Subnetting & CIDR
Subnetting is the practice of dividing a network into smaller, manageable pieces. Understanding it is critical for scoping targets and pivoting through networks.
Why Pentesters Need This
IP Address Structure
Every IP address has two parts: the Network ID (which network it belongs to) and the Host ID (which specific device).
CIDR Notation
Classless Inter-Domain Routing (CIDR) uses a suffix like /24 to indicate how many bits are used for the network portion.
The remaining bits define how many hosts can exist in that network.
| CIDR | Subnet Mask | Network Bits | Host Bits | Usable Hosts | Common Use |
|---|---|---|---|---|---|
| /32 | 255.255.255.255 | 32 | 0 | 1 | Single host |
| /30 | 255.255.255.252 | 30 | 2 | 2 | Point-to-point links |
| /28 | 255.255.255.240 | 28 | 4 | 14 | Small network segment |
| /24 | 255.255.255.0 | 24 | 8 | 254 | Most common (Class C) |
| /20 | 255.255.240.0 | 20 | 12 | 4,094 | Medium enterprise |
| /16 | 255.255.0.0 | 16 | 16 | 65,534 | Large enterprise (Class B) |
| /8 | 255.0.0.0 | 8 | 24 | 16,777,214 | Massive network (Class A) |
📐 The Formula
We subtract 2 because the first IP is the Network ID and the last is the Broadcast address.
Special Addresses in Every Subnet
Network ID
First address - identifies the network
192.168.1.0

Gateway (usually)
Often .1 or .254
192.168.1.1

Broadcast
Last address - reaches all hosts
192.168.1.255

Worked Example
Given: 10.50.25.67/20
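The arithmetic for this address, as an added Python example that is not part of the original page: it derives the mask, Network ID, broadcast and host range with bit operations, handles the /31 and /32 cases where subtracting 2 does not apply, and adds a check that an address stays inside the authorized range. The function names and the two candidate addresses are constructed for illustration.

```python
import ipaddress

def to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))       # dotted quad -> 32-bit integer

def to_text(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def mask_for(prefix: int) -> int:
    if not 0 <= prefix <= 32:
        raise ValueError(f"invalid IPv4 prefix length: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # network bits 1, host bits 0

def subnet_details(cidr: str) -> dict:
    """Network ID, broadcast and host range for an address given as a.b.c.d/n."""
    ip, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    host_bits = 32 - prefix
    mask = mask_for(prefix)
    network = to_int(ip) & mask                 # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)  # set the host bits
    if host_bits >= 2:
        # Usual case: first address is the Network ID, last is the broadcast.
        first, last, usable = network + 1, broadcast - 1, 2 ** host_bits - 2
    else:
        # /31 and /32 leave no room to subtract 2; every address is usable.
        first, last, usable = network, broadcast, 2 ** host_bits
    return {
        "mask": to_text(mask), "network": f"{to_text(network)}/{prefix}",
        "broadcast": to_text(broadcast), "first_host": to_text(first),
        "last_host": to_text(last), "usable_hosts": usable,
    }

def in_scope(ip: str, scope_cidr: str) -> bool:
    """True when ip lies inside the subnet that scope_cidr belongs to."""
    scope_ip, prefix_text = scope_cidr.split("/")
    mask = mask_for(int(prefix_text))
    return (to_int(ip) & mask) == (to_int(scope_ip) & mask)

if __name__ == "__main__":
    for key, value in subnet_details("10.50.25.67/20").items():
        print(f"{key:>12}: {value}")
    # Constructed sample addresses: one inside the /20, one just past its broadcast.
    for candidate in ("10.50.31.200", "10.50.32.1"):
        verdict = "in scope" if in_scope(candidate, "10.50.25.67/20") else "OUT OF SCOPE"
        print(candidate, verdict)
```

Running the scope check against every target before a scan catches addresses that sit one block over from the authorized range, such as 10.50.32.1 here.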
Pentest Scenario
10.50.25.67/20. Now you know there are ~4,000 potential hosts from 10.50.16.1 to 10.50.31.254. Time to scan:
nmap -sn 10.50.16.0/20

Quick Mental Math
For common subnets, memorize these "magic numbers":
Useful Commands
ip addr show
ip route
ipconfig /all
route print
ipcalc 192.168.1.100/24
sipcalc 10.50.25.67/20
nmap -sn 192.168.1.0/24
fping -a -g 192.168.1.0/24 2>/dev/null

Interactive Tool
Mental math is great for quick estimates, but use our calculator for accuracy.