Network Reconnaissance
Network Reconnaissance: passive mapping without noise
Quiet discovery techniques for large campuses, including IPv6 shadow interfaces and service graphing that stays inside policy-approved scopes.
Description
Participants build a phased map that blends public metadata with controlled internal scans granted by the lab sponsor. The storyline follows a fictional logistics company expanding into new warehouses, so every command maps to a plausible operational question.
Features
- Packet capture hygiene checklist used by our lab environment engineers
- BGP visibility segment with scripted assets only—no live carrier probing
- Activity log correlation exercise tying DHCP leases to asset owners
- Kanban-style triage board for turning noisy scans into human-readable next steps
- Cloud cost ops appendix for correlating forgotten endpoints to idle spend tiers
Outcomes
- Deliver a scope-safe reconnaissance memo with assumptions clearly labeled
- Demonstrate IPv6 neighbor discovery inside the sandbox VLAN
- Run a tabletop on escalation when a shadow resolver appears
FAQ
Will we touch production routers?
Never. All exercises occur on VLANs that mimic topology but contain no customer payload.
Can MSP teams attend?
Yes. Managed service providers often send pairs so one person narrates while another runs tooling.
Limitations?
We do not cover satellite backhaul quirks; bring those questions to a private bootcamp if needed.
Participant notes
The passive mapping sprint forced us to reconcile DNS logs with the activity log exercise—something we now reuse in client onboarding.
— Rina Cho · Harborline MSP · 4/5 · Google
IPv6 segment was dense; I appreciated the printed quick-reference matrix for neighbor discovery flags.
— Theo Marin , Network engineer