
Thread: Generating an IP list of targets - see if you can help!

#1 williamc (Good friend of the forums, Chico CA, joined Feb 2010, 285 posts)

    Here's what I've been doing to generate a target list. Please review my method and let me know if you can streamline this.

    Windows

    net view /domain:domainname > company_ip_list

    At this point, I open the list in a text editing tool and remove the \\ from the beginning of each line by doing a replace.

    Then I open the target list in Excel and use a delimiter to remove any descriptions of the targets. This leaves me a clean hostname on each line.

    Finally, I run a host2ip bat file to convert hostname to IP address, for easy input to Nmap.

    Code:
    @ECHO OFF
    REM This script will ping each hostname to determine the IP address of the host.
    REM Two output files will be created: one with both the hostname and the IP address (HOST2IP_filename.txt),
    REM the other only containing IP addresses (HOST2IP_filename.ips).
    REM The script takes a file containing hostnames as input. A leading \\ (as left by "net view")
    REM is stripped from each name, so the manual find-and-replace step is not needed.
    
    REM This script requires unix tools for windows - grep, cut
    REM It also assumes an English ping, which prints "Pinging name [a.b.c.d] ..."
    
    SET targetfile=%1
    SET targetname=%targetfile:~0,-4%
    
    FOR /F "tokens=1" %%i IN (%targetfile%) DO (
        SETLOCAL ENABLEDELAYEDEXPANSION
        SET TARGETHOST=%%i
        REM Drop the \\ prefix when present
        IF "!TARGETHOST:~0,2!"=="\\" SET TARGETHOST=!TARGETHOST:~2!
        REM Reset before each lookup so a name that fails to resolve does not reuse the previous host's address
        SET TARGETIP=
        FOR /F %%k IN ('ping -w 500 -n 1 !TARGETHOST! ^| grep Pinging ^| cut -d "[" -f 2 ^| cut -d "]" -f 1') DO SET TARGETIP=%%k
        REM The address comes from name resolution in the "Pinging" line, so a host that drops ICMP is still listed
        IF DEFINED TARGETIP (
            ECHO !TARGETIP!  !TARGETHOST!
            ECHO !TARGETIP!  !TARGETHOST!>> HOST2IP_%targetname%.txt
            ECHO !TARGETIP!>> HOST2IP_%targetname%.ips
        ) ELSE (
            ECHO Could not resolve !TARGETHOST!
        )
        ENDLOCAL
    )
    Now, my question to you all is, how can this be condensed into one or two steps? Anyone have some nice scripts or batch files to make life easier? Thanks.

    William

#2

    This is done with 1 line of code in unix.

    Your cut is wrong. Just grep once more after your cut, and cut the second grep, and you're done. Try it

#3 streaker69 (Senior Member, Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA, joined Jan 2010, 3,535 posts)

    I don't have a suggestion for automating the process, but I do have something for you to think about.

    The default setting for WinXPsp2 and the addition of the software firewall is that ICMP requests are turned off. As long as no one changed that setting, in an XP environment, you won't get many things responding.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

#4 thorin (My life is this forum, joined Jan 2010, 2,629 posts)

    1) As already pointed out, if ICMP is disabled (or blocked by a FW at some point) you're SOL.
    2) If NetBIOS is disabled (or blocked by a FW at some point) you're SOL.
    3) What if there are non-windows systems on their network, you'll miss them. (Your net view won't show them).

    Alternative solutions:
    1) Try a DNS zone transfer to get a list of systems.
    2) Use nslookup on the list of names from your net view. (grep/cut the address out of the nslookup results)
    3) Get someone to login to their DHCP server and give you a list of current leases/assignments.
    4) Pull the info from the AD computer accounts info. (Though this might not be up-to-date if they don't babysit it and keep a good inventory.)

    Supplemental solutions:
    1) Do a quick nmap (pick a set of predictable/usual ports 21,22,23,25,53,80,137,138,139,389,443,445,1433,1434,1521,1645,3306,5432), parse the results.
    2) Do a Timestamp request.
    3) Do a netmask request.
    4) Check hosts with ikescan (for VPN devices).
    5) Assume a range (or multiple ranges) of IPs and do DNS lookups.
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.
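Two of the approaches thorin lists above, as an added example and not code from anyone in the thread: the reverse-DNS sweep over assumed ranges (supplemental 5) and parsing the results of the quick nmap pass (supplemental 1). The PTR records, the host names (gw.corp.example and friends) and the nmap -oG listing are all constructed so the script runs offline; the resolver is injected so `ptr_lookup` can be dropped in for real DNS. Two points the parser builds in: with -Pn nmap prints "Status: Up" for every target, so that line proves nothing, and a closed port (an RST) proves a host is alive just as well as an open one, whatever its firewall does with ICMP.

```python
"""Reverse-DNS sweep plus nmap greppable-output parsing (added example)."""
import ipaddress
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional

# The "predictable/usual" ports from the post, for the quick nmap pass.
QUICK_PORTS = "21,22,23,25,53,80,137,138,139,389,443,445,1433,1434,1521,1645,3306,5432"

# Constructed PTR records standing in for the client's DNS.
SAMPLE_PTR = {
    "10.10.1.1": "gw.corp.example",
    "10.10.1.254": "printer.corp.example",
}

# Constructed -oG output of a -Pn scan. Every target is "Up" by definition;
# .2 answered nothing, .77 only ever sent an RST (closed), yet it is alive.
NMAP_SAMPLE = """\
# Nmap 5.21 scan initiated Tue Apr 13 10:00:00 2010 as: nmap -Pn -p 21,22,80,139,445,1433 -oG - 10.10.1.0/24
Host: 10.10.1.1 (gw.corp.example)\tStatus: Up
Host: 10.10.1.1 (gw.corp.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/closed/tcp//microsoft-ds///\tIgnored State: filtered (3)
Host: 10.10.1.2 ()\tStatus: Up
Host: 10.10.1.20 ()\tStatus: Up
Host: 10.10.1.20 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (4)
Host: 10.10.1.77 ()\tStatus: Up
Host: 10.10.1.77 ()\tPorts: 1433/closed/tcp//ms-sql-s///\tIgnored State: filtered (5)
# Nmap done at Tue Apr 13 10:00:30 2010 -- 256 IP addresses (256 hosts up) scanned in 30.00 seconds
"""


def sample_resolver(ip: str) -> Optional[str]:
    """Offline stand-in for ptr_lookup()."""
    return SAMPLE_PTR.get(ip)


def ptr_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_sweep(networks: Iterable[str],
                  resolver: Callable[[str], Optional[str]] = ptr_lookup) -> Dict[str, str]:
    """Assume ranges and do DNS lookups: {ip: name} for every address with a PTR."""
    found: Dict[str, str] = {}
    for net in networks:
        for addr in ipaddress.ip_network(net, strict=False).hosts():
            name = resolver(str(addr))
            if name:
                found[str(addr)] = name
    return found


def quick_scan_cmd(targets: Iterable[str], skip_ping: bool = True) -> List[str]:
    """argv for the quick pass. -Pn because an XP SP2 firewall drops ICMP by
    default; liveness is then read from the probe answers by live_hosts()."""
    cmd = ["nmap", "-p", QUICK_PORTS, "-oG", "-"]
    if skip_ping:
        cmd.append("-Pn")
    return cmd + list(targets)


_PORTS_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:(.*)$")


def parse_nmap_greppable(text: str) -> Dict[str, Dict[int, str]]:
    """{ip: {port: state}} from -oG output. Only "Ports:" lines are used."""
    hosts: Dict[str, Dict[int, str]] = {}
    for line in text.splitlines():
        m = _PORTS_RE.match(line)
        if not m:
            continue
        ports_field = m.group(3).split("\t")[0]  # drop "Ignored State: ..."
        states: Dict[int, str] = {}
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(parts) >= 2 and parts[0].isdigit():
                states[int(parts[0])] = parts[1]
        hosts[m.group(1)] = states
    return hosts


def live_hosts(scan: Dict[str, Dict[int, str]]) -> List[str]:
    """Hosts that answered a probe with SYN-ACK (open) or RST (closed).
    All-filtered hosts are unknown, not down."""
    return sorted((ip for ip, states in scan.items()
                   if any(s in ("open", "closed") for s in states.values())),
                  key=ipaddress.ip_address)


def merge_targets(*sources: Iterable[str]) -> List[str]:
    """Union of the addresses every method turned up, in address order."""
    return sorted({ip for src in sources for ip in src}, key=ipaddress.ip_address)


if __name__ == "__main__":
    named = reverse_sweep(["10.10.1.0/24"], sample_resolver)
    probed = live_hosts(parse_nmap_greppable(NMAP_SAMPLE))
    print(" ".join(quick_scan_cmd(["10.10.1.0/24"])))
    for ip in merge_targets(named, probed):
        print(ip, named.get(ip, ""))
```

Run the real thing with `reverse_sweep(ranges)` (default `ptr_lookup`) and feed `subprocess.run(quick_scan_cmd(ranges), capture_output=True, text=True).stdout` to `parse_nmap_greppable`; the sweep and the scan find different hosts (a name without a listening port, a port on a box nobody registered in DNS), which is why the two lists are merged rather than picking one.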

#5 streaker69 (Senior Member, joined Jan 2010, 3,535 posts)

    Quote Originally Posted by thorin:
    Supplemental solutions:
    1) Do a quick nmap (pick a set of predictable/usual ports 21,22,25,80,376,138,139,389,443,445), parse the results.
    2) Do a Timestamp request.
    3) Do a netmask request.
    4) Check hosts with ikescan (for VPN devices).
    5) Assume a range (or multiple ranges) of IPs and do DNS lookups.
    Added one for you, LDAP.

#6 thorin (My life is this forum, joined Jan 2010, 2,629 posts)

    Hmmmm I've re-edited the list but where did 376 come from? 376 is some Amiga thing.

#7 shamanvirtuel (Senior Member, Somewhere in the "Ex" human right country, joined Mar 2010, 2,988 posts)

    a "lazy boy" way to do it is to use Joshua Abraham's GENLIST

    genlist -s 192.68.1.*

    UDP port 376 uses the Datagram Protocol, a communications protocol for the Internet network layer, transport layer, and session layer. This protocol when used over PORT 376 makes possible the transmission of a datagram message from one computer to an application running in another computer.
    Watch your back, your packetz will belong to me soon... xD

    BackTrack :
    Giving Machine Guns to Monkeys since 2006

#8 thorin (My life is this forum, joined Jan 2010, 2,629 posts)

    Hmmmm everywhere I looked (IANA, wikipedia, SANS ISC) I came up with:
    Code:
    nip             376/tcp    Amiga Envoy Network Inquiry Proto   
    nip             376/udp    Amiga Envoy Network Inquiry Proto

#9 williamc (Good friend of the forums, Chico CA, joined Feb 2010, 285 posts)

    LDAP is 389. However, I may just add the 376 just in the off chance someone is running an Amiga. That would be quite a find!

    Thanks for the feedback, this gives me some additional approaches!

    William

#10 williamc (Good friend of the forums, Chico CA, joined Feb 2010, 285 posts)

    Well, I'm onsite following this guide. I performed my step of a net view, and converted the hostnames to IP addresses. This gave me a couple of ranges to work with.

    1) I tried the genlist, but it doesn't appear to work on anything larger than a class C. ( genlist --scan 10.* ) I'm working on a class B network.
    2) Zone transfers are disabled.
    3) DHCP didn't give many results. They have the network segmented into class C's, but DHCP isn't running on any of the ranges.
    4) I can't run any port scans until the client reviews the ranges, so only nmap -sP, which came back with only a handful of hosts responding in the class B.
    5) nslookup on the domains gave me some IPs within the discovered ranges, but nothing new.

    I was about to give the client the ranges I discovered, amounting to four class C ranges, when I stumbled upon an admin share with network spreadsheets. It appears they are using the entire class B, but only have a few hosts in each one. Unfortunately, the individual live IPs aren't listed, only the ranges and locations. This presents a problem, as I'd have to run nmap -sS on the entire class B, taking way too long. Suggestions?

    so far:
    Code:
    net view /domain:companyname > hosts.txt
    Host2Ip.bat hosts.txt            # creates HOST2IP_hosts.txt and HOST2IP_hosts.ips
    sort -u HOST2IP_hosts.ips > new_iplist.txt
    gawk -F. '{print $1"."$2"."$3}' new_iplist.txt | sort -u > ranges.txt
    sed 's/$/.0\/24/' ranges.txt > ranges_cidr.txt   # .0/24 so nmap sweeps each class C, not just the .0 address
    William
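The pipeline in this post and the three manual steps from post #1 (net view, strip the leading backslashes, drop the remarks, resolve each name) folded into one script, as an added example and not William's batch file: it parses raw net view output directly, resolves and dedupes the names, and groups the addresses into /24s ready for nmap. The net view listing and the DNS answers below are constructed; `sample_resolver` is an offline stand-in and `forward_lookup` is what to pass for real name resolution.

```python
"""net view -> resolved IPs -> /24 ranges in one pass (added example)."""
import ipaddress
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Constructed net view /domain output: header, rule, duplicate entry,
# a name that no longer resolves, and the footer.
SAMPLE_NET_VIEW = r"""Server Name            Remark

-------------------------------------------------------------------------------
\\FILESRV01            File server, building A
\\WS-ACCT-12
\\DC01                 Domain controller
\\FILESRV01            File server, building A
\\OLDBOX               Decommissioned, still in the browse list
The command completed successfully.
"""

# Constructed DNS answers; OLDBOX deliberately has none.
SAMPLE_DNS = {
    "FILESRV01": "10.10.1.5",
    "WS-ACCT-12": "10.10.7.41",
    "DC01": "10.10.1.10",
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_DNS.get(name)


def forward_lookup(name: str) -> Optional[str]:
    """Real resolution (DNS, then NetBIOS on Windows), None on failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def parse_net_view(text: str) -> List[Tuple[str, str]]:
    """(hostname, remark) for every \\NAME line; header, rule and footer lines
    are skipped, so the raw command output can be fed in unedited."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("\\\\"):
            continue
        name, _, remark = line[2:].partition(" ")
        hosts.append((name.strip(), remark.strip()))
    return hosts


def resolve_hosts(names: Iterable[str],
                  resolver: Callable[[str], Optional[str]] = forward_lookup) -> Dict[str, str]:
    """{hostname: ip} for the names that resolve; each name is looked up once
    even if net view listed it twice, and unresolvable names are dropped."""
    results: Dict[str, Optional[str]] = {}
    for name in names:
        if name not in results:
            results[name] = resolver(name)
    return {n: ip for n, ip in results.items() if ip}


def collapse_to_ranges(ips: Iterable[str], prefix: int = 24) -> Dict[str, List[str]]:
    """The gawk|sort|uniq step: {network: [known hosts in it]}, hosts in address order."""
    ranges: Dict[str, List[str]] = defaultdict(list)
    for ip in sorted(set(ips), key=ipaddress.ip_address):
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ranges[str(net)].append(ip)
    return dict(ranges)


def nmap_targets(ranges: Dict[str, List[str]]) -> List[str]:
    """Range list in network order, one argument per /24 for nmap."""
    return sorted(ranges, key=ipaddress.ip_network)


def build_target_list(net_view_text: str,
                      resolver: Callable[[str], Optional[str]] = forward_lookup
                      ) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Whole pipeline: (hostname -> ip, network -> hosts)."""
    names = [n for n, _ in parse_net_view(net_view_text)]
    name_to_ip = resolve_hosts(names, resolver)
    return name_to_ip, collapse_to_ranges(name_to_ip.values())


if __name__ == "__main__":
    name_to_ip, ranges = build_target_list(SAMPLE_NET_VIEW, sample_resolver)
    for name, ip in name_to_ip.items():
        print(f"{ip:16} {name}")
    print("nmap -sS", " ".join(nmap_targets(ranges)))
```

For real use pipe the command in (`net view /domain:companyname | python build_targets.py` with `sys.stdin.read()` in place of `SAMPLE_NET_VIEW`) and drop the `sample_resolver` argument. The script still only sees what the browse list and name resolution know about, which is thorin's point: it finds Windows boxes that are registered somewhere, not everything on the wire.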

