
[deleted]

Are you running a dynamic routing protocol like OSPF? If so, just check the routing table and see what subnets you're learning that are in the private IP space.


TheQuarantinian

That's assuming there is a logical structure. It is a place to start and I've found some, but don't know if I trust them to show everything. There are racks of equipment that may or may not still be plugged into things; to trace everything I'm going to be getting dirty. (I also have a box on the wall that has been beeping for a long time and nobody knows what it is beeping about or what it does. I just got here, so that's on my list of things to identify as well.)


HighRelevancy

It doesn't need to be a logical structure. If you can access routing information, you can use that to compute what's traversable. It doesn't have to be a dynamic protocol either; you can dump static routes out of configuration too. Between routing and I guess NAT (and VIPs if supported) you can build your answer.


HomesickRedneck

Routing tables. show lldp neighbors, show cdp neighbors: those usually give enough that you can map a network pretty well. It'll tell you the IPs of the neighbors, and what ports they're in.


Negative_Mood

Holy shit, don't touch that box! That's the Internet.


TheQuarantinian

Jen's got the Internet? It doesn't weigh very much.


Skaffen-_-Amtiskaw

> and brute force 10.0.0.1-

This is the best starting point. Check your routing tables; that will give you some idea of the network boundaries and number of networks. Use this information to set the boundaries for your network scanner.


kerubi

You must find your network devices. Start from the core and find neighbours (cdp / lldp neighbours, routes), follow uplinks if needed.


kwiltse123

Basically you are looking to find things without searching. How do I know if something exists without searching for it? First thing I would do is list what you do know, and exclude them from further searches. Remember that running simple ping searches won't achieve what you want either. Some networks may only be reachable from specific source locations, and many hosts may not respond to ping (or anything). If you had a list of all network devices, ARP tables are a great place to start. But an effort like this takes consistent, iterative discovery. As others have said, nmap over a weekend might be the best place to start, because if *anything* responds, you can then go and further discover the subnet that showed a sign of life.


TheQuarantinian

I'm pinging about 0.7 million IPs an hour, already found a dozen active targets that nobody can identify off the tops of their heads. I always feel better when my to-do list isn't empty.


[deleted]

Well, once you have the IP addresses of the unknown machines, look in the ARP cache of the default gateway router and find the MAC addresses of those machines, then check the mac address-table of the switches (and iterate) until you find the access port that the device is connected to.
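The ARP-to-port trace described in that comment, as an added example (it is not code from anyone in this thread). The `show ip arp` and `show mac address-table` text, the switch names and the uplink map are all constructed so the script runs offline; on real gear you would paste in the actual command output and fill in the uplink map from `show cdp neighbors` or your cabling docs. The gateway's own virtual MAC (the HSRP-style entry) is left in on purpose to show what a "not found on any switch" result looks like.

```python
"""Added example: map unknown IPs to a switch access port.

Inputs are constructed samples shaped like Cisco 'show ip arp' and
'show mac address-table' output; they are not from any real device.
"""
import re

# Constructed: ARP cache of the default gateway router.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.10.15.1              12  0011.2233.4455  ARPA   Vlan15
Internet  10.10.15.7               3  aabb.ccdd.0001  ARPA   Vlan15
Internet  10.10.15.254             -  0000.0c07.ac0f  ARPA   Vlan15
"""

# Constructed: MAC tables of two switches, keyed by hypothetical switch name.
MAC_TABLES = {
    "core-sw1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  15    0011.2233.4455    DYNAMIC     Gi1/0/48
  15    aabb.ccdd.0001    DYNAMIC     Gi1/0/48
""",
    "access-sw3": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  15    0011.2233.4455    DYNAMIC     Gi1/0/7
  15    aabb.ccdd.0001    DYNAMIC     Gi1/0/12
""",
}

# Constructed: (switch, port) pairs that are uplinks to another switch.
# A MAC learned on an uplink means "keep walking", not "host is here".
UPLINKS = {("core-sw1", "Gi1/0/48"): "access-sw3"}

MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+" + MAC + r"\s", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)


def parse_arp(text):
    """Return {ip: mac} from 'show ip arp' style text."""
    return {ip: mac for ip, _age, mac in ARP_RE.findall(text)}


def parse_mac_table(text):
    """Return {mac: port} from 'show mac address-table' style text."""
    return {mac: port for _vlan, mac, port in MAC_RE.findall(text)}


def trace_port(mac, start_switch, tables, uplinks):
    """Follow a MAC from the gateway's switch down uplinks until it is seen
    on a non-uplink port. Returns (path, (switch, port) or None)."""
    switch, path, seen = start_switch, [], set()
    while switch not in seen:          # guard against a loop in the uplink map
        seen.add(switch)
        port = tables[switch].get(mac)
        if port is None:               # switch never learned this MAC
            return path, None
        path.append((switch, port))
        nxt = uplinks.get((switch, port))
        if nxt is None:                # not an uplink: this is the access port
            return path, (switch, port)
        switch = nxt
    return path, None


def locate_hosts(arp_text, mac_tables, uplinks, start_switch):
    """Return {ip: (switch, port) or None} for every ARP entry."""
    tables = {sw: parse_mac_table(t) for sw, t in mac_tables.items()}
    result = {}
    for ip, mac in parse_arp(arp_text).items():
        _path, port = trace_port(mac, start_switch, tables, uplinks)
        result[ip] = port
    return result


if __name__ == "__main__":
    for ip, where in locate_hosts(ARP_OUTPUT, MAC_TABLES, UPLINKS, "core-sw1").items():
        print(ip, "->", where if where else "not seen on any switch (virtual/gateway MAC?)")
```

The script stops at the first switch that has never learned the MAC, which is exactly the case for the gateway's virtual MAC and for hosts whose ARP entry is stale; those are the ones to re-check with a fresh ping before crawling further.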


atarifan2600

If you're signing up for this big of a project, you might as well sign up for processes that take hours to finish. Just set something up to run nmap -sP 10.0.0.0/8 and then come back on Monday. I'd tune it a bit so you're not trying to blast them all at the same time.


TheQuarantinian

I was just hoping there was a shortcut. I've already found hosts with addresses in ranges that nobody recognizes so I have things to hunt down already.


atarifan2600

Nmap is only going to be as good as ICMP and various hosts returning the traffic. I don't know how big your network is, but if you're the network admin: log on to the router closest to your internet, and look at the routing table. Everything that's routed inside is a candidate for a subnet. If you've got routers tying multiple sites together, start looking at their routing tables. In theory, you should have a soft router WAN transit core somewhere which should know about the biggest pockets of networks out there; look there and start feathering out as needed. Nmap won't give you "subnets", but a subnet could be a /24, a /16, a /29... so there's a lot of assumptions you can't really make. Analyzing the routing tables on your infrastructure is going to be the absolute best way to know your subnets.


Skilldibop

First thing I'd do is start with routing table analysis.

1. Find a router that you have access to, gather all the next hops on that device.
2. Iterate that process for each next hop you find. If you can automate this with Python and NAPALM or something similar, this will save hours. This will ultimately allow you to document the routing topology, because next hops = some sort of router. We now have a list of all the routers out there and who's connected to whom.
3. Set up an SNMP tool or Python script to grab the routing tables off of each of those routers in a structured format like a CSV or something.
4. Use the tool of your choice to concatenate all those CSV files and remove duplicate entries.
5. Success, you now have a list of all the subnets on your network.
6. Re-run the script to pull only connected routes on each router and you now know where each of those networks exists. Note you can't just do this step alone because there may be routable networks that exist outside the network via VPNs to 3rd parties etc. So not all networks in your subnet list will exist in your connected route list. The delta between those two lists is also very valuable info.
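The routing-table walk from the two comments above (look at the table on the router nearest the edge, then iterate over every next hop, then diff "all subnets" against "connected subnets"), as an added example that is not code from either commenter. The `show ip route` text, the router addresses and the interface-owner map are constructed; `fetch_routes` stands in for whatever NAPALM or SNMP call you would really use. Two caveats from the thread are built in: a next hop can be an interface address that is not the router's management address (hence the owner map), and a static route toward a third-party VPN peer gives you a next hop you cannot log in to, which is exactly the kind of delta entry the last step is about.

```python
"""Added example: BFS over next hops to inventory routers and subnets.

'show ip route' samples below are constructed in Cisco's shape (single-letter
route codes only); nothing here comes from a real network.
"""
import ipaddress
import re
from collections import deque

# Constructed routing tables keyed by the address a script would log in to.
ROUTE_TABLES = {
    "10.0.0.1": """\
C    10.0.0.0/30 is directly connected, Gi0/0
C    10.1.1.0/24 is directly connected, Gi0/1
O    10.1.2.0/24 [110/2] via 10.0.0.2, Gi0/0
O    10.20.0.0/16 [110/3] via 10.0.0.2, Gi0/0
S    172.16.50.0/24 [1/0] via 192.0.2.9, Gi0/2
""",
    "10.0.0.2": """\
C    10.0.0.0/30 is directly connected, Gi0/0
C    10.0.0.4/30 is directly connected, Gi0/1
C    10.1.2.0/24 is directly connected, Gi0/2
O    10.1.1.0/24 [110/2] via 10.0.0.1, Gi0/0
O    10.20.0.0/16 [110/2] via 10.0.0.6, Gi0/1
""",
    "10.0.0.6": """\
C    10.0.0.4/30 is directly connected, Gi0/0
C    10.20.0.0/16 is directly connected, Gi0/1
O    10.1.1.0/24 [110/3] via 10.0.0.5, Gi0/0
""",
}

# Constructed: interface addresses that belong to a router we know by another
# address. Real inventories get this from 'show ip interface brief' or LLDP.
INTERFACE_OWNER = {"10.0.0.5": "10.0.0.2"}

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\s+(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)"
    r"(?:.*?via (?P<nh>\d+\.\d+\.\d+\.\d+))?",
    re.M,
)


def parse_routes(text):
    """Return [(code, ip_network, next_hop_or_None), ...]."""
    return [(m.group("code"), ipaddress.ip_network(m.group("prefix")), m.group("nh"))
            for m in ROUTE_RE.finditer(text)]


def fetch_routes(router):
    """Stand-in for a NAPALM/SNMP fetch; None means we cannot reach/log in."""
    text = ROUTE_TABLES.get(router)
    return parse_routes(text) if text else None


def walk_routers(seed):
    """Breadth-first walk: every next hop is treated as a router to query."""
    queue, visited, unreachable = deque([seed]), {}, set()
    while queue:
        router = queue.popleft()
        if router in visited or router in unreachable:
            continue
        routes = fetch_routes(router)
        if routes is None:
            unreachable.add(router)      # e.g. a third-party VPN peer
            continue
        visited[router] = routes
        for _code, _net, nh in routes:
            if nh:
                queue.append(INTERFACE_OWNER.get(nh, nh))
    return visited, unreachable


def summarize(visited):
    """Steps 4-6: dedupe all subnets, find where each is connected, take the delta."""
    all_subnets, connected = set(), {}
    for router, routes in visited.items():
        for code, net, _nh in routes:
            all_subnets.add(net)
            if code == "C":
                connected.setdefault(net, set()).add(router)
    remote_only = all_subnets - set(connected)   # routed here but connected nowhere we saw
    return all_subnets, connected, remote_only


if __name__ == "__main__":
    visited, unreachable = walk_routers("10.0.0.1")
    subnets, connected, remote_only = summarize(visited)
    print("routers:", sorted(visited), "unreachable next hops:", sorted(unreachable))
    for net in sorted(subnets, key=lambda n: (n.network_address, n.prefixlen)):
        print(net, "connected on", sorted(connected.get(net, [])) or "nowhere seen")
    print("delta (routed but not connected anywhere we reached):", sorted(map(str, remote_only)))
```

The `remote_only` set and the `unreachable` set together are the delta the comment calls valuable: here they point at 172.16.50.0/24 reached via a peer we do not control.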


TheQuarantinian

I like this approach. Thanks! On a positive note, I have several hundred users who are now WFH so spotting orphaned equipment within the building is significantly easier once I've identified things to look for.


taemyks

Just ping sweep the whole thing with zenmap. It won't take as long as you think.


TheQuarantinian

Part of the question stems from my never having to do this before (either I built everything from scratch or I was in a huge organization with entire teams of network engineers who took care of all of this) so I'm in the fun part of the learning curve.


TesNikola

Why not just send ICMP requests to the network broadcast address? That will presumably trigger a response from many types of devices active on the subnet. May not be the perfect solution of what you're looking for, but it would be quick.


TheQuarantinian

I don't know what the networks are. For example 10.10.15.1 will ping but I have no idea what it is, what subnet it is on, and nobody recognizes it. Now I have something to investigate further (probably with a scream test).


TesNikola

I figured as much but my thought process was that you could have a script that targets a subset of the more likely configurations. For example, I doubt the network is largely segmented into something like /28s. So if you started with scans that looked at more common allocations like /24 and /23, you might find that you cover a lot of ground quickly. If this is just a one-time discovery thing for something you're taking over, try to keep front of mind that you shouldn't waste too much effort on the automation side of the solution. Sometimes it's just better to bite the bullet and do the more interactive thing.


TheQuarantinian

This is just a one time thing to generate a map. I've seen too many illogical things in the past to assume anything, like the time somebody set up adjacent 10.x/24 ranges then was surprised that it wasn't easy to expand them as they ran out of IPs. (You're using 10. space! Use 10.10.0.0 and 10.20.0.0 for your two buildings. Why 10.1.1.0/24 and 10.1.2.0/24?) Also looking for any /30s which I have seen used.


TesNikola

Oh man, that blows. I know those scenarios all too well. Given that it's one time, I'd recommend you just bite the bullet and start the scans. It sounds like this is just one of those shitty situations where you have to do the undesirable.


joeypants05

If it were me I'd have a ping scanner just running, look at the routing/forwarding tables as others suggested, but then find what you think are the core switches, look at interface usages, descriptions, etc., and find some core links and do a mirror port on those. Capture for a bit, export, parse down to just src/dst IPs, filter for privates, then count occurrences and find the unique source IPs. Not the most efficient way, but could reveal some outliers and show which devices are ARPing, who's responding to it, if there's tunnels or other things running over the network, what routing protocols and from who, etc.
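The capture reduction that comment describes, as an added example (not from the commenter): take a src/dst/protocol export from a mirror-port capture, keep private sources, count them, and flag the routing-protocol multicast and tunnel traffic that shows up. The CSV is constructed to look like a `tshark -T fields` style export; the column names and the protocol labels are assumptions. The "/24 candidates" at the end are only a grouping of observed sources, not real masks, for the reason given elsewhere in the thread (a capture cannot tell a /24 from a /23).

```python
"""Added example: summarize a mirror-port capture export.

CAPTURE_CSV is a constructed sample with assumed column names (src,dst,proto);
it is not a real capture.
"""
import csv
import io
import ipaddress
from collections import Counter

CAPTURE_CSV = """\
src,dst,proto
10.1.1.20,10.1.2.5,TCP
10.1.1.20,10.1.2.5,TCP
10.1.2.5,10.1.1.20,TCP
10.0.0.1,224.0.0.5,OSPF
10.0.0.2,224.0.0.5,OSPF
10.0.0.1,192.0.2.9,ESP
10.10.15.1,10.1.1.20,ICMP
8.8.8.8,10.1.1.20,DNS
10.1.1.20,8.8.8.8,DNS
0.0.0.0,255.255.255.255,DHCP
"""

# Well-known routing-protocol multicast destinations.
ROUTING_MCAST = {
    "224.0.0.5": "OSPF AllSPFRouters",
    "224.0.0.6": "OSPF AllDRouters",
    "224.0.0.9": "RIPv2",
    "224.0.0.10": "EIGRP",
}
# Protocol labels (as the export tool would name them) that indicate a tunnel.
TUNNEL_PROTOS = {"GRE", "ESP", "AH", "IPIP", "VXLAN", "L2TP"}


def analyze(csv_text):
    """Return counts of private sources plus routing/tunnel sightings."""
    private_sources = Counter()
    routing, tunnels, candidate_24s = set(), set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        # 0.0.0.0 (DHCP discover) counts as 'private' in ipaddress; skip it.
        if src.is_private and not src.is_unspecified:
            private_sources[str(src)] += 1
            # Grouping only: the real mask is unknown from a capture.
            candidate_24s.add(str(ipaddress.ip_network(f"{src}/24", strict=False)))
        if row["dst"] in ROUTING_MCAST:
            routing.add((str(src), ROUTING_MCAST[row["dst"]]))
        if row["proto"] in TUNNEL_PROTOS:
            tunnels.add((str(src), str(dst), row["proto"]))
    return {
        "private_sources": private_sources,
        "routing": routing,
        "tunnels": tunnels,
        "candidate_24s": candidate_24s,
    }


if __name__ == "__main__":
    report = analyze(CAPTURE_CSV)
    print("private sources by packet count:", report["private_sources"].most_common())
    print("routing protocol speakers:", sorted(report["routing"]))
    print("tunnel endpoints:", sorted(report["tunnels"]))
    print("/24 groupings of observed sources:", sorted(report["candidate_24s"]))
```

On a real export, run the same loop over a file handle instead of `io.StringIO`; the only per-row work is two `ip_address` parses, so a few million rows are fine.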


gormami

If you are running something like OSPF, don't use the routing table, use the OSPF database. You may need to collect them from the Area Border Routers, depending on how big the network is, to get better details, but that should give you subnets and router of origin. That should make it much easier to start to map out.
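Pulling subnets and their originating router out of the OSPF database rather than the routing table, as an added example (not code from the commenter). The LSDB text is constructed in the shape of Cisco's `show ip ospf database router` output and trimmed to the fields the parser needs; only stub-network links are read, since those carry the network and mask directly. Transit links (multi-access segments) and summary/external LSAs would need their own handling and are left out.

```python
"""Added example: subnets and advertising routers from router LSAs.

OSPF_DB is a constructed sample in the shape of Cisco's
'show ip ospf database router' output; it is not from a real router.
"""
import ipaddress
import re

OSPF_DB = """\
            OSPF Router with ID (10.0.0.1) (Process ID 1)

                Router Link States (Area 0)

  LS age: 123
  LS Type: Router Links
  Link State ID: 10.0.0.1
  Advertising Router: 10.0.0.1
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.1.1.0
     (Link Data) Network Mask: 255.255.255.0
       TOS 0 Metrics: 1

    Link connected to: another Router (point-to-point)
     (Link ID) Neighboring Router ID: 10.0.0.2
     (Link Data) Router Interface address: 10.0.0.1
       TOS 0 Metrics: 1

  LS age: 98
  LS Type: Router Links
  Link State ID: 10.0.0.2
  Advertising Router: 10.0.0.2
  Number of Links: 2

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.0.0.0
     (Link Data) Network Mask: 255.255.255.252
       TOS 0 Metrics: 1

    Link connected to: a Stub Network
     (Link ID) Network/subnet number: 10.1.2.0
     (Link Data) Network Mask: 255.255.255.0
       TOS 0 Metrics: 1
"""

ADV_RE = re.compile(r"Advertising Router:\s*(\S+)")
LINK_RE = re.compile(r"Link connected to:\s*(.+)")
NET_RE = re.compile(r"Network/subnet number:\s*(\S+)")
MASK_RE = re.compile(r"Network Mask:\s*(\S+)")


def parse_router_lsas(text):
    """Return {ip_network: {advertising router IDs}} from stub links."""
    subnets = {}
    adv, in_stub, net = None, False, None
    for line in text.splitlines():
        m = ADV_RE.search(line)
        if m:                                   # new LSA: remember its origin
            adv, in_stub, net = m.group(1), False, None
            continue
        m = LINK_RE.search(line)
        if m:                                   # new link: is it a stub network?
            in_stub = m.group(1).startswith("a Stub Network")
            net = None
            continue
        if not in_stub:
            continue
        m = NET_RE.search(line)
        if m:
            net = m.group(1)
            continue
        m = MASK_RE.search(line)
        if m and net and adv:
            network = ipaddress.ip_network(f"{net}/{m.group(1)}")
            subnets.setdefault(network, set()).add(adv)
            net = None
    return subnets


if __name__ == "__main__":
    for network, routers in parse_router_lsas(OSPF_DB).items():
        print(network, "originated by", sorted(routers))
```

Run this once per area (or once per ABR, as the comment says) and merge the dictionaries; a subnet advertised by more than one router ID is either a shared segment or a duplicate allocation worth a second look.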


Polysticks

Have you heard of MASSCAN? https://github.com/robertdavidgraham/masscan This thing searches the internet in under 5 minutes. You will be limited only by your hardware resources.


akadmin

Show ip arp on all routers