local network enumeration

UPDATED: 11/19/2009

little script i threw together for local network enumeration – uses arp-scan, propecia, and nmap. was going to use it to dynamically generate my subnet (hence the IP parsing), but got lazy at the last minute.

##jcran – 2009

## Gather user options
## ——————–
if [ $# -lt 1 ]; then
echo “Usage: $0 [projectname] [scan? (0/1) ] ”
exit -1

PROJECT=$1    ## name of the project
SCAN=$2        ## whether to scan with propecia / nmap

echo “creating project $PROJECT”

if [ -d $PROJECT ]; then
echo “project exists”
mkdir $PROJECT

IP=`ifconfig eth0 | grep “inet addr:” | ips |cut -d “:” -f 2 | cut -d ” ” -f 1`
SUBNET=`ifconfig eth0 | grep “inet addr:” | ips |cut -d “:” -f 3 | cut -d ” ” -f 1`
RANGE=`ipcalc $IP/$SUBNET | grep “Network:” | cut -d ‘ ‘ -f 4`

echo $RANGE

if [ $SCAN -eq 1 ]; then

echo arp scanning “$RANGE”
sudo arp-scan “$RANGE” –interface eth0 > $PROJECT/arp.targets.txt

echo local segment targets
cat $PROJECT/arp.targets.txt | ips > $PROJECT/ip.targets.txt

echo “scanning for web servers – :80, :443”
propecia $RANGE 80 > $PROJECT/80.targets.txt
propecia $RANGE 443 > $PROJECT/443.targets.txt

echo “scanning for basics – :21 :22 :23 :111”
propecia $RANGE 21 > $PROJECT/21.target.txt
propecia $RANGE 22 > $PROJECT/22.targets.txt
propecia $RANGE 23 > $PROJECT/23.targets.txt
propecia $RANGE 111 > $PROJECT/111.targets.txt

echo “scanning for windows boxes – :445”
propecia $RANGE 445 > $PROJECT/445.targets.txt

echo “scanning for sql server tds – :1433”
propecia $RANGE 1433 > $PROJECT/1433.targets.txt

echo “scanning for oracle tns – :1521”
propecia $RANGE 1521 > $PROJECT/1521.targets.txt

echo nmap-scanning local ips
nmap -iL $PROJECT/ip.targets.txt -oA $PROJECT/local-attack





  1. aaron says:

    Came across your blog today, and just wanted to mention that I have a tool that could be used to replace propecia, called ppscan. Not only can it scan arbitrary class subnet (using cidr notation), but it supports range of ports, tunneling through http/ftp and tcp-syn. example, your command for scanning for basics could become:

    ppscan -q -t $SUBNET.0/24 -r 21-23,111 -T 256 > $PROJECT/basic-telnet-ssh-ftp-rpc-$SUBNET.txt

    where -T indicates how many threads you want, -r specifies the portrange, -t indicates target, and -q is quiet.

    Anyway, thanks for the script, it is very nice.

    1. jcran says:

      aaron, cool, i’ll definitely give that a shot — have been looking for a replacement for a while. here’s an updated version of the script: http://pastebin.com/f6685092b

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s