
my question is how can I determine all the private IP addresses being used in my company's network environment?

I am an Internal Auditor validating my firm's device inventory. The firm uses a tool which is configured by the network administrators to scan across very specific private IP address ranges in our production networks. I need to verify that no other devices are on the network outside of those scanned ranges. When asked, the administrators' reply is along the lines of, "because we just don't use addresses outside of those ranges." Which is fine, I am sure they do not. However, I am seeking a way to see which IP addresses are really in use so I can assess the completeness of the device inventory I am reviewing.

(I know I could ask them to scan the entire 10.0.0.0/8 subnet with the tool but that seems to be a non-starter with them for some reason so I am searching for alternatives)

Thank you all for the assistance.

user4755220
  • Can you briefly describe the network structure? How many subnets? VLANs? Routers? How many hosts (50; 100; 1000; more?). Assessing a 100-host single network is VERY different than assessing a 10,000-host, multi-site LAN/WAN. – Damiano Verzulli Aug 01 '19 at 18:33

2 Answers

1

You need to scan all ranges in use to see what "really" is there. That's the whole point of an audit, isn't it?

If you have access to routers and their routing tables, you can reduce the size of your scanning, or at least verify that certain ranges are not in use. The core router(s)' routing table should be adequate.

For example, if the range 10.100.0.0/16 is the only one supposedly in use, then if you inspect the routers' routing table, you should not see routes outside of that. If you saw a route to 10.150.5.0/24, that would tell you that an undocumented network exists, and it should be scanned for devices.

BTW, if they really only use certain ranges, then scanning outside those ranges should have no effect on the network. If they have intrusion detection systems, scanning might set that off (actually, it should), but since you're a known source, that shouldn't be a problem either.

Ron Trunk
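One way to automate the routing-table check Ron describes, as an added example that is not part of either answer: it parses a constructed routing table dump and flags any private prefix that is not contained in the documented ranges. The prefixes, the documented range and the plain "prefix next-hop" dump format are assumptions, not values from the question.

```python
import ipaddress

# Documented ranges the inventory tool is configured to scan (constructed).
DOCUMENTED = ["10.100.0.0/16"]

# Constructed sample of a core router's routing table exported as
# "prefix next-hop" lines, with a header line a real dump might carry.
ROUTING_TABLE = """\
Destination Gateway
10.100.0.0/24 10.100.0.1
10.100.5.0/24 10.100.5.1
10.150.5.0/24 10.0.255.2
172.16.20.0/22 10.0.255.3
0.0.0.0/0 203.0.113.1
"""


def parse_routes(text):
    """Return the destination prefixes found in a routing table dump.

    Lines whose first field is not a prefix (headers, blanks) are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        try:
            routes.append(ipaddress.ip_network(fields[0], strict=False))
        except ValueError:
            continue
    return routes


def undocumented_routes(routes, documented):
    """Return private prefixes that lie outside every documented range.

    The default route (prefix length 0) and non-private prefixes are
    ignored: the audit question is about private address space only.
    """
    allowed = [ipaddress.ip_network(d) for d in documented]
    flagged = []
    for route in routes:
        if route.prefixlen == 0 or not route.is_private:
            continue
        if not any(route.subnet_of(a) for a in allowed):
            flagged.append(route)
    return flagged


if __name__ == "__main__":
    for net in undocumented_routes(parse_routes(ROUTING_TABLE), DOCUMENTED):
        print("undocumented network, should be scanned:", net)
```

On the constructed dump this reports 10.150.5.0/24 and 172.16.20.0/22; the same functions work on a real export once it is reduced to prefix and next-hop columns.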
-1

An option is querying the ARP cache of a commonly-used machine.

ARP is a bit of software that converts IP addresses to MAC addresses. If 2 machines have communicated in the (recent) past, both will have an ARP entry for each other. On Linux, the command 'arp' will display the ARP cache.

That said, if the 2 machines have never had reason to contact each other, the entries won't be present. So perform this on, say, a file server or gateway.

This method is not as comprehensive as the scan mentioned by Ron, but is simpler.

  • There won't be any ARP entries for hosts that are not on the local subnet. An undocumented network would not show up. – Ron Trunk Aug 01 '19 at 18:18