前言¶

for /l %i in (1,1,255) do @ping 192.168.7.%i -w 1 -n 1|find /i "ttl="

C:\Users\daniel10>for /l %i in (1,1,255) do @ping 192.168.7.%i -w 1 -n 1|find /i "ttl="
来自 192.168.7.7 的回复: 字节=32 时间<1ms TTL=128
来自 192.168.7.107 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.7.110 的回复: 字节=32 时间<1ms TTL=128

for k in $( seq 1 255);do ping -c 1 192.168.7.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done

teamssix@localhost:~#  for k in $( seq 1 255);do ping -c 1 192.168.7.$k|grep "ttl"|awk -F "[ :]+" '{print $4}'; done
192.168.7.7
192.168.7.107
192.168.7.110

strSubNet = "192.168.7."  
Set objFSO= CreateObject("Scripting.FileSystemObject")  
Set objTS = objfso.CreateTextFile("C:\Result.txt")   
For i = 1 To 254  
strComputer = strSubNet & i  
blnResult = Ping(strComputer)  
If blnResult = True Then  
objTS.WriteLine strComputer & " is alived ! :) "  
End If  
Next   
objTS.Close  
WScript.Echo "All Ping Scan , All Done ! :) "    
Function Ping(strComputer)  
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") 
Set colItems = objWMIService.ExecQuery("Select * From Win32_PingStatus Where Address='" & strComputer & "'") 
For Each objItem In colItems  
Select case objItem.StatusCode  
Case 0  
Ping = True  
Case Else  
Ping = False  
End select  
Exit For  
Next  
End Function

powershell.exe -exec bypass -Command "Import-Module ./Invoke-TSPingSweep.ps1; Invoke-TSPingSweep -StartAddress 192.168.7.1 -EndAddress 192.168.7.254 -ResolveHost -ScanPort -Port 445,135"

C:\Users\daniel10>powershell.exe -exec bypass -Command "Import-Module ./Invoke-TSPingSweep.ps1; Invoke-TSPingSweep -StartAddress 192.168.7.1 -EndAddress 192.168.7.254 -ResolveHost -ScanPort -Port 445,135"
IPAddress     HostName             Ports
---------     --------             -----
192.168.7.7   dc.teamssix.com      {445, 135}
192.168.7.107 DANIEL7.teamssix.com {445, 135}
192.168.7.110 daniel10.teamssix... {445, 135}

powershell.exe -exec bypass -Command "Import-Module ./Invoke-ARPScan.ps1; Invoke-ARPScan -CIDR 192.168.7.0/24"

C:\Users\daniel10>powershell.exe -exec bypass -Command "Import-Module ./Invoke-ARPScan.ps1; Invoke-ARPScan -CIDR 192.168.7.0/24"
MAC               Address
---               -------
16:7D:DA:D7:8F:64 192.168.7.1
00:0C:29:1D:82:CF 192.168.7.7
00:0C:29:A9:62:98 192.168.7.107
00:0C:29:DC:01:0D 192.168.7.110
00:0C:29:DC:01:0D 192.168.7.255

C:\Users\daniel10>arp-scan.exe -t 192.168.7.0/24
Reply that 16:7D:DA:D7:8F:64 is 192.168.7.1 in 11.278300
Reply that 00:0C:29:1D:82:CF is 192.168.7.7 in 16.140500
Reply that 00:0C:29:A9:62:98 is 192.168.7.107 in 15.233500
Reply that 00:0C:29:DC:01:0D is 192.168.7.110 in 0.080700
Reply that 00:0C:29:DC:01:0D is 192.168.7.255 in 0.071500

for /l %i in (1,1,255) do @arp-ping.exe 192.168.7.%i -w 1 -n 1|find /i "Reply"

C:\Users\daniel10>for /l %i in (1,1,255) do @arp-ping.exe 192.168.7.%i -w 1 -n 1|find /i "Reply"
Reply that 16:7D:DA:D7:8F:64 is 192.168.7.1 in 2.233ms
Reply that 00:0C:29:A9:62:98 is 192.168.7.107 in 16.857ms
Reply that 00:0C:29:DC:01:0D is 192.168.7.110 in 0.205ms
Reply that 00:0C:29:DC:01:0D is 192.168.7.255 in 0.200ms

(Empire: listeners) > agents
[*] Active agents:
 Name     La Internal IP     Machine Name      Username                Process            PID    Delay    Last Seen
 ----     -- -----------     ------------      --------                -------            ---    -----    ---------
 APDGSW9X ps 192.168.7.7     DC                *TEAMSSIX\administrator powershell         3648   5/0.0    2021-02-23 20:43:27
(Empire: agents) > usemodule powershell/situational_awareness/network/arpscan
(Empire: powershell/situational_awareness/network/arpscan) > set Agent APDGSW9X
(Empire: powershell/situational_awareness/network/arpscan) > set CIDR 192.168.7.0/24
(Empire: powershell/situational_awareness/network/arpscan) > execute
MAC               Address      
---               -------      
16:7D:DA:D7:8F:64 192.168.7.1  
00:0C:29:1D:82:CF 192.168.7.7  
00:0C:29:A9:62:98 192.168.7.107
00:0C:29:DC:01:0D 192.168.7.110
00:0C:29:1D:82:CF 192.168.7.255

C:\Users\daniel10>nbtscan.exe 192.168.7.0/24
192.168.7.1     \DP
192.168.7.7     TEAMSSIX\DC                     SHARING DC
192.168.7.107   TEAMSSIX\DANIEL7                SHARING
*timeout (normal end of scan)

teamssix@localhost:~# unicornscan -mU 192.168.7.7
UDP open              domain[   53]     from 192.168.7.7  ttl 127

teamssix@localhost:~# for k in $( seq 1 255);do unicornscan -mU 192.168.7.$k|grep "open"|awk -F "[ :]+" '{print $5}'; done
192.168.7.1
192.168.7.7
192.168.7.107

C:\Users\daniel10>scanline.exe -n 192.168.7.0-255
ScanLine (TM) 1.01
Copyright (c) Foundstone, Inc. 2002
http://www.foundstone.com
Scan of 256 IPs started at Tue Feb 23 22:07:40 2021
-------------------------------------------------------------------------------
192.168.7.7
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
192.168.7.107
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
192.168.7.110
Responded in 0 ms.
0 hops away
Responds with ICMP unreachable: No
-------------------------------------------------------------------------------
Scan finished at Tue Feb 23 22:07:49 2021
3 IPs and 0 ports scanned in 0 hours 0 mins 9.16 secs

for /l %a in (1,1,254) do start /min /low telnet 192.168.7.%a 445

C:\Users\daniel10>tcping.exe -n 1 192.168.7.7 445

Probing 192.168.7.7:445/tcp - Port is open - time=1.719ms
Ping statistics for 192.168.7.7:445
     1 probes sent.
     1 successful, 0 failed.  (0.00% fail)
Approximate trip times in milli-seconds:
     Minimum = 1.719ms, Maximum = 1.719ms, Average = 1.719ms

XP/2003(已淘汰,用户少,使用的大部分也会装.net,因为好多app需要连驱动都要.net,具体看安装版本一般2.0)

Vista       2.0(基本上也没多少用户)
Win7/2008   2.0 3.0 3.5
Win8/2012   4.0
Win8.1      4.0 4.5
Win10/2016  4.0 4.6 (4.5未测应该也行)

C:\Users\daniel10>cping40.exe scan osver 192.168.7.1 192.168.7.255
Scan OS version
192.168.7.1---192.168.7.255

Segment: 192.168.7.0
=============================================
IP              MAC               HostName        OSver
192.168.7.7     00-0C-29-1D-82-CF dc.teamssix.com [Win 2008 R2 Datacenter 7601 SP 1]
192.168.7.110   00-0C-29-DC-01-0D daniel10.teamssix.com []
192.168.7.107   00-0C-29-A9-62-98 daniel7.teamssix.com [Win 7 Professional 7601 SP 1]
=============================================
Count:3

C:\Users\daniel10>fscan.exe -h 192.168.7.1-255 -p 22,445
   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.5.1
scan start
(icmp) Target '192.168.7.7' is alive
(icmp) Target '192.168.7.110' is alive
(icmp) Target '192.168.7.107' is alive
icmp alive hosts len is: 3
192.168.7.110:445 open
192.168.7.7:445 open
192.168.7.107:445 open
192.168.7.110 CVE-2020-0796 SmbGhost Vulnerable
192.168.7.110  (Windows 10 Pro 18363)
[+] 192.168.7.7 MS17-010        (Windows Server 2008 R2 Datacenter 7601 Service Pack 1)
[+] 192.168.7.107       MS17-010        (Windows 7 Professional 7601 Service Pack 1)
scan end

ARP 扫描：         nmap -PR -sn 192.168.7.0/24
ICMP 扫描：        nmap ‐sP ‐PI 192.168.7.0/24 ‐T4
ICMP 扫描：        nmap ‐sn ‐PE ‐T4 192.168.7.0/24
SNMP 扫描：        nmap -sU --script snmp-brute 192.168.7.0/24 -T4
UDP 扫描：         nmap -sU -T5 -sV --max-retries 1 192.168.7.7 -p 500
NetBIOS 扫描： nmap --script nbstat.nse -sU -p137 192.168.7.0/24 -T4
SMB 扫描：         nmap ‐sU ‐sS ‐‐script smb‐enum‐shares.nse ‐p 445 192.168.7.0/24
……

auxiliary/scanner/discovery/udp_probe
auxiliary/scanner/discovery/udp_sweep
auxiliary/scanner/discovery/arp_sweep
auxiliary/scanner/netbios/nbname
auxiliary/scanner/snmp/snmp_enum
auxiliary/scanner/smb/smb_version
……