Occasional Contributor II

NMAP does not work

I cannot make nmap work in a certain environment. I enabled nmap in cluster settings, enabled profiling in the services and ran a subnet scan. Still no port data in any profiled endpoint.

If I am not missing something in the config, it may be a firewall blocking issue. I will investigate in the FW logs, but I'd also like to know if there are ways to troubleshoot nmap in CPPM. 

The simplest way would have been to run nmap from the Linux CLI on the CPPM server, but the OS shell is not available to mortals who are not TAC.

Occasional Contributor II

Re: NMAP does not work

Update: I managed to make NMAP work - almost. The packet capture was a great help.

The piece which still does not work is NMAP by the Audit server: I enabled Audit and profiler on a service. The endpoint is being profiled after connection, but not with NMAP (no port info). 

Any lead from the distinguished experts? I suspect it is because CPPM does not know which IP to NMAP to.

 

MVP

Re: NMAP does not work

I'm experiencing the same thing (or so I think) - when a device is just a MAC address presented for dot1x/MAC-auth there's nothing for nmap to talk to (it does require an IP address) but further it appears that CPPM only checks SNMP, SSH and WMI listening devices.

I'm trying to scan/identify IoT devices which don't do SNMP, I don't know the SSH credentials (yet) and aren't Windows devices so don't do WMI.

If I'm right, I'm a little disappointed with the nmap implementation.

 

Here's hoping someone who knows more than me about it can set us straight.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Occasional Contributor II

Re: NMAP does not work

I gathered some more insights since I posted the question:

- NMAP (in Audit) will not work until the device is profiled. It makes sense, because only then does it know the IP address of the device.

- You have to have L3 information (ARP) from some source - DHCP, SPAN port, router etc. - for NMAP to work. Again, it makes sense because NMAP is IP based.

- Obviously the firewall needs to allow port scanning.

- Could have been better to have an audit and profiler log per endpoint. I guess the logs are there, but a little bit scattered. 
