In an earlier article I talked about how to set up a batch script to loop through a range of IP addresses and attempt to resolve active machines within that range. In this article I will follow up on my earlier examples to help make the results of the scan more accurate.
The code that I put together in my earlier post ended up relying on the Ping command to identify active machines and then the nbtstat command to derive the machine name. Using these two commands is fine in theory, but it is easy to miss machines, since a ping response can be considered a vulnerability that some machine admins lock down. The question then is how to find the hidden machines on your network that don’t answer ping requests.
A simple but effective way to identify machines that have been hardened against responding to ping requests is to do a port scan on them. The only issue with this is finding a good port scanning tool, since the Windows command shell does not have a built-in port scanning utility. However, Microsoft offers a great free option called PortQry, which is available for download at: http://www.microsoft.com/en-ca/download/details.aspx?id=17148
A Blurb About PortQry
Once you have downloaded and extracted portqry.exe into the folder with your batch script you can play around with its various functions. It is quite powerful in what it can do, especially when combined with other tools in a script.
For the purpose of using portqry in the machine detection batch script, I decided to use its basic functionality using the following discovery syntax:
portqry -n 192.168.1.1
The result of running this command is a set of information that includes the discovered machine name. I am interested in this for two reasons:
- A positive result of the portqry command means that a machine exists at that particular IP address. This can be more reliable than counting on a ping response.
- Also, a positive result means that we can stop using the slow and unreliable nbtstat command to identify the human-friendly machine names.
A Code Example of Using a Batch Script with Ping and PortQry
Below is a working batch script example of the concepts that I’ve been talking about in this post. If you want to run this on your machine, you’ll need to paste the code into a batch file along with the freely downloadable portqry.exe file. You can then run the script from a DOS command prompt.
This example builds directly on the code I describe in a prior article… have a look if you have any questions about the syntax.
This script differs from my prior script examples in the command line that uses portqry to identify active machines on a network. You can see in the example portqry command that we set the batch FIND command to look for a line in the results that contains the text “resolved to”. If the portqry command can successfully resolve the machine name, then the line identifying the machine name will be logged in the results file.
Be prepared to wait a while when you run this script. The portqry command takes a good amount of time to run for each IP address being checked.
In this example I’ve set the IP addresses to be scanned to be a small range on an imaginary network (192.168.1.0 to 192.168.2.1). You will need to change these ranges to suit your own needs before you can properly run the script.
@ECHO Off
set startTime=%time%
ECHO Starting the IP Scan
REM Outer loop walks the third octet, inner loop the fourth; adjust both ranges to your network
FOR /L %%i IN (1,1,2) DO @(
    ECHO Pinging IP Range: 192.168.%%i._
    FOR /L %%z IN (0,1,1) DO @(
        echo Pinging IP: 192.168.%%i.%%z
        echo **** Pinging IP: 192.168.%%i.%%z ****>>IPScanResults.txt
        REM One echo request, 500 ms timeout; only "Reply" lines are kept
        ping -n 1 -w 500 192.168.%%i.%%z | FIND /i "Reply">>IPScanResults.txt
        REM PortQry probes the host over TCP and resolves its name even when ping is blocked
        portqry -n 192.168.%%i.%%z | FIND /i "resolved to">>IPScanResults.txt
        echo ++ End ++ >>IPScanResults.txt
        echo.>>IPScanResults.txt
    )
)
ECHO Run Time = %startTime% to %time%>>IPScanResults.txt
ECHO *** IP Scan Complete. ***
ECHO Check the file called IPScanResults.txt to see the results
ECHO Run Time = %startTime% to %time%
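To make sense of IPScanResults.txt after a run, here is an added Python example (written for this article, not part of the original script) that folds the appended log back into one record per scanned IP and lists the hosts PortQry identified but ping did not. The sample log lines are constructed to mimic what the script writes; the check for "bytes=" is there because FIND /i "Reply" also passes the "Destination host unreachable" reply that comes from your own gateway rather than the target.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for IPScanResults.txt (addresses and names are made up).
SAMPLE_RESULTS = """\
**** Pinging IP: 192.168.1.1 ****
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
IP address resolved to router.example.lan
++ End ++

**** Pinging IP: 192.168.2.0 ****
Reply from 192.168.1.20: Destination host unreachable.
++ End ++

**** Pinging IP: 192.168.2.1 ****
IP address resolved to hardened-pc.example.lan
++ End ++
"""

HEADER = re.compile(r"^\*{4} Pinging IP: (\S+) \*{4}$")
# FIND /i "Reply" also lets "Reply from <gateway>: Destination host unreachable."
# through; a genuine echo reply comes from the target IP and carries "bytes=".
REPLY = re.compile(r"^Reply from (\S+): bytes=\d+")
RESOLVED = re.compile(r"resolved to (\S+)\s*$", re.IGNORECASE)

@dataclass
class HostResult:
    ip: str
    ping_reply: bool = False  # answered ICMP echo
    hostname: str = ""        # name PortQry resolved; "" if it found nothing

def parse_results(lines):
    """Fold the appended log back into one record per scanned IP."""
    hosts, current = {}, None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if m := HEADER.match(line):
            current = hosts.setdefault(m.group(1), HostResult(m.group(1)))
        elif current is None:
            continue  # lines before the first header, e.g. an earlier run's footer
        elif (m := REPLY.match(line)) and m.group(1) == current.ip:
            current.ping_reply = True
        elif m := RESOLVED.search(line):
            current.hostname = m.group(1)
    return hosts

def hidden_hosts(hosts):
    """IPs PortQry identified but ping missed: a ping-only scan skips them."""
    return sorted(ip for ip, h in hosts.items() if h.hostname and not h.ping_reply)
```

Point parse_results at the real file with `parse_results(open("IPScanResults.txt"))`; because the script appends, the same IP from several runs collapses into one record, so clear the file between scans if you want a fresh inventory.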