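function msa_scan_arp () {
  ## Discover hosts on a /24 that respond to ARP requests.
  # Append information about the hosts that responded to a file.
  #
  # Arguments: $1 - first three octets of the /24, e.g. 192.168.1
  #            $2 - file the result lines are appended to
  # Outputs:   one line per responder on stdout and in $2 (fields 4 and 5 of
  #            the matching arping line: address and MAC in iputils-style
  #            output; other arping builds may print a different layout).
  #            Usage errors go to stderr.
  # Returns:   1 on bad arguments or when no outgoing interface is found.
  #
  # ex: msa_scan_arp 192.168.1 arp-scan.txt
  # yep, this is an ugly hack
  # arping -w should provide a quicker timeout for IPs that do not respond,
  # but (author's note) it works in a way that is not well understood here.
  local net=${1-}
  local outfile=${2-}
  local iface reply i

  # The prefix is pasted into ip/arping/grep command lines, so accept exactly
  # three dotted numeric octets and nothing else (no spaces, no option-like
  # text, no fourth octet). The original tested an unset variable here and
  # therefore never rejected anything.
  if [[ ! $net =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    echo "Error: first argument should only list first 3 octets of a /24. Ex: 10.10.10, without the dot or any other characer" >&2
    return 1
  fi
  if [[ -z $outfile ]]; then
    echo "Error: second argument should be the file to append results to" >&2
    return 1
  fi

  # Take the word after "dev" rather than a fixed column: the column shifts
  # when the route goes through a gateway ("<ip> via <gw> dev <if> ...").
  iface=$(ip route get "$net.1" \
    | awk '{ for (f = 1; f < NF; f++) if ($f == "dev") { print $(f + 1); exit } }')
  if [[ -z $iface ]]; then
    echo "Error: could not determine the outgoing interface for $net.1" >&2
    return 1
  fi

  for ((i = 1; i <= 254; i++)); do
    if reply=$(arping -c 1 -I "$iface" "$net.$i"); then
      # different platforms have different arping utilities and output formats.
      # the silly grep below helps get the right line; -F keeps the dots in
      # the prefix literal instead of regex wildcards.
      printf '%s\n' "$reply" \
        | grep ':' \
        | grep -F -- "$net" \
        | cut -d ' ' -f 4,5 \
        | tee -a -- "$outfile"
    fi
  done
}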
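function msa_scan_dns () {
  ## Enumerate the IPs in the /24 listed as the first parameter,
  # perform a reverse lookup for each one using the resolver given as the
  # 2nd parameter, and append the results to the file given as the 3rd.
  #
  # Arguments: $1 - first three octets of the /24, e.g. 192.168.1
  #            $2 - resolver to query
  #            $3 - file the result lines are appended to
  # Outputs:   every "domain name pointer" line on stdout and in $3;
  #            usage errors on stderr.
  # Returns:   1 on bad arguments.
  #
  # Every lookup is sent to the resolver in $2, so whoever operates that
  # resolver sees the whole swept range.
  #
  # ex: msa_scan_dns 192.168.1 8.8.8.8 dns-lookups.txt
  local net=${1-}
  local resolver=${2-}
  local outfile=${3-}
  local answer i

  # The prefix and resolver are pasted into the host command line: accept
  # only three dotted numeric octets for the prefix, and refuse a resolver
  # that is empty or could be read as an option.
  if [[ ! $net =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
    echo "Error: first argument should be the first 3 octets of a /24. Ex: 10.10.10" >&2
    return 1
  fi
  if [[ -z $resolver || $resolver == -* ]]; then
    echo "Error: second argument should be the resolver to query" >&2
    return 1
  fi
  if [[ -z $outfile ]]; then
    echo "Error: third argument should be the file to append results to" >&2
    return 1
  fi

  for ((i = 1; i <= 254; i++)); do
    # host exits non-zero when the lookup fails; only successful answers are
    # filtered and recorded.
    if answer=$(host "$net.$i" "$resolver"); then
      printf '%s\n' "$answer" \
        | grep 'domain name pointer' \
        | tee -a -- "$outfile"
    fi
  done
}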