We’ll start our discussion of network inventorying with Nmap. This is the simplest, easiest-to-install option we have. Nmap is a versatile open-source network-scanning tool. We’ll just cover the basics of using it for putting together a network inventory.
Nmap can be installed on Linux or Mac by using the standard package managers. The Nmap maintainers also provide Windows binaries. The Nmap website provides detailed installation and usage instructions, and it tells you where you can buy the printed Nmap book.
Nmap uses unauthenticated scans to give us a coarse-grained picture of what’s on our network. We’ll use Nmap to detect three things about our network:
- What machines are on our network
- What ports are open on those machines
- What operating systems are running on those machines
The first two are fairly obvious. If a computer is on our network, it will generally respond to pings and the like. If a machine is listening on a given port, it will respond to SYN packets.
Detecting the operating system is less straightforward. Nmap can make some guesses about what operating system is running on another computer based on how that computer responds to specially crafted, nonstandard network traffic. It’s only a guess, not a guarantee. But even guesses can be useful while we’re trying to put together a network inventory.
Suppose you’re scanning your accounting department’s subnet, and you expect to see only Windows workstations on that part of your network. If Nmap finds a host that appears to run Linux, that’s worth a look. Most likely you have a printer or some other appliance on your network that you’d forgotten about. It could also be that Nmap is mistaken. But there is the possibility that something is running on your network that shouldn’t be there.
Even if the OS detection isn’t 100 percent accurate, this scanning can still provide useful data. Most of the time the scan is accurate, so you shouldn’t need to wade through too many false positives.
Getting familiar with normal traffic
Another benefit of this kind of scan is that it will help us develop an intuition for what kinds of machines and what kinds of traffic are normal for our network. Going back to our example of scanning our accounting department’s subnet, if we see an HTTP server running on an accountant’s workstation, that should grab our attention. Accountants generally aren’t interested in installing web servers. If one is running on an accountant’s workstation, that could be a sign of malware, so talk to the person who uses that workstation and find out if it’s supposed to be there. If it is supposed to be there, congratulations! You have a new piece of software to add to your network inventory. If this web server is not supposed to be there, however, congratulations! You found something that shouldn’t be there. You’ll need to decide how to respond to this incident.
Now that we have Nmap installed and know what we hope to learn from running it, let’s see how to use it. Nmap is a command-line tool, so we’ll run it from a shell such as bash. Let’s start by running
nmap --help to make sure we’ve installed it correctly. Nmap’s help output is pretty verbose. You should see something like the following: