Port scanning tells us what services run on individual hosts. But effective reconnaissance requires understanding the bigger picture—how many hosts exist, how they connect to each other, what roles they serve, and how the network is architecturally organized.
Network mapping is the practice of discovering and documenting network infrastructure. It answers the questions raised above: how many hosts exist, how they connect to each other, what roles they serve, and how the network is laid out.
A comprehensive network map transforms a vague target into a detailed understanding that guides subsequent attack planning—or, from a defensive perspective, reveals the attacker's view of your infrastructure.
By mastering this page, you will: (1) Understand host discovery techniques from ICMP to TCP/UDP probes, (2) Map network topology using traceroute and path analysis, (3) Fingerprint operating systems from network behavior, (4) Discover network relationships and trust boundaries, and (5) Apply these techniques for both offensive and defensive purposes.
Before scanning ports or probing services, we must determine which IP addresses have live hosts. Scanning every port on every possible IP would be prohibitively slow—host discovery narrows the target list to actual systems.
The challenge:
Discovery techniques range from simple to sophisticated, each with different detection characteristics and reliability.
| Method | Protocol | Reliability | Stealth | Firewall Evasion |
|---|---|---|---|---|
| ICMP Echo (Ping) | ICMP Type 8 | Medium | Low | Low |
| ICMP Timestamp | ICMP Type 13 | Medium | Medium | Medium |
| ICMP Address Mask | ICMP Type 17 | Low | Medium | Low |
| TCP SYN Ping | TCP | High | Medium | High |
| TCP ACK Ping | TCP | Medium | Medium | Medium |
| UDP Ping | UDP | Low | Medium | Medium |
| ARP Ping | ARP | Very High | N/A (local) | N/A (local) |
ICMP Echo Request (Traditional Ping):
The classic ping sends an ICMP Echo Request and waits for an ICMP Echo Reply:
```shell
ping 192.168.1.1
# PING 192.168.1.1: 56 data bytes
# 64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.5ms
```
Advantages:
Disadvantages:
nmap combines multiple discovery methods by default: nmap -sn 192.168.1.0/24 sends ICMP echo, TCP SYN to port 443, TCP ACK to port 80, and ICMP timestamp. This increases reliability when some methods are blocked.
When ICMP is blocked, TCP and UDP probes offer alternatives. These leverage the fact that most firewalls must allow some TCP/UDP traffic—otherwise the network would be non-functional.
TCP SYN Ping:
Send a SYN packet to a commonly open port (80, 443, 22). A live host responds with either a SYN/ACK (port open) or a RST (port closed).
Either response confirms the host exists—only silence or ICMP unreachable indicates no host.
TCP ACK Ping:
Send an ACK packet to a target port. Per the TCP specification, a host that receives an ACK belonging to no existing connection replies with a RST whether the port is open or closed, so any RST confirms a live host. Stateful firewalls that track connections usually drop the unsolicited ACK instead, which is why this probe works best against stateless packet filters.
UDP Ping:
Send UDP packets to commonly closed ports: a closed port answers with an ICMP Port Unreachable, which confirms the host is alive, while an open port usually stays silent.
UDP discovery is less reliable but may succeed when TCP is blocked.
```shell
# ICMP echo only
nmap -sn -PE 192.168.1.0/24

# TCP SYN ping to ports 22, 80, 443
nmap -sn -PS22,80,443 192.168.1.0/24

# TCP ACK ping to port 80
nmap -sn -PA80 192.168.1.0/24

# UDP ping to common ports
nmap -sn -PU53,161 192.168.1.0/24

# Combined approach (most reliable)
nmap -sn -PE -PS80,443 -PA3389 -PU40125 192.168.1.0/24

# Aggressive: assume all hosts are up, scan anyway
nmap -Pn 192.168.1.0/24
```

Select commonly allowed ports: 80/443 (HTTP/HTTPS) for web traffic, 22 (SSH) for admin access, 25 (SMTP) for email servers, 3389 (RDP) for Windows environments. The goal is finding ports firewalls must allow for business operations.
When scanning on the local network segment (same broadcast domain), ARP discovery is the most reliable technique. ARP operates at Layer 2, below IP—hosts cannot avoid responding without breaking fundamental network functionality.
How ARP discovery works:
Why ARP is impossible to block:
| Benefit | Explanation |
|---|---|
| 100% reliable | Hosts cannot block ARP and still function on the network |
| Reveals MAC address | MAC vendor prefixes identify device manufacturers |
| Fast | No timeout delays—immediate responses |
| Bypasses host firewalls | ARP handled by NIC/driver before firewall sees it |
| Works for all protocols | Discovers hosts regardless of what services they run |
```shell
# nmap ARP scan (automatic on local subnets when run as root)
sudo nmap -sn -PR 192.168.1.0/24

# arp-scan - dedicated ARP scanner
sudo arp-scan --interface=eth0 --localnet

# arping - ping using ARP
arping -c 3 192.168.1.1

# View ARP cache (recently discovered hosts)
arp -a          # Windows/BSD
ip neigh show   # Linux
```

MAC address analysis:
ARP reveals MAC addresses, which contain valuable information:
```text
MAC: 00:50:56:XX:XX:XX → VMware virtual machine
MAC: 08:00:27:XX:XX:XX → VirtualBox virtual machine
MAC: B8:27:EB:XX:XX:XX → Raspberry Pi
MAC: 00:0C:29:XX:XX:XX → VMware virtual machine
MAC: DC:A6:32:XX:XX:XX → Raspberry Pi (newer)
```
The first 3 bytes (OUI - Organizationally Unique Identifier) identify the manufacturer. This helps classify devices:
ARP only works within the same broadcast domain. It cannot cross routers. For remote networks, TCP/UDP/ICMP discovery is required. However, once you have access to a local segment (via VPN, compromised host, etc.), ARP is the go-to discovery method.
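The following Python is an added example (not part of the original lesson or of any of the tools above) that turns the Linux `ip neigh show` output into a classified host inventory using the OUI prefixes listed above. The neighbour table lines are constructed sample data, the OUI mapping is assumed to be just those five prefixes (a real inventory would load the full IEEE registry), and the one check the page does not mention is the locally-administered bit: when bit 1 of the first octet is set, the MAC was assigned by software (randomised Wi-Fi addresses, many virtual interfaces), so an OUI lookup on it is meaningless.

```python
import re

# OUI prefixes from the table above (first three octets). Constructed, partial
# mapping for this example; a real inventory would load the IEEE OUI registry.
OUI_VENDORS = {
    "00:50:56": "VMware virtual machine",
    "00:0C:29": "VMware virtual machine",
    "08:00:27": "VirtualBox virtual machine",
    "B8:27:EB": "Raspberry Pi",
    "DC:A6:32": "Raspberry Pi (newer)",
}

# Constructed sample of `ip neigh show` output on Linux (not real hosts).
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:50:56:aa:bb:cc REACHABLE
192.168.1.20 dev eth0 lladdr b8:27:eb:12:34:56 STALE
192.168.1.33 dev eth0 lladdr 0a:11:22:33:44:55 REACHABLE
192.168.1.40 dev eth0 lladdr 08:00:27:de:ad:01 DELAY
192.168.1.77 dev eth0 FAILED
"""

# Assumed line shape: "<ip> dev <if> [lladdr <mac>] [flags] <STATE>".
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?\s+(?P<rest>.+)$"
)


def classify_mac(mac):
    """Label a MAC by OUI, unless it is locally administered.

    Bit 1 (0x02) of the first octet set means the address was assigned by
    software rather than burned in by a manufacturer, so the OUI table does
    not apply to it.
    """
    mac = mac.upper()
    first_octet = int(mac[0:2], 16)
    if first_octet & 0x02:
        return "locally administered (randomised or software-assigned)"
    return OUI_VENDORS.get(mac[0:8], "unknown vendor")


def parse_neighbours(text):
    """Parse neighbour-table lines into (ip, mac, state, label) tuples.

    Entries without a link-layer address (e.g. state FAILED) get mac=None.
    """
    hosts = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        mac = m.group("mac")
        state = m.group("rest").split()[-1]  # last word is the NUD state
        label = classify_mac(mac) if mac else "no link-layer address"
        hosts.append((m.group("ip"), mac.lower() if mac else None, state, label))
    return hosts


if __name__ == "__main__":
    for ip, mac, state, label in parse_neighbours(SAMPLE_NEIGH):
        print(f"{ip:15} {mac or '-':17} {state:9} {label}")
```

The FAILED entry is kept on purpose: an address that was recently in the table but no longer answers ARP is itself useful inventory information for a defender.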
Understanding the path between you and the target reveals network topology—routers, firewalls, ISP boundaries, and geographic distribution. Traceroute is the fundamental tool for path discovery.
How traceroute works:
Traceroute exploits the TTL (Time To Live) field in IP headers: it sends probes with the TTL set to 1, then 2, then 3, and so on. Each router decrements the TTL and, when it reaches zero, discards the packet and returns an ICMP Time Exceeded message, which reveals that router's address. Repeating this one hop at a time until the destination itself answers produces the path.
Windows default: Uses ICMP Echo Request
```text
C:\> tracert google.com
Tracing route to google.com [142.250.185.46]
over a maximum of 30 hops:
  1     1 ms     1 ms     1 ms  192.168.1.1
  2    10 ms    11 ms     9 ms  10.0.0.1
  3    15 ms    14 ms    15 ms  172.16.0.1
  4     *        *        *     Request timed out.
  5    25 ms    24 ms    25 ms  142.250.185.46
Trace complete.
```
Asterisks (*) indicate:
Interpreting traceroute results:
| Pattern | Interpretation |
|---|---|
| Consistent low latency | Direct, uncongested path |
| Sudden latency jump | Geographic distance or congested link |
| Multiple timeouts then responses | Routers configured to not respond but forward |
| All timeouts after a point | Firewall blocking probes |
| Same hop appearing twice | Load balancer or asymmetric routing |
| Private IPs (10.x, 172.16-31.x, 192.168.x) | Internal network hops |
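To show the interpretation table applied mechanically, here is an added Python example (not part of the original lesson) that parses tracert output and, going beyond the page's Windows transcript, the Linux/macOS traceroute format as well, then emits one finding per row of the table that applies. The transcript is constructed from documentation addresses; the 50 ms "latency jump" threshold is an assumption, and the private-address test is the RFC 1918 list the table names rather than Python's broader `is_private`, which also flags the documentation ranges used in the sample.

```python
import ipaddress
import re
import statistics

# Constructed tracert transcript modelled on the one above (documentation
# addresses; not a real trace).
SAMPLE_TRACERT = """\
Tracing route to host.example [203.0.113.46]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.1.1
  2    10 ms    11 ms     9 ms  10.0.0.1
  3    15 ms    14 ms    15 ms  172.16.0.1
  4     *        *        *     Request timed out.
  5    95 ms    94 ms    95 ms  198.51.100.9
  6    96 ms    95 ms    96 ms  203.0.113.46

Trace complete.
"""

# Windows tracert hop: number, three RTT columns ("1 ms", "<1 ms" or "*"), then host.
WIN_HOP = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<rtts>(?:(?:<?\d+ ms|\*)\s+){3})(?P<host>.+?)\s*$")
# Linux/macOS traceroute hop: number, optional "name (ip)", then RTTs or "* * *".
NIX_HOP = re.compile(r"^\s*(?P<hop>\d+)\s+(?:(?P<name>\S+)\s+\((?P<ip>[\d.]+)\)\s+)?(?P<rtts>.*)$")
RTT = re.compile(r"<?(\d+(?:\.\d+)?) ms|(\*)")

# The table's private ranges (10.x, 172.16-31.x, 192.168.x).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hops(text):
    """Return [(hop_number, ip_or_None, [rtt_ms, ...]), ...]; an unanswered hop has no RTTs."""
    hops = []
    for line in text.splitlines():
        m = WIN_HOP.match(line)
        if m:
            host = m.group("host")
            bracket = re.search(r"\[([\d.]+)\]", host)  # Windows "name [ip]" form
            ip = None if host.startswith("Request timed out") else (bracket.group(1) if bracket else host)
        else:
            m = NIX_HOP.match(line)
            if not m:
                continue
            ip = m.group("ip")
        rtts = [float(v) for v, _ in RTT.findall(m.group("rtts")) if v]
        hops.append((int(m.group("hop")), ip, rtts))
    return hops


def _is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def analyse(hops, jump_ms=50.0):
    """Apply the interpretation table above; returns [(hop_number, finding), ...]."""
    findings, seen, prev = [], {}, None
    for n, ip, rtts in hops:
        if not rtts:
            findings.append((n, "no response: router configured not to answer, or firewall dropping probes"))
            continue  # an unanswered hop does not update the latency baseline
        rtt = statistics.median(rtts)
        if ip and _is_rfc1918(ip):
            findings.append((n, f"{ip} is a private address: internal network hop"))
        if prev is not None and rtt - prev >= jump_ms:
            findings.append((n, f"latency jump of {rtt - prev:.0f} ms: geographic distance or congested link"))
        if ip in seen:
            findings.append((n, f"{ip} already seen at hop {seen[ip]}: load balancer or asymmetric routing"))
        elif ip:
            seen[ip] = n
        prev = rtt
    trailing = 0  # run of unanswered hops at the end of the trace
    for _, _, rtts in reversed(hops):
        if rtts:
            break
        trailing += 1
    if trailing:
        last = hops[-1][0]
        findings.append((last, f"last {trailing} hop(s) unanswered: firewall blocking probes past hop {last - trailing}"))
    return findings


if __name__ == "__main__":
    for hop, finding in analyse(parse_hops(SAMPLE_TRACERT)):
        print(f"hop {hop}: {finding}")
```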
Determining the operating system on remote hosts is crucial—exploit compatibility, vulnerability databases, and attack strategies all depend on accurate OS identification.
The principle:
Different operating systems implement TCP/IP standards slightly differently. While packets are interoperable, subtle implementation details create unique "fingerprints":
| Characteristic | Windows | Linux | macOS/BSD |
|---|---|---|---|
| Default TTL | 128 | 64 | 64 |
| Initial Window Size | Varies (often 65535) | 5840 or 14600 | 65535 |
| Don't Fragment bit | Usually set | Usually set | Usually set |
| TCP Options Order | MSS, NOP, WScale, NOP, NOP, SACK | MSS, SACK, Timestamp, NOP, WScale | MSS, NOP, WScale, NOP, NOP, Timestamp, SACK |
| Response to FIN on closed port | RST | RST | RST |
| Response to NULL packet | RST (all ports) | RST only if closed | RST only if closed |
nmap OS detection:
nmap maintains a database of over 5,000 OS fingerprints:
```shell
# OS detection (requires root)
sudo nmap -O target.com

# Aggressive OS detection
sudo nmap -O --osscan-guess target.com

# Combine with version detection
sudo nmap -O -sV target.com
```
Sample output:
```text
Running: Microsoft Windows 10
OS CPE: cpe:/o:microsoft:windows_10
OS details: Microsoft Windows 10 1709 - 1909
Network Distance: 2 hops
```
p0f sits on a network segment and fingerprints every host that communicates through it—without sending any packets. Perfect for defensive monitoring: p0f -i eth0 -p shows OS information for all observed hosts, completely silently.
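The passive approach p0f takes can be reduced to a few lines using the fingerprint table above. The following Python is an added example (not p0f's or nmap's code, and not part of the original lesson): it reads SYN summaries in a simplified, tcpdump-like one-line format that is an assumption of this example, maps the option names to the table's names, and classifies by option order first and by initial TTL and window size only as weaker evidence. It also derives the hop distance the same way nmap's "Network Distance" line does, from the gap between the observed TTL and the nearest common initial value (64, 128 or 255). The three packets are constructed.

```python
import re

# tcpdump option spellings mapped to the names used in the table above.
OPTION_NAMES = {"mss": "MSS", "nop": "NOP", "wscale": "WScale", "sackok": "SACK", "ts": "Timestamp"}

# Option orders from the table above (Windows / Linux / macOS-BSD).
OPTION_SIGNATURES = {
    ("MSS", "NOP", "WScale", "NOP", "NOP", "SACK"): "Windows",
    ("MSS", "SACK", "Timestamp", "NOP", "WScale"): "Linux",
    ("MSS", "NOP", "WScale", "NOP", "NOP", "Timestamp", "SACK"): "macOS/BSD",
}
INITIAL_TTLS = (64, 128, 255)

# Constructed SYN summaries (assumed format: "ttl N", "win N" and
# "options [...]" on one line; not a real capture).
SAMPLE_SYNS = [
    "IP (ttl 126) 198.51.100.7.51234 > 203.0.113.5.443: Flags [S], win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK]",
    "IP (ttl 61) 198.51.100.22.40022 > 203.0.113.5.443: Flags [S], win 14600, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7]",
    "IP (ttl 60) 198.51.100.9.55555 > 203.0.113.5.443: Flags [S], win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 2 ecr 0,sackOK]",
]

SYN_RE = re.compile(
    r"ttl (?P<ttl>\d+).*?(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > [\d.]+: Flags \[S\]"
    r".*?win (?P<win>\d+), options \[(?P<opts>[^\]]*)\]"
)


def parse_syn(line):
    """Extract (src_ip, ttl, window, [option names]) from one SYN summary line."""
    m = SYN_RE.search(line)
    if not m:
        return None
    # "TS val 1 ecr 0" -> "ts" -> "Timestamp"; unknown options are kept verbatim.
    opts = [OPTION_NAMES.get(raw.strip().split(" ")[0].lower(), raw.strip())
            for raw in m.group("opts").split(",")]
    return m.group("src"), int(m.group("ttl")), int(m.group("win")), opts


def initial_ttl(observed):
    """TTL only decreases in transit, so the sender most likely started at the
    smallest common initial value that is >= the observed TTL."""
    return next((t for t in INITIAL_TTLS if observed <= t), None)


def fingerprint(ttl, window, options):
    """(os_guess, hop_distance): option order first, then TTL and window."""
    init = initial_ttl(ttl)
    distance = None if init is None else init - ttl
    guess = OPTION_SIGNATURES.get(tuple(options))
    if guess is None:
        if init == 128:
            guess = "Windows (TTL only)"
        elif init == 64 and window in (5840, 14600):
            guess = "Linux (TTL and window)"
        elif init == 64:
            guess = "Linux or macOS/BSD (TTL only)"
        else:
            guess = "unknown"
    return guess, distance


def passive_inventory(lines):
    """Map each source IP to its fingerprint, as a passive sniffer would."""
    result = {}
    for line in lines:
        parsed = parse_syn(line)
        if parsed:
            src, ttl, win, opts = parsed
            result[src] = fingerprint(ttl, win, opts)
    return result


if __name__ == "__main__":
    for src, (guess, distance) in passive_inventory(SAMPLE_SYNS).items():
        print(f"{src:16} {guess:28} {distance} hops away")
```

Option order is the strongest of the three signals because it is set by the TCP stack and rarely changed by administrators, whereas TTL and window size are tunable and the table's values are only defaults.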
Combining host discovery, path analysis, and service detection creates a comprehensive network map. This map reveals the architecture an attacker will exploit—or a defender should secure.
Key topology elements to identify:
Building the map programmatically:
```shell
# Discover live hosts
nmap -sn 192.168.1.0/24 -oG live_hosts.txt

# For each host, identify services (OS detection needs root)
for ip in $(grep "Up" live_hosts.txt | cut -d" " -f2); do
  sudo nmap -sV -O "$ip" -oX "scan_$ip.xml"
done

# Traceroute to multiple targets
for ip in $(cat key_targets.txt); do
  traceroute "$ip" >> topology.txt
done
```
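The script above pulls live hosts out of the grepable file with grep and cut. The following Python, added here as an example and not part of the original lesson or of nmap itself, parses the -oG format properly: the tab-separated `Host:`, `Status:` and `Ports:` fields, and the slash-separated `port/state/proto/owner/service/rpc/version/` entries. The two sample outputs are constructed, and the `OS:` field appears only to show how an additional field is handled.

```python
import ipaddress
import re

# Constructed nmap grepable (-oG) output (sample data only, not a real scan).
SAMPLE_PING_SWEEP = "\n".join([
    "# Nmap scan initiated as: nmap -sn 192.168.1.0/24 -oG live_hosts.txt",
    "Host: 192.168.1.1 ()\tStatus: Up",
    "Host: 192.168.1.20 (printer.lan)\tStatus: Up",
    "Host: 192.168.1.50 ()\tStatus: Up",
    "# Nmap done -- 256 IP addresses (3 hosts up) scanned",
])
SAMPLE_SERVICE_SCAN = "\n".join([
    "Host: 192.168.1.1 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/\tIgnored State: closed (998)",
    "Host: 192.168.1.50 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/, 135/filtered/tcp//msrpc///\tOS: Windows 10",
])

HOST_RE = re.compile(r"^Host: (?P<ip>\S+) \((?P<name>[^)]*)\)$")


def parse_grepable(text, hosts=None):
    """Parse -oG lines into {ip: {"hostname", "status", "ports", "os"}}.

    Pass an existing dict to merge several scans (ping sweep + service scan).
    """
    hosts = {} if hosts is None else hosts
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # header/footer lines start with '#'
        fields = line.split("\t")
        m = HOST_RE.match(fields[0].strip())
        if not m:
            continue
        rec = hosts.setdefault(m.group("ip"), {"hostname": m.group("name") or None,
                                                "status": None, "ports": [], "os": None})
        for field in fields[1:]:
            field = field.strip()
            if field.startswith("Status: "):
                rec["status"] = field[len("Status: "):]
            elif field.startswith("Ports: "):
                for entry in field[len("Ports: "):].split(", "):
                    parts = entry.split("/")  # port/state/proto/owner/service/rpc/version/
                    rec["ports"].append({"port": int(parts[0]), "state": parts[1],
                                         "proto": parts[2], "service": parts[4],
                                         "version": parts[6]})
            elif field.startswith("OS: "):
                rec["os"] = field[len("OS: "):]
    return hosts


def live_hosts(hosts):
    """IPs reported Up, sorted numerically rather than as strings."""
    return sorted((ip for ip, r in hosts.items() if r["status"] == "Up"),
                  key=ipaddress.ip_address)


def open_services(hosts):
    """(ip, port, service, version) for every open port on a live host."""
    return [(ip, p["port"], p["service"], p["version"])
            for ip in live_hosts(hosts)
            for p in hosts[ip]["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    inventory = parse_grepable(SAMPLE_PING_SWEEP)
    parse_grepable(SAMPLE_SERVICE_SCAN, inventory)
    for ip, port, service, version in open_services(inventory):
        print(f"{ip:15} {port:5} {service:15} {version}")
```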
Visualization:
Once data is collected, map it visually:
Tools like Zenmap (nmap GUI), Maltego (intelligence gathering), and Spiderfoot automate much of this process, correlating discoveries into visual maps. For enterprise use, commercial platforms like Tenable.io and Qualys provide ongoing asset discovery and mapping.
DNS is a goldmine for reconnaissance. Organizations often leave DNS records that reveal internal structure, naming conventions, and relationships—all accessible without touching the target directly.
DNS enumeration techniques:
| Record Type | Purpose | Reconnaissance Value |
|---|---|---|
| A/AAAA | Maps hostname to IP | Identifies hosts and IP allocation |
| MX | Mail server | Identifies email infrastructure |
| NS | Nameservers | Identifies DNS infrastructure |
| TXT | Arbitrary text | Often contains SPF, DKIM—reveals email infrastructure |
| CNAME | Alias | Reveals relationships, CDN usage |
| SOA | Start of Authority | Admin contact, zone serial |
| SRV | Service location | Reveals services like LDAP, Kerberos, SIP |
| PTR | Reverse lookup | Maps IPs back to hostnames |
```shell
# Basic lookups
dig example.com ANY
nslookup -type=any example.com

# Enumerate common subdomains
for sub in www mail ftp vpn remote admin; do
  dig +short $sub.example.com
done

# Zone transfer attempt (usually blocked)
dig axfr @ns1.example.com example.com

# Reverse DNS for discovered IPs
for ip in $(cat ip_list.txt); do
  dig +short -x $ip
done

# Find nameservers
dig +short NS example.com

# Certificate transparency logs (public)
curl "https://crt.sh/?q=%.example.com&output=json" | jq -r '.[].name_value' | sort -u
```

Subdomain enumeration:
Finding subdomains reveals additional attack surface. Techniques include:
Tools for subdomain enumeration:
Misconfigured DNS servers may allow zone transfers (AXFR) to any requester. This dumps the entire DNS zone—every hostname and IP. While rare on public servers today, internal DNS servers are often misconfigured. Always try zone transfers during authorized assessments.
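The crt.sh query in the subdomain enumeration commands above returns JSON whose `name_value` field can hold several names separated by newlines, wildcard entries, mixed case, trailing dots, and names that contain the domain string without being under it. The following Python is an added example (not the course's code and not a crt.sh client) that cleans such a response into an in-scope, de-duplicated hostname list and merges it with names found by other techniques; the JSON is constructed, and the field names `common_name` and `name_value` are the ones the jq one-liner above already relies on.

```python
import json

# Constructed crt.sh-style response (not real certificate data).
SAMPLE_CRTSH = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com"},
    {"common_name": "vpn.example.com", "name_value": "VPN.example.com"},
    {"common_name": "mail.example.com", "name_value": "mail.example.com\nautodiscover.example.com"},
    {"common_name": "example.com.unrelated.test", "name_value": "example.com.unrelated.test"},
    {"common_name": "old.example.com", "name_value": "old.example.com."},
])


def in_scope(name, domain):
    """True only for the domain itself or a subdomain on a label boundary,
    so "notexample.com" and "example.com.unrelated.test" are rejected."""
    return name == domain or name.endswith("." + domain)


def subdomains_from_crtsh(raw_json, domain):
    """Return (hostnames, wildcards): lower-cased, de-duplicated, in-scope names.

    Wildcards are reported separately: "*.example.com" is not a host you can
    resolve, only evidence that a wildcard certificate was issued.
    """
    names, wildcards = set(), set()
    for entry in json.loads(raw_json):
        for field in ("common_name", "name_value"):
            for name in (entry.get(field) or "").split("\n"):
                name = name.strip().lower().rstrip(".")
                if not name or not in_scope(name, domain):
                    continue
                (wildcards if name.startswith("*.") else names).add(name)
    return sorted(names), sorted(wildcards)


def merge_sources(*name_lists):
    """Union of names from several enumeration sources (CT logs, wordlist
    lookups, reverse DNS), so the final list has no duplicates."""
    return sorted(set().union(*name_lists))


if __name__ == "__main__":
    hosts, wild = subdomains_from_crtsh(SAMPLE_CRTSH, "example.com")
    print("hosts:", hosts)
    print("wildcard certs:", wild)
    print("merged:", merge_sources(hosts, ["ftp.example.com", "www.example.com"]))
```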
While determined attackers will eventually map your network, effective defenses increase the time, effort, and detection risk for reconnaissance activities.
Defense layers:
Detection priorities:
| Activity | Detection Method | Response |
|---|---|---|
| ICMP sweep | IDS signature, firewall logs | Log source IP, potentially block |
| TCP/UDP sweep | Connection rate monitoring | Throttle, alert SOC |
| Sequential port scanning | Port sequence detection | Block source, investigate |
| Zone transfer attempt | DNS query logs | Block source, audit DNS config |
| ARP discovery | Host-based detection on high-value assets | Investigate immediately (attacker on local network) |
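As an added example of the "connection rate monitoring" and "port sequence detection" rows above (not part of the original lesson and not any product's detection logic), the following Python runs a sliding-window detector over firewall log lines: per source address it counts distinct destination hosts (a sweep) and distinct destination ports per host (a port scan) inside a 60-second window, and tags each alert with the response the table suggests. The log format, the thresholds (20 hosts, 15 ports) and the window length are assumptions; the log itself is constructed to contain one ICMP sweep, one TCP port scan and some benign traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style firewall line: "<ts> fw: proto=<p> src=<ip> dst=<ip> [dport=<n>] action=<a>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw: proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)"
    r"(?: dport=(?P<dport>\d+))? action=(?P<action>\w+)$"
)

# Responses taken from the table above.
RESPONSE = {
    "ICMP sweep": "log source IP, potentially block",
    "TCP/UDP sweep": "throttle, alert SOC",
    "port scan": "block source, investigate",
}


def build_sample_log():
    """Constructed log: a 25-host ICMP sweep, a 20-port TCP scan of one host,
    and a workstation talking to three servers (benign)."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{stamp(i)} fw: proto=icmp src=203.0.113.10 dst=192.168.1.{i + 1} action=drop"
             for i in range(25)]
    lines += [f"{stamp(30 + i)} fw: proto=tcp src=198.51.100.5 dst=192.168.1.50 dport={20 + i} action=drop"
              for i in range(20)]
    lines += [f"{stamp(40 + i)} fw: proto=tcp src=10.0.0.5 dst=192.168.1.{10 + i} dport=445 action=allow"
              for i in range(3)]
    return lines


def parse_log(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "proto": m.group("proto"), "src": m.group("src"), "dst": m.group("dst"),
            "dport": int(m.group("dport")) if m.group("dport") else None}


def detect_recon(lines, window=timedelta(seconds=60), host_threshold=20, port_threshold=15):
    """One alert per (source, activity, target) whose count crosses a threshold
    inside any window of the given length."""
    events = sorted((e for e in map(parse_log, lines) if e), key=lambda e: e["ts"])
    per_src = defaultdict(list)
    for e in events:
        per_src[e["src"]].append(e)
    alerts, seen = [], set()
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            dsts = {e["dst"] for e in win}
            if len(dsts) >= host_threshold:
                kind = "ICMP sweep" if all(e["proto"] == "icmp" for e in win) else "TCP/UDP sweep"
                if (src, kind, None) not in seen:
                    seen.add((src, kind, None))
                    alerts.append({"src": src, "activity": kind, "target": f"{len(dsts)} hosts",
                                   "response": RESPONSE[kind]})
            ports = defaultdict(set)
            for e in win:
                if e["dport"] is not None:
                    ports[e["dst"]].add(e["dport"])
            for dst, ps in ports.items():
                if len(ps) >= port_threshold and (src, "port scan", dst) not in seen:
                    seen.add((src, "port scan", dst))
                    alerts.append({"src": src, "activity": "port scan", "target": f"{len(ps)} ports on {dst}",
                                   "response": RESPONSE["port scan"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_recon(build_sample_log()):
        print(alert)
```

Thresholds are the tuning knob: set them too low and vulnerability scanners, monitoring systems and backup jobs on your own network will fire them constantly, which is one reason the page recommends regular authorized mapping exercises to see what your own tooling looks like in the logs.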
The best defense is knowing your network better than attackers. Conduct regular authorized mapping exercises—you'll not only improve your own security awareness but also verify that your detection systems actually work.
Network mapping transforms a target address into a comprehensive understanding of infrastructure. Let's consolidate the key concepts:
What's next:
With hosts discovered and mapped, the next reconnaissance phase is Vulnerability Scanning—systematically probing discovered services for known weaknesses that can be exploited.
You now understand the full spectrum of network mapping techniques—from ICMP ping sweeps to DNS enumeration. You can discover hosts, trace paths, fingerprint operating systems, and defend against these activities. Next, we'll examine how discovered services are probed for vulnerabilities.