Enumeration – Windows
Network Interfaces & Routes
ipconfig
netstat -r
netstat -antb | findstr 1080
ipconfig – interface configuration (IPv4/IPv6 addresses, masks, gateways).
netstat -r – routing table (same output as route print).
netstat -antb – all TCP connections and listeners, numeric, with the owning executable (-b requires an elevated prompt; use -o instead for the PID). Filter with findstr 1080 to spot SOCKS/proxy listeners on the usual port.
Internal Ping Sweeps (IPv4)
CMD For Loop
for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
Note: "Reply from <your IP>: Destination host unreachable" also matches "Reply"; filter on "TTL=" instead if you only want real answers.
PowerShell – Basic Sweep
1..254 | % { ping -n 1 -w 300 172.16.6.$_ | findstr "TTL=" }
PowerShell – Test-Connection-Based
1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.16.5.$($_) -quiet)"}
# Output to file
1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"} | findstr "True" >> hosts.txt
Adjust the subnets (172.16.5.x, 172.16.6.x, etc.) to match the internal ranges discovered from ipconfig / route print.
Note: A ping sweep may not get replies on the first attempt, especially when the targets sit across a router, because the first packet is dropped while the host or gateway builds its ARP cache entry. Run the sweep at least twice so the ARP entries exist on the second pass.
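The steps above combined into one script, as an added example rather than something from the original notes: it derives the /24 ranges from the host's own IPv4 interfaces (or takes them as an argument), pings each address up to two times to cover the ARP-cache caveat, filters on "TTL=" so unreachable replies are not counted, and writes the live hosts to hosts.txt. The function name Invoke-PingSweep and the parameter names are assumptions for this example.

```powershell
# Added example, not from the original notes. Sweep every /24 the host is attached to,
# retrying each address so the first ICMP echo lost to ARP resolution does not hide a host.
function Invoke-PingSweep {
    param(
        [string[]]$Subnets,            # first three octets, e.g. '172.16.5','172.16.6'
        [int]$Attempts  = 2,           # >= 2 because of the ARP-cache caveat
        [int]$TimeoutMs = 300,         # ping -w value in milliseconds
        [string]$OutFile = 'hosts.txt'
    )

    # No subnets given: derive them from the IPv4 interfaces (skip loopback and APIPA).
    # Only prefixes of /24 or longer are expanded so the sweep stays bounded.
    if (-not $Subnets) {
        $Subnets = Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object {
                $_.IPAddress -notlike '127.*' -and
                $_.IPAddress -notlike '169.254.*' -and
                $_.PrefixLength -ge 24
            } |
            ForEach-Object { ($_.IPAddress -split '\.')[0..2] -join '.' } |
            Sort-Object -Unique
    }

    $alive = @()
    foreach ($net in $Subnets) {
        foreach ($i in 1..254) {
            $ip = "$net.$i"
            $up = $false
            for ($a = 1; ($a -le $Attempts) -and (-not $up); $a++) {
                # One echo (-n 1), short timeout (-w). "TTL=" only appears on a genuine
                # reply; "Destination host unreachable" lines do not contain it.
                $out = ping.exe -n 1 -w $TimeoutMs $ip 2>$null
                if ($out -match 'TTL=') { $up = $true }
            }
            if ($up) {
                Write-Host "$ip is up"
                $alive += $ip
            }
        }
    }

    $alive | Set-Content -Path $OutFile
    return $alive
}

# Usage: sweep the ranges from the host's own interfaces, or name them explicitly.
Invoke-PingSweep
# Invoke-PingSweep -Subnets '172.16.5','172.16.6' -Attempts 3
```

The second attempt is only issued for addresses that did not answer the first time, so the retry costs little on a mostly empty range. Raise -TimeoutMs on slow links; 300 ms is fine on a LAN but drops hosts behind a WAN hop.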
IPv6
Ping Sweep
netsh interface ipv6 show interfaces
ping -6 ff02::1%<InterfaceIndex>   # all-nodes link-local multicast; e.g. ping -6 ff02::1%16 when the Idx column shows 16
# Check the neighbor table immediately afterward: the cache entries created by the replies age out within seconds.
Neighbor Table
netsh interface ipv6 show neighbors
# View All Neighbor Cache Entries (IPv4 + IPv6)
Get-NetNeighbor
# Filter by protocol
Get-NetNeighbor -AddressFamily IPv6
Get-NetNeighbor -AddressFamily IPv6 | Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias
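The IPv6 sweep and neighbor-table steps above as one script, added here as an example rather than taken from the original notes: for every connected non-loopback IPv6 interface it pings the all-nodes multicast address ff02::1 with that interface's zone index, then reads the neighbor cache straight away and keeps only entries that reflect an actual exchange (Reachable, Stale, Delay, Probe), dropping multicast and Permanent entries. The function name Invoke-IPv6NeighborDiscovery is an assumption for this example.

```powershell
# Added example, not from the original notes. Discover on-link IPv6 hosts by
# multicast ping and capture the neighbor cache before the entries expire.
function Invoke-IPv6NeighborDiscovery {
    param(
        [int]$Count = 2   # echoes per interface; a second ping catches slow responders
    )

    # Only interfaces that are up, and not loopback, can have real neighbors.
    $ifaces = Get-NetIPInterface -AddressFamily IPv6 |
        Where-Object {
            $_.ConnectionState -eq 'Connected' -and
            $_.InterfaceAlias -notmatch 'Loopback'
        }

    $results = @()
    foreach ($if in $ifaces) {
        $idx = $if.InterfaceIndex

        # The zone index (%<ifIndex>) is mandatory for a link-local multicast target;
        # without it Windows does not know which link to send on.
        ping.exe -6 -n $Count "ff02::1%$idx" | Out-Null

        # Read the cache right away. Reachable/Stale/Delay/Probe entries belong to
        # hosts that talked to us; Permanent ones are our own or multicast addresses.
        $results += Get-NetNeighbor -AddressFamily IPv6 -InterfaceIndex $idx |
            Where-Object {
                ($_.State -in @('Reachable', 'Stale', 'Delay', 'Probe')) -and
                ($_.IPAddress -notlike 'ff*')
            } |
            Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias
    }

    $results | Sort-Object InterfaceAlias, IPAddress -Unique
}

# Usage: print the discovered neighbors; the MAC (LinkLayerAddress) is what you
# pivot on to match a link-local address to an IPv4 host found by the IPv4 sweep.
Invoke-IPv6NeighborDiscovery | Format-Table -AutoSize
```

Most replies will be link-local (fe80::) addresses, which are only reachable from the same segment; the LinkLayerAddress column lets you correlate them with the IPv4 ARP table (Get-NetNeighbor -AddressFamily IPv4) to tie both address families to one machine.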