You may not know it, but the IPv4 address of your computer contains tons of useful information about whatever Wi-Fi network you're on. By knowing what your IPv4 address and subnet mask are telling you, you can easily scan the whole network range, locate the router, and discover other devices on the same network.
While IP addresses like 192.168.0.5/24 may look familiar to you, the IP address assigned to your computer by the router is actually telling you a lot about the network itself. If we didn't know anything at all about which network we were on, we might have a hard time running a scanning tool that asks us to provide a range of IP addresses to scan. We could panic and scan every IPv4 address in existence by just scanning 0.0.0.0/0, but at 42,94,967,294 possible IP addresses, this would take a very long time.
Instead, we can be smart about how we scan a network by learning a little about how IPv4 works. You don't need to be a network engineer to be smart about your scanning and to quickly calculate a network range, and learning to quickly find the router on a network can save you from needing to reveal your presence with a scan.
In order for any device to connect to a Wi-Fi or Ethernet network, two pieces of information are needed to successfully transmit and receive information. The first is a MAC address, which is like the electronic serial number of a device which doesn't change as it joins different networks. The MAC address is used to identify the device physically on the network and uses a format like below.
40:70:09:7a:64:97 - ARRIS Group, Inc.
MAC addresses are useful because the first half of them are assigned to a manufacturer to program into the devices they sell. That means that we can use the MAC address of a device to see who makes it, which is in many cases enough to identify what it is. For example, identifying a "nestcam" device almost certainly means a "Nest" brand security camera.
The other piece of information needed to join a network is an IP address. Unlike the MAC address of a device which doesn't change, your IP address is like a parking space on the network that may change depending on what network you're connected to and how many other spaces are occupied by other devices. When a network creates a link between the physical MAC address of a device and the IP address assigned by the router to a device joining the network, the combination allows a successful connection to the network.
You can find your IP address by running ifconfig or ip a in a terminal window.
ifconfig | grep inet
inet 192.168.0.24 netmask 255.255.255.0 broadcast 192.168.0.255
In practice, an example would be your smartphone connecting to the Wi-Fi network at a coffee shop. Your device has the same MAC address at home as it does at the coffee shop, but the router at the coffee shop would assign you a potentially different IP address every time you joined.
Once you've connected to the network, the router and nearby devices store the relationship between your device's MAC address and the IP address it's been assigned in a table that allows easy delivery of information. You can see this table by typing arp -a into a terminal window.
? (192.168.0.11) at 3c:dc:bc:05:77:d4 [ether] on wlan0 _gateway (192.168.0.1) at 40:70:09:7a:64:97 [ether] on wlan0
In this example, my computer has stored the IP and MAC address of the router (gateway) and another computer on the network, allowing packets to be sent to either.
IPv4 is the most widespread and easy to understand IP addressing system but is gradually being replaced by the more complicated but scaleable IPv6. In spite of this, most networks will still assign you an IPv4 address, making it easy to find your way around the network. The most important thing to know about IP addresses is that they are just a long, unique number assigned to a device on a network. That's all.
To learn how IP addresses work, you'll need a connection to a router that assigns you an IPv4 address. Many of the calculations to find the network range can be done on paper on in your head, but I find it useful to use a calculator in many cases.
You can use tools like ipcalc to make it easier to quickly calculate IP ranges, but it won't help you much unless you know what it's telling you. In this guide, we'll use ipcalc a few times, so you can install it by typing apt install ipcalc in a terminal window or installing it from its GitHub page.
The format of an IPv4 address can look intimidating, but the average IPv4 address isn't conveying an overwhelming amount of information. To start, you should know that an IP address is a number in binary, the language computers speak, which we write as digits so that humans don't accidentally mess it up.
- Don't Miss: Abusing DNS for Reconnaissance
To understand an IP address, we need to do some very simple math. As humans, we have ten fingers, so we count in base 10. That means, after we get to 9, we add another digit. Binary uses base 2 instead of base 10, so to count to 2 in binary, we would write "10."
The way it works is as follows:
1 = 1 2 = 10 3 = 11 4 = 100 5 = 101 6 = 110 7 = 111 8 = 1000 9 = 1001 10 = 1010
When dealing with an IP address, each number divided by a dot represents an eight-digit binary number. For the IP address of 192.168.0.2, we can convert the IP address into an eight-digit binary number by following this process:
IP address: 192.168.0.2 First number: 192 Binary number positions: 128 64 32 16 8 4 2 1 0 0 0 0 0 0 0 0
To convert our first number, we start on the left side of the binary number with the first value of 128. From left to right, first check to see if you subtract 128 from our number (192). We can, so the first number is 1.
After subtracting 128 from 192, we have 64 remaining. The value of the next digit is 64. Can we subtract 64 from our remaining number (64)? Yes, so the next number is 1 as well.
That leaves us with zero, so we fill in all zeros, leaving the resulting number 11000000 in binary. To a computer, this is identical to the number 192.
With the first number converted, we do the same with the second.
Second number: 168 Binary number positions: 128 64 32 16 8 4 2 1 0 0 0 0 0 0 0 0
First, we try to subtract 128 from our number (168). We can, so the first number is 1.
Next, we try to subtract 64 from our remaining number, which is 40. We can't, so the next number is 0.
Now, we try subtracting 32 from our remaining number of 40. We can, so the next number is 1.
The next number to try subtracting is 16 from our remaining amount of 8. We can't, so we add another 0 to the binary number.
It's pretty obvious that 8 can be subtracted from our remaining number of 8, so we add another 1 and fill in the rest with zeros to get our number.
Next, we convert the third number, which is just 0. We can represent this using all zeros as 00000000, leaving only the last number to convert.
We obviously can't subtract any of the numbers before 2 from our number of 2 for the last number, so we'll add all zeros up until the 2 digit, then add another zero at the end. This leaves us with 00000010 as the binary number representing 2.
After converting to binary, the IP address 192.168.0.2 becomes the following number, which is the big long number your computer uses to identify itself to devices on your local network.
IP addresses contain two pieces of information for a router. The first half tells the router which network that the IP address is a part of, while the second half indicates which available parking space a particular device is using. Both are important for a router to know. If you try to connect to a device on a different network, your IP address will tell the router it needs to forward your connection on to another router that knows where that network is located.
You can think of the network part of an IP address like the city you're sending a package to, and the host portion like the address within that city you're delivering it to. This allows for routers to quickly decide if they need to route traffic to a device on a local network or send the traffic elsewhere.
So in our previous example IP address of 192.168.0.2, what part is talking about the network, and what part is talking about the host?
To figure this out, we'll need to use a subnet mask. A subnet mask is like a highlighter made out of 1's that shows the router which part of the IP address is talking about a network. For our example of 192.168.0.2, we can show the network mask in three ways:
255.255.255.0 192.168.0.2/24 11111111.11111111.11111111.00000000
The first example is the way you'll see the subnet mask written pretty often, converted into digits to be easier to write. The last example shows what it really looks like and gives a clue for why we add the /24 to indicate this submask: it has twenty-four 1's in a row!
So would a /8 subnet have a string of eight 1's in a row? Yep, that would be 255.0.0.0, or 11111111.00000000.00000000.00000000 in binary.
So what would a 11111111.11110000.00000000.00000000 be? Well, it's got twelve 1's in a row, so it would be a /12 network, or 255.240.0.0.
Subnet masks will always be a continuous group of 1's on the left side. Any part of your IP address that has a 1 in the subnet mask is talking about the network you're a part of. Everything with a zero is talking about a host address on the network.
In our example of 192.168.0.2/24, the first part, 192.168.0, is referring to the network we are on. That means only the last part of the address is available for devices to "park" on the network. This is important to know because it tells us there are a total of 254 available IP addresses on the network.
Now that we know how subnet masks work, let's take a look at our current IP address. In this example, we can run ifconfig in a terminal window to get our current IP address.
eth0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500 ether 50:7b:9d:7a:c8:8a txqueuelen 1000 (Ethernet) RX packets 0 bytes 0 (0.0 B) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536 inet 127.0.0.1 netmask 255.0.0.0 inet6 ::1 prefixlen 128 scopeid 0x10<host> loop txqueuelen 1000 (Local Loopback) RX packets 65413 bytes 14922237 (14.2 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 65413 bytes 14922237 (14.2 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.0.24 netmask 255.255.255.0 broadcast 192.168.0.255 inet6 2606:6000:66d0:a000:41b9:777e:5263:3b59 prefixlen 64 scopeid 0x0<global> inet6 fe80::b567:3ec1:3f0b:39bc prefixlen 64 scopeid 0x20<link> ether 00:c0:ca:95:6e:74 txqueuelen 1000 (Ethernet) RX packets 47663 bytes 37596073 (35.8 MiB) RX errors 0 dropped 0 overruns 0 frame 0 TX packets 227500 bytes 22477997 (21.4 MiB) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
From this output, we can see out IPv4 address on our Wi-Fi interface wlan0 is 192.168.0.24, with a subnet mask of 255.255.255.0.
From what we learned before, we immediately know the subnet mask looks like 11111111.11111111.11111111.00000000, meaning the fourth number in the IP address is the only one that's referring to individual host devices.
Because we're counting in binary, this means there are a total of 256 possible IP addresses (from 0 to 255) on this network! If we're doing a scan, we know two things for crafting it:
- The first three numbers will always be the same while scanning devices on this network.
- The last number can only be a number between 0 and 255. Anything else can't exist on this network.
However, we can narrow this down further. There are three addresses already guaranteed to be in use on this and every network. This is because of the way IPv4 is designed and means that there are really only 254 addresses available for devices on the network.
So what are these reserved IP addresses, and how do we find them? The first is the broadcast address, the second is the network address, and the final will be the one at which the router is located, also called the default gateway.
Finding the default gateway is easy. As mentioned before, you can type arp -a to show the current route to your gateway, which is where your computer is sending network traffic.
_gateway (192.168.0.1) at 40:70:09:7a:64:97 [ether] on wlan0
So how do we find the broadcast and network addresses?
The broadcast network will always be the last IP address available on a network. In our IP range that starts at 0, this means that 192.168.0.255 will be the reserved broadcast address. Anything sent to this address is sent to every device on the network.
The network address is the lowest possible IP address. In this case, that would be 192.168.0.0, meaning we shouldn't scan this address either. Doing so wouldn't yield any useful results.
With these two possible IP addresses off the table, the router is usually assigned the first usable IP address. After removing our reserved address, this matches up with the IP address in our ARP cache, 192.168.0.1.
Now that we know this, we can avoid scanning the broadcast and network address and focus on the range starting with the router's IP address.
Nmap is a perfect example of a tool that requires you to know an IP address to use it. Let's consider an example where a hacker might find themselves on an unfamiliar network, and let's work through how they'd run Nmap on the network.
On a penetration test, a hacker manages to access a poorly secured Wi-Fi network connected to a credit card system, allowing them to join a company Wi-Fi network. After running ifconfig, they see the following output.
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 inet 192.168.5.29 netmask 255.255.240.0 broadcast 192.168.15.255
Woah! This looks different. How can we make sense of what we're seeing? First, we can convert the subnet mask to binary to see how this network is different from the last one we looked at.
Okay, now we're getting somewhere. We could also show this subnet mask by writing it like 192.168.5.29/20 because it has twenty 1's in a row. That means the first 20 binary digits of the address are reserved for the address, meaning we have more possible IP addresses than our last example.
So how many IP addresses are there? Well, we have a major clue to start. We have the broadcast address, which we know from before is the highest possible IP address in the range. If we convert it to binary, we can see that it's just the whole host area of the address full of ones.
Broadcast: 192.168.15.255 11000000.10101000.0000 1111.11111111
This means the network address, which we need to scan the whole network, just has zeros filled in the same spot. Let's add zeros where the ones are to give us the lowest address in the range, and the one we can use to scan the whole network.
Network: 192.168.0.0/20 11000000.10101000.0000 0000.00000000
That means that this network has 4,094 possible IP addresses, and we can scan all of them by running nmap 192.168.0.0/20.
If we didn't have the broadcast IP, we can still calculate it by turning the IP address into binary and then filling in the host section with all zeros. Based on what we learned before, the most likely IP address of the router would then be the first available IP address, which in this network would be 192.168.0.1.
Knowing how to calculate the network IP of an IPv4 network will allow you to scope out other devices on the network without wasting time scanning nonexistent IPs. With a glance at your own IP, you can even reliably access the router of a network on the first try without needing to run a scan.
Even the most basic hacking tools will often require you to enter an IP address or a range of IP addresses in order to function. By calculating the network address and adding a subnet mask, it's easy to abbreviate an entire network with a number like "192.168.0.0/24" to scan all possible hosts on the network like a pro.
If all else fails, you can always just plug the IP address into ipcalc to calculate everything in a hurry. Even if you don't find yourself calculating IP addressed by hand, you'll still be able to make better use of all the information ipcalc has to offer by understanding what each of the values mean and what to do with them.
I hope you enjoyed this guide to calculating IPv4 network ranges! If you have any questions about this tutorial on IPv4 networking or you have a comment, do so below, and feel free to reach me on Twitter @KodyKinzie.