Wednesday, September 23, 2009

Powershell Ping Sweep

Ed Skoudis came up with some fantastic Command Line Kung Fu for Windows to do some basic scanning. Powershell is becoming more and more common so I decided to port these commands to powershell. I think Ed would agree that the standard windows commands can be rather painful and aren't easily extensible (blasted windows) and I hoped to make it slightly less agonizing. In order to make it easier to understand, I won't use the shortcuts in my examples for the foreach-object cmdlet (%) or where-object cmdlet (?).

The first CLKF I thought I would tackle was the ping sweep. You can check out the great write-up over at the Command Line Kung Fu Blog.

Taken from the blog, here is the Windows command to do ping sweep at the command line and its associated output:

C:\>for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

Reply from bytes=32 time=4ms TTL=64
Reply from bytes=32 time=5ms TTL=64
Reply from bytes=32 time=4ms TTL=64

The above command uses a FOR loop to ping each device and looks for "Reply" in the output. If there is a "Reply" then the host is up (duh).
Here is the powershell version and its output:

PS C:\>1..255 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") } | where-object {$_.Status -eq "success"} | select Address


At first glance the results are very similar and you would think, "Why all the extra typing? The second command is 2.5 times longer!" The big difference between the standard windows command line and powershell is that the latter uses objects, which gives a lot of our shell. Not let's see how it works...
In the above command the range operator (..) generates a list of the numbers 1 through 255. The cool thing is you don't have to use just a single range, you can string them together like this (1..5),7,(9..10) which would give you the numbers 1-10 skipping 6 and 8.

foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") }

The foreach-object takes the numbers fed into the pipeline and operates on them one at a time. First, it creates a new ping object and then calls the send method. The parameter given to the send method is a string concatenation of 10.10.10. and the number from $_, which is the "current pipeline object." The $_ variable in our example will contain the numbers 1-255.
where-object {$_.Status -eq "success"}
The output of the send method is the PingReply object which contains a status. We can filter the results only successful pings reply objects will be sent further down the pipeline.
Select Address

Finally, all we care about is the address so that is the only piece we have displayed.

Now that we know how it works, let's pimp out our powershell version.

First, we don't have to just use a contiguous set of numbers. If we wanted to scan all ip address before, after and we could use this:

(1..99),(200..255),155 | foreach-object ....
We can use the results to feed into other commands. You can ping sweep an entire subnet and have it automatically do an nslookup, attempt to list the contents of the c$ share, and tell you that you are doing a good job (a little positive reinforcement never hurts).

PS C:\>1..255 | foreach-object { (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_") } | where-object {$_.Status -eq "success"} | foreach-object { nslookup $_; gci "\\$($_.Address)\c$"; echo "Good Job" }

The ping sweep can be sped up by setting a timeout value (in milliseconds). In the example below we set the timeout value to 100ms.
... (new-object System.Net.Networkinformation.Ping).Send("10.10.10.$_", 100) ...
Next time we'll look into using the powershell version of nslookup and the brute force reverse dns lookup.

No comments:

Post a Comment