MID Server Credential-less Discovery with Nmap

If the instance fails to identify a configuration item (CI) because of authentication failure, Discovery or Service Mapping can run selected Network Mapper (Nmap) commands with a MID Server to collect some basic information about the CI without using credentials.

A MID Server administrator can install Nmap on individual MID Servers running on a Windows host. Those MID Servers can then discover some basic information about CIs in your network when normal authentication fails.

Credential-less discovery can create or modify host and application CIs when credentials are missing or misconfigured. If a credential-based discovery is performed successfully after Nmap creates a CI, the system reconciles the information gathered from each type of discovery.
Restriction: Self-hosted customers whose network security does not permit downloads from install.service-now.com, cannot configure Nmap for credential-less Discovery. The Nmap installation process that runs on the MID Server host also configures the components that make Nmap work. This process cannot be invoked by running the Nmap executable independently.

What Nmap can discover

The Nmap commands executed during credential-less Discovery can:
  • Perform reverse DNS name resolution to identify the host from the IPv4 address.
  • Return the MAC address of the host if that host is on the same subnet as the host executing the Nmap command.
  • Detect applications installed on a target host.
  • Detect the operating system of a target host and the OS version.

Using credential-less Discovery with Amazon Web Service (AWS)

Running Nmap scans to or from any resource within the Amazon Web Service AWS environment is tightly regulated and requires the permission of AWS through the AWS Vulnerability/Penetration Testing Request form. AWS only permits testing of EC2 and RDS instances that you own. Tests against any other AWS services or AWS-owned resources are prohibited. In addition, any Nmap scan of a permitted instance must be performed within an approved time window. For these reasons, credential-less Discovery within an AWS environment is not appropriate, and if a violation of their policy occurs, could result in expulsion from the service.

Components installed with Nmap

The Discovery - IP Based [com.snc.discovery.ip_based] plugin that provides the Nmap functionality is activated automatically when either Discovery or Service Mapping is active. These Nmap components are provided by the Discovery - IP Based plugin:
Component Description
System property The mid.discovery.credentialless.enable property enables or disables Nmap for all MID Servers on which Nmap is installed that are connected to the instance. This property is installed with the Discovery plugin and is enabled by default. It is configurable by a system administrator.
Note: This property is not recognized by Service Mapping. For details, see KB0639977.
MID Server properties These properties, from the MID Server Property [ecc_agent_property] table, are not intended to be configured:
  • mid.nmap.version: Version of Nmap that is installed on MID Servers in your environment. This field is visible on the MID Server [ecc_agent] form after Nmap is installed.
  • nmap.safe.scripts: Defines the list of Nmap scripts that are classified as safe for use during execution of Nmap’s Application Version Detection phase (-sV command option).
  • nmap.npcap.version: The version of Npcap that is installed with Nmap. The Nmap installer can only perform upgrades of existing Npcap installations it encounters.
  • Credentialless Discovery Port [cl_port]: Optional field on the Application [cmdb_ci_appl] table that displays the number of a port scanned by credential-less Discovery. This port number is used to determine whether an application returned by Nmap has a matching CI in the CMDB or if a new CI must be created.
  • Discovery source [discovery_source]: Optional field in the Configuration Item [cmdb_ci] table to which the CredentiallessDiscovery choice is added. This option shows that credential-less Discovery was used to create a CI.
Nmap MID Server capability The Nmap capability is added to the MID Server when Nmap is installed and removed automatically when Nmap in uninstalled. Only MID Servers with this capability can perform credential-less Discovery. A system administrator cannot add or remove this capability manually. Self-hosted customers who have the maint role can modify or delete the Nmap capability, but should not do so.

Service Mapping does not check for the presence of the Nmap capability and selects the MID Server based on the IP address only. To ensure that Service Mapping does not select a MID Server without the Nmap capability, install Nmap on all MID Servers assigned to the IP address ranges on which you want credential-less Discovery to be available.

Note: The ALL MID Server capability does not include the Nmap capability.
Npcap Npcap is Nmap's packet capture library for Windows. Npcap allows Nmap to perform port scans quickly and to identify the family of the operating system running on the target. Only one copy of Npcap is installed per MID Server host. The Nmap uninstaller does not remove Npcap from the host. This must be done manually.
  • Credentialless Discovery Network Device: Scans a host IP address using an Nmap command to identify the host. This pattern launches the Credentialless Discovery Network Device – PreLaunch script to retrieve the list of ports to explore from the IP Service [cmdb_ip_service] table. Do not modify this script.
  • Credentialless Discovery Application: Scans a port at an IP address using an Nmap command to identify the application service actively listening on that port. Service Mapping launches this pattern when all credential-based port classification steps fail. Discovery creates a CI in the Application [cmdb_ci_appl] table if the port is open and it can identify the service by name and product. If the service does not respond to any of the scan attempts, Nmap consults its nmap-services registry and guesses at which service is most likely running on that port. If Nmap has to guess what application is running on a scanned port, the Credentialless Discovery Application pattern does not create an application CI or update an existing CI.
MID Server script includes
  • SetCredentialLessDeviceClassName: Determines which host CI to create or update after the successful execution of the Nmap command. Do not modify this script.
  • CredentialLessApplicationClassNameMapper: Maps the service product, service name, and extra service information supplied by Nmap for the scanned port to a supported application table in the instance. System administrators can modify this script.
  • SetCredentialLessApplicationClassName: Ensures that the CredentialLessApplicationClassNameMapper script is invoked only once. Do not modify this script.
System script include The CredentiallessDiscoveryAjax script include runs on the instance and handles the installation and uninstallation of Nmap on Windows MID Servers, executed from UI actions on the form. Do not modify this script.