Batch script port scanner

Sometimes you're on a network, on a machine with no tools and you need to scan the network.

If I truely have no access to tools such as nmap, I'll open up the command prompt and type in this little script to scan the network for live machines:
for /L %i in (1,1,254) do @ping -n1 -w1 192.168.0.%i |find "time="
(Where 192 168 and 0 are the first 3 octets of the local /24 IP address.)

This is a very simple ping-sweet script which will ping every host in the 192.168.0.0/24 (192.168.0.1-192.168.0.254) range and display replies.

So one day I was a little frustrated how long this script takes to scan 254 hosts, so I decided to create a multithreaded version, also in batch script. Because I'm cool like that.

Hold onto your socks...


@echo off

:: Number of scanning threads
set NUMTH=8

set ipfile=t%random%m%random%p
set scanfx=s%random%c%random%n
set /A thinc=256/%NUMTH% >nul

ping -4 -n 1 -w 1 %computername% |find "statistics" >%ipfile%
for /F "tokens=4,5,6,7 delims=:. " %%i in (%ipfile%) do (
  if not "%%i"=="" (
    echo Local IP address: %%i.%%j.%%k.%%l
    echo Scanning range  : %%i.%%j.%%k.0/24

    echo for /L %%%%a in ^(1,1,32^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%1.bat
    echo for /L %%%%a in ^(33,1,64^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%2.bat
    echo for /L %%%%a in ^(65,1,96^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%3.bat
    echo for /L %%%%a in ^(97,1,128^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%4.bat
    echo for /L %%%%a in ^(129,1,160^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%5.bat
    echo for /L %%%%a in ^(161,1,192^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%6.bat
    echo for /L %%%%a in ^(193,1,224^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%7.bat
    echo for /L %%%%a in ^(225,1,254^) do @ping -n 1 -w 1  %%i.%%j.%%k.%%%%a ^|find "time=" ^>^>%%0.log >%scanfx%8.bat


  )
)

for /L %%i in (1,1,%NUMTH%) do echo @echo 1 ^>%%0.txt ^&exit >>%scanfx%%%i.bat

for /L %%i in (1,1,%NUMTH%) do start /MIN %scanfx%%%i.bat
echo Scanning...

:: Wait for all threads to finish
:waitthread
ping -n 2 127.0.0.1 >nul
for /L %%i in (1,1,%NUMTH%) do if not exist %scanfx%%%i.bat.txt goto waitthread

:: Copy the scan logs to a single file
copy %scanfx%*.bat.log %scanfx%.scan.log >nul

:: Clean up, delete temp files
del /F /Q %ipfile%
for /L %%i in (1,1,%NUMTH%) do @del /F /Q %scanfx%%%i.bat
for /L %%i in (1,1,%NUMTH%) do @del /F /Q %scanfx%%%i.bat.txt
for /L %%i in (1,1,%NUMTH%) do @del /F /Q %scanfx%%%i.bat.log

start "" %windir%\notepad.exe %scanfx%.scan.log
::type %scanfx%.scan.log |more

:: Wait for notepad to open before killing the file
:waitnotepad
ping -n 2 127.0.0.1 >nul
tasklist /FI "WINDOWTITLE eq %scanfx%.scan.log*" |find "notepad.exe" >nul
if not "%errorlevel%"=="0" goto waitnotepad

del /F /Q %scanfx%.scan.log

Oh shit, he didn't. Oh yes I did.

That right there is a multithreaded BATCH ping scanner. Not only that but it automatically detects the local IP address and uses that to determine the scan range.

Everything happens automatically, you just run it and it'll ping 254 addresses, and show you the results in a notepad window.

Save the code as a .bat file, and run!

Now, to figure out how to probe ports using batch script...

3 comments:

  1. Hi, awesome :) I'll have to give that a go!

    Don't hate me for nit-picking, but your FIND won't work properly, though. If you have a Host unreachable, you get a response that says 'Reply from [YOUR IP]' so you'll get some false positives. I've found 'bytes=', 'time=', or 'TTL=' are unique to a positive response.

    ReplyDelete
    Replies
    1. Not at all! That's a good point, thanks for the tip!

      Delete