IP Discovery: How to Create a Full IP Map of Your Organization

SecurityTrails Blog - A podcast by SecurityTrails

Note: The audio version doesn't include code or commands. Those parts of the post can be seen in the text version.

IP intelligence involves information gathering on the IP addresses used to provide access to web applications and web services within an organization. It provides a modern perspective for securing one's virtual organization, in the same way that an organization's physical office and assets are secured. And with the increasing frequency and sophistication of internet attacks, the need to secure one's organization becomes more important every day.

With the rise of IPv6 and the shortage of IPv4 addresses, newly deployed services are often seen running dual-stack with both IPv4 and IPv6. However, IPv4 is usually accounted for and firewalled while IPv6 isn't. This leaves your services protected over IPv4 but accessible from the public internet over IPv6.

Thus, information gathering leads to asset discovery, which covers various software stacks, including web servers, web applications and databases, and even physical devices such as IoT devices and much more.

Why IP discovery is important for organizations

With organizations running multiple software stacks and internal teams running different versions of the very same software, it's important to understand and track what runs where.

Consider the following: often, software is tested on legacy platforms to ensure compatibility for long-term support (LTS) software versions. In this scenario it's imperative to know whether the test platform itself is secure or not, as vulnerabilities can enter into the test platform itself, opening the software being tested to the threat of malicious code injections.

Maintenance is another important aspect to consider. Public internet-facing web applications are frequently set up and left running without maintenance, meaning components of the web application (such as the web server or database) can become out of date and be left to run with vulnerabilities present. These vulnerabilities can then be exploited by attackers to enter your organization's network.

Simply put, IP reconnaissance is key to knowing what services run under your organization, both for maintenance purposes and for security purposes.

IP discovery using Nmap

Nmap is a handy network-mapping tool which can be used from any Linux- or Windows-powered system to map one's organization. When it comes to mapping larger organizations, however, Nmap does have certain speed and time-related disadvantages.

For each of your organization's IP addresses, Nmap has to "ping" or "probe" each available port to determine whether it is OPEN, FILTERED or CLOSED to access. Multiply this process by 100 or even 1,000 IP addresses, and such a task becomes tedious and time-consuming. And with the rise of IPv6, wherein an organization can easily have 1,000s or 10,000s of IP addresses (with one or more IP addresses allocated to each of the organization's devices or servers), the effort grows even more daunting.

Nmap is already shipped in most modern Linux distributions, but if you haven't installed it, check out our Nmap Tutorial Guide, which covers the installation process.

Next, run Nmap to scan a range of IPs, 192.168.0.1 to 192.168.0.100, with the following command.

The ultimate "catch" in using Nmap remains that you should already know all of your organization's IP address assets before starting. Only when all of your organization's IP addresses have been scanned can you get complete coverage when searching for out-of-date software, misconfigured private services via public networks, and the like.

What about fping?

fping is another handy tool for discovering active hosts within your organization's IP address space. Consider the following example:

With the above command, fping sends 1 ping request to each IP address within the subnet 192.168.0.0/24 (that is, from 192.168.0.1 to 192.168.0.254). All active hosts that reply to the ping request get listed on your terminal.

The catch with using fping is sim...
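The dual-stack gap described above (IPv4 firewalled, IPv6 left open) can be checked by comparing two Nmap runs against the same hosts. The following is an added example, not code from the original post: it parses Nmap grepable output (`-oG`) from an IPv4 scan and an IPv6 (`-6`) scan and lists ports that are open over IPv6 but not over IPv4. The sample scan data, host names and function names are constructed for illustration, and it assumes both address families report the same host name.

```python
import re
from collections import defaultdict

# Constructed sample output in Nmap's grepable format (-oG); not real scan data.
SCAN_V4 = """\
Host: 192.168.0.10 (web01.corp.example)\tPorts: 22/filtered/tcp//ssh///, 80/open/tcp//http///, 3306/filtered/tcp//mysql///
Host: 192.168.0.11 (db01.corp.example)\tPorts: 22/open/tcp//ssh///, 5432/closed/tcp//postgresql///
"""
SCAN_V6 = """\
Host: 2001:db8::10 (web01.corp.example)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///
Host: 2001:db8::11 (db01.corp.example)\tPorts: 22/open/tcp//ssh///, 5432/closed/tcp//postgresql///
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\s+Ports: (.*)$")

def parse_grepable(text):
    """Return {hostname: {(port, proto): (state, address)}} from -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skips comment lines and "Status:" lines
        addr, name, ports = m.groups()
        key = name or addr  # fall back to the address when no name is reported
        # Drop trailing tab-separated fields such as "Ignored State: ..."
        for entry in ports.split("\t")[0].split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[0].isdigit():
                hosts[key][(int(fields[0]), fields[2])] = (fields[1], addr)
    return dict(hosts)

def ipv6_only_exposure(v4_text, v6_text):
    """List services open over IPv6 that are not open over IPv4 on the same host."""
    v4, v6 = parse_grepable(v4_text), parse_grepable(v6_text)
    findings = []
    for name, ports6 in sorted(v6.items()):
        for (port, proto), (state6, addr6) in sorted(ports6.items()):
            state4 = v4.get(name, {}).get((port, proto), ("not scanned", None))[0]
            if state6 == "open" and state4 != "open":
                findings.append((name, addr6, port, proto, state4))
    return findings

if __name__ == "__main__":
    for name, addr6, port, proto, state4 in ipv6_only_exposure(SCAN_V4, SCAN_V6):
        print(f"{name} [{addr6}] {port}/{proto}: open over IPv6, {state4} over IPv4")
```

Each finding is a service whose IPv4 firewall rule has no IPv6 counterpart, which makes it a candidate for a matching IPv6 rule or for removal from the public interface.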