Nmap Alarm – For When the Target Won’t Stay Online

While not the most useful tool, I wanted to share the Nmap alarm that I used on a recent engagement.

Nmap Alarm - Introduction

During an internal engagement, there was one host (actually the only practical target) that was proving a bit problematic.

We knew that we had access to this host, but it would only be online occasionally and seemingly randomly. Note: as I found out later, it was because this was the only workstation at the site, and the user would put it to sleep when he finished.

In this case, I needed to know when I would be able to attack, regardless of what time it was.

Building the Alarm

First, I just threw together a quick wrapper script for nmap that would serve as my alarm.

This script just scans the target IP and port every 5 seconds, and then print the "Ring terminal bell" character every one second.

while :
    sleep 5
    if [[ $(nmap -p 445 -oG - | grep -i open) ]]; then
        echo "!!!!!!!!!!!445 is open GO GO GO GO GO GO GO GO GO GO!!!!!!!!!"
        while :
          echo -ne "\x07"
          sleep 1
        echo "Nope, still dead."

While not the prettiest script, this worked out perfectly for my scenario.

Rays-MacBook-Pro:tools doyler$ ./alarm.sh 
Nope, still dead.
Nope, still dead.
Nope, still dead.


!!!!!!!!!!!445 is open GO GO GO GO GO GO GO GO GO GO!!!!!!!!!

Nmap Alarm - Conclusion

The main point of this post wasn't alarm.sh, but rather an interesting solution to an engagement problem that could happen to anyone.

Note that you will need to restart the alarm script if the host goes offline. My first script doesn't restart the scanning, but this could be easily added.

Hopefully this will at least lead you to more create solutions for weird pentesting problems!

If there is any interest, then I can put this script on my GitHub and make occasional updates. Alternatively, I could add this as a feature to my Python Port Scanner.

doyler on Githubdoyler on Twitter
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.

As an Amazon Associate I earn from qualifying purchases.

Common passed on this blog, I made it to a jam.

Leave a Comment

Filed under Security Not Included

Leave a Reply

Your email address will not be published. Required fields are marked *

ERROR: si-captcha.php plugin: GD image support not detected in PHP!

Contact your web host and ask them to enable GD image support for PHP.

ERROR: si-captcha.php plugin: imagepng function not detected in PHP!

Contact your web host and ask them to enable imagepng for PHP.

This site uses Akismet to reduce spam. Learn how your comment data is processed.