Network Mapping

Network mapping is the technique through which you map the architecture of a network. It works simply: after getting information from the Whois database and the Domain Name System, you know the ranges of IP addresses, and it is time to confirm the “live” targets. We find live targets with the help of ICMP port probes and ping sweeps.

The actual stuff we have to map out is:

1. IP Ranges

2. Routers

3. Gateways

4. Firewalls

5. IDS (Intrusion Detection System)

Why do we need to map out the things mentioned above, and not just the IP addresses of the systems?

The answer is simple: the things mentioned above help us identify and proceed to the vulnerable targets of the network.

So let's talk about the tools and why we use them during network mapping:

ICMP (Internet Control Message Protocol): This is the utility that is already made for this kind of troubleshooting, so we’re gonna stick to it. Now you might ask me, what is ping? Ping is just a program that makes use of this utility provided by TCP/IP networking, ICMP. ICMP works with Echo requests in order to find problems within a network and helps us troubleshoot. ICMP works on the Transport Layer of the OSI model, or we can also say the Host-to-Host layer.


NOTE: Ping (Packet Internet Groper) doesn’t work on any port number. It just makes use of the ICMP utility, which uses Echo request and response, which in turn uses port number 7. Here’s a reference series which can get you through this stuff -> WP_Mays_Ping


Let’s carry on:

ICMP message types such as

  • echo reply (0)
  • destination unreachable (3)
  • redirect (5)
  • time exceeded (11)

provide a great deal of information to hackers about host connectivity and the hop count to a particular system.

ICMP mapping is usually done via a ping sweep, using IP network information from ARIN or any other network registrar (there are 5 in total, if you don’t know; search for those before proceeding). The ping sweep is one of the most important things you should know about. A ping sweep checks the IP ranges of the existing networks, obtained from ARIN or some other registrar, to see whether the hosts are dead or alive. A ping sweep can be done with the help of many programs you can find online or in Kali or BackTrack, or you can simply make one using an iterating script.

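    # Ping every host listed (one per line) in the file "hosts" once and report its state.
    file_hosts=hosts
    for host in $(cat "$file_hosts")
    do
        # -c 1 sends one echo request (Linux/macOS; Windows ping uses -n 1)
        if ping -c 1 "$host" | grep -Eq '1 (packets )?received'
        then
            echo "$host: live"
        else
            echo "$host: down"
        fi
    done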


Tools that can help:

  • Fping (Thomas Dzubin)
  • Hping (Salvatore Sanfilippo)
  • ICMPEnum (Simple Nomad)
  • Nmap (Fyodor)
  • Pinger (Rhino9)






ICMP packets don’t work every time. Sometimes they are dropped by a firewall or an intrusion prevention system, and in that case we don’t really know if the host is actually alive. For such a drag, we gotta find some other way: we use a TCP ping sweep. We can use TCP and UDP ports in order to check whether the target is alive or not. For TCP services, a positive “SYN-ACK” response to an initial “SYN” connection request on a specific port verifies the presence of a system listening on the specified port and may be easier to force through a firewall system than an ICMP request. We can also fragment the packet so that it can go by undetected by any firewall (next article, about Nmap). It can be done using Nmap, Nessus or Hping.
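How the ICMP ping sweep and the TCP ping sweep described above look from the monitored network, as an added example that is not part of the original article: it flags any source that probes several distinct hosts within a short window. The log format, addresses, threshold and window are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not from the page): time src dst proto detail
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 192.0.2.1 ICMP type=8
2024-05-01T10:00:01 198.51.100.7 192.0.2.2 ICMP type=8
2024-05-01T10:00:01 198.51.100.7 192.0.2.3 ICMP type=8
2024-05-01T10:00:02 198.51.100.7 192.0.2.4 ICMP type=8
2024-05-01T10:00:05 203.0.113.9 192.0.2.1 TCP flags=S dport=80
2024-05-01T10:00:05 203.0.113.9 192.0.2.2 TCP flags=S dport=80
2024-05-01T10:00:06 203.0.113.9 192.0.2.3 TCP flags=S dport=80
2024-05-01T10:00:06 203.0.113.9 192.0.2.4 TCP flags=S dport=80
2024-05-01T10:00:07 192.0.2.50 192.0.2.1 ICMP type=8
2024-05-01T10:05:00 192.0.2.50 192.0.2.2 ICMP type=8
"""

def parse(line):
    ts, src, dst, proto, *detail = line.split()
    fields = dict(d.split("=", 1) for d in detail)
    return datetime.fromisoformat(ts), src, dst, proto, fields

def is_probe(proto, fields):
    # ICMP echo request (type 8) or a bare TCP SYN: the two sweep styles in the text
    return ((proto == "ICMP" and fields.get("type") == "8")
            or (proto == "TCP" and fields.get("flags") == "S"))

def find_sweeps(log_text, min_hosts=4, window=timedelta(seconds=10)):
    """Return {(src, proto): sorted targets} for every source that probes
    at least min_hosts distinct destinations inside one sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, fields = parse(line)
        if is_probe(proto, fields):
            events[(src, proto)].append((ts, dst))
    sweeps = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1          # slide the window forward
            targets = {dst for _, dst in hits[start:end + 1]}
            if len(targets) >= min_hosts:
                sweeps[key] = sorted(targets)
                break
    return sweeps
```

A sweep paced more slowly than the window stays under this threshold, so the window and host count have to be tuned to the traffic being watched.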


Traceroute: It provides the route information. It helps us find out how the packets are mapped and routed to the destination. Simply put, it provides a trace of the route the packet takes while travelling across the network.

How Traceroute works:

Traceroute manipulates the IP time-to-live (TTL) option in ICMP or UDP packets (depending on the version of traceroute) to obtain an ICMP_TIME_EXCEEDED message from each hop or router on the path to a destination host. By default, each IP router in the path to a specific destination inspects the IP header in incoming packets, decrements the TTL value in the IP header by one, and then forwards the packet to its destination. Using this mechanism ensures that a finite “hop count” can be imposed on IP packets; if and when a packet reaches a TTL value of 30, the final router in the route path decrements the TTL to 0 and responds to the originating host with an ICMP_TIME_EXCEEDED message. Traceroute manipulates this facility by forwarding packets from the source host with the TTL deliberately set to a specific value; for the first packet generated, traceroute would generate a packet with a TTL value of “1” (as opposed to 30). This ensures that the “end” host (the first and final host in the route path) responds with an ICMP_TIME_EXCEEDED. The next packet is then generated with a TTL of “2” to pick up the next router in the path, and this process is repeated until it delivers information about all routers on the path to the destination.

[I took the above source from wiki because the stuff is all clean and easy.]
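The TTL mechanism described above, as an added offline simulation that is not part of the original article: each modelled router decrements the TTL, and the hop where it reaches 0 answers with ICMP type 11. The path, the addresses and the "silent" hop (a router that drops expired packets without replying) are constructed assumptions.

```python
# ICMP message types listed earlier on the page
ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED = 0, 3, 11

# Hypothetical path (constructed): routers between the source and the destination.
# "silent" marks a hop that drops expired packets without sending ICMP back.
PATH = [
    {"addr": "10.0.0.1", "silent": False},
    {"addr": "172.16.5.1", "silent": True},
    {"addr": "192.0.2.254", "silent": False},
]
DESTINATION = "192.0.2.10"

def send_probe(ttl, path=PATH, dest=DESTINATION, udp=True):
    """Walk one probe along the path; return (responder, icmp_type) or None."""
    for router in path:
        ttl -= 1                      # each router decrements the TTL by one
        if ttl == 0:                  # expired here: the router drops the packet
            if router["silent"]:
                return None           # filtered hop, nothing comes back
            return router["addr"], TIME_EXCEEDED
    # The probe reached the destination with TTL to spare. A UDP probe to a
    # closed port draws destination unreachable; an ICMP echo draws an echo reply.
    return dest, (DEST_UNREACHABLE if udp else ECHO_REPLY)

def trace(max_hops=30, **kw):
    """Raise the TTL from 1 until something other than time exceeded answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = send_probe(ttl, **kw)
        hops.append((ttl, reply[0] if reply else "*"))
        if reply and reply[1] != TIME_EXCEEDED:
            break                     # the destination itself has answered
    return hops
```

The `*` entry for the silent hop is what a filtering router looks like in real traceroute output: the path continues past it, but that hop never identifies itself.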

Tools For Traceroute:

1. Tracert is a Windows command-line tool that will do the job.

2. Traceroute in Linux


Other automated tools that can do the job for you (if you still don’t get the entire article):

1. Cheops

2. SolarWinds




Stay Anonymous 🙂

