Using NMAP and Slack for Notification of Network Changes

Slack is becoming a more common collaboration tool in the workplace, not to mention it’s pretty much the “gold standard” for various tech-based community chat rooms. Because Slack has a built-in notification system, I thought it would be interesting to see if it was possible to leverage it as an alert system for network changes, like new assets appearing on the LAN or other incidents of interest.

Instead of diving head first into cobbling my own solution together, undoubtedly consuming days (if not weeks) of my time, I decided to put my google-fu skills to use and see if anything similar had been done. That is where I came across Jerry Gamblin’s SlackMap bash script on GitHub.

This script is meant to run as a scheduled task on a regular basis. It leverages NMAP to perform a scan with the settings of your choosing and then writes the results to a file. The next time the script is executed, it compares the new results with those of the previous file and sends a notification of the changes to your Slack channel.

It’s a fairly simple process to set this up, it’s just not well documented, so that is what I’ll attempt to accomplish with this post.

The first thing you will need (besides making sure NMAP is installed and that you have a copy of the script found here: https://gist.github.com/jgamblin/7d64a284e5291a444e12c16daebc81e0) is a Slack workspace to use for this project. If you do not have one already, you can create one at https://slack.com/get-started.

If you don’t want your main account to be the one posting notifications to the channel, you will need to create (invite) a secondary one.

Now that you are in your workspace, click the plus icon beside “Channels” to create a new one for the SlackMap notifications to be posted to.

For the script to be able to post to your workspace, it will need an API token for that workspace. The easiest way to generate an API token is by creating an app via https://api.slack.com/apps.

You will need to give your app a name and specify the workspace.

Now that you have the foundation for a Slack app, you need to assign permissions so it has the ability to post to your channels. This is done by clicking on “Permissions” and scrolling down to the “Scopes” section. Once there, add the “files:write:user” scope; the script delivers its results by uploading the scan diff to the channel as a file, which is why it needs a file-writing scope rather than a plain messaging one.

In this section you can also set other parameters, such as restricting the IP addresses that connections will be accepted from. Once all changes are saved, scroll back to the top of the page and click the “Install App to Workspace” button. After you confirm the settings, you will receive your token; copy it and store it somewhere safe. Treat it like a password: anyone holding it can post to your workspace with the scopes you just granted, so keep it out of version control and readable only by the account that will run the script.

With your Slack channel set up and token in hand, it’s now time to open the slackmap.sh script and make the necessary changes. The first is to change “TARGETS” to match your subnets or hosts. Next, change “channels” to the one you want to use in your workspace. Finally, paste in your token.

The final step in this process is to set the script to run on a schedule that meets your monitoring needs. For this I used Cron, which comes pre-loaded with most (if not all) Linux distributions. If you are not familiar with using Cron (or Crontab, to be exact), or you just need a refresher, there is a good write-up on howtogeek.com. If you plan on scheduling this script to run multiple times per day, run it manually once first to gauge how long the scans take to complete in your environment. That way you can space out the schedule so that one run finishes before the next instance starts; otherwise two instances end up writing the same results file at the same time and the comparison reports nonsense.
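As an added example (not Jerry Gamblin’s slackmap.sh and not code from this post), here is the whole scan/compare/notify loop the steps above describe, written so the comparison step can be tried offline on constructed sample output. Assumed and hypothetical: the TARGETS, STATE_DIR, SLACK_CHANNEL and TOKEN_FILE settings, the constructed scan output inside demo_compare, and the choice to post with Slack’s chat.postMessage method (which needs the chat:write scope rather than the files:write:user one used above) instead of uploading a file. The comparison works on NMAP’s grepable (-oG) output and reports hosts and open ports that appeared or disappeared between two runs; main takes an flock so a slow scan cannot overlap the next Cron tick, which is the race the paragraph above warns about.

```shell
#!/usr/bin/env bash
# Added example, not the original slackmap.sh: scan, compare with the last
# run, notify Slack on change. Values marked hypothetical are assumptions.
set -eu
export LC_ALL=C   # sort(1) and comm(1) must agree on collation

TARGETS="${TARGETS:-192.168.1.0/24}"              # hypothetical subnet
STATE_DIR="${STATE_DIR:-/var/lib/slackmap}"       # hypothetical state dir
SLACK_CHANNEL="${SLACK_CHANNEL:-#slackmap}"       # hypothetical channel
TOKEN_FILE="${TOKEN_FILE:-/etc/slackmap/token}"   # hypothetical, mode 0600

# Reduce a grepable (-oG) nmap file to sorted, unique "ip up" and
# "ip port/proto" lines (open ports only) so two scans can be compared
# with plain text tools instead of ndiff.
normalize_scan() {
  awk -F '\t' '
    /^Host:/ {
      split($1, h, " "); ip = h[2]
      for (i = 2; i <= NF; i++) {
        if ($i ~ /^Status: Up/) print ip, "up"
        if ($i ~ /^Ports:/) {
          sub(/^Ports: /, "", $i)
          n = split($i, ports, /, /)
          for (j = 1; j <= n; j++) {
            split(ports[j], f, "/")   # port/state/proto/owner/service/...
            if (f[2] == "open") print ip, f[1] "/" f[3]
          }
        }
      }
    }' "$1" | sort -u
}

# Print "- ip item" for entries that vanished and "+ ip item" for new ones.
# Both arguments must be normalize_scan output (sorted, unique).
diff_scans() {
  comm -3 "$1" "$2" | awk -F '\t' '$1 != "" { print "-", $1 } $1 == "" { print "+", $2 }'
}

# Compare two raw -oG files; prints nothing when the scans are identical.
compare_gnmap() {
  local prev_norm cur_norm
  prev_norm=$(mktemp); cur_norm=$(mktemp)
  normalize_scan "$1" > "$prev_norm"
  normalize_scan "$2" > "$cur_norm"
  diff_scans "$prev_norm" "$cur_norm"
  rm -f "$prev_norm" "$cur_norm"
}

# Post one message with chat.postMessage (chat:write scope). The token is
# read from a 0600 file rather than hard-coded, so the script itself can
# be shared or committed without leaking it.
post_to_slack() {
  curl -sS -H "Authorization: Bearer $(cat "$TOKEN_FILE")" \
    --data-urlencode "channel=$SLACK_CHANNEL" \
    --data-urlencode "text=$1" \
    https://slack.com/api/chat.postMessage > /dev/null
}

# One scheduled run: lock so overlapping cron runs never race on the state
# files, scan, diff against the previous run, notify, rotate the state file.
main() {
  mkdir -p "$STATE_DIR"
  exec 9> "$STATE_DIR/.lock"
  flock -n 9 || { echo "slackmap: previous run still in progress, skipping" >&2; exit 0; }
  local prev="$STATE_DIR/scan-prev.gnmap"
  local cur="$STATE_DIR/scan-$(date +%Y%m%d-%H%M%S).gnmap"
  nmap -T4 -F "$TARGETS" -oG "$cur" > /dev/null
  if [ -f "$prev" ]; then
    local changes
    changes=$(compare_gnmap "$prev" "$cur")
    if [ -n "$changes" ]; then
      post_to_slack "$(printf 'slackmap: changes on %s since last run\n%s' "$TARGETS" "$changes")"
    fi
  fi
  ln -sf "$(basename "$cur")" "$prev"
}

# Constructed sample output (not a real scan) so the comparison can be
# exercised without nmap: 443 closes on .1, .10 gains 3389, .77 is new.
demo_compare() {
  local d; d=$(mktemp -d)
  {
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (98)\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (99)\n'
  } > "$d/prev.gnmap"
  {
    printf 'Host: 192.168.1.1 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (99)\n'
    printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (98)\n'
    printf 'Host: 192.168.1.77 ()\tStatus: Up\n'
    printf 'Host: 192.168.1.77 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (99)\n'
  } > "$d/cur.gnmap"
  compare_gnmap "$d/prev.gnmap" "$d/cur.gnmap"
  rm -rf "$d"
}

case "${1:-demo}" in
  --run) main ;;
  demo)  demo_compare ;;   # prints the changes between the two constructed scans
  *)     echo "usage: $0 [--run|demo]" >&2; exit 2 ;;
esac
```

Install it as, say, /usr/local/bin/slackmap.sh, put the token in the TOKEN_FILE path with mode 0600 owned by the account Cron runs it as, and schedule it with a crontab line such as `0 * * * * /usr/local/bin/slackmap.sh --run`. Because main holds the lock for the whole run, a scan that overruns the interval is skipped on the next tick rather than run twice against the same state file.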

Remember that the default settings of slackmap.sh are just one use case. You have the full power of NMAP (or another tool of your choosing) at your fingertips. Be creative and customize the script to best suit your needs.