PowerShell Pinger
by Vince
I own most, if not all, of the Hak5 gear because I like to see how each product works and possibly come up with a way to prevent the attack.
The other day I received an email from them, went to their website, and was reminded of Bash Bunny. I then wondered what it would take to make a Bash Bunny script to ping scan the network. Then I wondered what it would take to do that in PowerShell, eliminating the Bunny from the equation. And that's where this post is headed.
In Linux, I might not necessarily know the exact syntax for what I want to do, but I probably have a good idea as to which commands I can use to do it. I know that from ifconfig, I can get the IP address. And with various other commands like sed, awk, cut, head, and tail, I can isolate exactly what I want.
The following one-liner parses ifconfig for the subnet:
ifconfig | grep inet | head -1 | awk '{print $2}' | awk 'BEGIN{FS="."}{print $1"."$2"."$3"."}'
To perform this same task in PowerShell was a total mystery. That's sort of the point though. The idea is not to become a wizard in PowerShell but to learn commands I wouldn't normally learn. With Linux, I just know these commands and if ever there comes a time when I actually need to do something, I at least know some commands to use.
Without first feeding it any portion of the IP address, I want to retrieve the IP address, parse it for the first three octets, then ping the network while ignoring the errors:

$snet = Get-WmiObject -Class Win32_IP4RouteTable |
    Where-Object { $_.destination -eq '0.0.0.0' -and $_.mask -eq '0.0.0.0' } |
    Sort-Object metric1 | Select-Object nexthop, metric1, interfaceindex
$line = $snet -split "nexthop="
$ip = $line -split ";"
$netw = $ip[1]
$ipoct = $netw.split(".")
$value = ($ipoct[0] + "." + $ipoct[1] + "." + $ipoct[2])
$start = 1
$end = 254
while ($start -le $end) {
    Test-Connection "$value.$start" -Count 1 2> $null
    $start++
}
It's pretty slow in the actual process of pinging, but aside from that, it works like I wanted.
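The slowness comes from Test-Connection waiting on each host in turn. As an added example (not code from the original post), here is the same default-route /24 sweep done with asynchronous .NET pings so all 254 requests are in flight at once. It assumes Windows PowerShell 5.1 or later with the NetTCPIP module (Get-NetRoute) available, and, like the script above, assumes the network is a /24.

```powershell
# Added example, not from the original post: sweep the default-route /24
# with System.Net.NetworkInformation.Ping.SendPingAsync instead of calling
# Test-Connection one host at a time. Assumes Get-NetRoute is available.

# Lowest-metric default route; take the gateway's first three octets,
# the same /24 assumption the script above makes with Win32_IP4RouteTable.
$gw = Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric, InterfaceMetric |
    Select-Object -First 1 -ExpandProperty NextHop
$prefix = ($gw -split '\.')[0..2] -join '.'

# Start all 254 pings at once. Each SendPingAsync returns a Task that
# completes when a reply arrives or the timeout (1 s) expires.
$timeoutMs = 1000
$tasks = foreach ($i in 1..254) {
    $pinger = New-Object System.Net.NetworkInformation.Ping
    [pscustomobject]@{
        Host   = "$prefix.$i"
        Pinger = $pinger
        Task   = $pinger.SendPingAsync("$prefix.$i", $timeoutMs)
    }
}

# Block until every task has finished, then keep only the hosts that
# answered. Unreachable hosts come back as TimedOut, not as exceptions.
[System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$tasks.Task)
$alive = foreach ($t in $tasks) {
    if ($t.Task.Result.Status -eq 'Success') {
        [pscustomobject]@{
            Host  = $t.Host
            RttMs = $t.Task.Result.RoundtripTime
        }
    }
    $t.Pinger.Dispose()
}

$alive | Format-Table -AutoSize
```

The whole sweep finishes in roughly one timeout interval instead of minutes. Expect it to show up as a burst of 254 ICMP echo requests from one source in firewall or flow logs, which is the pattern to alert on when hunting for sweeps from a compromised workstation.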
You might be asking why I didn't comment my code. That's a good question. The answer is this -- the point here is not to make a PowerShell script for pinging, the point is to take an idea, make it happen, and learn some methods for accomplishing specific tasks.
If I find myself on a Linux machine without Python, without Perl, without ???, I can live off the land quite well with Bash. Oddly, having spent numerous years in Windows environments, I can't say the same. That's not to say that I can't execute commands, THAT I can do! I'm well versed in Windows commands. But to automate would be more difficult -- mostly because Windows is heavily based on the GUI and Linux not so much.
If my goal was to scan the network for IPs, I'd use Nmap. But again, if I were without Nmap, I could drop to a command line and run something like this:

for /l %i in (1,1,254) do (ping -n 1 192.168.86.%i)
The output is messy. PowerShell gives us a clean output. When we look at our script, it's not complicated. It starts with the Get-WmiObject query against Win32_IP4RouteTable, which selects the default route (destination 0.0.0.0 and mask 0.0.0.0) and returns the gateway's nexthop, its metric1, and the interfaceindex. From there, it's a matter of parsing that output and getting to what we want.
Bottom line -- I think I want to learn to live off the land more in Windows than relying on packaged tools. That's not to say that I want to learn how to hammer nails with a rock but if ever I should only have a rock, I can accomplish the task.