Route Analysis (Information Gathering)

Yashwant Singh 🐧
Published in System Weakness
Dec 2, 2022

Routing analysis is a type of network analysis that determines the optimal path, or route, from one network location to another location or to several locations.

The main mission of routing analysis is to listen to protocol exchanges between routers for the purposes of network discovery, mapping, real-time monitoring and routing diagnostics.

There are three types of routing:

  1. Static routing — the administrator manually adds routes to the routing table.
  2. Default routing — the router is configured to send all packets towards a single router.
  3. Dynamic routing — routes are adjusted automatically as the state of the paths in the routing table changes.

We have already been through DNS Analysis, IDS/IPS Identification, Live Host Identification, Network & Port Scanners and OSINT Analysis. There are two tools listed under Route Analysis; you can see them in the image.

Let’s discuss them in detail and try to understand how they will help us.

1. Netdiscover


Netdiscover is an active/passive address reconnaissance tool, mainly developed for wireless networks without a DHCP server (for example while wardriving). It can also be used on hub/switched networks.

Built on top of libnet and libpcap, it can passively detect online hosts, or search for them by actively sending ARP requests. Netdiscover can also be used to inspect your network's ARP traffic, or to find network addresses using auto-scan mode, which scans for common local networks. Netdiscover uses the OUI table to show the vendor of each MAC address discovered, which is very useful for security checks or in pentests.

$ netdiscover -h
Netdiscover 0.10 [Active/passive ARP reconnaissance tool]
Written by: Jaime Penalba <jpenalbae@gmail.com>

Usage: netdiscover [-i device] [-r range | -l file | -p] [-m file] [-F filter] [-s time] [-c count] [-n node] [-dfPLNS]
-i device: your network device
-r range: scan a given range instead of auto scan. 192.168.6.0/24,/16,/8
-l file: scan the list of ranges contained into the given file
-p passive mode: do not send anything, only sniff
-m file: scan a list of known MACs and host names
-F filter: customize pcap filter expression (default: "arp")
-s time: time to sleep between each ARP request (milliseconds)
-c count: number of times to send each ARP request (for nets with packet loss)
-n node: last source IP octet used for scanning (from 2 to 253)
-d ignore home config files for autoscan and fast mode
-f enable fastmode scan, saves a lot of time, recommended for auto
-P print results in a format suitable for parsing by another program and stop after active scan
-L similar to -P but continue listening after the active scan is completed
-N Do not print header. Only valid when -P or -L is enabled.
-S enable sleep time suppression between each request (hardcore mode)

If -r, -l or -p are not enabled, netdiscover will scan for common LAN addresses.

I tried to scan my network with netdiscover and got the following result. If you are already in a huge network with a lot of devices, routers and switches, you can use this to map your network and understand your position.

In the image above, I've had to hide my IPs and the MAC addresses, so that you guys don't get evil ideas.
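Netdiscover's active mode works by emitting one ARP who-has request per address in the range, and its passive mode by decoding the ARP frames it sees on the wire. The following is an added Python example, not part of the original article or of netdiscover itself, that decodes raw Ethernet/ARP frames from a constructed capture and flags the sender that is sweeping the subnet, which is what such a scan looks like from the defender's side; the MAC addresses, IPs and threshold are made up for the example.

```python
import struct
from collections import defaultdict

# Frame layouts: Ethernet II header, then an ARP packet for IPv4 over Ethernet.
ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST = 0x0806, 1

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def ip_str(raw):
    return ".".join(str(b) for b in raw)

def build_arp_request(src_mac, src_ip, target_ip):
    """Construct a broadcast who-has frame (sample-input generator only; nothing is sent)."""
    eth = ETH.pack(b"\xff" * 6, src_mac, ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                   src_mac, ip_bytes(src_ip), b"\x00" * 6, ip_bytes(target_ip))
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP/malformed frames."""
    if len(frame) < ETH.size + ARP.size:
        return None
    if ETH.unpack_from(frame)[2] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet/IPv4 ARP only
        return None
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

def find_arp_sweeps(frames, threshold=16):
    """Map (mac, ip) -> number of distinct targets probed, for senders at or above threshold.
    A host asking who-has for many different addresses is the footprint of an active scan."""
    probed = defaultdict(set)
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REQUEST:
            probed[(parsed[1], parsed[2])].add(parsed[3])
    return {src: len(t) for src, t in probed.items() if len(t) >= threshold}

# Constructed capture: one host sweeping 192.168.6.1-60, one host resolving only its gateway.
SCANNER, NORMAL = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
SAMPLE = [build_arp_request(SCANNER, "192.168.6.2", f"192.168.6.{i}") for i in range(1, 61)]
SAMPLE += [build_arp_request(NORMAL, "192.168.6.10", "192.168.6.1")] * 3
```

Running `find_arp_sweeps(SAMPLE)` reports only the sweeping sender with its 60 distinct targets; the threshold should be tuned to the size of the segment being monitored.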

2. Netmask


Netmask is another simple tool that does one thing: it makes an ICMP netmask request. By determining the netmasks of various computers on a network, you can better map your subnet structure.

This is a tiny program that is handy if you occasionally work with firewalls or routers (possibly as a helper for shell scripts). It can determine the smallest set of network masks needed to specify a range of hosts, and it can also convert between common IP netmask and address formats.

┌──(scott㉿notebook)-[~]
└─$ netmask -h
This is netmask, an address netmask generation utility
Usage: netmask spec [spec ...]
-h, --help Print a summary of the options
-v, --version Print the version number
-d, --debug Print status/progress information
-s, --standard Output address/netmask pairs
-c, --cidr Output CIDR format address lists
-i, --cisco Output Cisco style address lists
-r, --range Output ip address ranges
-x, --hex Output address/netmask pairs in hex
-o, --octal Output address/netmask pairs in octal
-b, --binary Output address/netmask pairs in binary
-n, --nodns Disable DNS lookups for addresses
-f, --files Treat arguments as input files
Definitions:
a spec can be any of:
address
address:address
address:+address
address/mask
an address can be any of:
N decimal number
0N octal number
0xN hex number
N.N.N.N dotted quad
hostname dns domain name
a mask is the number of bits set to one from the left
  1. Searching for domains/IP

netmask <domain>

  2. Output address/netmask pairs

netmask -s <domain/IP>

  3. Output address/netmask pairs in binary

netmask -b <domain/IP>

  4. Output IP address ranges

netmask -r <domain/IP>
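The "smallest set of network masks for a range of hosts" that netmask computes is a range-to-CIDR split: repeatedly take the largest aligned power-of-two block that starts at the low end of the range and does not run past the high end. The following Python is an added example, not code from the article or from the netmask program, that implements that split and renders each block in output styles loosely modelled on netmask's -s, -c, -x, -b and -r flags; the sample ranges are constructed.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest set of CIDR blocks covering first..last inclusive.
    At each step the block at `lo` is widened while it stays aligned and within `hi`."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is after range end")
    blocks = []
    while lo <= hi:
        prefix = 32
        while prefix > 0:
            size = 1 << (33 - prefix)          # size of the next wider block (prefix - 1)
            if lo % size == 0 and lo + size - 1 <= hi:
                prefix -= 1
            else:
                break
        blocks.append(ipaddress.IPv4Network((lo, prefix)))
        lo += 1 << (32 - prefix)
    return blocks

def octets_bin(value):
    """32-bit value as four space-separated 8-bit groups."""
    return " ".join(f"{(value >> s) & 0xff:08b}" for s in (24, 16, 8, 0))

def render(net, style):
    """Render one block in a netmask-like output style."""
    addr, mask = int(net.network_address), int(net.netmask)
    if style == "cidr":                                    # -c  192.168.1.0/24
        return str(net)
    if style == "standard":                                # -s  address/dotted mask
        return f"{net.network_address}/{net.netmask}"
    if style == "hex":                                     # -x
        return f"0x{addr:08x}/0x{mask:08x}"
    if style == "binary":                                  # -b
        return f"{octets_bin(addr)} / {octets_bin(mask)}"
    if style == "range":                                   # -r  first-last
        return f"{net.network_address}-{net.broadcast_address}"
    raise ValueError(f"unknown style {style!r}")

def summarize(first, last, style="cidr"):
    """Range -> list of rendered blocks, e.g. summarize('10.0.0.1', '10.0.0.8')."""
    return [render(n, style) for n in range_to_cidrs(first, last)]

if __name__ == "__main__":
    for line in summarize("10.0.0.1", "10.0.0.8", "standard"):
        print(line)
```

A range that is not itself an aligned block, such as 10.0.0.1 to 10.0.0.8, splits into four blocks (/32, /31, /30, /32), which is why a single "address/mask" pair is often not enough to describe a host range.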

Finally, we have finished the Route Analysis section of the Information Gathering tab in Kali Linux's pre-installed tool menu. In my upcoming article we will discuss 'SMB & SMTP Analysis'.

Be safe, be secure and happy hacking :)
