Here’s the best Windows command-line one-liner I’ve seen in a very long time: a ping sweep from Windows. Ping sweeps, also known as ping scans, are something every sysadmin and security analyst is likely to need at one point or another. You don’t need a special tool either. It can be as simple as a one-line batch file. Ping sweep scripts for Unix are common, but you won’t always have a Unix box available. You can almost always find a Windows box anywhere you go. That makes a Windows ping sweep useful.
If you’re not familiar with a ping sweep, read on. If you need to quickly scan your network to see if anyone’s added any new systems without telling you–something that only ever happens to me, right?–this tool will help you detect that, then head off those questions about why you haven’t patched and installed antivirus on that new server yet. Sometimes I run this on my home network too, to help me jog my memory.
Ping sweep from Windows in one line
If you’d rather use a tool, here’s a free tool and how to use it. But using the command line is also a useful skill.
This one-liner uses a lot of cool Windows scripting tricks. Note that the doubled %%i is batch-file syntax; if you type the line directly at a command prompt instead of saving it as a .bat file, use a single %i.
FOR /L %%i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%%i | find "TTL" >> C:\Ping_Sweep_Results.txt
How the ping sweep from Windows works
I think it’s useful to know how simple scripts like this Windows ping sweep work, because then you can adapt them to your own needs.
The FOR statement is the key here: it runs the command that follows once for each value from 1 to 254. I wish I'd known that trick 12 years ago. That's what the /L switch and the list in parentheses do: /L makes FOR count through a numeric range, and (1,1,254) means start at 1, step by 1, and stop at 254.
The -n and -w switches on the ping command control how long the sweep spends on each address: -n 1 sends a single echo request instead of the usual four, and -w 200 caps the wait for its reply at 200 milliseconds. Raise that value if busy systems on your network need longer to answer, and on a workplace network you can rest assured some of the systems will be busy.
Replace 192.168.1 with the network you want to scan.
Piping the output through the find command keeps only the lines containing "TTL", which are the reply lines, so machines that don't answer produce no output at all. The >> then appends the surviving lines to a file.
A ping sweep from Windows that doesn’t redirect to a file
You can also omit the redirection from the Windows ping sweep if you want.
FOR /L %%i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%%i | find "TTL" | more
This version simply sends the output to the screen, paginating it with the more command.
A better version
If you’re willing to make the batch file longer, you can make it even more useful.
@echo off
REM Build a date stamp from "date /t". On en-US Windows it prints "Tue 01/02/2024";
REM with "/" and space as delimiters, tokens 2,3,4 are month, day and year.
REM Other locales order the date differently, so adjust the token numbers to match.
For /F "tokens=2,3,4 delims=/ " %%A in ('Date /t') do (
    set all=%%C-%%A-%%B
)
REM Same sweep as before, with the date stamp appended to the results filename.
FOR /L %%i in (1,1,254) do ping -n 1 -w 200 192.168.1.%%i | find "TTL" >> c:\pingsweep_results_%all%.txt
The extra lines allow it to append the date to the filename. Then you can run the command on a regular basis and compare against recent results. On recent versions of Windows, when you open the text file in Notepad, hit Ctrl-End to go to the end of the file, then hit Ctrl-G, you’ll get a line count. If the line count changes, then the number of machines on the network has changed.
This isn’t as good as having a system inventory, but it’s more than some large companies have.
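The sweeps above leave you with files full of "Reply from ..." lines. The following Python script is an added example, not code from the original post: it parses two such result files (constructed here inline), reports which addresses appeared or disappeared between runs, and uses the TTL in each reply to make a rough guess at the responder's operating-system family. The sample lines and the TTL heuristic are assumptions of the example. One detail worth knowing: the find "TTL" filter also lets through "TTL expired in transit" lines, which come from routers rather than the address you pinged, so the parser only accepts lines that carry an actual TTL= value.

```python
import re
from typing import Dict, List

# Constructed sample results from two runs of the sweep; only the lines that
# passed the find "TTL" filter are present. The "TTL expired in transit" line
# in the second run is the kind of false positive that filter lets through.
SWEEP_YESTERDAY = """\
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.10: bytes=32 time=1ms TTL=128
Reply from 192.168.1.20: bytes=32 time=3ms TTL=128
"""

SWEEP_TODAY = """\
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.10: bytes=32 time=1ms TTL=128
Reply from 192.168.1.37: bytes=32 time=2ms TTL=64
Reply from 192.168.1.1: TTL expired in transit.
"""

# Only genuine echo replies carry "TTL=<n>"; "TTL expired in transit" does not match.
REPLY_RE = re.compile(r"^Reply from (\d{1,3}(?:\.\d{1,3}){3}): .*\bTTL=(\d+)\s*$")


def ip_key(ip: str):
    """Sort key so 192.168.1.9 comes before 192.168.1.10."""
    return tuple(int(octet) for octet in ip.split("."))


def responders(sweep_output: str) -> Dict[str, int]:
    """Map every IP that sent an echo reply to the TTL it reported."""
    hosts: Dict[str, int] = {}
    for line in sweep_output.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            hosts[m.group(1)] = int(m.group(2))
    return hosts


def guess_os_family(ttl: int) -> str:
    """Rough heuristic (an assumption of this example, not a fingerprint):
    initial TTLs of 64, 128 and 255 are typical of Unix-like systems, Windows
    and network gear respectively; a few hops may have decremented the value."""
    if ttl <= 64:
        return "Unix-like"
    if ttl <= 128:
        return "Windows"
    return "network device"


def compare_sweeps(old_output: str, new_output: str) -> Dict[str, List[str]]:
    """Which addresses started or stopped answering between two sweeps."""
    before, after = responders(old_output), responders(new_output)
    return {
        "appeared": sorted(set(after) - set(before), key=ip_key),
        "disappeared": sorted(set(before) - set(after), key=ip_key),
    }


if __name__ == "__main__":
    changes = compare_sweeps(SWEEP_YESTERDAY, SWEEP_TODAY)
    today = responders(SWEEP_TODAY)
    for ip in changes["appeared"]:
        print(f"new responder {ip} (TTL {today[ip]}, looks like {guess_os_family(today[ip])})")
    for ip in changes["disappeared"]:
        print(f"no longer answering: {ip}")
```

Point the two constants at yesterday's and today's pingsweep_results files and the script tells you which hosts are new, which is the question the line count in Notepad only answers indirectly: a new box appearing on the same day an old one went away leaves the count unchanged.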
Dealing with firewalls
Some systems are configured not to respond to a ping, but you can still find them. After running the ping sweep, follow up with this one-liner:
arp -a
This dumps the ARP cache, which lists the IP address and MAC address of every live system on the local subnet that your machine has exchanged traffic with, even the ones that never sent back an ICMP reply: pinging an address on the local subnet triggers an ARP request first, and a host that answers ARP lands in the cache whether or not it answers ping. ARP does not cross routers, so this only covers the subnet your machine is attached to, and dynamic entries age out of the cache after a short time, so run it right after the sweep. Even when a system doesn't respond to ping, it may very well be running services on other ports that are open. Or maybe it's a workstation. In some companies, workstations aren't allowed to talk to each other and are only allowed to talk to certain servers. I worked in a company like that for a short while.
If it's more useful, dump the ARP cache to a file:
arp -a >>arpcache.txt
This appends the ARP cache to a file named arpcache.txt. You can use whatever filename you wish.
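The arp -a output is easy to parse as well. This Python script is an added example rather than something from the original post: it reads a constructed sample of Windows arp -a output, keeps only the dynamic entries (the static ones are broadcast and multicast placeholders, not hosts), remembers which local interface each entry was learned on, and reports the hosts that are present in the ARP cache but absent from a constructed set of ping responders. The sample output and the responder set are assumptions of the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample of "arp -a" output from a Windows host with two interfaces.
ARP_OUTPUT = """\

Interface: 192.168.1.10 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.1.42          aa-bb-cc-dd-ee-02     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static

Interface: 10.0.0.5 --- 0x3
  Internet Address      Physical Address      Type
  10.0.0.1              00-11-22-33-44-66     dynamic
  10.0.0.255            ff-ff-ff-ff-ff-ff     static
"""

# Constructed set of addresses that answered the ping sweep.
PING_RESPONDERS: Set[str] = {"192.168.1.1", "192.168.1.20", "10.0.0.1"}

# One data row: IP, MAC in Windows' dash-separated form, then the entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp(output: str) -> List[Dict[str, str]]:
    """Return one record per dynamic ARP entry, tagged with the interface that learned it."""
    entries: List[Dict[str, str]] = []
    interface = ""
    for line in output.splitlines():
        if line.startswith("Interface:"):
            interface = line.split()[1]   # "Interface: 192.168.1.10 --- 0xb"
            continue
        m = ARP_ROW.match(line)
        if not m:
            continue                      # header, blank, or malformed line
        ip, mac, entry_type = m.groups()
        if entry_type.lower() != "dynamic":
            continue                      # static rows are broadcast/multicast, not hosts
        entries.append({"interface": interface, "ip": ip, "mac": mac.lower()})
    return entries


def silent_hosts(arp_output: str, responders: Set[str]) -> List[Dict[str, str]]:
    """ARP entries for hosts that never sent an echo reply: live, but not answering ping."""
    return [entry for entry in parse_arp(arp_output) if entry["ip"] not in responders]


if __name__ == "__main__":
    for entry in silent_hosts(ARP_OUTPUT, PING_RESPONDERS):
        print(f"{entry['ip']} ({entry['mac']}) on {entry['interface']} is up but ignores ping")
```

Feed it the contents of arpcache.txt and the addresses from your pingsweep_results file and the hosts it lists are the ones that would have stayed invisible to the sweep alone; the MAC address is usually enough to tell a printer or a switch from a box someone plugged in without telling you.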
A ping sweep for larger networks
What if you need to ping a large RFC 1918 network? You can do that too; you just need to nest multiple loops. Be aware that a ping sweep against a /8 covers over sixteen million addresses, so it will take a very long time.
REM In a batch file, each "do" must be followed by its command on the same line
REM or by an opening parenthesis, so the inner loops are wrapped in parentheses.
REM %all% is the date stamp set by the For /F block in the previous section;
REM drop it from the filename if you are not using that block.
FOR /L %%i in (0,1,255) do (
    FOR /L %%j in (0,1,255) do (
        FOR /L %%k in (1,1,254) do ping -n 1 -w 200 10.%%i.%%j.%%k | find "TTL" >> c:\pingsweep_results_%all%.txt
    )
)
More useful tricks for the sysadmin or security analyst
I have the opposite of a ping sweep, converting a list of hostnames to IP addresses, if you need that too. If you find stuff like this useful, I’ve collected most of my scripting resources in a single post about scripting Windows sysadmin tasks.
Oh, man, you just made my month… ;-D