Sawaba/Scan-Discovery-Networks-Internal.cmd

## Scan-Discovery-Networks-Internal.cmd
@echo off
goto begin

+-----------------------------------------------------------------------------+
| Internal Network Discovery Scan                                             |
|                                                                             |
| DESCRIPTION: This script discovers NETWORKS, not hosts. It attempts to find |
| every class C in use throughout the enterprise. Note that, on larger ranges,|
| we're sampling IPs to save time. This is a calculated time/accuracy tradeoff|
|                                                                             |
| AUTHOR: Adrian Sanabria                                                     |
| CREATED: 10/10/12                                                           |
| LAST UPDATED: 10/10/12                                                      |
+-----------------------------------------------------------------------------+

:begin
REM We need a filename-friendly version of today's date...
for /f "tokens=1,2,3,4 delims=/ " %%a in ('date /t') do set curdate=%%b%%c%%d& set dirmask=%%d-%%b-Networks
echo Current Date is %curdate%.
echo Dirmask is %dirmask%
echo Beginning network discovery scans. Ready to go?
pause

REM Nobody likes a directory with a million files in it, so we're going to
REM create a folder structure to hold the scan results. The folder format will
REM be YYYY-MM-Networks
mkdir %dirmask%

REM Scan all the RFC1918 Networks to just find each Class C in use.
REM The goal at this point is not to find every active host, just every
REM active network.
REM
REM In between each, we will run list scans (only tries reverse DNS on each IP)
REM to see if we missed any networks
nmap -vv -sn -T4 -oA %dirmask%\Network_Discovery_%curdate%_AllInternal 172.16-31.0-254.1-1 192.168.0-254.1-1
REM Calculated that a list scan on a Class A network would take 12 days. Not
REM going to do that right now. Even just scanning the first 16 IPs will take
REM 19 hours.
REM nmap -vv -sL -oA %dirmask%\Network_ListScan_%curdate%_1ClassA 10.0-254.0-254.1-1
nmap -vv -sL -oA %dirmask%\Network_ListScan_%curdate%_AllInternalExceptClassA 172.16-31.0-254.1-16 192.168.0-254.1-254

REM Gather the results from pingscans
for /f "eol=C tokens=1,2,3,4,5,6,* delims=.	 " %%a in ('find "Status: Up" %dirmask%\Network_Discovery_%curdate%_AllInternal.gnmap') do echo %%b.%%c.%%d.0/24 >> %dirmask%\NetworkInternalNets_%curdate%.txt

REM Process results from listscans
REM If we got DNS results, we're going to add the network we got them from to
REM NetworkInternalNets_date.txt
for /f "eol=# tokens=1,2,3,4,5,6,* delims=.	 " %%a in (Network_ListScan_%curdate%_AllInternalExceptClassA.gnmap) do if NOT "()"=="%%f" echo %%b.%%c.%%d.0/24 >> %dirmask%\NetworkInternalNets_%curdate%.txt

notepad.exe %dirmask%\NetworkInternalNets_%curdate%.txt
echo Finished!
	@echo off
	goto begin

	+-----------------------------------------------------------------------------+
	\| Internal Network Discovery Scan \|
	\| \|
	\| DESCRIPTION: This script discovers NETWORKS, not hosts. It attempts to find \|
	\| every class C in use throughout the enterprise. Note that, on larger ranges,\|
	\| we're sampling IPs to save time. This is a calculated time/accuracy tradeoff\|
	\| \|
	\| AUTHOR: Adrian Sanabria \|
	\| CREATED: 10/10/12 \|
	\| LAST UPDATED: 10/10/12 \|
	+-----------------------------------------------------------------------------+

	:begin
	REM We need a filename-friendly version of today's date...
	for /f "tokens=1,2,3,4 delims=/ " %%a in ('date /t') do set curdate=%%b%%c%%d& set dirmask=%%d-%%b-Networks
	echo Current Date is %curdate%.
	echo Dirmask is %dirmask%
	echo Beginning network discovery scans. Ready to go?
	pause

	REM Nobody likes a directory with a million files in it, so we're going to
	REM create a folder structure to hold the scan results. The folder format will
	REM be YYYY-MM-Networks
	mkdir %dirmask%

	REM Scan all the RFC1918 Networks to just find each Class C in use.
	REM The goal at this point is not to find every active host, just every
	REM active network.
	REM
	REM In between each, we will run list scans (only tries reverse DNS on each IP)
	REM to see if we missed any networks
	nmap -vv -sn -T4 -oA %dirmask%\Network_Discovery_%curdate%_AllInternal 172.16-31.0-254.1-1 192.168.0-254.1-1
	REM Calculated that a list scan on a Class A network would take 12 days. Not
	REM going to do that right now. Even just scanning the first 16 IPs will take
	REM 19 hours.
	REM nmap -vv -sL -oA %dirmask%\Network_ListScan_%curdate%_1ClassA 10.0-254.0-254.1-1
	nmap -vv -sL -oA %dirmask%\Network_ListScan_%curdate%_AllInternalExceptClassA 172.16-31.0-254.1-16 192.168.0-254.1-254

	REM Gather the results from pingscans
	for /f "eol=C tokens=1,2,3,4,5,6,* delims=. " %%a in ('find "Status: Up" %dirmask%\Network_Discovery_%curdate%_AllInternal.gnmap') do echo %%b.%%c.%%d.0/24 >> %dirmask%\NetworkInternalNets_%curdate%.txt

	REM Process results from listscans
	REM If we got DNS results, we're going to add the network we got them from to
	REM NetworkInternalNets_date.txt
	for /f "eol=# tokens=1,2,3,4,5,6,* delims=. " %%a in (Network_ListScan_%curdate%_AllInternalExceptClassA.gnmap) do if NOT "()"=="%%f" echo %%b.%%c.%%d.0/24 >> %dirmask%\NetworkInternalNets_%curdate%.txt

	notepad.exe %dirmask%\NetworkInternalNets_%curdate%.txt
	echo Finished!