Nmap Alarm – For When the Target Won’t Stay Online

While not the most useful tool, I wanted to share the Nmap alarm that I used on a recent engagement.

Nmap Alarm – Introduction

During an internal engagement, there was one host (actually the only practical target) that was proving a bit problematic.

We knew that we had access to this host, but it would only be online occasionally and seemingly randomly. Note: as I found out later, it was because this was the only workstation at the site, and the user would put it to sleep when he finished.

In this case, I needed to know when I would be able to attack, regardless of what time it was.

Building the Alarm

First, I just threw together a quick wrapper script for nmap that would serve as my alarm.

This script scans the target IP and port every 5 seconds and, once the port is open, prints the “Ring terminal bell” character once every second.

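#!/bin/bash
# Poll the target until TCP 445 shows as open, then ring the terminal bell.
while :
do
    sleep 5
    # -oG - writes grepable output to stdout; grep -q only sets the exit status.
    if nmap -p 445 192.168.10.72 -oG - | grep -qi open; then
        echo "!!!!!!!!!!!445 is open GO GO GO GO GO GO GO GO GO GO!!!!!!!!!"
        # Ring the bell (\x07) once a second until interrupted with Ctrl-C.
        while :
        do
          echo -ne "\x07"
          sleep 1
        done
    else
        echo "Nope, still dead."
    fi
done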

While not the prettiest script, this worked out perfectly for my scenario.

Rays-MacBook-Pro:tools doyler$ ./alarm.sh 
Nope, still dead.
Nope, still dead.
Nope, still dead.

...

!!!!!!!!!!!445 is open GO GO GO GO GO GO GO GO GO GO!!!!!!!!!
^C

Nmap Alarm – Conclusion

The main point of this post wasn’t alarm.sh, but rather an interesting solution to an engagement problem that could happen to anyone.

Note that you will need to restart the alarm script if the host goes offline. My first script doesn’t restart the scanning, but this could be easily added.
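
One way to add the restart mentioned above, as an added example that is not the author's script: the loop keeps scanning after the port opens and re-arms once the host has missed several scans in a row. The names is_open, probe, alarm_loop, INTERVAL and DOWN_AFTER are assumptions made for this sketch; the target, port and nmap invocation are the ones from the post.

```bash
#!/bin/bash
# Added example: alarm.sh variant that re-arms after the host goes offline.
# TARGET/PORT defaults are the values from the post; other names are assumptions.
TARGET="${1:-192.168.10.72}"
PORT="${2:-445}"
INTERVAL="${INTERVAL:-5}"      # seconds between scans, as in the original
DOWN_AFTER="${DOWN_AFTER:-2}"  # consecutive failed scans before re-arming (assumed)

# is_open PORT: reads nmap grepable (-oG) output on stdin, succeeds if PORT is open.
# The leading whitespace in the pattern keeps port 1445 from matching 445.
is_open() { grep -q "[[:space:]]$1/open/"; }

# probe: one scan of the target, same nmap invocation as the original script.
probe() { nmap -p "$PORT" "$TARGET" -oG - 2>/dev/null | is_open "$PORT"; }

# alarm_loop PROBE_CMD [MAX_SCANS]: prints UP/DOWN on state changes (stdout) and
# rings the bell (stderr) on every successful scan. MAX_SCANS=0 means forever.
alarm_loop() {
    local probe_cmd="$1" max="${2:-0}" state=down misses=0 n=0
    while [ "$max" -eq 0 ] || [ "$n" -lt "$max" ]; do
        n=$((n + 1))
        if "$probe_cmd"; then
            misses=0
            if [ "$state" = down ]; then state=up; echo "UP"; fi
            printf '\a' >&2
        elif [ "$state" = up ]; then
            misses=$((misses + 1))
            # One dropped scan does not silence the alarm; DOWN_AFTER in a row does.
            if [ "$misses" -ge "$DOWN_AFTER" ]; then
                state=down; misses=0; echo "DOWN"
            fi
        fi
        sleep "$INTERVAL"
    done
}

# Run only when a target is given, e.g.: ./alarm.sh 192.168.10.72 445
if [ "$#" -gt 0 ]; then alarm_loop probe; fi
```

Because the bell only rings on a successful scan, it stops on its own when the workstation goes back to sleep and starts again the next time the port answers.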

Hopefully this will at least lead you to more creative solutions for weird pentesting problems!

If there is any interest, then I can put this script on my GitHub and make occasional updates. Alternatively, I could add this as a feature to my Python Port Scanner.
