PC name discovery on a local network

Here’s a fun one for you. I had a situation recently where the customer had some of his Windows PCs properly populated in his reverse DNS zone (in an AD-controlled environment), and some that were not. He asked me to quickly scan the network and figure out which were which (before we started to look into the “why” part). Note that for the examples that follow, the customer’s fictitious network address is good ol’, and the commands were tested with the default packages on openSUSE 11.1 and 11.2.

So first, I had to find those that are in the reverse DNS zone. I simply made sure my PC points to the correct internal DNS server that is authoritative for the forward and reverse DNS zones, and then ran a ping sweep with some filtering (hosts that resolve in reverse DNS show up with a name in front of the IP, so the bare-IP lines are dropped):

nmap -sP |grep -v "^Host 192\.168\.1"|grep "^Host"|awk '{ print $2,$3 }'

Then, in order to get the local NetBIOS name for Windows computers that aren’t in reverse DNS, I came up with this (the <20> entry in the nmblookup output is the server service record, i.e. the machine’s computer name):

for item in `nmap -sP|awk '{ print $2 }'|grep "^192\.168\.1"`;do thingy=`nmblookup -A $item|grep "<20>"|awk '{ print $1 }'`;echo $thingy \($item\);done

…of course, non-Windows computers and devices without NetBIOS will simply not respond to the query. It might be neater to dump the output to a file and such if you wish, but I didn’t bother. I’m just keeping it simple here.

Note that the above does not take into account that there may be multiple reverse DNS entries per PC. If you need to know that, you could do something like this:

for item in `nmap -sP |grep -v "^Host 192\.168\.1" |grep "^Host"|awk '{ print $3 }'|sed s/[\(,\)]//g`; do nslookup $item|grep "name =";echo "";done

…and so on. You could really go crazy with this sort of thing. It can also be handy if you are in an environment where you don’t have access to the DNS/DHCP administration tools but want to see what’s out there. Now wasn’t that fun?
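As an added example (not from the original post), here is a small POSIX shell script that does the same classification offline: it parses constructed nmap -sP output in both the older "Host name (ip) appears to be up." form that the one-liners above assume and the newer "Nmap scan report for" form, and pulls the <20> computer name out of constructed nmblookup -A output. All hostnames, IPs and the MAC address in the samples are made up.

```shell
#!/bin/sh
# Constructed sample of "nmap -sP" ping-sweep output in both line formats nmap
# has used over the years. Lines carrying a name resolved in reverse DNS;
# bare-IP lines did not.
SAMPLE_NMAP='Starting Nmap 4.75 ( http://nmap.org )
Host 192.168.1.10 appears to be up.
Host ws-alice.corp.example (192.168.1.11) appears to be up.
Host 192.168.1.12 appears to be up.
Nmap scan report for ws-bob.corp.example (192.168.1.13)
Nmap scan report for 192.168.1.14
Nmap done: 256 IP addresses (5 hosts up) scanned in 3.41 seconds'

# Constructed sample of "nmblookup -A <ip>" output; the <20> record is the
# server service name, i.e. the machine's NetBIOS computer name.
SAMPLE_NMB='Looking up status of 192.168.1.10
        WS-CAROL        <00> -         M <ACTIVE>
        CORP            <00> - <GROUP> M <ACTIVE>
        WS-CAROL        <20> -         M <ACTIVE>

        MAC Address = 00-11-22-33-44-55'

# Print "ip name", one per line, for hosts that have a reverse DNS name.
hosts_in_rdns() {
  printf '%s\n' "$1" | awk '
    /^Host .*\(/                  { ip=$3; gsub(/[()]/, "", ip); print ip, $2 }
    /^Nmap scan report for .*\(/  { ip=$6; gsub(/[()]/, "", ip); print ip, $5 }'
}

# Print the bare IPs of hosts that answered the sweep but have no PTR record.
hosts_without_rdns() {
  printf '%s\n' "$1" | awk '
    /^Host [0-9.]+ appears/             { print $2 }
    /^Nmap scan report for [0-9.]+$/    { print $5 }'
}

# Extract the NetBIOS computer name (the <20> entry) from nmblookup -A output.
# Prints nothing for a host that did not answer, as non-Windows hosts will not.
netbios_name() {
  printf '%s\n' "$1" | awk '/<20>/ { print $1; exit }'
}

# Run against the constructed samples (offline). On a real network, feed in
# "$(nmap -sP <subnet>)" and, per bare IP, "$(nmblookup -A $ip)" instead.
echo "In reverse DNS:";     hosts_in_rdns "$SAMPLE_NMAP"
echo "Not in reverse DNS:"; hosts_without_rdns "$SAMPLE_NMAP"
echo "NetBIOS name from sample: $(netbios_name "$SAMPLE_NMB")"
```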
