
Network Scan - script

in my path of replacing my life with terminal tools so i can make sure my bloodline ends with me, i realized i only use Angry IP Scanner to find open ports and IPs on my default internal network.
so naturally i decided to waste my time and write a minimal, simple tool that does exactly that.

my single ass previously wrote a tool called Negah that does some of this and a lot more, but it was built on top of nmap and a bunch of other stuff.
this time i needed something extremely minimal that doesn’t depend on anything that isn’t already installed by default on mac and linux systems.

output example:

      
bash
bash network-scan.sh
Subnet: 192.168.0.0/24

[INFO] discovering hosts...

Hosts found:
192.168.0.1
192.168.0.104
192.168.0.231

Host 192.168.0.1
 scanning [####################] 20/20
 53 (dns)
 80 (http web)
 443 (https web)
Host 192.168.0.104
 scanning [####################] 20/20
 8080 (http proxy)
Host 192.168.0.231
 scanning [####################] 20/20
 22 (ssh)
 80 (http web)
 443 (https web)

[DONE]

help:

      
bash
networkscan --help
network-scan - simple bash network scanner

Usage: script.sh [options]

Options:
  --level basic|medium|full   Port scan level (default: basic)
  --range START-END           Port range for full scan
  --discover-only             Only find devices
  --iface IFACE               Network interface (default: en0)
  -h, --help                  Show help

use this so you can call it anywhere:

      
bash
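# Mark the script executable so it can be run directly.
chmod +x network-scan.sh

# Expose it on PATH as `networkscan`.
# NOTE(review): the link sits in a root-owned directory but points at a file
# inside a home-directory checkout (presumably user-writable). Whoever can edit
# that file decides what `networkscan` executes, so it should not be run via
# sudo; a root-owned copy avoids that at the cost of not tracking later edits.
sudo ln -s /Users/danial/codes/network-scan/network-scan.sh /usr/local/bin/networkscan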

network-scan.sh:

      
bash
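#!/bin/bash
#
# network-scan - minimal host discovery and TCP port check for the local /24,
# using only ping, nc and awk.
#
# Usage: network-scan.sh [--level basic|medium|full] [--range START-END]
#                        [--discover-only] [--iface IFACE] [-h|--help]
#
# Environment:
#   NET_SCAN_KEEP_LOG=1   keep the debug log (stderr of ping/nc) after the run;
#                         its path is printed on stderr.
#
# Notes:
#   * The subnet is always treated as a /24 built from the first three octets
#     of the interface address, whatever the real netmask is.
#   * Port checks are TCP connects (nc -z). UDP-only services listed in
#     port_info are never detected by this script.
#   * Labels printed next to a port come from the port number alone; they are
#     not a fingerprint of what is actually listening.

INTERFACE="en0"
LEVEL="basic"
DISCOVERY_ONLY=0
RANGE_START=1
RANGE_END=65535

# Print a message on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

print_help() {
  cat <<'EOF'
network-scan - simple bash network scanner

Usage: script.sh [options]

Options:
  --level basic|medium|full   Port scan level (default: basic)
  --range START-END           Port range for full scan
  --discover-only             Only find devices
  --iface IFACE               Network interface (default: en0)
  -h, --help                  Show help
EOF
}

# Map a port number ($1) to a short human-readable label on stdout.
# The label is a lookup by number only; any service can listen on any port.
port_info() {
  case "$1" in
    20) echo "ftp-data" ;;
    21) echo "ftp" ;;
    22) echo "ssh" ;;
    23) echo "telnet" ;;
    25) echo "smtp mail" ;;
    53) echo "dns" ;;
    67|68) echo "dhcp" ;;
    69) echo "tftp" ;;
    80) echo "http web" ;;
    81|82|83) echo "alt http" ;;
    88) echo "kerberos auth" ;;
    110) echo "pop3 mail" ;;
    119) echo "nntp news" ;;
    123) echo "ntp time" ;;
    135) echo "rpc windows" ;;
    137|138) echo "netbios" ;;
    139) echo "windows share" ;;
    143) echo "imap mail" ;;
    179) echo "bgp routing" ;;
    389) echo "ldap directory" ;;
    443) echo "https web" ;;
    445) echo "windows smb" ;;
    465) echo "smtps mail" ;;
    500) echo "ipsec vpn" ;;
    512|513|514) echo "r services" ;;
    520) echo "rip routing" ;;
    540) echo "uucp" ;;
    548) echo "afp apple" ;;
    554) echo "rtsp stream" ;;
    563) echo "nntps news" ;;
    587) echo "smtp submit" ;;
    631) echo "ipp printing" ;;
    636) echo "ldaps secure" ;;
    646) echo "ldp mpls" ;;
    666|667) echo "irc chat" ;;
    700) echo "epp domain" ;;
    705) echo "agent service" ;;
    711) echo "cisco tftp" ;;
    714) echo "iris" ;;
    720) echo "isis routing" ;;
    722) echo "netview" ;;
    726) echo "l2tp vpn" ;;
    749) echo "kerberos admin" ;;
    765) echo "webster" ;;
    777) echo "multimedia" ;;
    783) echo "spamassassin" ;;
    800) echo "mdbs" ;;
    801) echo "device control" ;;
    808) echo "ccproxy" ;;
    843) echo "flash policy" ;;
    873) echo "rsync" ;;
    880) echo "http alt" ;;
    888) echo "access builder" ;;
    898) echo "sun web" ;;
    900) echo "sonarqube" ;;
    901) echo "tor service" ;;
    902) echo "vmware auth" ;;
    903) echo "vmware web" ;;
    911|912) echo "network agent" ;;
    981) echo "samba web" ;;
    987) echo "netmanage" ;;
    990) echo "ftps" ;;
    992) echo "telnet ssl" ;;
    993) echo "imap ssl" ;;
    995) echo "pop3 ssl" ;;
    999) echo "garcon" ;;
    1000) echo "webmin" ;;
    1080) echo "socks proxy" ;;
    1194) echo "openvpn" ;;
    1433) echo "mssql db" ;;
    1521) echo "oracle db" ;;
    1723) echo "pptp vpn" ;;
    1883) echo "mqtt broker" ;;
    2049) echo "nfs share" ;;
    2082|2083) echo "cpanel" ;;
    2095|2096) echo "webmail" ;;
    2181) echo "zookeeper" ;;
    2222) echo "ssh alt" ;;
    2375|2376) echo "docker api" ;;
    2483|2484) echo "oracle ssl" ;;
    3000|3001) echo "dev web" ;;
    3128) echo "squid proxy" ;;
    3306) echo "mysql db" ;;
    3389) echo "rdp remote" ;;
    3690) echo "svn repo" ;;
    4000) echo "dev server" ;;
    4444) echo "metasploit" ;;
    4567) echo "ruby web" ;;
    4664) echo "google desktop" ;;
    4899) echo "radmin remote" ;;
    5000|5001|5002) echo "dev api" ;;
    5060|5061) echo "sip voip" ;;
    5432) echo "postgres db" ;;
    5555) echo "adb debug" ;;
    5601) echo "kibana web" ;;
    5666) echo "nagios agent" ;;
    5800) echo "vnc web" ;;
    5900) echo "vnc remote" ;;
    5985|5986) echo "winrm remote" ;;
    6000) echo "x11 display" ;;
    6379) echo "redis db" ;;
    6666|6667) echo "irc chat" ;;
    7000|7001) echo "weblogic" ;;
    7070|7071) echo "http admin" ;;
    7080) echo "http alt" ;;
    7443) echo "https alt" ;;
    7474) echo "neo4j web" ;;
    7777) echo "game server" ;;
    8000|8008|8009) echo "dev http" ;;
    8080|8081|8088) echo "http proxy" ;;
    8090|8091) echo "admin http" ;;
    8443) echo "https alt" ;;
    8888) echo "dev web" ;;
    9000) echo "sonar web" ;;
    9042) echo "cassandra db" ;;
    9090|9091) echo "metrics web" ;;
    9200) echo "elasticsearch" ;;
    9418) echo "git server" ;;
    9999) echo "dev service" ;;
    10000) echo "webmin admin" ;;
    11211) echo "memcached" ;;
    27017) echo "mongodb db" ;;
    *) echo "unknown" ;;
  esac
}

# Abort unless the option named in $1 is followed by a value.
# $2 is the number of arguments still unparsed (including the option itself).
# Without this check a trailing "--level" makes `shift 2` fail and the parse
# loop spin forever.
need_value() {
  if (( $2 < 2 )); then
    die "Option $1 requires a value"
  fi
}

# Print the IPv4 address of interface $1, or nothing if it cannot be found.
local_ipv4() {
  local iface=$1
  if [[ "$OS" == "Darwin" ]]; then
    ipconfig getifaddr "$iface" 2>/dev/null
  elif command -v ip >/dev/null 2>&1; then
    ip -4 -o addr show dev "$iface" 2>/dev/null \
      | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
  fi
}

# Regexes are kept in variables so [[ =~ ]] behaves the same on old bash.
range_re='^([0-9]{1,5})-([0-9]{1,5})$'
iface_re='^[A-Za-z0-9][A-Za-z0-9_.:-]*$'
ipv4_re='^([0-9]{1,3}\.){3}[0-9]{1,3}$'

while [[ $# -gt 0 ]]; do
  case "$1" in
    --level)
      need_value "$1" "$#"
      LEVEL="$2"
      shift 2
      ;;
    --range)
      need_value "$1" "$#"
      # Accept digits only: the bounds are later used in arithmetic context,
      # where arbitrary text would be evaluated as an expression.
      if [[ "$2" =~ $range_re ]]; then
        RANGE_START=$((10#${BASH_REMATCH[1]}))
        RANGE_END=$((10#${BASH_REMATCH[2]}))
      else
        die "Invalid --range '$2' (expected START-END, e.g. 1-1024)"
      fi
      if (( RANGE_START < 1 || RANGE_END > 65535 || RANGE_START > RANGE_END )); then
        die "Invalid --range '$2' (need 1 <= START <= END <= 65535)"
      fi
      shift 2
      ;;
    --discover-only)
      DISCOVERY_ONLY=1
      shift
      ;;
    --iface)
      need_value "$1" "$#"
      # Reject names that could be taken for an option by ipconfig/ip.
      if [[ ! "$2" =~ $iface_re ]]; then
        die "Invalid interface name '$2'"
      fi
      INTERFACE="$2"
      shift 2
      ;;
    -h|--help)
      print_help
      exit 0
      ;;
    *)
      die "Unknown option $1"
      ;;
  esac
done

# "medium" is advertised in the help text but has no port list of its own;
# like any other non-"full" value it uses the basic list.
case "$LEVEL" in
  basic|medium|full) ;;
  *)
    printf '[WARN] unknown level "%s", using basic\n' "$LEVEL" >&2
    LEVEL="basic"
    ;;
esac

# ping and nc spell their timeout flags differently per platform:
# on macOS `ping -t` / `nc -G` are timeouts, elsewhere `ping -W` / `nc -w`.
OS=$(uname -s)
if [[ "$OS" == "Darwin" ]]; then
  PING_OPTS=(-c 1 -t 1)
  NC_OPTS=(-z -G 1)
else
  PING_OPTS=(-c 1 -W 1)
  NC_OPTS=(-z -w 1)
fi

IP=$(local_ipv4 "$INTERFACE")
if [[ ! "$IP" =~ $ipv4_re ]]; then
  die "Could not determine an IPv4 address for interface $INTERFACE (try --iface)"
fi
SUBNET=${IP%.*}

# Private scratch directory instead of fixed names under /tmp: a predictable
# path can be pre-created (for example as a symlink) by another local user,
# and the truncating redirects would then follow it.
WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/net_scan.XXXXXX") || die "mktemp failed"
TMP="$WORKDIR/hosts.txt"
LOG="$WORKDIR/debug.log"

# Remove scratch files on every exit path; keep the log only on request.
cleanup() {
  if [[ "${NET_SCAN_KEEP_LOG:-0}" == "1" && -s "$LOG" ]]; then
    rm -f -- "$TMP"
    printf '[INFO] debug log kept at %s\n' "$LOG" >&2
  else
    rm -rf -- "${WORKDIR:?}"
  fi
}
trap cleanup EXIT
trap 'exit 130' INT TERM

: > "$TMP"
: > "$LOG"

echo "Subnet: $SUBNET.0/24"
echo
echo "[INFO] discovering hosts..."

# One background ping per candidate address; responders are appended to $TMP.
for i in {1..254}; do
  (
    TARGET="$SUBNET.$i"
    if ping "${PING_OPTS[@]}" "$TARGET" >/dev/null 2>>"$LOG"; then
      echo "$TARGET" >> "$TMP"
    fi
  ) &
done
wait

# Background jobs finish in arbitrary order; sort by last octet for stable output.
sort -t . -k 4,4n -o "$TMP" "$TMP"

echo
echo "Hosts found:"
cat "$TMP"
echo

if [ "$DISCOVERY_ONLY" -eq 1 ]; then
  exit 0
fi

PORTS_BASIC=(21 22 23 25 53 80 110 139 143 443 445 3389 5900 8080 8443 3000 5000 6379 3306 5432)

# --range only matters for --level full; every other level uses the basic list.
if [ "$LEVEL" == "full" ]; then
  PORTS=()
  for ((p = RANGE_START; p <= RANGE_END; p++)); do
    PORTS+=("$p")
  done
else
  PORTS=("${PORTS_BASIC[@]}")
fi

TOTAL_PORTS=${#PORTS[@]}

while IFS= read -r HOST; do
  echo "Host $HOST"
  OPEN=()
  COUNT=0

  for PORT in "${PORTS[@]}"; do
    COUNT=$((COUNT + 1))

    # 20-cell progress bar redrawn in place with a carriage return.
    PROGRESS=$((COUNT * 20 / TOTAL_PORTS))
    BAR="["
    for ((i = 0; i < 20; i++)); do
      if [ "$i" -lt "$PROGRESS" ]; then BAR+="#"; else BAR+="."; fi
    done
    BAR+="]"
    printf "\r scanning %s %d/%d" "$BAR" "$COUNT" "$TOTAL_PORTS"

    # stdin is redirected so nc cannot read from the host list feeding this loop.
    if nc "${NC_OPTS[@]}" "$HOST" "$PORT" </dev/null >/dev/null 2>>"$LOG"; then
      DESC=$(port_info "$PORT")
      OPEN+=("$PORT:$DESC")
    fi
  done

  echo

  if [ "${#OPEN[@]}" -eq 0 ]; then
    echo " no open ports"
  else
    for ENTRY in "${OPEN[@]}"; do
      # Entries are "PORT:DESC"; split on the first colon.
      PORT=${ENTRY%%:*}
      DESC=${ENTRY#*:}
      echo " $PORT ($DESC)"
    done
  fi
done < "$TMP"

echo
echo "[DONE]"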