
An nmap-related question:


G+_Volkan Paksoy


A few years back I developed myself a script that runs nmap periodically and compares the list of hosts it finds against a pre-defined list I provided.

My idea is to disable DHCP. Make a list of all assigned IPs and MAC addresses so that whenever a new device is detected on the network, it would send me a notification. (The script can be found here: http://volkanpaksoy.com/archive/2014/12/15/simple-ids-with-nmap/)

Nowadays I have in mind revisiting it, adding more shiny features and making it run in a Docker container etc. But first I wanted to check with the KH community if there is a flaw in this approach.

Do you think it would be sufficient to detect intruders? Is there any way to join a network without being detected by nmap?

Any comments & pointers are appreciated.

Thanks.

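One way to implement the comparison the post describes, as an added example that is not the poster's script: it parses nmap's XML output (`nmap -sn -oX -`), here a constructed sample embedded inline, and reports hosts missing from the allowlist as well as known IPs that now answer with a different MAC. The allowlist, the addresses and the function names are assumptions for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sn -oX - 192.168.1.0/24` output (trimmed).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:01" addrtype="mac"/></host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:FF" addrtype="mac"/></host>
  <host><status state="up"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:99" addrtype="mac"/></host>
  <host><status state="down"/>
    <address addr="192.168.1.50" addrtype="ipv4"/></host>
</nmaprun>"""

# Constructed allowlist: the static IP -> MAC assignments maintained by hand.
ALLOWLIST = {
    "192.168.1.1": "AA:BB:CC:00:00:01",
    "192.168.1.20": "AA:BB:CC:00:00:20",
}

def parse_scan(xml_text):
    """Return {ip: mac_or_None} for every host nmap reports as up.
    nmap only reports a MAC when scanning the local subnet as root."""
    found = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()
        if ip:
            found[ip] = mac
    return found

def compare(found, allowlist):
    """Classify findings: IPs not in the allowlist, and known IPs whose MAC differs."""
    unknown = sorted(ip for ip in found if ip not in allowlist)
    mac_changed = sorted(ip for ip, mac in found.items()
                         if ip in allowlist and mac and mac != allowlist[ip])
    return {"unknown": unknown, "mac_changed": mac_changed}

if __name__ == "__main__":
    print(compare(parse_scan(SAMPLE_NMAP_XML), ALLOWLIST))
```

A device that copies both the IP and the MAC of an allowlisted host passes this check unchanged, which is the limitation the replies below point at.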

If a device has an IP address on the same subnet (assuming the same VLAN), nmap will find it. However, a device can exist on the network with just layer 2 connectivity to execute certain types of attacks. For detecting a Wi-Fi thief or someone in your family connecting something they shouldn’t, nmap would be sufficient.


To the last part of 'can a bad actor join a network and not be detected by nmap'...

My thought: simple SOHO router, copied MAC (router WAN) from friendly hardware, friendly placed on subnet, bad actor attaches anything also on subnet... (basic man-in-the-middle)

Packet inspection is required to discern bad actor presence.

