnet and lists the hosts that respond. The -sn flag tells Nmap to perform a ping scan without port scanning:
nmap -sn 172.16.16.0/24
To get information about services running on the discovered hosts:
nmap -sV 172.16.16.4
The -sV flag enables version scanning, which attempts to determine the version of services running on open ports.
Once you've identified live hosts, you can use OS detection to gather more information:
sudo nmap -O 172.16.16.4
The -O flag enables OS detection. Note that this requires root privileges, hence the sudo command.
For a more comprehensive scan, you can combine these techniques:
sudo nmap -sV -O 172.16.16.4
This command will perform both version scanning and OS detection on all live hosts in the subnet.
Nmap's Scripting Engine (NSE) provides additional capabilities for gathering detailed information about devices. Here's an example using the "smb-os-discovery" script to gather information about Windows machines:
nmap --script smb-os-discovery 172.16.16.0/24
This script will attempt to gather detailed OS information from Windows machines using SMB.
To save your results for later analysis or to import into other tools, use Nmap's output options:
sudo nmap -sV -O 172.16.16.0/24 --oX network_inventory.xml
This command saves the results in XML format, which can be easily parsed by other tools or scripts.
For ongoing asset management and discovery, you can automate these scans using task scheduling tools like cron (Linux) or Task Scheduler (Windows). Here's a simple bash script that you could schedule to run periodically:
#!/bin/bash
DATE=$(date +"%Y%m%d")
nmap -sV -O 172.16.16.0/24 -oX /path/to/network_inventory_$DATE.xml
This script performs a version and OS scan, saving the results with a date stamp in the filename.
While already useful, we can use the xsltproc command to process and re-format the results into a more human-readable HTML page using libxslt. First you’ll need to install the package if you haven’t already:
install xsltproc
Next use the command flag-oto define where the HTML output should be saved, followed by the path for the .xml file of your nmap scan results.
xsltproc -o /path/to/network_inventory_x.html /path/to/network_inventory_$DATE.xml
(Be sure to replace$DATEwith the date the scan was run if processing a scan run on a different day!) If you want to prettify your results even more, you can customize the HTML page with an XSL stylesheet. While you can write your own, our friends at Lawrence Systems have conveniently added a sheet you can download, here:
NMAP_stylesheet.xsl (click to read in a new tab, or save to file for ready use)
Once you’ve written or downloaded your stylesheet, you just need to add its path as a variable between your HTML output and XML input:
xsltproc -o /path/to/network_inventory_$DATE.html /path/to/NMAP_stylesheet.xsl /path/to/network_inventory_$DATE.xml
After running these scans, you'll have a wealth of information about your network. Here's what to look for:
Remember, while Nmap is a powerful tool for asset discovery, it should be used responsibly. Always ensure you have permission to scan the network, and be aware that some scans can be intrusive or potentially disruptive.
Nmap has many uses. Using Nmap for network inventory and asset discovery provides a solid foundation for maintaining a secure and well-managed network. You can use Blumira's Free Domain Assessment to regularly scanning your network and analyzing the results you can stay on top of changes, identify potential security risks, and ensure your asset inventory remains up-to-date.
Remember, knowing what's on your network is the first step in protecting it. Happy scanning!