Ping sweep from Windows

Here’s the best Windows command-line one-liner I’ve seen in a very long time: a ping sweep from Windows. Ping sweeps, also known as ping scans, are something every sysadmin and security analyst is likely to need at one point or another. You don’t need a special tool either. It can be as simple as a one-line batch file. Ping sweep scripts for Unix are common, but you won’t always have a Unix box available. You can almost always find a Windows box anywhere you go. That makes a Windows ping sweep useful.

If you’re not familiar with a ping sweep, read on. If you need to quickly scan your network to see if anyone’s added any new systems without telling you–something that only ever happens to me, right?–this tool will help you detect that, then head off those questions about why you haven’t patched and installed antivirus on that new server yet. Sometimes I run this on my home network too, to help me jog my memory.

Ping sweep from Windows in one line

This one-liner uses a lot of cool Windows scripting tricks.

FOR /L %%i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%%i | find "TTL" >> C:\Ping_Sweep_Results.txt

How the ping sweep from Windows works

You can make a nice inventory of live IPs with a one-line Windows ping sweep.

I think it’s useful to know how simple scripts like this Windows ping sweep work, because then you can adapt them to your own needs.

The FOR statement is the key here: it runs the command that follows it once for each value from 1 to 254. I wish I’d known that trick 12 years ago. The /L switch and the (start,step,end) list in parentheses are what make that possible.

The -n and -w switches on the ping command just tell it to take one response and wait longer than usual for it. The defaults don’t always give a busy system enough time to respond, and on a workplace network, you can rest assured some of the systems will be busy.

Replace 192.168.1 with the network you want to scan.

Piping the output through find "TTL" keeps only the reply lines, so machines that don’t reply simply drop out, and then the >> appends what’s left to a file.

A ping sweep from Windows that doesn’t redirect to a file

You can also omit the redirection from the Windows ping sweep if you want.

FOR /L %%i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%%i | find "TTL" | more

This version simply sends the output to the screen, paginating it with the more command.

A better version

If you’re willing to make the batch file longer, you can make it even more useful.

REM Pull the date parts out of "date /t". Which token is which depends on the
REM Windows locale: US English prints "Tue 07/10/2012", so there %%A is the weekday.
For /F "tokens=1,2,3 delims=/ " %%A in ('Date /t') do (
Set Day=%%A
Set Month=%%B
Set Year=%%C
Set All=%%A-%%B-%%C
)
REM -n 1 sends a single echo request; -w 200 waits up to 200 ms for the reply.
REM .255 is the broadcast address on a /24, so stop at 254 like the one-liners above.
FOR /L %%i in (1,1,254) do @ping -n 1 -w 200 192.168.1.%%i | find "TTL" >> c:\pingsweep_results_%all%.txt

The extra lines allow it to append the date to the filename. Then you can run the command on a regular basis and compare against recent results. On recent versions of Windows, when you open the text file in Notepad, hit Ctrl-End to go to the end of the file, then hit Ctrl-G, you’ll get a line count. If the line count changes, then the number of machines on the network has changed.

This isn’t as good as having a system inventory, but it’s more than some large companies have.
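As an added example that is not from the original post: the same dated sweep in PowerShell, which ships with every recent Windows version. It uses an ISO date so the file name does not depend on the locale, and it lists which hosts appeared or vanished since the previous run instead of leaving you to compare line counts. The network prefix, timeout and results folder are assumptions; save it as a .ps1 file and run it from PowerShell.

```powershell
# Added example, not from the original post. Sweeps a /24 the same way the
# batch one-liner does, writes the live IPs to a date-stamped file, and then
# reports which hosts are new or missing compared with the previous run.
param(
    [string]$Prefix    = '192.168.1',   # network to sweep (assumption, edit to taste)
    [int]$TimeoutMs    = 200,           # same as ping -w 200: 200 milliseconds
    [string]$ResultDir = 'C:\pingsweep' # assumed results folder
)

New-Item -ItemType Directory -Path $ResultDir -Force | Out-Null
$ping = New-Object System.Net.NetworkInformation.Ping

# Equivalent of FOR /L %%i in (1,1,254): one echo request per host, keep the
# addresses that answered (the batch version keeps the "TTL" reply lines).
$live = @(foreach ($i in 1..254) {
    $ip = "$Prefix.$i"
    if ($ping.Send($ip, $TimeoutMs).Status -eq 'Success') { $ip }
})

# yyyy-MM-dd sorts correctly and does not depend on the locale, unlike
# parsing the output of "date /t" with a FOR /F loop.
$outFile = Join-Path $ResultDir ("pingsweep_results_{0}.txt" -f (Get-Date -Format 'yyyy-MM-dd'))
$live | Out-File -FilePath $outFile -Encoding ascii
Write-Host "$($live.Count) live hosts written to $outFile"

# Most recent earlier result file, if any (names sort by date thanks to the ISO format).
$previous = Get-ChildItem -Path $ResultDir -Filter 'pingsweep_results_*.txt' |
    Where-Object { $_.FullName -ne $outFile } |
    Sort-Object Name | Select-Object -Last 1
if (-not $previous) { return }

# Set difference in both directions: a changed line count only tells you that
# the number of hosts moved, this tells you which ones (two hosts swapping
# places would leave the count unchanged).
$old = @(Get-Content -Path $previous.FullName | Where-Object { $_ -ne '' })
foreach ($ip in $live) { if ($old -notcontains $ip) { Write-Host "NEW     $ip (not in $($previous.Name))" } }
foreach ($ip in $old)  { if ($live -notcontains $ip) { Write-Host "MISSING $ip (was in $($previous.Name))" } }
```

Running it twice on the same day overwrites that day’s file and compares against the previous day’s results.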

Dealing with firewalls

Some systems are configured not to respond to a ping. But you can still find them. After running the ping sweep, follow up with this one-liner.

arp -a

This dumps the ARP cache, which lists the IP address and MAC address of every system on the local subnet that answered an ARP request during the sweep, even if it never returned an ICMP echo reply: Windows has to resolve the MAC address before it can send the ping, so a host that ignores ping still shows up here. (For a subnet other than your own, the cache only holds your gateway’s entry.) Even when a system doesn’t respond to ping, it may very well be running services on other ports that are open. Or maybe it’s a workstation. In some companies, workstations aren’t allowed to talk to each other and are only allowed to talk to certain servers. I worked in a company like that for a short while.

If it’s more useful, dump the arp cache to a file:

arp -a >>arpcache.txt

This dumps the ARP cache to a file named arpcache.txt. You can use whatever filename you wish.

A ping sweep for larger networks

What if you need to ping a large RFC 1918 network? You can do that too; you just need to nest multiple loops. Just be aware that a ping sweep against a /8 may take a while.

REM Each FOR /L must enclose the next one in parentheses (or sit on the same line).
REM %all% comes from the date-parsing block in the dated version above.
FOR /L %%i in (0,1,255) do (
    FOR /L %%j in (0,1,255) do (
        FOR /L %%k in (1,1,254) do @ping -n 1 -w 200 10.%%i.%%j.%%k | find "TTL" >> c:\pingsweep_results_%all%.txt
    )
)

More useful tricks for the sysadmin or security analyst

I have the opposite of a ping sweep, converting a list of hostnames to IP addresses, if you need that too. If you find stuff like this useful, I’ve collected most of my scripting resources in a single post about scripting Windows sysadmin tasks.

One thought on “Ping sweep from Windows”

  • July 15, 2012 at 6:57 pm

    Oh, man, you just made my month… ;-D
