Wednesday, September 23, 2009

Powershell NSLookup Brute Force

Stealing two other commands from Mr. Skoudis we can do an nslookup of each host in a range.

for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"
10.10.10.1
10.10.10.2
10.10.10.3
Name:    server.blah.com
10.10.10.4

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
Name:    server.blah.com

10.10.10.3

The first command shows each IP as it is looked up. The second only shows those that successfully resolve.
Here is the powershell version and it's output:

1..255 | % { [System.Net.Dns]::GetHostByAddress("10.10.10.$_") } 2> Out-Null | Format-List
HostName    : server.blah.com
Aliases     : {loadbalancer.blah.com, service.blah.com, service2.blah.com, service3.blah.com}
AddressList : {10.10.10.3}


You'll notice a big difference from the first output. The standard nslookup just returns one result, while the powershell version gets all the aliases. We may not have ever known about those other DNS entries otherwise.
Using the [System.Net.Dns]::GetHostByAddress() method gives us more power, plus we can send the objects we want down the pipeline for further actions. We use the 2> Out-Null so that the error messages for the unresolvable IP addresses aren't shown.

No comments:

Post a Comment