Network Inventory with Nmap
Learn how to use Nmap for comprehensive network asset discovery and management
Creating and maintaining an accurate network inventory is a fundamental task for network administrators and security professionals. Nmap provides powerful capabilities for discovering, identifying, and documenting network assets efficiently and accurately.
Basic Network Discovery
Ping Sweep
nmap -sn 192.168.1.0/24
Discovers active hosts without port scanning.
ARP Scan (Local Network)
nmap -PR -sn 192.168.1.0/24
Uses ARP requests for faster local network discovery.
Multiple Subnets
nmap -sn 192.168.1.0/24 10.0.0.0/24 172.16.0.0/16
Scans multiple network ranges in a single command.
Comprehensive Asset Discovery
Host Enumeration Techniques
Different network environments may require different host discovery techniques:
Local Network (Layer 2)
# ARP scan (fastest for local networks)
nmap -PR -sn 192.168.1.0/24
# MAC address discovery
nmap -sn --script=broadcast-mac-discovery 192.168.1.0/24
Remote Networks (Layer 3)
# TCP SYN ping to common ports
nmap -PS22,80,443 -sn 10.0.0.0/24
# TCP ACK ping (may bypass simple firewalls)
nmap -PA22,80,443 -sn 10.0.0.0/24
# ICMP echo request
nmap -PE -sn 10.0.0.0/24
Challenging Environments
# Combine multiple ping methods
nmap -PS22,80 -PA443 -PE -PP -sn 172.16.0.0/16
# Skip host discovery entirely
nmap -Pn 192.168.1.0/24
The key is to select the appropriate technique based on the network environment and any security controls in place.
Service Enumeration
Identifying services running on network devices is crucial for a complete inventory:
Basic Service Detection
nmap -sV 192.168.1.0/24
Comprehensive Service Detection
nmap -sV --version-all 192.168.1.0/24
Common Services Only
nmap -sV -F 192.168.1.0/24
Service Detection with Banner Grabbing
nmap -sV --script=banner 192.168.1.0/24
Specific Service Types
# Web servers
nmap -sV -p 80,443,8080,8443 192.168.1.0/24
# Database servers
nmap -sV -p 1433,3306,5432,27017 192.168.1.0/24
# Network infrastructure
nmap -sV -p 22,23,161,443,8443 192.168.1.0/24
Service information helps identify the purpose of each device and potential security implications.
Operating System Identification
Identifying operating systems provides valuable context for network inventory:
Basic OS Detection
nmap -O 192.168.1.0/24
Aggressive OS Detection
nmap -O --osscan-guess 192.168.1.0/24
OS Detection with Service Information
nmap -A 192.168.1.0/24
OS Detection via SMB (Windows Networks)
nmap --script=smb-os-discovery 192.168.1.0/24
Operating system information helps with:
- Identifying outdated or unsupported systems
- Planning patch management strategies
- Assessing potential vulnerabilities
- Determining appropriate security controls
Automating Network Inventory
Scheduled Scanning
Create regular network inventory scans using cron jobs or scheduled tasks:
# Create a daily network inventory scan
0 2 * * * /usr/bin/nmap -sn 192.168.1.0/24 -oA /var/log/nmap/daily_inventory_$(date +\%Y\%m\%d)
Differential Analysis
Compare scan results over time to identify changes:
# Compare today's scan with yesterday's
ndiff /var/log/nmap/daily_inventory_20230101.xml /var/log/nmap/daily_inventory_20230102.xml
Integration with Other Tools
Nmap results can be integrated with other tools:
# Convert XML output to HTML report
xsltproc /var/log/nmap/daily_inventory_20230101.xml -o inventory_report.html
# List hosts with open ports (the grepable .gnmap format records each port as portid/state/protocol/...)
grep "/open/" /var/log/nmap/daily_inventory_20230101.gnmap
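The differential analysis above can also be done directly on the XML output, which is what downstream tooling usually consumes. The following is an added example, not Nmap's own code or part of this guide: it parses the host, status, address and port elements Nmap writes with -oX/-oA and reports hosts and open ports that changed between two scans; the two XML documents are constructed sample data in the shape of Nmap's output.

```python
# Added example (not Nmap's own code): differential analysis of two Nmap XML inventories.
import xml.etree.ElementTree as ET
def parse_inventory(xml_text):
    """Map ipv4 -> {(proto, port): service} of open ports, for hosts Nmap reported up."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # the inventory tracks live assets only
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        if "ipv4" not in addrs:
            continue
        ports = {}
        for port in host.iter("port"):  # <port> children of <ports>; <extraports> is skipped
            state, svc = port.find("state"), port.find("service")
            if state is not None and state.get("state") == "open":
                key = (port.get("protocol"), int(port.get("portid")))
                ports[key] = svc.get("name", "?") if svc is not None else "?"
        hosts[addrs["ipv4"]] = ports
    return hosts

def diff_inventories(old, new):
    """Report hosts that appeared or vanished and open ports that changed on hosts seen in both."""
    changes = {}
    for ip in sorted(set(old) & set(new)):
        opened = sorted(set(new[ip]) - set(old[ip]))
        closed = sorted(set(old[ip]) - set(new[ip]))
        if opened or closed:
            changes[ip] = {"opened": opened, "closed": closed}
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new)),
            "ports": changes}

# Constructed sample data in the shape of Nmap -oX output (two consecutive daily scans).
DAY1 = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="192.168.1.1" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="closed"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port></ports></host>
<host><status state="down"/><address addr="192.168.1.99" addrtype="ipv4"/></host></nmaprun>"""
DAY2 = """<nmaprun scanner="nmap"><host><status state="up"/>
<address addr="192.168.1.1" addrtype="ipv4"/><address addr="00:11:22:33:44:55" addrtype="mac"/>
<ports><port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports></host>
<host><status state="up"/><address addr="192.168.1.50" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port></ports></host>
</nmaprun>"""
if __name__ == "__main__":
    print(diff_inventories(parse_inventory(DAY1), parse_inventory(DAY2)))
```

Feed it the .xml files from two daily runs in place of DAY1 and DAY2; a newly opened port or an unexpected new host is the kind of change an inventory review should flag.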
Practical Inventory Scenarios
Initial Discovery
# Discover all subnets
nmap -sn 10.0.0.0/8 --exclude 10.128.0.0/9 -oA enterprise_discovery
Detailed Inventory
# For each active subnet
nmap -A 10.1.0.0/24 10.2.0.0/24 10.3.0.0/24 -oA enterprise_detailed
Specific Device Types
# Network infrastructure (snmp-info probes UDP 161, so scan TCP and UDP together; -sU requires root)
nmap -sV -sS -sU -p T:22,23,80,443,U:161 --script=snmp-info 10.0.0.0/16 -oA network_devices
# Server inventory
nmap -sV -p 22,80,443,3389,5985 10.0.0.0/16 --script=ssh-hostkey,ssl-cert -oA servers
Best Practices for Network Inventory
- Regular scanning: Schedule periodic scans to keep inventory up to date
- Appropriate timing: Use slower timing options during business hours to minimize impact
- Comprehensive documentation: Save scan results in multiple formats for future reference
- Differential analysis: Compare scan results over time to identify changes
- Permission and notification: Always ensure you have permission to scan networks
Next Steps
Now that you understand how to use Nmap for network inventory, you can explore:
- Vulnerability Assessment - Learn how to identify potential security weaknesses
- Firewall Evasion - Discover techniques for bypassing network security controls