This one is mostly for the internal security folks, as there is nothing stealthy about it; sorry pentesters, but you have enough of the cool toys. I have noticed that at medium to bigger shops security usually has the best network/asset map. That comes from the basics of our job, looking at the fine details, while most other IT teams move from one project to the next keeping the plates spinning. To help build a basic map of systems I wrote the simple shell script below, which produces a csv with the IP, ping status, NetBIOS name and DNS entries for each address.
First create your IP list in Excel. These steps assume that we are listing out /24 networks.
- A1 will be the first three octets of the IP, with the trailing dot. Copy that down to cover the subnet.
- 192.168.6.
- B1 will be 1. Do a "fill series" so that it goes by 1 all the way down to 254.
- C1 will be "=A1&B1". This will give you each IP.
- Repeat this for each subnet in your list.
- Copy all cells from column C into a simple text editor.
- I find it good to create 3 lists, as they will have different scan times and sources.
- inside_infra.txt
- inside_users.txt
- outside.txt
- Below is a sample of what you will see in the text file. With this list we can write a script to scan each item.
192.168.6.1
192.168.6.2
192.168.6.3
192.168.6.4
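If you would rather skip Excel, the same list can be built from the shell. This is an added example, not part of the original post: expand_slash24 takes the first three octets (with or without the trailing dot) and prints .1 through .254, and expand_prefix_file turns a file of prefixes, one per line, into a complete list. The prefix file name is a hypothetical one for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): build /24 host lists from the
# shell instead of Excel.

# expand_slash24 PREFIX: print PREFIX.1 through PREFIX.254, one per line.
# Accepts "192.168.6" or "192.168.6." so a trailing dot is not required.
expand_slash24() {
    prefix=${1%.}
    i=1
    while [ "$i" -le 254 ]; do
        echo "$prefix.$i"
        i=$((i + 1))
    done
}

# expand_prefix_file FILE: read one /24 prefix per line from FILE and write
# the combined host list to stdout. Blank lines and lines starting with '#'
# are skipped, so one prefix file can describe a whole scan list.
expand_prefix_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        expand_slash24 "$line"
    done < "$1"
}

# Usage (file names are hypothetical):
#   printf '192.168.6.\n192.168.7.\n' > inside_infra_prefixes.txt
#   expand_prefix_file inside_infra_prefixes.txt > ../ip_lists/inside_infra.txt
```

The loop uses only POSIX sh arithmetic, so it runs the same on Linux, BSD and macOS without depending on seq.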
Create the following 3 folders next to each other so the relative paths in the script line up.
- scripts
- results
- ip_lists
Copy the script below into the "scripts" folder as iplist_full_scan.sh, and the IP lists you created into the "ip_lists" folder.
######################################################################
#!/bin/sh
# Read the IP list and run all of the checks below for each entry.
# Paths are relative to the scripts folder, so run it from there.
for ip_addr in $(cat ../ip_lists/inside_infra.txt); do
    # ping sweep: one echo request, wait at most 1 second for a reply
    # (-W is Linux iputils ping; drop it on BSD/macOS)
    if ping -c 1 -W 1 "$ip_addr" > /dev/null 2>&1; then
        system_up=up
    else
        system_up=down
    fi
    # netbios sweep: field 2 of nbtscan's comma separated output is the name,
    # strip the padding spaces so the csv stays clean
    netbios_name=$(nbtscan -s , "$ip_addr" | cut -d"," -f 2 | sed 's/ //g')
    # nslookup sweep: take every "name = host." line (works whether nslookup
    # separates with a tab or a space) and drop the trailing dot
    dns_name=$(nslookup "$ip_addr" | sed -n 's/.*name = //p' | sed 's/\.$//')
    # several names come back on separate lines; join them with | so they
    # stay in one csv column ($dns_name is left unquoted on purpose)
    clean_dns=$(echo $dns_name | sed 's/ /|/g')
    # write to csv file
    echo "$ip_addr,$system_up,$netbios_name,$clean_dns" >> ../results/ip_ping_netbios_dns_list.csv
done
######################################################################
As you can see, a good part of the script is there to clean up the output so the csv is tidy (no leading or trailing spaces).
Also, some hosts have more than one DNS entry. I have joined them with a "|" so you can split them out in Excel if you like. A comma or tab would cause issues during the first load.
You will need to install nbtscan if your Linux OS of choice does not have it by default. For Ubuntu it is "sudo apt-get install nbtscan".
Change the input and output file names in the script to suit your lists.
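To show what that cleanup actually has to handle, here is an added example (not code from the original post) that pulls each of the script's parsing steps into a function reading a tool's output on stdin. The functions can then be checked offline against constructed sample output: a ping reply, an nbtscan line with padded name, and an nslookup answer with two PTR records plus a failed lookup. The nbtscan field order (IP, name, server, user, MAC) and the nslookup "name = host." line format are assumptions that match what the post's own script expects; scan_host wires the functions to the real tools and assumes Linux iputils ping for -W.

```shell
#!/bin/sh
# Added example (not from the original post): the output-cleaning steps of
# the scan script as small functions that read a tool's output on stdin.

# ping_state: "up" if the captured ping output contains a reply line
# ("64 bytes from ..."), otherwise "down". Works on empty input too.
ping_state() {
    if grep -q 'bytes from'; then echo up; else echo down; fi
}

# netbios_name: field 2 of "nbtscan -s ," output (assumed order:
# IP,name,server,user,MAC) with padding spaces/tabs stripped. nbtscan prints
# nothing for hosts that do not answer, so the result is then empty.
netbios_name() {
    head -n 1 | cut -d, -f2 | tr -d ' \t'
}

# dns_names: every "name = host." line from a reverse nslookup, trailing dot
# removed, joined with "|" so several names stay in one csv column. Matches
# the line whether nslookup puts a tab or a space before "name =", and
# ignores "Authoritative answers..." and NXDOMAIN noise.
dns_names() {
    sed -n 's/^.*name = //p' | sed 's/\.$//' | paste -s -d '|' -
}

# scan_host IP: one csv row using the real tools. Assumes Linux iputils ping
# (-W 1 = wait one second); drop -W on BSD/macOS. Not exercised offline.
scan_host() {
    ip=$1
    up=$(ping -c 1 -W 1 "$ip" 2>/dev/null | ping_state)
    nb=$(nbtscan -s , "$ip" 2>/dev/null | netbios_name)
    dns=$(nslookup "$ip" 2>/dev/null | dns_names)
    echo "$ip,$up,$nb,$dns"
}

# Constructed sample output, as a quick self-check of the parsers:
#   printf '64 bytes from 192.168.6.1: icmp_seq=1 ttl=128 time=0.4 ms\n' | ping_state
#   printf '192.168.6.1,WINDOWS_SERVER  ,<server>,<unknown>,00:11:22:33:44:55\n' | netbios_name
#   printf '1.6.168.192.in-addr.arpa\tname = windows_server.example.local.\n' | dns_names
```

Because each function takes its input on stdin, you can replay saved tool output through them when a row in the csv looks wrong, without re-scanning the host.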
Change into the scripts folder and run it (paths in the script are relative to that folder).
- sh ./iplist_full_scan.sh
After it is done look in the results folder for your output.
Here is what you will see in Excel. Columns are IP, Ping result, NetBIOS name, DNS name (could be many).
IP           Ping  NetBIOS name    DNS name
192.168.6.1  up    WINDOWS_SERVER  windows_server.example.local
192.168.6.2  down                  ips.example.local
192.168.6.3  up                    linux_server.example.local
192.168.6.4  up
You will notice patterns like those above. Not all servers respond to ping. Not all servers have NetBIOS names, and a lot of non-server equipment may have neither a NetBIOS name nor a DNS entry but will still respond to ping.