Powershell: How to perform Ping Sweep and Reverse-Lookup on a private network

A “perfect” green-field deployment is a myth. In real life, most of the time there is only room and resources (e.g. time and money) for patches of green on a big brown-field.

What I really mean is that we can’t always keep up with the pace of new technologies and just re-design things from the ground up following new trends, without understanding or maintaining the legacy design or, more importantly, meeting the business needs.

Starting from the network, I like to create a basic network diagram that outlines at a glance the things that could limit infrastructure growth or expose it to risks we need to mitigate. Designing, or re-designing, things well is based on getting the requirements right and verifying that the desired targets are met. To speed up this discovery process we use tools to gather the information we need.

Network Engineers and Powershell

For me, a good metaphor for a network engineer has always been an expert traveler who enjoys adventures and faces them with very light luggage (without depending on third-party tools), studies the itinerary well (network protocols), can speak other languages and is open to different cultures (OS internals and a basic knowledge of scripting languages) and, most important, is well prepared for unplanned detours or unpredictable new routes.

Experience and training work better than equipment.

I like to think that I have some of that mindset and culture as well. 

Network tools available on a Windows OS

Diving into the network side of things, these are the tools that we find included on a Windows OS:

from Windows 10 1803 (ssh, curl).

What we tend to do is carry a Swiss-army knife with us: a third-party tool, generally with a CLI or UI, that extends some of these commands and helps us gather the information we are looking for.

Well, after this article you probably don’t need that tool anymore, because there is a Swiss-army chainsaw called PowerShell just waiting for you!

My common network investigations

What steps I follow

Starting from a cmd prompt, the general network configuration of my machine.

The important pieces of information are the network mask (which shows the capacity of that subnet), the gateway and the DNS IPs.

A similar result with PowerShell comes from this cmdlet:

The next step, if I want to know more about the network and the AD domain, is to search for the domain controller (from a cmd prompt)

and fsmo roles:

and the same again with PowerShell:

and fsmo roles:

The following steps take note of all DHCP servers with PowerShell:

DHCP Ranges

Now let’s start with some custom-built tools.

Ping Sweep

Querying the domain controller with Get-ADComputer in PowerShell is a possible solution, but there can be stale objects in AD. The ping sweep technique instead pings every address of a pre-defined subnet. Third-party tools like fping or similar provide a lot of functionality, but ideally this one-liner is all you need.

Getting a hostname (CN/FQDN) from an IP.

Reverse Lookup

A reverse lookup is generally performed with nslookup or third-party tools, but to run it for a list of IPs, again, PowerShell is handy:

Let’s join forces

And it is possible to join them together this way:

Listing these IPs and names can suggest, according to the naming convention, whether computers are in the right place (subnet), whether they are configured with a static IP or a dynamic one (DHCP), and so on.
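The sweep-plus-lookup pipeline described above, written out as an added example (my own illustration, not the author’s one-liner, which is not reproduced on this page). It assumes the DnsClient module is available (Windows 8 / Server 2012 or later) and uses a placeholder subnet that you would replace with one you administer:

```powershell
# Added example, not the author's script: ping sweep of one /24 followed by a
# reverse (PTR) lookup of every host that answered. $Prefix is an assumed
# placeholder; point it at a subnet you administer.
param(
    [string]$Prefix = '192.168.1',   # first three octets of the /24 to sweep
    [int]$Start     = 1,
    [int]$End       = 254,
    [int]$TimeoutMs = 500            # per-host echo timeout
)

function Invoke-PingSweep {
    param([string]$Prefix, [int]$Start, [int]$End, [int]$TimeoutMs)
    # System.Net.NetworkInformation.Ping is used instead of Test-Connection
    # because it takes a per-request timeout on both Windows PowerShell 5.1
    # and PowerShell 7, keeping a sweep of 254 addresses to a few minutes.
    $pinger = New-Object System.Net.NetworkInformation.Ping
    foreach ($i in $Start..$End) {
        $ip = "$Prefix.$i"
        try {
            $reply = $pinger.Send($ip, $TimeoutMs)
            if ($reply.Status -eq 'Success') { $ip }
        } catch {
            # Unreachable network or socket errors: treat as no answer.
        }
    }
}

function Get-ReverseName {
    param([string]$IPAddress)
    # PTR query via the DnsClient module; returns $null when no record exists.
    try {
        (Resolve-DnsName -Name $IPAddress -Type PTR -ErrorAction Stop).NameHost
    } catch {
        $null
    }
}

# Join the two steps: one object per live host, with its PTR name (if any).
$inventory = Invoke-PingSweep -Prefix $Prefix -Start $Start -End $End -TimeoutMs $TimeoutMs |
    ForEach-Object {
        [pscustomobject]@{
            IPAddress = $_
            HostName  = Get-ReverseName -IPAddress $_
        }
    }

# Hosts that answer ping but have no PTR record deserve a second look: they
# may be undocumented devices or stale/missing DNS entries.
$inventory | Sort-Object { [version]$_.IPAddress } | Format-Table -AutoSize
```

Hosts whose host-based firewall drops ICMP echo requests will not appear, so cross-check the result against the DHCP lease list and AD before treating it as a complete inventory.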

There are other useful resources that will be published in the next few weeks about (host-based) firewalls and PowerShell.

Advanced investigation requires proper tools (you can find some articles here on scriptinglibrary):

  • NMAP
  • NETCAT
  • WIRESHARK

I hope that you see the benefits of using PowerShell next time for your network discovery tasks and that you’ll find these examples useful. As usual, you can find these scripts on my GitHub repository.
