Asset scanning with nmap and ndiff

Jack Wallen
Oct 22, 2009
Updated • Feb 13, 2018
Network
|
4

If you are in a small business or a larger enterprise you know you need to keep track of all those machines. Sure you could easily tag and record them as they go from the box to the desk, but that doesn't always happen. And the larger the company the more likely something is able to get by you without you getting a complete record of the system. If that is the case you need some tool to help you ascertain what you have out there. Add to that the idea that we are more and more living in a homogeneous IT world, where more than one operating system might be living on your network.

Having a tool that can quickly, and regularly, take snapshots of your network landscape is critical to keeping tabs on your PCs. Of course you can shell out some budget dollars for a proprietary tool, but why bother when you can fire up a Linux machine and use the trusty Nmap tool for the job.

Nmap is a command line tool that rapidly scans a network gathering information about machines and ports. It is easy to use and flexible, making it perfect for the job of asset scanning. In this tutorial you will see how to set up a system that will regularly scan your network and create a report that can then be used to keep inventory of your networked machines.

Installing

Before we get to the actual scanning we need to install a couple of applications. Since I am using a Ubuntu system, we'll run the installation using apt-get. With some simple modifications, you can do the same on a fedora system. The two applications to install are: nmap and ndiff. We use ndiff to compare the results of scans. To install these applications open up a terminal window and issue the following command:

sudo apt-get install nmap ndiff

You will have to accept dependencies, at which point the two applications will install. Upon completion of the installation, you are ready to scan.

Using nmap

Nmap is actually a fairly powerful tool. If you issue the command man nmap you will see just how powerful this tool is. You can also see how many arguments you can use with Nmap as well as what each argument does. Fortunately I will show you a simple command you can issue to make this a bit easier.

I am going to illustrate how these tools work together by running an nmap scan on a small internal network. I will then scan the network after making a change to one machine and see if ndiff catches the change.

The command for the scan is:

sudo nmap -n -PN 192.168.1.1/24 -O > network_scan

I will then run that same scan after making the change with one alteration:

sudo nmap -n -PN 192.168.1.1/24 -O > network2_scan

The above commands will output to the files network_scan, and network2_scan.

Once you have the two files you will compare them using the ndiff command like so:

ndiff -b network_scan -o network2_scan

The two options used are:

  • b - Baseline.
  • o - Observed.

You can think of Baseline as your control group.

Figure 1
Figure 1

The results of the command are shown in Figure 1.

The results show exactly what occurred in my network change. I shut down the machine associated with IP address 192.168.1.37.

Of course you could also get a much clearer picture of your network by combing through the results of the initial scan, but if you are looking for how your network topography has changed from scan to scan, using ndiff is the best way.

To see the full usage of both nmap and ndiff, take a look at the man pages. I will warn you, they are fairly complex. But this tutorial should give you a solid understanding of how the basics of the tools work.

Summary
Asset scanning with nmap and ndiff
Article Name
Asset scanning with nmap and ndiff
Description
Having a tool that can quickly, and regularly, take snapshots of your network landscape is critical to keeping tabs on your PCs. Of course you can shell out some budget dollars for a proprietary tool, but why bother when you can fire up a Linux machine and use the trusty Nmap tool for the job.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. mqqol said on March 21, 2010 at 10:36 pm
    Reply

    Hi,

    I found your article useful: it’s simple, effective and quick.
    I found another solution, if integrated with OSSEC, if you have it:
    http://www.ossec.net/wiki/Know_How:Nmap

    Regards

  2. Patrick said on October 28, 2009 at 6:11 pm
    Reply

    Excellent article.
    As a former Network Admin for a school, I know how valuable this tutorial is.

    just one thing though, shouldn’t it be heterogeneous not homogeneous?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.