
01. Mapping a Network

Purpose

Mapping a network involves discovering and documenting all devices, their connections, and the associated services on a network.

  • Identify active hosts and devices.
  • Detect vulnerabilities and misconfigurations.
  • Aid in troubleshooting and planning for network security.

Scope

  • Define the boundaries of the network to be mapped (e.g., IP range, specific subnets).
  • Ensure legal and authorized access before performing network mapping.

Discovery

Network discovery involves identifying all devices, services, and connections within the defined scope.


Process

1. Physical Access

  • Gaining access to the physical infrastructure of the network.
  • Methods:
    • Physical Security: Access routers, switches, or access points.
    • OSINT (Open Source Intelligence): Gather public information about the target organization.
    • Social Engineering: Trick personnel to gain access or gather information.

2. Sniffing

  • Monitoring network traffic to collect data about connected devices and services.
  • Types:
    • Passive Reconnaissance: Collect data without interacting with the network.
    • Watch Network Traffic: Use tools like Wireshark to monitor data packets.

Tool: Wireshark

  • Graphical tool to capture and analyze network traffic.
  • Command to Start:

    sudo wireshark
    

3. ARP (Address Resolution Protocol)

  • arp-scan maps IP addresses to MAC addresses on a local network.
  • Command:

    sudo arp-scan -l
    

    Explanation:

    • -l: Scans the local network (the subnet configured on the interface).

Example:

sudo arp-scan -I eth0 -g 192.168.0.1/24
  • -I eth0: Specifies the network interface.
  • -g: Ignores duplicate replies from the same host.
  • 192.168.0.1/24: The target subnet, given as a positional argument.

Output:
Lists all devices on the subnet with their IP and MAC addresses.


4. ICMP (Internet Control Message Protocol)

  • Used to check connectivity and trace paths between devices.

Commands:

  1. Ping:
    Sends ICMP echo requests to check if a device is active.

    ping 192.168.0.1
    

    Output:

    • Replies from the target indicate it's reachable.

  2. Trace Route:
    Tracks the path packets take to reach a target.

    traceroute 192.168.0.1
    

  3. Fping:
    Efficiently scans multiple IPs in a subnet.

    fping -I eth0 -g 192.168.0.1/24 -a
    

    Explanation:

    • -I eth0: Sends probes from the specified interface.
    • -g: Generates the target list from the subnet range.
    • -a: Displays only reachable (alive) hosts.

Example (Silent Output):

fping -I eth0 -g 192.168.0.1/24 -a 2>/dev/null

Redirects fping's error messages (e.g., ICMP unreachable notices for hosts that do not respond) to /dev/null, leaving only the list of live hosts on standard output.


Tools and Commands

1. Nmap for Discovery

Command:

nmap -sn 192.168.0.1/24

Explanation:

  • -sn: Ping scan to discover active hosts without scanning ports.

Example:

nmap -sn 10.0.0.1/24

Output:
Lists all reachable devices in the specified subnet.


Practical Workflow Example

  1. Identify Active Hosts:

    nmap -sn 192.168.1.0/24
    

    Result: Lists IPs of live devices.

  2. Map IP to MAC Addresses:

    sudo arp-scan -l
    

    Result: Displays MAC addresses of devices on the network.

  3. Verify Device Connectivity:

    fping -I eth0 -g 192.168.0.1/24 -a
    

    Result: Lists only the reachable devices (add 2>/dev/null to suppress error messages).

  4. Capture Network Traffic:
    Start Wireshark to analyze network packets:

    sudo wireshark
    
  5. Monitor Specific Device Traffic:
    Use a filter in Wireshark (e.g., ip.addr == 192.168.0.5).
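
As an added example (not part of the original notes), the following Python script turns the outputs of steps 2 and 3 into a documented inventory: it parses arp-scan's tab-separated host lines and fping -a's list of live IPs, merges them per IP, and flags hosts that answered ARP but not ICMP, which an ICMP-only sweep would miss. The sample outputs are constructed, and the MAC addresses and vendor names are placeholders.

```python
import re

# Constructed sample output in the tools' default text formats (not a real capture).
ARP_SCAN_OUTPUT = """\
Interface: eth0, type: EN10MB, MAC: aa:bb:cc:dd:ee:01, IPv4: 192.168.0.10
192.168.0.1\t00:11:22:33:44:01\tExampleVendor Networks
192.168.0.5\t00:11:22:33:44:05\tExampleVendor Computers
192.168.0.9\t00:11:22:33:44:09\t(Unknown)
"""
FPING_OUTPUT = """\
192.168.0.1
192.168.0.5
"""

# arp-scan host lines: <ip><TAB><mac><TAB><vendor>; header/summary lines do not match.
ARP_LINE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\t([0-9a-f]{2}(?::[0-9a-f]{2}){5})\t(.*)$")

def parse_arp_scan(text):
    """Return {ip: (mac, vendor)} from arp-scan output."""
    hosts = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            hosts[m.group(1)] = (m.group(2), m.group(3))
    return hosts

def parse_fping(text):
    """fping -a prints one reachable IP per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def build_inventory(arp_hosts, icmp_hosts):
    """Merge both views into one record per IP, sorted numerically."""
    inventory = []
    for ip in sorted(set(arp_hosts) | set(icmp_hosts), key=lambda a: tuple(int(o) for o in a.split("."))):
        mac, vendor = arp_hosts.get(ip, ("", ""))
        inventory.append({"ip": ip, "mac": mac, "vendor": vendor,
                          "arp": ip in arp_hosts, "icmp": ip in icmp_hosts})
    return inventory

def arp_only(inventory):
    """Hosts that answered ARP but not ICMP: an ICMP-only sweep would miss them."""
    return [h["ip"] for h in inventory if h["arp"] and not h["icmp"]]

if __name__ == "__main__":
    inv = build_inventory(parse_arp_scan(ARP_SCAN_OUTPUT), parse_fping(FPING_OUTPUT))
    for h in inv:
        print(f"{h['ip']:<15} {h['mac']:<17} arp={h['arp']!s:<5} icmp={h['icmp']!s:<5} {h['vendor']}")
    print("ARP-only hosts (possibly filtering ICMP):", arp_only(inv))
```

In practice, pipe the real tool output into the two parsers instead of the constructed strings; the ARP-only list is the set of hosts to document that would otherwise be missing from an nmap -sn or fping sweep.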


Key Points

  • ARP: Resolves IP to MAC, crucial for local network mapping.
  • ICMP: Detects active hosts and provides route information.
  • Tools: Combine tools like Wireshark, Nmap, ARP-Scan, and Fping for efficient discovery.
  • Ethical Usage: Always perform network mapping with proper authorization.

These steps and tools ensure efficient network mapping for security analysis, troubleshooting, and documentation.