Weaponizing cmd.exe – DNS Reverse Lookup

Here is a nice way to perform a reverse lookup of all the hosts on your network. It uses the nslookup <ip> command to do it.

Find the entire post on the new blog site!

DNS Reverse Lookup

for /L %i in (1,1,255) do @nslookup x.x.x.%i 2> nul | find "Name" && @echo x.x.x.%i
How it works
  • Do a for loop, using an integer that will be initialized to 1, and iterate by 1 until it equals 255

for /L %i in (1,1,255)
  • for each iteration do a dns reverse lookup for the next address on the subnet

do @nslookup x.x.x.%i
  • If I get an error, discard the results

2> nul
  • With all other results, output the line containing “Name”

| find "Name"
  • If and only if the lookup returns without errors, print the ip of the machine

&& @echo x.x.x.%i

Its pretty nice for enumeration. Have fun!


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: