Nmap Alarm – For When the Target Won’t Stay Online

While not the most useful tool, I wanted to share the Nmap alarm that I used on a recent engagement.

Nmap Alarm – Introduction

During an internal engagement, there was one host (actually the only practical target) that was proving a bit problematic.

We knew that we had access to this host, but it would only be online occasionally and seemingly randomly. Note: as I found out later, it was because this was the only workstation at the site, and the user would put it to sleep when he finished.

In this case, I needed to know when I would be able to attack, regardless of what time it was.

Building the Alarm

First, I just threw together a quick wrapper script for nmap that would serve as my alarm.

This script scans the target IP and port every 5 seconds and, once the port is open, prints the “Ring terminal bell” character every second.

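#!/bin/bash
TARGET="<target-ip>"  # placeholder: the target address is not shown in the post
while :; do
    sleep 5
    # -oG - sends grepable output to stdout; "open" means 445 answered
    if [[ $(nmap -p 445 -oG - "$TARGET" | grep -i open) ]]; then
        echo "!!!!!!!!!!!445 is open GO GO GO GO GO GO GO GO GO GO!!!!!!!!!"
        while :; do  # ring the terminal bell once a second until interrupted
            echo -ne "\x07"
            sleep 1
        done
    else
        echo "Nope, still dead."
    fi
done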

While not the prettiest script, this worked out perfectly for my scenario.

Rays-MacBook-Pro:tools doyler$ ./alarm.sh 
Nope, still dead.
Nope, still dead.
Nope, still dead.


!!!!!!!!!!!445 is open GO GO GO GO GO GO GO GO GO GO!!!!!!!!!

Nmap Alarm – Conclusion

The main point of this post wasn’t alarm.sh, but rather an interesting solution to an engagement problem that could happen to anyone.

Note that you will need to restart the alarm script if the host goes offline. My first script doesn’t restart the scanning, but this could be easily added.
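
One way to add the restart behaviour mentioned above, as an added example that is not the author's alarm.sh: it remembers the previous state so the alarm re-arms when the host drops, and it matches the exact open-port field in nmap's grepable output instead of grepping for "open". The function names, the target/port arguments, the file name alarm2.sh and the sample lines are assumptions made for this example.

```bash
#!/bin/bash
# Added example (not the original alarm.sh): an alarm that re-arms itself.
# Function names, arguments and sample lines are assumptions.

# Constructed samples of nmap grepable (-oG -) output.
SAMPLE_OPEN=$(printf 'Host: 192.0.2.10 ()\tPorts: 445/open/tcp//microsoft-ds///')
SAMPLE_FILTERED=$(printf 'Host: 192.0.2.10 ()\tPorts: 445/filtered/tcp//microsoft-ds///')

# Read grepable output on stdin; print "up" only when the Ports field
# lists PORT as open. A bare "grep -i open" would also match a line whose
# hostname happens to contain "open".
port_state() {
    if grep -Eq "Ports: (.*, )?$1/open/"; then echo up; else echo down; fi
}

# Map previous/current state to an action so each change is reported once.
transition() {
    case "$1:$2" in
        down:up) echo alert ;;
        up:down) echo rearm ;;
        *)       echo none ;;
    esac
}

# Poll every 5 seconds; ring the bell once a second while the port is open,
# and go back to waiting when it closes.
watch_port() {
    local target="$1" port="${2:-445}" prev=down cur
    while :; do
        cur=$(nmap -p "$port" -oG - "$target" | port_state "$port")
        case "$(transition "$prev" "$cur")" in
            alert) echo "$(date +%T) $port is open on $target" ;;
            rearm) echo "$(date +%T) $port closed again, waiting" ;;
        esac
        prev=$cur
        if [ "$cur" = up ]; then
            for i in 1 2 3 4 5; do printf '\a'; sleep 1; done
        else
            sleep 5
        fi
    done
}

# Usage (hypothetical file name): ./alarm2.sh TARGET [PORT]
if [ "$#" -ge 1 ]; then watch_port "$@"; fi
```
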

Hopefully this will at least lead you to more creative solutions for weird pentesting problems!

If there is any interest, then I can put this script on my GitHub and make occasional updates. Alternatively, I could add this as a feature to my Python Port Scanner.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
