WMI Network Scanning

This script is used to scan a subnet, find all hosts whose RPC port (135) is open, and write their list to a file.

# Usage:
# 1. Edit script, change $ip, $mask, $outputFile, and $rewriteFile parameters
# 2. Start script
# 3. Check the output file

# ---- Scan parameters (edit these before running) ----
# $ip          any address inside the subnet to scan
# $mask        the subnet mask in dotted-decimal form
# $outputFile  file that receives one responding host address per line
# $rewriteFile 1 = delete the output file before scanning, 0 = append to it
[string]$ip = "192.168.1.1"
[string]$mask = "255.255.255.0"
[string]$outputFile = "C:\wmi\computers.txt"
[int]$rewriteFile = 1

#----------------------------------------------------------------------
#--------- Function for printing messages to $LogFile and screen ---------
#----------------------------------------------------------------------

function print_message($File, [string]$Text)
{
<#
.Synopsis
Writes one line of text to the console and appends the same line to a file.
.Parameter File
Path of the file to append to; Add-Content creates it when it does not exist.
.Parameter Text
The message to write.
#>
    Write-Host -Object $Text
    Add-Content -Path $File -Value $Text
}

#----------------------------------------------------------------------
Function ConvertTo-DecimalIP {
<#
.Synopsis
Converts a dotted-decimal IPv4 address into a 32-bit unsigned integer.
.Description
The octets returned by GetAddressBytes() are folded into an accumulator, most
significant octet first, so the result equals
(b0 * 256^3) + (b1 * 256^2) + (b2 * 256) + b3, returned as [UInt32].
The arithmetic assumes four octets (IPv4); addresses with a different byte
length are not supported.
.Parameter IPAddress
The IP address to convert. A dotted-decimal string is coerced to
[Net.IPAddress] by the parameter binder.
#>
[CmdLetBinding()]
Param(
[Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True)]
[Net.IPAddress]$IPAddress
)

Process {
    # Accumulate in a 64-bit integer so no intermediate product overflows Int32.
    [long]$accumulator = 0
    foreach ($octet in $IPAddress.GetAddressBytes()) {
        $accumulator = $accumulator * 256 + $octet
    }
    Return [UInt32]$accumulator
}
}

Function ConvertTo-DottedDecimalIP {
<#
.Synopsis
Returns a dotted-decimal IP address from either an unsigned 32-bit integer or a dotted binary string.
.Description
The input is classified by two regular expressions, checked in order. A string
of four 8-bit binary groups separated by dots (e.g. "11000000.10101000.00000001.00000001")
is converted group by group. Otherwise, any string containing a digit is treated
as a UInt32 and split into four octets, most significant first. Anything else
produces a non-terminating error via Write-Error and returns nothing.
.Parameter IPAddress
A string representation of an IP address, as either a UInt32 or dotted binary.
#>
[CmdLetBinding()]
Param(
[Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True)]
[String]$IPAddress
)
Process {
    if ($IPAddress -match "([01]{8}\.){3}[01]{8}") {
        # Dotted binary: parse each group in base 2 and re-join with dots.
        $groups = $IPAddress.Split('.') | ForEach-Object { [Convert]::ToUInt32($_, 2) }
        Return ($groups -join '.')
    }
    if ($IPAddress -match "\d") {
        # Decimal: peel octets off from the top (shift by 24, 16, 8, 0 bits).
        # The value is widened to [long] so the shifts stay in range.
        $value = [long][UInt32]$IPAddress
        $octets = foreach ($shift in 24, 16, 8, 0) { ($value -shr $shift) -band 0xFF }
        Return ($octets -join '.')
    }
    Write-Error "Cannot convert this format"
}
}

Function Get-NetworkAddress {
<#
.Synopsis
Takes an IP address and subnet mask and calculates the network address for the range.
.Description
Both operands are first reduced to their UInt32 forms with ConvertTo-DecimalIP.
A bitwise AND of the two clears every host bit, and the result is rendered
back to dotted decimal with ConvertTo-DottedDecimalIP. Both inputs are expected
in dotted-decimal form.
.Parameter IPAddress
Any IP address within the network range.
.Parameter SubnetMask
The subnet mask for the network (alias: Mask).
#>
[CmdLetBinding()]
Param(
[Parameter(Mandatory = $True, Position = 0, ValueFromPipeline = $True)]
[Net.IPAddress]$IPAddress,

[Parameter(Mandatory = $True, Position = 1)]
[Alias("Mask")]
[Net.IPAddress]$SubnetMask
)
Process {
    $addressBits = ConvertTo-DecimalIP $IPAddress
    $maskBits = ConvertTo-DecimalIP $SubnetMask
    # AND keeps only the network portion of the address.
    $networkBits = $addressBits -band $maskBits
    Return (ConvertTo-DottedDecimalIP $networkBits)
}
}

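#----------------------------------------------------------------------
# Tests whether a TCP port on a host accepts a connection.
#   $ip           host name or address to connect to
#   $port         TCP port number
#   $con_timeout  time to wait for the connect to complete, in milliseconds
#                 (passed to WaitHandle.WaitOne)
# Returns 1 when the connection completes, 0 when it times out or the host
# actively refuses it. The TcpClient is closed on every exit path, including
# the refused-connection branch, so no socket is left open per probed host.
#----------------------------------------------------------------------
function check_open_port($ip, $port, $con_timeout)
{
    $tcpclient = New-Object Net.Sockets.TcpClient
    try {
        $connection = $tcpclient.BeginConnect($ip, $port, $null, $null)
        # WaitOne returns $true when the async connect finished within the
        # timeout and $false when it is still pending (no answer from the host).
        $completed = $connection.AsyncWaitHandle.WaitOne($con_timeout, $false)
        if (-not $completed) {
            return 0
        }
        try {
            # EndConnect throws when the connection was actively refused;
            # the wait handle is signalled in that case too, so the result
            # must be inspected here rather than inferred from WaitOne.
            $tcpclient.EndConnect($connection) | Out-Null
            return 1
        } catch {
            return 0
        }
    } finally {
        # Runs for the timeout, success and refused branches alike.
        $tcpclient.Close()
    }
}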

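# ---- Main: walk every host address of the subnet and probe TCP port 135 ----

# Start from an empty output file when $rewriteFile is set. A missing file is
# not an error on the first run, so only remove it when it actually exists
# (an unguarded Remove-Item would print a spurious error and continue).
if ($rewriteFile) {
    if (Test-Path -Path $outputFile) {
        Remove-Item -Path $outputFile
    }
}

$mm = "255.255.255.255"
$dmm = ConvertTo-DecimalIP $mm
$first = Get-NetworkAddress $ip $mask
$dmask = ConvertTo-DecimalIP $mask
# The first candidate is the network address + 1; the network address itself is skipped.
$dfirst = [long](ConvertTo-DecimalIP $first) + 1
# $n is the host-part size minus one (255 for a /24). The loop below runs
# $n - 1 times, so the broadcast address at the end of the range is skipped too.
$n = [long]$dmm - [long]$dmask

for ($i = 0; $i -le ($n - 2); $i++) {
    $new = ConvertTo-DottedDecimalIP $dfirst
    # Port and timeout (ms) are passed as strings; .NET converts them on the call.
    $Port135Open = check_open_port $new "135" "1000"
    if ($Port135Open) {
        print_message $outputFile $new
    }
    $dfirst++
}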
