@Sawaba
Last active February 20, 2018 15:46
The beginning of a project to try to discover all active networks on an internal LAN. I hadn't figured out how to do the 10.0.0.0 class A, so it currently looks for all RFC1918 ranges EXCEPT the largest of the bunch. Sorry :( Without access to a large LAN, it was hard to continue development.
@echo off
setlocal
goto begin
+-----------------------------------------------------------------------------+
| Internal Network Discovery Scan                                             |
|                                                                             |
| DESCRIPTION: This script discovers NETWORKS, not hosts. It attempts to find |
| every class C in use throughout the enterprise. Note that, on larger ranges,|
| we're sampling IPs to save time. This is a calculated time/accuracy tradeoff|
|                                                                             |
| AUTHOR: Adrian Sanabria                                                     |
| CREATED: 10/10/12                                                           |
| LAST UPDATED: 10/10/12                                                      |
+-----------------------------------------------------------------------------+
:begin
REM We need a filename-friendly version of today's date...
REM This parses "date /t" and assumes the US-style output "Ddd MM/DD/YYYY"
REM (e.g. "Wed 10/10/2012"). On other locales the tokens land in a different
REM order and the names below will be wrong, so check the echoed values first.
for /f "tokens=1,2,3,4 delims=/ " %%a in ('date /t') do set curdate=%%b%%c%%d& set dirmask=%%d-%%b-Networks
echo Current Date is %curdate%.
echo Dirmask is %dirmask%
echo Beginning network discovery scans. Ready to go?
pause
REM Nobody likes a directory with a million files in it, so we're going to
REM create a folder structure to hold the scan results. The folder format will
REM be YYYY-MM-Networks
if not exist "%dirmask%" mkdir "%dirmask%"
set netlist=%dirmask%\NetworkInternalNets_%curdate%.txt
REM Scan all the RFC1918 Networks to just find each Class C in use.
REM The goal at this point is not to find every active host, just every
REM active network, so the ping sweep (-sn) only probes the .1 address of each
REM /24: in nmap's octet-range syntax 172.16-31.0-254.1-1 is 16*255 = 4080
REM targets and 192.168.0-254.1-1 is another 255.
REM
REM In between each, we will run list scans (only tries reverse DNS on each IP)
REM to see if we missed any networks
nmap -vv -sn -T4 -oA %dirmask%\Network_Discovery_%curdate%_AllInternal 172.16-31.0-254.1-1 192.168.0-254.1-1
REM Calculated that a list scan on a Class A network would take 12 days. Not
REM going to do that right now. Even just scanning the first 16 IPs will take
REM 19 hours.
REM nmap -vv -sL -oA %dirmask%\Network_ListScan_%curdate%_1ClassA 10.0-254.0-254.1-1
nmap -vv -sL -oA %dirmask%\Network_ListScan_%curdate%_AllInternalExceptClassA 172.16-31.0-254.1-16 192.168.0-254.1-254
REM Gather the results from pingscans. A grepable-output host line looks like
REM   Host: 172.16.5.1 (gw.corp.example)[TAB]Status: Up
REM so with "." and space as delimiters tokens 2,3,4 are the first three octets
REM of the address. findstr is used instead of "find" because find, given a
REM file name, prints a "---------- FILE" header that would be parsed as a host.
for /f "tokens=2,3,4 delims=. " %%a in ('findstr /B /C:"Host:" "%dirmask%\Network_Discovery_%curdate%_AllInternal.gnmap" ^| findstr /C:"Status: Up"') do call :addnet %%a.%%b.%%c.0/24
REM Process results from listscans
REM If we got DNS results, we're going to add the network we got them from to
REM NetworkInternalNets_date.txt. An IP with no reverse-DNS name is written as
REM "()" in its Host: line, so those lines are dropped (findstr /V) and every
REM remaining line contributes its /24.
for /f "tokens=2,3,4 delims=. " %%a in ('findstr /B /C:"Host:" "%dirmask%\Network_ListScan_%curdate%_AllInternalExceptClassA.gnmap" ^| findstr /V /C:" ()"') do call :addnet %%a.%%b.%%c.0/24
notepad.exe "%netlist%"
echo Finished!
goto :eof

:addnet
REM Append network %1 to the list unless it is already there. The list scan
REM reports every sampled IP, so one /24 would otherwise appear many times.
REM The redirection goes first so that "0/24>>" is not read as a handle-4
REM redirection and no trailing space is written after the network.
findstr /L /X /C:"%~1" "%netlist%" >nul 2>&1 || >>"%netlist%" echo %~1
goto :eof
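The two `for /f` loops in the script boil nmap's grepable output down to a list of /24 networks, one from the ping sweep and one from the reverse-DNS list scan. The following is an added example, not code from Sawaba's gist, that does the same job in Python so the parsing and the sampling arithmetic can be checked offline: it runs over constructed sample .gnmap text (the hosts, names and the "Status: Unknown" field on the list-scan lines are made up for illustration; the parser does not rely on that field being present), merges both evidence sources without duplicates, rolls adjacent /24s up into larger blocks, and counts the addresses behind an nmap octet-range target spec so the time/accuracy tradeoff in the header can be budgeted before a scan is launched. The `target_count` helper goes a little beyond the script by accepting comma lists and the bare `-` form of nmap's octet syntax.

```python
import ipaddress
import re

# Constructed sample .gnmap text, not real scan output. A grepable host line is
# "Host: <ip> (<reverse-dns-name>)<TAB>Status: <state>"; the parentheses are
# empty, "()", when reverse DNS returned nothing. "Status: Unknown" on the
# list-scan lines is an assumption about -sL output; the parser tolerates its absence.
PING_GNMAP = """\
# Nmap 7.94 scan initiated Wed Oct 10 09:00:00 2012 as: nmap -vv -sn -T4 172.16-31.0-254.1-1 192.168.0-254.1-1
Host: 172.16.0.1 ()\tStatus: Up
Host: 172.16.5.1 (gw-lab.corp.example)\tStatus: Up
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.7.1 ()\tStatus: Down
# Nmap done at Wed Oct 10 09:30:00 2012 -- 4335 IP addresses (3 hosts up) scanned in 1800.00 seconds
"""

LIST_GNMAP = """\
# Nmap 7.94 scan initiated Wed Oct 10 09:30:00 2012 as: nmap -vv -sL 172.16-31.0-254.1-16 192.168.0-254.1-254
Host: 172.16.5.2 (fileserver.corp.example)\tStatus: Unknown
Host: 172.16.8.3 (nas-08.corp.example)\tStatus: Unknown
Host: 172.16.9.14 (printer-09.corp.example)\tStatus: Unknown
Host: 172.16.9.15 (printer-10.corp.example)\tStatus: Unknown
Host: 192.168.1.40 ()\tStatus: Unknown
Host: 192.168.33.200 (dev-box.corp.example)\tStatus: Unknown
# Nmap done at Wed Oct 10 10:00:00 2012 -- 130050 IP addresses (0 hosts up) scanned in 1800.00 seconds
"""

HOST_RE = re.compile(
    r"^Host:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<name>[^)]*)\)"
    r"(?:\s+Status:\s+(?P<status>\S+))?"
)

def parse_gnmap(text):
    """Yield (ip, rdns_name, status) for every Host: line; '#' comment lines never match."""
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if match:
            yield match.group("ip"), match.group("name"), match.group("status")

def slash24(ip):
    """The /24 an address belongs to, e.g. 172.16.5.1 -> 172.16.5.0/24."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def networks_from_ping(text):
    """/24s whose sampled address answered the ping sweep (-sn, Status: Up)."""
    return {slash24(ip) for ip, _, status in parse_gnmap(text) if status == "Up"}

def networks_from_dns(text):
    """/24s in which at least one sampled address has a reverse-DNS name (-sL)."""
    return {slash24(ip) for ip, name, _ in parse_gnmap(text) if name}

def discover(ping_text, list_text):
    """Merge both evidence sources, deduplicated and sorted, keeping why each /24 was kept."""
    found = {}
    for net in networks_from_ping(ping_text):
        found.setdefault(net, set()).add("ping")
    for net in networks_from_dns(list_text):
        found.setdefault(net, set()).add("dns")
    return [(str(net), sorted(reasons)) for net, reasons in sorted(found.items())]

def summarize(discovered):
    """Roll adjacent /24s up into aligned blocks (172.16.8.0/24 + 172.16.9.0/24 -> 172.16.8.0/23)."""
    nets = [ipaddress.ip_network(cidr) for cidr, _ in discovered]
    return [str(net) for net in sorted(ipaddress.collapse_addresses(nets))]

def _octet_values(field):
    """Expand one field of an nmap target spec: '5', '16-31', '1,5,9' or '-' (0-255)."""
    values = set()
    for piece in field.split(","):
        low, dash, high = piece.partition("-")
        lo = int(low) if low else 0
        hi = int(high) if high else (255 if dash else lo)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet field {field!r}")
        values.update(range(lo, hi + 1))
    return values

def target_count(spec):
    """Addresses nmap would touch for one dotted-octet target spec such as 172.16-31.0-254.1-1."""
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four octet fields in {spec!r}")
    count = 1
    for field in fields:
        count *= len(_octet_values(field))
    return count

if __name__ == "__main__":
    for cidr, reasons in discover(PING_GNMAP, LIST_GNMAP):
        print(f"{cidr:<18} found by {', '.join(reasons)}")
    print("summarized:", ", ".join(summarize(discover(PING_GNMAP, LIST_GNMAP))))
    for spec in ("172.16-31.0-254.1-1", "192.168.0-254.1-1", "10.0-254.0-254.1-1"):
        print(f"{spec:<22} {target_count(spec):>7} targets")
```

On the sample data 172.16.5.0/24 is found by both the ping sweep and the list scan yet appears once, and the two printers in 172.16.9.0/24 contribute a single network, which is the deduplication the batch loops lack. `target_count` makes the header's tradeoff concrete: the ping sweep in the script touches 4335 addresses and the list scan 130050, while the commented-out 10.0-254.0-254.1-1 sweep of the .1 addresses in the class A would add 65025 probes.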