Network Scanning
Network scanning is the foundation of infrastructure discovery in NopeSight. Using multiple protocols and intelligent scanning techniques, the platform automatically discovers devices, maps network topology, and identifies services running across your network.
Scanning Protocols
🔌 WMI (Windows Management Instrumentation)
Overview
WMI provides deep Windows system information through a standardized interface. It's the primary protocol for discovering Windows servers and workstations.
Collected Information
Hardware:
- CPU specifications and utilization
- Memory configuration and usage
- Disk drives and partitions
- Network adapters and configuration
- BIOS/UEFI information
Software:
- Installed applications
- Windows features and roles
- Running services and processes
- Windows updates and patches
- Registry information
System:
- Event logs
- Performance counters
- User accounts
- Scheduled tasks
- Firewall rules
Configuration Requirements
```powershell
# Enable WMI on target systems
# Enable-PSRemoting configures WinRM (used for PowerShell-based collection);
# classic WMI itself runs over DCOM/RPC on the ports listed below.
Enable-PSRemoting -Force
# TrustedHosts "*" makes this machine trust every host for WinRM client
# connections; scope it to the discovery server's address where possible.
Set-Item wsman:\localhost\client\trustedhosts * -Force
Enable-NetFirewallRule -DisplayName "Windows Management Instrumentation (WMI-In)"
```
Required ports:
- TCP 135 (RPC Endpoint Mapper)
- Dynamic RPC ports (49152-65535)
🐧 SSH (Secure Shell)
Overview
SSH enables secure discovery of Linux, Unix, and network devices. It provides command-line access for comprehensive system interrogation.
Collected Information
System Information:
- OS version and kernel
- Hardware details (dmidecode)
- CPU and memory info
- Network configuration
- Disk and filesystem data
Software Inventory:
- Package manager listings
- Running processes
- System services
- Configuration files
- Installed libraries
Performance Data:
- Resource utilization
- Network statistics
- Disk I/O metrics
- System load averages
Best Practices
```bash
# Create dedicated discovery user
sudo useradd -m -s /bin/bash discovery_user
# Do not add the user to the sudo group: that grants unrestricted sudo and
# defeats the command-scoped rule below (least privilege).
# sudo usermod -aG sudo discovery_user

# Configure sudoers for specific commands. A plain ">>" redirect runs as the
# unprivileged shell and fails on /etc/sudoers.d, so write the file via tee,
# set the mode sudo expects, and validate the syntax before relying on it.
echo "discovery_user ALL=(ALL) NOPASSWD: /usr/sbin/dmidecode, /bin/netstat, /sbin/ip" \
  | sudo tee /etc/sudoers.d/discovery > /dev/null
sudo chmod 0440 /etc/sudoers.d/discovery
sudo visudo -cf /etc/sudoers.d/discovery

# Use SSH keys for authentication
ssh-keygen -t rsa -b 4096 -f discovery_key
ssh-copy-id -i discovery_key.pub discovery_user@target_host
```
📡 SNMP (Simple Network Management Protocol)
Version Support
- SNMPv1: Basic, community-based (not recommended)
- SNMPv2c: Community-based with improvements
- SNMPv3: Secure with authentication and encryption
Common OIDs Collected
System Information:
- sysDescr (1.3.6.1.2.1.1.1): System description
- sysObjectID (1.3.6.1.2.1.1.2): Device type
- sysUpTime (1.3.6.1.2.1.1.3): Uptime
- sysContact (1.3.6.1.2.1.1.4): Contact info
- sysName (1.3.6.1.2.1.1.5): Hostname
- sysLocation (1.3.6.1.2.1.1.6): Physical location
Interface Data:
- ifTable (1.3.6.1.2.1.2.2): Network interfaces
- ifSpeed: Interface speeds
- ifOperStatus: Operational status
- ifInOctets/ifOutOctets: Traffic counters
Device-Specific:
- Cisco MIBs for Cisco devices
- HP MIBs for HP equipment
- Vendor-specific extensions
SNMPv3 Configuration
```bash
# Configure SNMPv3 user
# snmpusm syntax: snmpusm [options] AGENT create NEWUSER [CLONEFROM-USER]
# The -u/-A/-X credentials authenticate an existing SNMPv3 user with write
# access (admin_user and template_user are placeholder names); the new user
# is cloned from the template and its keys should then be changed with
# "snmpusm ... passwd".
snmpusm -v 3 -u admin_user -l authPriv \
        -a SHA -A "auth_password" \
        -x AES -X "priv_password" \
        target_device create discovery_user template_user
```
Scanning Techniques
IP Range Scanning
Subnet Discovery
Scanning Strategy:
Small Networks (/24 - /22):
- Full range scan
- All ports checked
- Deep discovery
Medium Networks (/21 - /16):
- Intelligent sampling
- Common ports only
- Parallel execution
Large Networks (/15 and larger):
- Segmented scanning
- Priority targeting
- Scheduled phases
Smart Scanning Algorithm
Port Scanning Strategies
Common Service Ports
Web Services:
- 80 (HTTP)
- 443 (HTTPS)
- 8080, 8443 (Alternative)
Database Services:
- 1433 (SQL Server)
- 3306 (MySQL)
- 5432 (PostgreSQL)
- 1521 (Oracle)
- 27017 (MongoDB)
Infrastructure:
- 22 (SSH)
- 23 (Telnet)
- 161 (SNMP)
- 3389 (RDP)
- 5985 (WinRM)
Application Services:
- 25 (SMTP)
- 110 (POP3)
- 143 (IMAP)
- 389 (LDAP)
- 636 (LDAPS)
Scanning Profiles
```json
{
  "quick_scan": {
    "ports": [22, 80, 443, 3389],
    "timeout": 1000,
    "retries": 1
  },
  "standard_scan": {
    "ports": "top_100_common",
    "timeout": 2000,
    "retries": 2
  },
  "deep_scan": {
    "ports": "1-65535",
    "timeout": 3000,
    "retries": 3,
    "service_detection": true
  }
}
```
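The profile format above mixes three kinds of `"ports"` value (an explicit list, a named alias, and a range string), so a loader has to normalise and validate them before a scan starts. The following is an added example, not NopeSight's own code: it parses the page's three profiles, expands each port specification, rejects invalid values at load time, and computes the worst-case duration of a profile so a scan window can be sized. The members of `top_100_common` are not given on the page; the list here is a constructed stand-in, and `timeout` is assumed to be in milliseconds.

```python
import json
import re

# The page's three scanning profiles, copied here as the input to parse.
SCAN_PROFILES = json.loads("""
{
  "quick_scan":    {"ports": [22, 80, 443, 3389], "timeout": 1000, "retries": 1},
  "standard_scan": {"ports": "top_100_common", "timeout": 2000, "retries": 2},
  "deep_scan":     {"ports": "1-65535", "timeout": 3000, "retries": 3, "service_detection": true}
}
""")

# Constructed stand-in for the "top_100_common" alias: the page names the alias
# but not its members, so this list is an assumption drawn from the page's own
# "Common Service Ports" section.
PORT_ALIASES = {
    "top_100_common": [22, 23, 25, 80, 110, 143, 161, 389, 443, 636, 1433, 1521,
                       3306, 3389, 5432, 5985, 8080, 8443, 27017],
}


def expand_ports(spec):
    """Expand a profile's "ports" value into a sorted list of unique ports.

    Accepts a list of ints, an alias name, or a comma-separated string of
    ports and ranges such as "1-65535" or "22,80,8000-8100". Raises
    ValueError on anything invalid so a bad profile fails at load time
    rather than halfway through a scan.
    """
    if isinstance(spec, list):
        ports = set(spec)
    elif isinstance(spec, str) and spec in PORT_ALIASES:
        ports = set(PORT_ALIASES[spec])
    elif isinstance(spec, str):
        ports = set()
        for part in spec.split(","):
            part = part.strip()
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
            if not m:
                raise ValueError(f"bad port spec element: {part!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if lo > hi:
                raise ValueError(f"descending range: {part!r}")
            ports.update(range(lo, hi + 1))
    else:
        raise ValueError(f"unsupported ports value: {spec!r}")
    for p in ports:
        if not isinstance(p, int) or not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p!r}")
    return sorted(ports)


def load_profile(profiles, name):
    """Return a normalised profile: expanded ports, validated timeout/retries."""
    raw = profiles[name]
    timeout_ms = int(raw["timeout"])          # assumption: timeout is in milliseconds
    retries = int(raw.get("retries", 0))
    if timeout_ms <= 0 or retries < 0:
        raise ValueError("timeout must be positive and retries non-negative")
    return {
        "name": name,
        "ports": expand_ports(raw["ports"]),
        "timeout_s": timeout_ms / 1000.0,
        "retries": retries,
        "service_detection": bool(raw.get("service_detection", False)),
    }


def worst_case_seconds(profile, host_count):
    """Upper bound on sequential scan time: every port times out on every attempt.
    Useful for sizing a scan window before launching a deep scan."""
    attempts = 1 + profile["retries"]
    return len(profile["ports"]) * attempts * profile["timeout_s"] * host_count


if __name__ == "__main__":
    for name in SCAN_PROFILES:
        p = load_profile(SCAN_PROFILES, name)
        print(f"{name}: {len(p['ports'])} ports, worst case per host "
              f"{worst_case_seconds(p, 1):.0f}s")
```

Running it shows why `deep_scan` needs the parallelism discussed later on this page: 65535 ports times four attempts times three seconds is over nine days per host if scanned sequentially.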
Service Detection
Banner Grabbing
```python
import socket


def grab_banner(ip, port, timeout=3.0):
    """Connect and return the first bytes the service sends (plaintext only;
    TLS ports such as 443 need a TLS handshake first). HTTP servers do not
    speak first, so a minimal request is sent on common plaintext web ports."""
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            if port in (80, 8080):
                sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            return sock.recv(1024).decode("utf-8", errors="replace")
    except OSError:
        return ""


# Example service identification
def identify_service(ip, port):
    # Ordered most specific first: "Microsoft-IIS" must be tested before the
    # generic "HTTP/" or every web server would be reported as "Web Server".
    banners = {
        "SSH-": "SSH Server",
        "Microsoft-IIS": "IIS Web Server",
        "Apache": "Apache Web Server",
        "nginx": "Nginx Web Server",
        "HTTP/": "Web Server",
        "220 ": "SMTP Server",  # FTP also greets with 220; confirm with the port
    }
    # Connect and read banner
    banner = grab_banner(ip, port)
    for signature, service in banners.items():
        if signature in banner:
            return service
    return "Unknown Service"
```
AI-Enhanced Detection
Traditional Detection:
- Port 1433 open → SQL Server
- Basic identification
AI Detection:
- Port 1433 open
- Banner analysis
- Response patterns
- Behavioral analysis
→ SQL Server 2019 Enterprise Edition
→ Clustered instance "PROD-SQL-01"
→ Part of AlwaysOn Availability Group
Discovery Optimization
Performance Tuning
Parallel Scanning
Configuration:
Concurrent Threads: 50
Timeout per Host: 5 seconds
Retry Attempts: 2
Queue Size: 1000
Performance Metrics:
Hosts/Minute: 600
Network Usage: < 10 Mbps
CPU Usage: < 30%
Memory: < 2GB
Adaptive Throttling
Dynamic scan rate adjustment:
```json
{
  "throttling_rules": {
    "network_congestion": {
      "threshold": "80%",
      "action": "reduce_threads",
      "factor": 0.5
    },
    "target_overload": {
      "indicator": "timeouts > 20%",
      "action": "increase_timeout",
      "adjustment": "+50%"
    },
    "business_hours": {
      "schedule": "09:00-17:00",
      "max_threads": 25,
      "priority": "critical_only"
    }
  }
}
```
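The rules above are declarative; what a scanner does with them is a control loop that reads the current metrics and adjusts thread count, timeout and priority. The following is an added example, not NopeSight's own implementation: it evaluates the page's three rules against one metrics sample and returns the adjusted scanner state together with the rules that fired. The metrics shape (`congestion` and `timeout_rate` as fractions) is an assumption. The window check is written generally, so it also handles overnight windows such as the "19:00-07:00" workstation window in the scheduling section further down.

```python
from datetime import time

# The page's throttling rules, transcribed as a Python dict; thresholds and
# field names are the page's own.
THROTTLING_RULES = {
    "network_congestion": {"threshold": "80%", "action": "reduce_threads", "factor": 0.5},
    "target_overload": {"indicator": "timeouts > 20%", "action": "increase_timeout",
                        "adjustment": "+50%"},
    "business_hours": {"schedule": "09:00-17:00", "max_threads": 25,
                       "priority": "critical_only"},
}


def _pct(text):
    """'80%' -> 0.8, '+50%' -> 0.5, ' 20%' -> 0.2."""
    return float(text.strip().rstrip("%")) / 100.0


def _parse_hhmm(text):
    hours, minutes = (int(x) for x in text.strip().split(":"))
    return time(hours, minutes)


def in_window(now, spec):
    """True if clock time `now` lies in "HH:MM-HH:MM" (end exclusive).
    Windows that cross midnight, e.g. "19:00-07:00", are handled."""
    start, end = (_parse_hhmm(p) for p in spec.split("-"))
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def adjust(state, metrics, now, rules=THROTTLING_RULES):
    """Apply the throttling rules to one metrics sample.

    state:   {"threads": int, "timeout_s": float, "priority": str}
    metrics: {"congestion": 0.0-1.0, "timeout_rate": 0.0-1.0}  (assumed shape)
    Returns (new_state, list_of_rules_applied). The input state is not mutated.
    """
    new = dict(state)
    applied = []

    congestion = rules["network_congestion"]
    if metrics["congestion"] >= _pct(congestion["threshold"]):
        new["threads"] = max(1, int(new["threads"] * congestion["factor"]))
        applied.append("network_congestion")

    overload = rules["target_overload"]
    # The indicator is a string like "timeouts > 20%"; take the number after ">".
    limit = _pct(overload["indicator"].split(">")[1])
    if metrics["timeout_rate"] > limit:
        new["timeout_s"] = round(new["timeout_s"] * (1 + _pct(overload["adjustment"])), 3)
        applied.append("target_overload")

    hours = rules["business_hours"]
    if in_window(now, hours["schedule"]):
        new["threads"] = min(new["threads"], hours["max_threads"])
        new["priority"] = hours["priority"]
        applied.append("business_hours")

    return new, applied


if __name__ == "__main__":
    baseline = {"threads": 50, "timeout_s": 5.0, "priority": "normal"}
    sample = {"congestion": 0.85, "timeout_rate": 0.25}   # constructed sample
    print(adjust(baseline, sample, time(12, 0)))
```

The page does not say how the scanner recovers once congestion clears, so the example leaves threads and timeouts where the rules put them; a production loop would also need a step that moves the state back toward its baseline when no rule fires.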
Intelligent Scheduling
Time-Based Discovery
Production Servers:
Schedule: "Every 4 hours"
Window: "Any time"
Priority: "High"
Method: "Agent-based"
User Workstations:
Schedule: "Daily"
Window: "19:00-07:00"
Priority: "Medium"
Method: "Agentless"
Network Devices:
Schedule: "Every 2 hours"
Window: "Any time"
Priority: "High"
Method: "SNMP"
Development/Test:
Schedule: "Weekly"
Window: "Weekend"
Priority: "Low"
Method: "Mixed"
Advanced Techniques
Topology Mapping
Layer 2 Discovery
Techniques:
- CDP (Cisco Discovery Protocol)
- LLDP (Link Layer Discovery Protocol)
- STP (Spanning Tree Protocol)
- ARP table analysis
- MAC address tables
Generated Data:
- Physical connections
- VLAN assignments
- Switch port mappings
- Network segments
- Redundancy paths
Layer 3 Discovery
Techniques:
- Routing table analysis
- OSPF/BGP neighbor discovery
- Traceroute mapping
- Next-hop analysis
- Subnet identification
Generated Data:
- Logical network paths
- Router relationships
- Network boundaries
- Default gateways
- Route redundancy
Cloud Discovery
AWS Integration
```python
import boto3


# Discover AWS resources
def discover_aws_resources(session=None):
    """Enumerate EC2 instances, VPCs and security groups in every enabled region.
    Only ec2:Describe* permissions are needed; use a dedicated read-only role."""
    session = session or boto3.Session()
    ec2 = session.client("ec2")
    regions = ec2.describe_regions()
    for region in regions["RegionName" and "Regions"]:
        name = region["RegionName"]
        ec2_regional = session.client("ec2", region_name=name)
        # Discover EC2 instances (paginated: large accounts exceed one page)
        instances = [r for page in ec2_regional.get_paginator("describe_instances").paginate()
                     for r in page["Reservations"]]
        # Discover VPCs
        vpcs = ec2_regional.describe_vpcs()["Vpcs"]
        # Discover security groups
        security_groups = ec2_regional.describe_security_groups()["SecurityGroups"]
        # Process and store in CMDB
        process_aws_resources(name, instances, vpcs, security_groups)


def process_aws_resources(region, reservations, vpcs, security_groups):
    """CMDB hook; NopeSight's storage step is not shown on this page."""
    raise NotImplementedError("store the discovered resources in the CMDB")
```
Azure Discovery
Resource Types:
- Virtual Machines
- Virtual Networks
- Storage Accounts
- SQL Databases
- App Services
- Load Balancers
API Endpoints:
- management.azure.com
- Resource Graph queries
- Metadata service
- Tag information
Security Considerations
Credential Management
Secure Storage
Credential Vault:
Encryption: AES-256
Key Management: HSM-backed
Access Control: Role-based
Audit Logging: All access
Rotation: Automated
Best Practices:
- Use read-only credentials
- Implement least privilege
- Regular rotation schedule
- Monitor usage patterns
- Alert on anomalies
Network Impact
Minimizing Disruption
Scan Impact Mitigation:
Rate Limiting:
- Max 100 connections/second
- Per-host limit: 5 concurrent
- Backoff on failure
IDS/IPS Friendly:
- Slow scan option
- Whitelisting support
- Signature avoidance
- Official scan windows
Resource Protection:
- CPU threshold monitoring
- Memory limit checks
- Connection pooling
- Graceful degradation
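The three rate-limiting figures above (100 connections per second overall, 5 concurrent connections per host, backoff on failure) are enforced in different places: a global token bucket, a per-host counter, and a per-host backoff timer. The following is an added example, not NopeSight's code: a limiter that combines all three, with the clock and sleep function injectable so the behaviour can be checked without real waiting. `FakeClock` and the backoff constants (1 s doubling to a 60 s cap) are assumptions for the demonstration.

```python
import threading
import time
from collections import defaultdict


class FakeClock:
    """Deterministic clock for demos/tests: sleep() advances time instead of waiting."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class ScanRateLimiter:
    """Global connections/second budget (token bucket), per-host concurrency cap,
    and exponential backoff for hosts whose connections keep failing."""

    def __init__(self, conn_per_sec=100, per_host=5, base_backoff=1.0, max_backoff=60.0,
                 clock=time.monotonic, sleep=time.sleep):
        self.rate = float(conn_per_sec)
        self.capacity = float(conn_per_sec)
        self.tokens = float(conn_per_sec)
        self.clock, self.sleep = clock, sleep
        self.last = clock()
        self.per_host = per_host
        self.base_backoff, self.max_backoff = base_backoff, max_backoff
        self.active = defaultdict(int)     # host -> in-flight connections
        self.failures = defaultdict(int)   # host -> consecutive failures
        self.not_before = {}               # host -> earliest allowed next attempt
        self.lock = threading.Lock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self, host):
        """Block until one more connection to `host` is allowed.
        Returns the total time waited in seconds. Call release() afterwards."""
        waited = 0.0
        while True:
            with self.lock:
                self._refill()
                now = self.clock()
                if self.active[host] >= self.per_host:
                    delay = 0.01                       # wait for another thread's release()
                elif now < self.not_before.get(host, 0.0):
                    delay = self.not_before[host] - now  # host is in backoff
                elif self.tokens < 1.0:
                    delay = (1.0 - self.tokens) / self.rate  # global budget exhausted
                else:
                    self.tokens -= 1.0
                    self.active[host] += 1
                    return waited
            self.sleep(delay)
            waited += delay

    def release(self, host, ok):
        """Record the outcome: success clears the host's backoff, failure doubles it."""
        with self.lock:
            self.active[host] -= 1
            if ok:
                self.failures[host] = 0
                self.not_before.pop(host, None)
            else:
                self.failures[host] += 1
                backoff = min(self.max_backoff,
                              self.base_backoff * 2 ** (self.failures[host] - 1))
                self.not_before[host] = self.clock() + backoff

    def backoff_for(self, host):
        """Seconds until `host` may be contacted again (0 if not backing off)."""
        return max(0.0, self.not_before.get(host, 0.0) - self.clock())


if __name__ == "__main__":
    clk = FakeClock()
    limiter = ScanRateLimiter(clock=clk.now, sleep=clk.sleep)
    waits = [limiter.acquire(f"host{i}") for i in range(101)]
    print("wait for the 101st connection in the same second:", waits[-1])
```

Because the per-host cap is only released by `release()`, a single thread must not hold all five slots for one host and then call `acquire()` again; in the scanner the slots are released by the worker threads that finish each connection.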
Troubleshooting
Common Issues
No Response from Target
Possible Causes:
1. Firewall blocking
2. Service disabled
3. Network unreachable
4. Incorrect credentials
Resolution Steps:
1. Test network connectivity (ping)
2. Verify port access (telnet/nc)
3. Check firewall logs
4. Validate credentials
5. Review service status
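Steps 1 and 2 of the resolution list produce a socket error whose type already distinguishes most of the possible causes. The following is an added example, not part of NopeSight: a classifier that maps the error from a TCP connect attempt onto the causes listed above and the step to take next. Credential problems occur after the transport connects and are out of scope for this check.

```python
import errno
import socket


def classify_probe_failure(exc):
    """Map a connect() error onto a likely cause and the matching resolution step."""
    if isinstance(exc, socket.timeout):
        return ("Firewall blocking or host silently dropping packets",
                "check firewall logs on the path and on the target")
    if isinstance(exc, socket.gaierror):
        return ("Name resolution failed", "verify DNS and the configured hostname")
    if isinstance(exc, OSError):
        if exc.errno == errno.ECONNREFUSED:
            return ("Service disabled or not listening on this port",
                    "review service status on the target")
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return ("Network unreachable", "test connectivity (ping/traceroute) and routing")
    return ("Unknown", "record the error and check target-side logs")


def probe_port(host, port, timeout=3.0):
    """Step 2 of the resolution list: verify port access and explain a failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return ("open", None)
    except OSError as exc:
        cause, step = classify_probe_failure(exc)
        return ("failed", f"{cause}; next: {step}")


if __name__ == "__main__":
    # Constructed target: a host and port of your own choosing.
    print(probe_port("127.0.0.1", 22))
```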
Incomplete Discovery
Symptoms:
- Partial data collection
- Missing attributes
- Timeout errors
Solutions:
- Increase timeout values
- Use alternative protocols
- Deploy discovery agent
- Check resource constraints
- Review permissions
Performance Issues
Slow Scanning
Diagnosis:
- Monitor scan queue depth
- Check network utilization
- Review thread count
- Analyze timeout rates
Optimization:
- Increase parallel threads
- Optimize timeout values
- Use caching for repeat scans
- Implement scan priorities
- Segment large networks
Best Practices
1. Planning
- ✅ Document network topology
- ✅ Identify scan windows
- ✅ Prepare credentials
- ✅ Notify stakeholders
2. Implementation
- ✅ Start with small segments
- ✅ Monitor scan impact
- ✅ Validate discovered data
- ✅ Adjust parameters as needed
3. Maintenance
- ✅ Regular credential updates
- ✅ Performance monitoring
- ✅ Coverage analysis
- ✅ Security reviews
Next Steps
- 📖 Agent Deployment - Installing discovery agents
- 📖 Credential Management - Secure credential handling
- 📖 Discovery Patterns - Custom discovery rules