Powershell NSLookup Brute Force

Stealing two other commands from Mr. Skoudis we can do an nslookup of each host in a range.

for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"
10.10.10.1
10.10.10.2
10.10.10.3
Name:    server.blah.com
10.10.10.4

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
Name:    server.blah.com
10.10.10.3

The first command shows each IP as it is looked up. The second only shows those that successfully resolve.

Here is the powershell version and it's output:

1..255 | % { [System.Net.Dns]::GetHostByAddress("10.10.10.$_") } 2> Out-Null | Format-List
HostName    : server.blah.com
Aliases     : {loadbalancer.blah.com, service.blah.com, service2.blah.com, service3.blah.com}
AddressList : {10.10.10.3}

You'll notice a big difference from the first output. The standard nslookup just returns one result, while the powershell version gets all the aliases. We may not have ever known about those other DNS entries otherwise.

Using the [System.Net.Dns]::GetHostByAddress() method gives us more power, plus we can send the objects we want down the pipeline for further actions. We use the 2> Out-Null so that the error messages for the unresolvable IP addresses aren't shown.

 del.icio.us  Stumbleupon  Technorati  Digg 

Posted by Tim Medin at 9/23/2009 6:36 PM
Categories: uncategorized
Tags: NSLookup Sweep Powershell Kung Fu
 

What did you think of this article?




Trackbacks
Trackback specific URL for this entry
  • No trackbacks exist for this entry.
Comments
  • No comments exist for this entry.
Leave a comment

Submitted comments will be subject to moderation before being displayed.

 Enter the above security code (required)

 Name

 Email (will not be published)

 Website

Your comment is 0 characters limited to 3000 characters.