Subnetting & CIDR
Subnetting is the practice of dividing a network into smaller, manageable pieces. Understanding it is critical for scoping targets and pivoting through networks.
Why Pentesters Need This
IP Address Structure
Every IP address has two parts: the Network ID (which network it belongs to) and the Host ID (which specific device).
CIDR Notation
Classless Inter-Domain Routing (CIDR) uses a suffix like /24 to indicate how many bits are used for the network portion.
The remaining bits define how many hosts can exist in that network.
| CIDR | Subnet Mask | Network Bits | Host Bits | Usable Hosts | Common Use |
|---|---|---|---|---|---|
| /32 | 255.255.255.255 | 32 | 0 | 1 | Single host |
| /30 | 255.255.255.252 | 30 | 2 | 2 | Point-to-point links |
| /28 | 255.255.255.240 | 28 | 4 | 14 | Small network segment |
| /24 | 255.255.255.0 | 24 | 8 | 254 | Most common (Class C) |
| /20 | 255.255.240.0 | 20 | 12 | 4,094 | Medium enterprise |
| /16 | 255.255.0.0 | 16 | 16 | 65,534 | Large enterprise (Class B) |
| /8 | 255.0.0.0 | 8 | 24 | 16,777,214 | Massive network (Class A) |
๐ The Formula
We subtract 2 because the first IP is the Network ID and the last is the Broadcast address.
๐ง The Magic Number Method
Forget memorizing tables. This 4-step method lets you calculate any subnet in your head in seconds.
The Core Concept: 256 Minus the "Interesting" Octet
The Magic Number = 256 - (subnet mask value in the interesting octet)
The "interesting octet" is where the subnet mask changes from 255 to something less. This magic number tells you the size of each subnet block.
Step 1: Find the Interesting Octet
| CIDR Range | Interesting Octet | Subnet Mask Pattern |
|---|---|---|
| /1 - /8 | 1st octet | X.0.0.0 |
| /9 - /16 | 2nd octet | 255.X.0.0 |
| /17 - /24 | 3rd octet | 255.255.X.0 |
| /25 - /32 | 4th octet | 255.255.255.X |
Step 2: Know Your Magic Numbers
Memorize this pattern โ it's the same for every octet. The magic number is always 256 - mask value.
| Bits in Octet | Mask Value | Magic Number | CIDR Examples |
|---|---|---|---|
| 1 bit | 128 | 128 | /1, /9, /17, /25 |
| 2 bits | 192 | 64 | /2, /10, /18, /26 |
| 3 bits | 224 | 32 | /3, /11, /19, /27 |
| 4 bits | 240 | 16 | /4, /12, /20, /28 |
| 5 bits | 248 | 8 | /5, /13, /21, /29 |
| 6 bits | 252 | 4 | /6, /14, /22, /30 |
| 7 bits | 254 | 2 | /7, /15, /23, /31 |
| 8 bits | 255 | 1 | /8, /16, /24, /32 |
Memory Trick
Step 3: Find the Network ID
Take the interesting octet value from your IP. Find the largest multiple of the magic number that is โค that value.
Step 4: Find the Broadcast
The broadcast address is one less than the next network's start.
๐ Complete Walkthrough: 172.16.57.200/22
Step 1: Which octet is interesting?
/22 falls in range /17-24 โ 3rd octet is interesting
Subnet mask pattern: 255.255.X.0
Step 2: What's the magic number?
/22 means 22 bits for network. In the 3rd octet, that's 22 - 16 = 6 bits.
6 bits โ mask value 252 โ magic number = 256 - 252 = 4
Step 3: Find the Network ID
The 3rd octet value is 57. What's the largest multiple of 4 that's โค 57?
4 ร 14 = 56 โ (4 ร 15 = 60, too big)
Network ID: 172.16.56.0
Step 4: Find the Broadcast
Network ID (56) + Magic (4) - 1 = 59 in the 3rd octet
4th octet maxes out at 255
Broadcast: 172.16.59.255
โ Final Answer
๐ฏ Practice Problems
Try these yourself before revealing the answers. Use the Magic Number Method!
Problem 1: 192.168.45.130/26
Interesting octet: 4th (/25-32 range)
Bits in octet: 26-24 = 2 bits โ Magic = 64
130 รท 64 = 2.03 โ floor to 2 โ 2 ร 64 = 128
Network: 192.168.45.128
Broadcast: 192.168.45.191 (128 + 64 - 1)
Host Range: .129 - .190 (62 hosts)
Problem 2: 10.200.100.50/19
Interesting octet: 3rd (/17-24 range)
Bits in octet: 19-16 = 3 bits โ Magic = 32
100 รท 32 = 3.125 โ floor to 3 โ 3 ร 32 = 96
Network: 10.200.96.0
Broadcast: 10.200.127.255 (96 + 32 - 1 = 127)
Host Range: 10.200.96.1 - 10.200.127.254 (8,190 hosts)
Problem 3: 172.31.200.1/13
Interesting octet: 2nd (/9-16 range)
Bits in octet: 13-8 = 5 bits โ Magic = 8
31 รท 8 = 3.875 โ floor to 3 โ 3 ร 8 = 24
Network: 172.24.0.0
Broadcast: 172.31.255.255 (24 + 8 - 1 = 31)
Host Range: 172.24.0.1 - 172.31.255.254 (524,286 hosts)
Problem 4: 192.168.1.67/29
Interesting octet: 4th (/25-32 range)
Bits in octet: 29-24 = 5 bits โ Magic = 8
67 รท 8 = 8.375 โ floor to 8 โ 8 ร 8 = 64
Network: 192.168.1.64
Broadcast: 192.168.1.71 (64 + 8 - 1)
Host Range: .65 - .70 (6 hosts)
Real-World Tip
Special Addresses in Every Subnet
Network ID
First address - identifies the network
192.168.1.0 Gateway (usually)
Often .1 or .254
192.168.1.1 Broadcast
Last address - reaches all hosts
192.168.1.255 Worked Example
Given: 10.50.25.67/20
Pentest Scenario
10.50.25.67/20. Now you know there are ~4,000 potential hosts from 10.50.16.1 to 10.50.31.254. Time to scan: nmap -sn 10.50.16.0/20 โก Quick Mental Math Cheat Sheet
For the most common subnets in the 4th octet, memorize these block sizes:
๐ฏ The One-Liner Method
For any IP/CIDR, ask yourself these 3 questions:
- 1. Which octet changes? (CIDR รท 8, round up)
- 2. What's the block size? (256 รท 2^(bits in that octet))
- 3. Which block am I in? (round down to nearest multiple)
Useful Commands
ip addr show
ip routeipconfig /all
route printipcalc 192.168.1.100/24
sipcalc 10.50.25.67/20nmap -sn 192.168.1.0/24
fping -a -g 192.168.1.0/24 2>/dev/nullInteractive Tool
Mental math is great for quick estimates, but use our calculator for accuracy.
๐งฎ Open Subnet Calculator
Calculate Network ID, Broadcast, Host Range, and more instantly.