How to discover devices from PAM

Document ID : KB000110008
Last Modified Date : 21/08/2018
Introduction:
Customer installed PAM 3.1.1 and tried to discover their target Windows servers through "PAM -> Device -> Discovery".
The servers have TCP port 3389 open, but PAM still cannot discover them.
Environment:
PAM 3.1.1
Instructions:
The TCP ports that must be reachable on the target devices are those of the Access Methods and Services you selected when creating the Device Scan Profile.
PAM does not rely on ping (ICMP echo, as in "ping 172.17.8.4") to determine whether a target device is available, nor on TCP 3389 to recognise a Windows machine.
PAM runs the nmap command with the specific ports defined in the Device Scan Profile, so limiting the Access Methods and Services list reduces the number of probes per host and the time required to scan the target devices.

A sample nmap command as run by PAM would be as below (the network is 172.17.8.0 with mask 255.255.252.0, i.e. a /22).
nmap -T4 -A -oX - -p 22,23,992,443,3389,80,5900 172.17.8.0/22

-T4 : Timing template; tells nmap how aggressively (how fast) to send probes.
-A : Aggressive scan options; enables OS detection, version detection, default script scanning and traceroute. This is why the output below contains <os>, <service> and <trace> elements.
-oX - : Write the report in XML format; the trailing "-" sends it to standard output so the caller can read it from the process output instead of a file.
-p : Probe only the listed ports instead of nmap's default top 1000 ports.

When discovering a specific IP where the target's firewall blocks ping and the Remote Desktop service (TCP 3389) is disabled, the host is still discovered, because nmap recognises an active host from its ARP response. Note that ARP only works when the PAM appliance is on the same Layer 2 segment as the target (the sample below shows <distance value="1"/>); for targets behind a router nmap falls back to ICMP echo and TCP probes to ports 80 and 443 for host discovery, and if a firewall blocks all of those the device is reported as down and is not discovered.

Following is a sample scan of a specific IP whose firewall blocks ping and which has Remote Desktop disabled.
As long as the ARP request (Layer 2, not the TCP or application layer) is answered with a MAC address, nmap reports the target as up.
nmap also does a reverse DNS lookup to retrieve the hostname (the PTR record).
TCP port 3389 gave no response at all, so it is reported as "filtered" rather than "open" or "closed".
The traceroute shows a single hop, i.e. the target is on the same segment as the scanner.

root@pam-02:~# nmap -T4 -A -oX - -p 3389 172.17.8.4
<?xml version="1.0"?>
<!DOCTYPE nmaprun>
<?xml-stylesheet href="file:///usr/bin/../share/nmap/nmap.xsl" type="text/xsl"?>
<!-- Nmap 6.47 scan initiated Thu Aug  9 03:35:28 2018 as: nmap -T4 -A -oX - -p 3389 172.17.8.4 -->
<nmaprun scanner="nmap" args="nmap -T4 -A -oX - -p 3389 172.17.8.4" start="1533785728" startstr="Thu Aug  9 03:35:28 2018" version="6.47" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1" services="3389"/>
<verbose level="0"/>
<debugging level="0"/>
<host starttime="1533785728" endtime="1533785736"><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="172.17.8.4" addrtype="ipv4"/>
<address addr="00:0C:29:1B:E2:93" addrtype="mac" vendor="VMware"/>
<hostnames>
<hostname name="win-04.test.lab" type="PTR"/>
</hostnames>
<ports><port protocol="tcp" portid="3389"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="ms-wbt-server" method="table" conf="3"/></port>
</ports>
<os></os>
<distance value="1"/>
<trace>
<hop ttl="1" ipaddr="172.17.8.4" rtt="0.28" host="win-04.test.lab"/>
</trace>
<times srtt="280" rttvar="5000" to="100000"/>
</host>
<runstats><finished time="1533785736" timestr="Thu Aug  9 03:35:36 2018" elapsed="9.55" summary="Nmap done at Thu Aug  9 03:35:36 2018; 1 IP address (1 host up) scanned in 9.55 seconds" exit="success"/><hosts up="1" down="0" total="1"/>
</runstats>
</nmaprun>
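As an added example (not CA's code and not part of PAM), the following Python reads the XML that nmap writes with "-oX -" and summarises, per host, the same facts the output above is read for: the host-discovery reason, MAC address and vendor, PTR name, and the state of each probed port, then says whether a chosen access method is actually reachable. The sample input embeds the 172.17.8.4 record from the scan above plus a constructed second host whose TCP 3389 answers; the function names and the second host are assumptions made for the example.

```python
"""Parse the XML that "nmap -oX -" writes and summarise, per host, what
PAM discovery sees: why nmap considers the host up, its MAC/vendor and
PTR name, and the state of each probed port.

Example code added to this article; it is not part of CA PAM."""
import xml.etree.ElementTree as ET

# Constructed sample input. The 172.17.8.4 host is copied from the scan
# output above (up by arp-response, TCP 3389 filtered). The 172.17.8.2 host
# is a hypothetical addition showing the opposite case: 3389 answers with a
# SYN/ACK, so the RDP access method is actually reachable.
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE nmaprun>
<nmaprun scanner="nmap" args="nmap -T4 -A -oX - -p 3389 172.17.8.2 172.17.8.4" version="6.47" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1" services="3389"/>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="172.17.8.4" addrtype="ipv4"/>
<address addr="00:0C:29:1B:E2:93" addrtype="mac" vendor="VMware"/>
<hostnames><hostname name="win-04.test.lab" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="3389"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="ms-wbt-server" method="table" conf="3"/></port></ports>
<distance value="1"/>
</host>
<host><status state="up" reason="arp-response" reason_ttl="0"/>
<address addr="172.17.8.2" addrtype="ipv4"/>
<address addr="00:0C:29:AA:BB:CC" addrtype="mac" vendor="VMware"/>
<hostnames><hostname name="win-02.test.lab" type="PTR"/></hostnames>
<ports><port protocol="tcp" portid="3389"><state state="open" reason="syn-ack" reason_ttl="128"/><service name="ms-wbt-server" method="table" conf="3"/></port></ports>
<distance value="1"/>
</host>
<runstats><finished elapsed="9.55" exit="success"/><hosts up="2" down="0" total="2"/></runstats>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return a list of host records, one per <host> element."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.iter("host"):
        status = h.find("status")
        rec = {
            "ip": None, "mac": None, "vendor": None, "hostname": None,
            "state": status.get("state"),      # up / down
            "reason": status.get("reason"),    # arp-response, echo-reply, ...
            "distance": None,                  # hops; 1 = same segment
            "ports": {},                       # port -> (state, reason)
        }
        for a in h.findall("address"):
            if a.get("addrtype") == "ipv4":
                rec["ip"] = a.get("addr")
            elif a.get("addrtype") == "mac":   # only present for ARP-discovered hosts
                rec["mac"] = a.get("addr")
                rec["vendor"] = a.get("vendor")
        hn = h.find("hostnames/hostname")
        if hn is not None:
            rec["hostname"] = hn.get("name")   # reverse DNS (PTR) result
        d = h.find("distance")
        if d is not None:
            rec["distance"] = int(d.get("value"))
        for p in h.findall("ports/port"):
            st = p.find("state")
            rec["ports"][int(p.get("portid"))] = (st.get("state"), st.get("reason"))
        hosts.append(rec)
    return hosts


def classify(rec):
    """Interpret one host record the way the article describes PAM doing it:
    the host state decides whether the device is discovered at all, and an
    open port decides whether a chosen access method is really reachable."""
    discovered = rec["state"] == "up"
    reachable = sorted(port for port, (state, _) in rec["ports"].items() if state == "open")
    if not discovered:
        note = "not discovered: no ARP, ICMP or TCP reply during host discovery"
    elif rec["reason"] == "arp-response":
        note = "discovered via ARP (scanner on the same L2 segment, distance=%s)" % rec["distance"]
    else:
        note = "discovered via %s (routed target, ARP not possible)" % rec["reason"]
    if discovered and not reachable:
        note += "; no profile port is open, so the device is listed but cannot be connected to"
    return {"discovered": discovered, "reachable_ports": reachable, "note": note}


def report(xml_text):
    """Build one summary line per host; returned (not only printed) so it can be checked."""
    lines = []
    for rec in parse_nmap_xml(xml_text):
        c = classify(rec)
        ports = ", ".join("%d/%s(%s)" % (p, s, r) for p, (s, r) in sorted(rec["ports"].items()))
        lines.append("%s %s mac=%s vendor=%s ports=[%s] -> %s"
                     % (rec["ip"], rec["hostname"], rec["mac"], rec["vendor"], ports, c["note"]))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_XML):
        print(line)
```

To use it against a real scan, feed it the output of the same command PAM runs (for example "nmap -T4 -A -oX - -p 3389 172.17.8.4" executed as root on a host in the target segment) and compare the "reason" and port states with what the Device Scan Profile expects: a host that is up by arp-response with every profile port "filtered" is exactly the situation described above, where the device appears in discovery but none of the selected access methods will work.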
To configure Device Discovery, follow the steps below.

The example uses the following subnet (a /22 of 1024 addresses):
172.17.8.0 with mask 255.255.252.0 (or 172.17.8.0/22 in CIDR notation)

There are 4 Windows 2012 R2 servers at the following IP addresses.
172.17.8.1
172.17.8.2
172.17.8.3
172.17.8.4

Create a Device Scan Profile as below.
Anything not defined below are default settings.

[Profile]
Name: Windows 2012 R2 Devices
Default OS: Windows 2012

[Inclusions]
Target IP Addresses: 172.17.8.0/22
                     or, to narrow the scope, 172.17.8.1-20

[Tags]
Tag Name: Windows Server 2012 R2

Then select the "Windows 2012 R2 Devices" profile and click the "Run" button.
You will get the message "Confirmation: PAM-UI-2005: Profile Job submitted".
Check "Device Scan History" and you will find the scan profile name, the time it was run and the summary.
You must wait until the "Status" in "Discovery Jobs" shows "Completed".
If you specified the whole subnet and the job is taking too long to complete, cancel it and narrow down the scope to scan.

The summary shows:
Discovered: 4
New: 4
Not Found: 0

Then navigate to "Discovered Devices" and you will see the 4 servers that were found.

The list shows:
Device Name       OS       Status  Last Discovery Time           Is Managed
win-01.test.lab   Win7     New     2018/08/08 06:49:23 GMT-0000
win-02.test.lab   Win2012  New     2018/08/08 06:49:23 GMT-0000
win-03.test.lab   Vista    New     2018/08/08 06:49:23 GMT-0000
win-04.test.lab   Win2012  New     2018/08/08 06:49:23 GMT-0000

Note that all four machines are Windows Server 2012 R2, but nmap's OS fingerprinting is not always accurate (two of them are reported as Win7 and Vista here).
In that case set the profile's Default OS to Windows 2012; see also the known issue on Windows 2016 not being recognised in Device Discovery, linked below.

When devices are not discovered, the cause is usually that the specified IP range is too large and the job does not complete.
Ensure the IP format and range are entered correctly, that the job status shows "Completed" rather than "Cancelled", and that the ports of the selected Access Methods and Services are reachable from the PAM appliance and not blocked by a firewall between PAM and the targets.
 
Additional Information:
https://www.cyberciti.biz/security/nmap-command-examples-tutorials/
https://docops.ca.com/ca-privileged-access-manager/3-1-1/EN/release-information/known-issues#KnownIssues-Windows2016notrecognizedinDeviceDiscovery(DE346437)
http://www.subnet-calculator.com/subnet.php?net_class=B