Network Reconnaissance

Identify Private IP addresses

• Reserved ranges are defined in RFC 1918 for use in private networks.

• These addresses are not routable on the public internet.

• A quick way to recognize private IPv4 addresses is to just look at the first octets:

10.x.x.x	Large private networks
172.16 – 172.31.x.x	Medium-sized networks
192.168.x.x	Home/small office networks

Calculate target ranges

Common subnet sizes

• /24 → Last octet changes x.x.x.1-254

• /16 → Last two octets change x.x.0-255.1-254

• /8 → Last three octets change x.0-255.0-255.1-254

Calculate network range

ipcalc 192.168.1.0/24

TTL Values and OS Fingerprinting

The TTL value in the ping response is a starting value decremented by one for each hop the packet takes; Values differ between operating systems:

• Linux/Unix -> 64

• Windows -> 128

• Cisco -> 255

ping -c 4 example.com

• It sends ICMP Echo Request packets to a target and waits for ICMP Echo Reply packets in return.

Output Example

PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.123 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.120 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.122 ms

• TTL (Time to Live): The maximum number of hops a packet can traverse before being discarded.

• Time: The round-trip time (RTT) for the packet to reach the destination and return.

Map the network path to a target

traceroute example.com