There is no such thing as a “perfect” green-field deployment; that is a myth. In real life, most of the time there is only room (and resources, such as time and money) for patches of green on a big brown-field.
What I really mean is that we can’t always keep up with the pace of new technologies and simply re-design things from the ground up following new trends, without understanding or maintaining the legacy design or, more importantly, without meeting the business needs.
Starting from the network, I like to create a basic network diagram that outlines at a glance the things that could potentially limit infrastructure growth or expose it to risks we need to mitigate. Designing, or re-designing, things well (or better) depends on getting the requirements right and verifying that the desired targets are met. To speed up this discovery process we use tools to gather the information we need.
Network Engineers and Powershell
For me, a good metaphor for a network engineer has always been an expert traveler who enjoys adventures and faces them with very light luggage (without depending on third-party tools), studies the itinerary well (network protocols), can speak other languages and is open to different cultures (OS internals and a basic knowledge of scripting languages) and, most importantly, is well prepared for unplanned detours or unpredictable new routes.
Experience and training work better than equipment.
I like to think that I have some of that mindset and culture as well.
Network tools available on a Windows OS
Diving into the network side of things, the tools that we find included on a Windows OS are:
- arp
- ipconfig
- netstat
- netdom (if it is joined to a domain)
- netsh
- nbtstat
- nslookup
- ping
- systeminfo
- route
- tracert
- ssh and curl (from Windows 10 1803)
What we tend to do is carry a Swiss-army knife with us: in general a third-party tool that, with a CLI or UI, extends some of these commands and helps us gather the information we are looking for.
Well, after this article you probably won’t need that tool anymore, because there is a Swiss-army chainsaw called PowerShell just waiting for you!
My common network investigations
What steps I follow
Starting from a cmd prompt, the general network configuration of my machine:
```
ipconfig /all
```
The important pieces of information are the network mask (which shows the capacity of that subnet), the gateway and the DNS IPs.
A similar result with PowerShell comes from this cmdlet:
```powershell
Get-NetIPConfiguration
```
The next step, if I want to know more about the network and the AD domain, is to search for the domain controllers (from a cmd prompt):
```
netdom /query dc
List of domain controllers with accounts in the domain:

myDC01
myDC02
The command completed successfully.
```
and the FSMO roles:
```
netdom /query fsmo
Schema master               myDC01.contoso.com
Domain naming master        myDC01.contoso.com
PDC                         myDC01.contoso.com
RID pool manager            myDC01.contoso.com
Infrastructure master       myDC01.contoso.com
```
The same again with PowerShell:
```powershell
Get-ADDomainController
```
and the FSMO roles:
```powershell
# From Scripting Guys Blog
# https://blogs.technet.microsoft.com/heyscriptingguy/2014/11/28/powertip-use-powershell-to-get-list-of-fsmo-role-holders/
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
Get-ADDomainController -Filter * |
    Select-Object Name, Domain, Forest, OperationMasterRoles |
    Where-Object {$_.OperationMasterRoles} |
    Format-Table -AutoSize
```
The following step is taking note of all the DHCP servers with PowerShell:
```powershell
PS C:\WINDOWS\system32> Get-DhcpServerInDC

IPAddress  DnsName
---------  -------
10.10.40.8 myDC01.contoso.com
10.10.40.9 myDC02.contoso.com
```
DHCP ranges
```powershell
#Get DHCP scope, range and lease
PS D:\Git\HSDSYS\Operations\OnBoarding> Get-DhcpServerv4Scope -ComputerName myDC01

ScopeId   SubnetMask    Name     State  StartRange  EndRange    LeaseDuration
-------   ----------    ----     -----  ----------  --------    -------------
10.0.10.0 255.255.255.0 VOIP     Active 10.0.10.100 10.0.10.200 1.00:00:00
10.0.20.0 255.255.255.0 WIFI     Active 10.0.20.128 10.0.20.192 02:00:00
10.0.30.0 255.255.255.0 LAB      Active 10.0.30.32  10.0.30.254 8.00:00:00
10.0.40.0 255.255.255.0 SERVICES Active 10.0.40.1   10.0.40.254 1.00:00:00
10.0.50.0 255.255.255.0 CORE     Active 10.0.50.1   10.0.50.254 1.00:00:00
10.0.60.0 255.255.255.0 MGMT     Active 10.0.60.1   10.0.60.254 1.00:00:00
```
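The scope listing above is more useful when each range is compared with the size of its subnet and with the leases actually handed out, because a pool that is almost full or much smaller than its subnet is exactly the kind of growth limit the diagram should expose. The script below is an added example (not from the original post): it assumes the DhcpServer module, the server name myDC01 used above, and that Get-DhcpServerv4ScopeStatistics exposes an InUse count per scope.

```powershell
# Added example: DHCP scope capacity check. Assumes the DhcpServer module and a reachable
# server; the 80% threshold is an arbitrary warning level, adjust it to taste.
param([string]$DhcpServer = 'myDC01', [int]$WarnPercent = 80)

function ConvertTo-UInt32 ([ipaddress]$Address) {
    # Addresses are big-endian on the wire; BitConverter on Windows is little-endian
    $bytes = $Address.GetAddressBytes()
    [array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

# Collect the per-scope statistics once, keyed by scope id (InUse is assumed to be the lease count)
$stats = @{}
Get-DhcpServerv4ScopeStatistics -ComputerName $DhcpServer |
    ForEach-Object { $stats[$_.ScopeId.ToString()] = $_ }

Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    $mask        = ConvertTo-UInt32 $_.SubnetMask
    $prefix      = [Convert]::ToString([int64]$mask, 2).Replace('0', '').Length   # count the 1 bits
    $subnetHosts = [int64][math]::Pow(2, 32 - $prefix) - 2                        # usable addresses
    $rangeSize   = (ConvertTo-UInt32 $_.EndRange) - (ConvertTo-UInt32 $_.StartRange) + 1
    $st          = $stats[$_.ScopeId.ToString()]
    $inUse       = if ($st) { [int64]$st.InUse } else { $null }
    [pscustomobject]@{
        ScopeId     = $_.ScopeId
        Name        = $_.Name
        Prefix      = "/$prefix"
        SubnetHosts = $subnetHosts
        RangeSize   = $rangeSize
        InUse       = $inUse
        PercentUsed = if ($st -and $rangeSize) { [math]::Round(100 * $inUse / $rangeSize, 1) } else { $null }
        LeaseDays   = $_.LeaseDuration.TotalDays
    }
} | Tee-Object -Variable scopes | Format-Table -AutoSize

# Scopes that are close to exhaustion, or whose pool covers less than half of the subnet
Write-Output "Scopes worth a second look:"
$scopes |
    Where-Object { $_.PercentUsed -ge $WarnPercent -or $_.RangeSize -lt ($_.SubnetHosts / 2) } |
    Format-Table ScopeId, Name, RangeSize, SubnetHosts, PercentUsed -AutoSize
```

With the VOIP scope from the listing above (/24 subnet, pool 10.0.10.100 to 10.0.10.200) the script reports 254 usable subnet addresses against a 101-address pool, so that scope is listed as covering less than half of its subnet.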
Now let’s start with some custom-built tools.
Ping Sweep
Querying the domain controller with Get-ADComputer in PowerShell is a possible solution, but there can be stale objects in AD. The ping sweep technique instead pings every address of a pre-defined subnet. Third-party tools like fping or similar provide a lot of functionality, but ideally this one-liner is all you need.
```powershell
#Paolo Frigo, scriptinglibrary.com
#Ping Sweep
(1..254) | % {$ip="10.0.40.$_"; Write-Output "$ip $(Test-Connection -ComputerName $ip -Quiet -Count 1)"}
10.0.40.1 True
10.0.40.2 False
10.0.40.3 True
10.0.40.4 True
... and so on until 10.0.40.254
```
Getting a hostname (CN/FQDN) from an IP.
Reverse Lookup
A reverse lookup is generally performed with nslookup or third-party tools, but to run it against a list of IPs PowerShell is, again, handy:
```powershell
#Paolo Frigo, ScriptingLibrary.com
#Reverse Lookup
(1..254) | % {$ip="10.0.40.$_"; Write-Output "$ip $(Resolve-DnsName $ip -ErrorAction Ignore | Select-Object -ExpandProperty NameHost)"}
10.0.0.1 gw01.contoso.com
10.0.0.2
10.0.0.3 as01.contoso.com
10.0.0.4 as02.contoso.com
..and so on until 10.0.40.254
```
Let’s join forces
And it is possible to join them together this way:
```powershell
#Paolo Frigo, ScriptingLibrary.com
#Ping sweep and reverse lookup together
(1..254) | % {$ip="10.0.40.$_"; Write-Output "$ip $(Test-Connection -ComputerName $ip -Quiet -Count 1) $(Resolve-DnsName $ip -ErrorAction Ignore | Select-Object -ExpandProperty NameHost)"}
10.0.40.1 True gw.contoso.com
10.0.40.2 False
10.0.40.3 True as01.contoso.com
10.0.40.4 True as02.contoso.com
..and so on until 10.0.40.254
```
Listing these IPs and names can suggest, according to the naming convention, whether computers are in the right place (subnet), whether they are configured with a static IP or a dynamic one (DHCP), and so on.
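The static-versus-DHCP question and the naming-convention check can be answered by the script itself rather than by eye: cross-reference each live host with the DHCP leases of its scope and compare the resolved name against the prefix expected in that subnet. The script below is an added example (not from the original post); it assumes the DhcpServer module, the myDC01 server and the 10.0.40.0/24 SERVICES scope from the listings above, and the "as" name prefix is an assumed convention.

```powershell
# Added example: ping sweep + reverse lookup + DHCP lease cross-reference.
# Assumes a /24 subnet, a reachable DHCP server and an "as*" naming convention for it.
param(
    [string]$Subnet = '10.0.40',        # first three octets of the /24 to sweep
    [string]$DhcpServer = 'myDC01',
    [string]$ExpectedPrefix = 'as'      # assumed naming convention for this subnet
)
$scopeId = "$Subnet.0"

# Fetch the scope's leases once and index them by IP, instead of querying per host
$leases = @{}
Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scopeId -ErrorAction Stop |
    ForEach-Object { $leases[$_.IPAddress.ToString()] = $_ }

$inventory = foreach ($i in 1..254) {
    $ip = "$Subnet.$i"
    if (-not (Test-Connection -ComputerName $ip -Count 1 -Quiet)) { continue }   # live hosts only
    $name  = Resolve-DnsName $ip -Type PTR -ErrorAction Ignore |
             Select-Object -First 1 -ExpandProperty NameHost
    $lease = $leases[$ip]
    [pscustomobject]@{
        IPAddress         = $ip
        HostName          = $name
        Assignment        = if ($lease) { 'DHCP' } else { 'Static' }   # no lease = static (or rogue)
        LeaseHostName     = if ($lease) { $lease.HostName } else { $null }
        MatchesConvention = [bool]($name -and $name.Split('.')[0] -like "$ExpectedPrefix*")
    }
}
$inventory | Format-Table -AutoSize

# Hosts that deserve a second look: alive but without a PTR record, or named outside the
# convention for this subnet (possibly sitting in the wrong place)
Write-Output "Hosts worth a second look:"
$inventory |
    Where-Object { -not $_.HostName -or -not $_.MatchesConvention } |
    Format-Table IPAddress, HostName, Assignment, LeaseHostName -AutoSize
```

A PTR name that differs from the lease's HostName is also worth noting, as it usually means a stale reverse zone record rather than a new machine.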
Other useful resources about (host-based) firewalls and PowerShell will be published in the next few weeks.
Advanced investigation requires proper tools (you can find some articles about them here on scriptinglibrary):
- NMAP
- NETCAT
- WIRESHARK
I hope you see the benefits of using PowerShell next time for your network discovery task and that you’ll find these examples useful; as usual, you can find these scripts on my GitHub repository.