Chapter 9: The Network Map
Arc 2: Operating the Company

"The Network Map" — Windows Networking & Remote Access

Floor 2 has lost network connectivity and users are calling the help desk. While diagnosing the outage, you'll map Meridian's entire network — and discover an unauthorized device.

TCP/IP Fundamentals: IP Addressing & Subnets

Every device on a TCP/IP network needs a unique IP address to communicate. An IPv4 address is a 32-bit number, typically written in dotted-decimal notation — four octets separated by dots, like 10.10.30.104.

An IP address has two parts: the network portion (which network the device belongs to) and the host portion (which specific device on that network). The subnet mask tells the system where the dividing line is.

Reading a Subnet Mask:

A subnet mask of 255.255.255.0 (or /24 in CIDR notation) means the first 24 bits identify the network and the last 8 bits identify hosts. On a /24 subnet, you can have up to 254 usable host addresses (256 total minus the network address and broadcast address).

10.10.30.0/24 means: network = 10.10.30.0, hosts range from 10.10.30.1 to 10.10.30.254, broadcast = 10.10.30.255.

The default gateway is the router interface that connects your subnet to other networks. When a device wants to talk to an IP address outside its own subnet, it sends the packet to its default gateway, which routes it onward. At Meridian Dynamics, each VLAN has its own gateway (e.g., 10.10.30.1 for IT-ADMIN, 10.10.40.1 for CORP-WIFI).
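The two decisions described above, network/broadcast from a mask and "on-link or via the gateway", worked through in code. This is an added example, not part of the chapter; it uses only bit operations and works for any prefix length, not just the /24 blocks Meridian uses.

```python
# Added example, not from the chapter: IPv4 subnet arithmetic done with plain bit
# operations, using the Meridian addresses from this section.

def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    assert len(octets) == 4 and all(0 <= o <= 255 for o in octets), ip
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask(prefix: int) -> int:
    # /24 -> 0xFFFFFF00: the top `prefix` bits are the network, the rest the host
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Network, broadcast, usable host range and host count for a CIDR block."""
    ip, prefix = cidr.split("/")
    mask = prefix_to_mask(int(prefix))
    network = ip_to_int(ip) & mask                 # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)     # host bits set
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1),
        "last_host": int_to_ip(broadcast - 1),
        "usable_hosts": max(broadcast - network - 1, 0),   # /31 and /32 have none
    }

def next_hop(src_ip: str, src_prefix: int, gateway: str, dst_ip: str) -> str:
    """The decision a host makes for every outbound packet: same network bits means
    the destination is on-link (ARP for it directly); anything else is handed to
    the default gateway, which routes it to the other VLAN."""
    mask = prefix_to_mask(src_prefix)
    if (ip_to_int(src_ip) & mask) == (ip_to_int(dst_ip) & mask):
        return dst_ip
    return gateway

if __name__ == "__main__":
    print(subnet_info("10.10.30.0/24"))
    # MD-WS-IT04 on IT-ADMIN reaching MD-FS01 on the SERVER VLAN goes via 10.10.30.1
    print(next_hop("10.10.30.104", 24, "10.10.30.1", "10.10.10.12"))
    print(next_hop("10.10.30.104", 24, "10.10.30.1", "10.10.30.50"))
```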

DNS: The Domain Name System

DNS translates human-friendly names (like md-fs01.meridian.local) into IP addresses (like 10.10.10.12). Without DNS, you'd have to memorize IP addresses for every server you need to reach.

DNS resolution follows a hierarchy. When your workstation needs to resolve a name, it first checks its local DNS cache. If the name isn't cached, it sends a query to the configured DNS server (at Meridian, that's MD-DC01 at 10.10.10.10). If the DNS server doesn't have the answer, it queries upstream — root nameservers, TLD nameservers, and finally the authoritative nameserver for the target domain.

| Record Type | Purpose | Example |
|---|---|---|
| A | Maps a hostname to an IPv4 address (forward lookup) | md-fs01.meridian.local → 10.10.10.12 |
| AAAA | Maps a hostname to an IPv6 address | www.example.com → 2001:db8::1 |
| CNAME | Alias — points one name to another name | fileserver → md-fs01.meridian.local |
| MX | Mail exchanger — where to deliver email for a domain | meridian.local → mail.meridian.local (priority 10) |
| PTR | Reverse lookup — maps an IP address back to a hostname | 10.10.10.12 → md-fs01.meridian.local |
| SRV | Service locator — identifies servers for specific services | _ldap._tcp.meridian.local → md-dc01.meridian.local:389 |

DNS in Active Directory: SRV records are critical for AD. When a workstation joins the domain or a user logs in, the machine queries DNS for SRV records like _ldap._tcp.dc._msdcs.meridian.local to discover domain controllers. If DNS is down, domain authentication breaks — users can't log in, Group Policy won't apply, and Kerberos tickets can't be issued.

DHCP: Dynamic Host Configuration Protocol

DHCP automatically assigns IP addresses and network configuration to devices when they connect. Without DHCP, every device would need to be configured manually — a nightmare in an organization with hundreds of machines.

The DHCP process follows four steps, known as DORA:

| Step | Message | Direction | What Happens |
|---|---|---|---|
| D | Discover | Client → Broadcast | Client shouts "I need an IP address!" to the entire network (broadcast to 255.255.255.255) |
| O | Offer | Server → Client | DHCP server responds: "Here's 10.10.40.107, with gateway 10.10.40.1, DNS 10.10.10.10, lease time 8 hours" |
| R | Request | Client → Broadcast | Client broadcasts: "I'll take that offer from server X" (broadcast so other DHCP servers know) |
| A | Acknowledge | Server → Client | Server confirms: "10.10.40.107 is yours for 8 hours. Here's all the config." |

Lease time determines how long a device keeps its IP address before it must renew. Short leases (e.g., 1 hour) are good for guest networks where devices come and go. Longer leases (e.g., 8+ hours) reduce DHCP traffic on stable networks.

DHCP reservations let you "pre-assign" a specific IP to a specific MAC address. The device still uses DHCP (gets its config automatically), but always receives the same IP. Servers and printers often use reservations so they have predictable addresses.
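The DISCOVER and OFFER messages from the DORA exchange above, built and decoded byte by byte with the values MD-DC01 hands out. This is an added example, not code from the chapter; the layout follows RFC 2131 (fixed header) and RFC 2132 (options), and the transaction id and client MAC are constructed sample values.

```python
# Added example, not from the chapter: build and decode the DHCP messages of the DORA
# exchange above with Meridian's values. Layout follows RFC 2131 (fixed header) and
# RFC 2132 (options); the transaction id and client MAC are constructed sample values.
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                      # marks the start of the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def ip(s: str) -> bytes:                         # "10.10.40.1" -> 4 raw bytes
    return socket.inet_aton(s)

def build(op, msg_type, xid, mac, yiaddr="0.0.0.0", options=()):
    """op=1 client->server, op=2 server->client. 236-byte fixed header, magic cookie,
    option 53 (message type), further TLV options, 0xFF end marker."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      op, 1, 6, 0, xid, 0, 0x8000,          # flags: broadcast reply
                      ip("0.0.0.0"), ip(yiaddr), ip("0.0.0.0"), ip("0.0.0.0"),
                      mac, b"", b"")                         # chaddr, sname, file
    body = bytes([53, 1, msg_type])
    for code, val in options:
        body += bytes([code, len(val)]) + val
    return hdr + MAGIC + body + b"\xff"

def parse(pkt: bytes) -> dict:
    """Decode the fields a client actually acts on."""
    op, _, hlen, _, xid = struct.unpack("!BBBBI", pkt[:8])
    assert pkt[236:240] == MAGIC, "not a DHCP packet"
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                              # pad option, no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    ipopt = lambda code: socket.inet_ntoa(opts[code]) if code in opts else None
    return {"op": op, "xid": xid, "mac": pkt[28:28 + hlen].hex(":"),
            "yiaddr": socket.inet_ntoa(pkt[16:20]), "type": MSG_TYPES.get(opts[53][0]),
            "mask": ipopt(1), "router": ipopt(3), "dns": ipopt(6), "server": ipopt(54),
            "lease_s": struct.unpack("!I", opts[51])[0] if 51 in opts else None}

XID, MAC = 0x3903F326, bytes.fromhex("001122334455")              # constructed
discover = build(1, 1, XID, MAC)
offer = build(2, 2, XID, MAC, yiaddr="10.10.40.107", options=[
    (1, ip("255.255.255.0")), (3, ip("10.10.40.1")), (6, ip("10.10.10.10")),
    (51, struct.pack("!I", 8 * 3600)), (54, ip("10.10.10.10"))])
```

The client matches OFFER to its own DISCOVER by the shared xid and chaddr, which is why both messages carry the same values here.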

VLANs: Virtual LAN Segmentation

A VLAN (Virtual LAN) logically divides a physical switch into separate broadcast domains. Devices on different VLANs cannot communicate with each other directly — they need a router (or Layer 3 switch) to route traffic between them. This is called inter-VLAN routing.

VLANs provide security through segmentation. By isolating traffic, a compromised device on the Guest Wi-Fi VLAN cannot directly access the Server VLAN. At Meridian Dynamics, the network is divided into 7 VLANs:

| VLAN ID | Name | Subnet | Purpose | Gateway |
|---|---|---|---|---|
| 10 | SERVER | 10.10.10.0/24 | Domain controllers, file servers, web servers, DHCP/DNS | 10.10.10.1 |
| 20 | DMZ | 10.10.20.0/24 | Public-facing services, isolated from internal network | 10.10.20.1 |
| 30 | IT-ADMIN | 10.10.30.0/24 | IT department workstations, admin tools, management | 10.10.30.1 |
| 40 | CORP-WIFI | 10.10.40.0/24 | Corporate wireless for employees (laptops, phones) | 10.10.40.1 |
| 50 | GUEST | 10.10.50.0/24 | Guest Wi-Fi, internet-only access, no internal access | 10.10.50.1 |
| 60 | IOT-LAB | 10.10.60.0/24 | IoT devices, lab equipment, isolated sensors | 10.10.60.1 |
| 70 | VOICE | 10.10.70.0/24 | VoIP phones, quality-of-service prioritized | 10.10.70.1 |

Segmentation Is Not Isolation: VLANs segment traffic at Layer 2, but inter-VLAN routing allows controlled communication between VLANs. Access Control Lists (ACLs) on the core switch or firewall determine which VLANs can talk to each other and on which ports. If ACLs are misconfigured, VLANs that should be isolated may have unintended access paths.

Windows Networking Stack: NDIS, Winsock, WFP

The Windows networking stack is a layered architecture that processes network traffic from application requests down to raw packets on the wire:

  • Winsock (Windows Sockets) — The user-mode API that applications use to send and receive network data. When an application calls connect() or send(), it goes through Winsock. This is the Windows implementation of the Berkeley sockets API.
  • AFD (Ancillary Function Driver) — The kernel-mode driver that implements the actual socket operations. It sits between Winsock in user mode and the transport layer (TCP/IP) in kernel mode.
  • TCP/IP Stack (tcpip.sys) — The kernel-mode driver that implements TCP, UDP, IP, ICMP, and other protocols. Handles packet construction, routing decisions, and fragmentation.
  • WFP (Windows Filtering Platform) — A framework built into the TCP/IP stack that provides packet filtering and inspection. Windows Firewall, third-party firewalls, and VPN clients all plug into WFP. It operates at multiple layers, from the application layer down to the network layer.
  • NDIS (Network Driver Interface Specification) — The interface between the protocol stack and the network adapter driver. NDIS allows multiple protocols to share a single network adapter and multiple adapters to serve a single protocol. Miniport drivers (for NICs) register with NDIS.

Understanding this stack helps you diagnose where a network problem occurs. If ping works but a specific application fails, the problem is likely above the TCP/IP layer (Winsock, application config, or WFP filtering). If ping fails, the problem is at the TCP/IP layer or below (routing, NDIS, hardware).

Name Resolution Order & Security Implications

When Windows needs to resolve a hostname, it doesn't just use DNS. It follows a specific name resolution order:

  1. Local Hosts file (C:\Windows\System32\drivers\etc\hosts) — A static text file mapping names to IPs. Checked first.
  2. DNS Cache — Previously resolved names cached in memory. View with ipconfig /displaydns.
  3. DNS Server Query — The configured DNS server (10.10.10.10 at Meridian).
  4. LLMNR (Link-Local Multicast Name Resolution) — If DNS fails, Windows sends an LLMNR query to the local subnet (multicast to 224.0.0.252).
  5. NetBIOS Name Service (NBT-NS) — Legacy broadcast name resolution on UDP port 137.
  6. mDNS (Multicast DNS) — Used on newer systems, multicast to 224.0.0.251.

LLMNR/NBT-NS Poisoning (Responder Attacks): LLMNR and NBT-NS are broadcast/multicast protocols with no authentication. An attacker on the same subnet can respond to these queries pretending to be the requested host. When the victim connects, the attacker captures the user's NTLMv2 hash — which can be cracked offline or relayed. This is one of the most common and effective attacks on Windows networks. Tools like Responder automate this entirely. Best practice: Disable LLMNR and NBT-NS via Group Policy and rely solely on DNS.
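A decoder for the DNS message format, which serves both the DNS section above and this one: LLMNR reuses the DNS header and record layout, so the same code that reads an A answer from MD-DC01 can check the reply to a canary LLMNR query (a name nobody owns; anything that answers it is answering every query, which is how a poisoner on the subnet reveals itself). This is an added example, not code from the chapter; the packets, the canary name and the 10.10.40.250 answer are constructed.

```python
# Added example, not from the chapter: a minimal decoder for the DNS wire format, which
# LLMNR reuses (RFC 4795 keeps the DNS header and record layout). One decoder reads an
# A answer from MD-DC01 and spots a poisoned reply to a canary LLMNR query. All packets
# below are constructed sample bytes, not captures.
import struct

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                        # 2-byte compression pointer
            end = end or off + 2                     # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif ln == 0:
            off += 1
            break
        else:
            labels.append(msg[off + 1:off + 1 + ln].decode("ascii"))
            off += 1 + ln
    return ".".join(labels), (end or off)

def parse_response(msg: bytes) -> dict:
    """Header, question names and A-record answers as (name, ip, ttl)."""
    xid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append(name); off += 4             # skip QTYPE, QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1:                               # A record: 4-byte IPv4
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return {"id": xid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def build_a_response(xid: int, name: str, ip: str, ttl: int) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return struct.pack("!HHHHHH", xid, 0x8000, 1, 1, 0, 0) + qname + struct.pack("!HH", 1, 1) + rr

def llmnr_poison_suspected(canary: str, pkt: bytes) -> bool:
    """Nobody owns the canary name, so any answer for it came from a responder."""
    r = parse_response(pkt)
    return r["is_response"] and any(n.lower() == canary.lower() for n, _, _ in r["answers"])

dns_reply = build_a_response(0x1A2B, "md-fs01.meridian.local", "10.10.10.12", 3600)
llmnr_reply = build_a_response(0x5C3D, "canary-7f3a9", "10.10.40.250", 30)   # constructed
```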

SMB Protocol: File & Print Sharing

SMB (Server Message Block) is the protocol Windows uses for file sharing, printer sharing, and inter-process communication. It operates over TCP port 445.

| Version | Introduced | Key Features | Status |
|---|---|---|---|
| SMBv1 | Windows 2000 | Original protocol, no encryption, many vulnerabilities | Disabled by default (Win 10+) |
| SMBv2 | Windows Vista / 2008 | Reduced chattiness, larger reads/writes, improved performance | Supported |
| SMBv3 | Windows 8 / 2012 | End-to-end encryption (SMB 3.0), signing improvements, multichannel | Recommended (current) |

Why SMBv1 Is Dangerous: SMBv1 has critical vulnerabilities including EternalBlue (MS17-010), the exploit used by WannaCry ransomware in 2017 that infected over 200,000 systems worldwide. EternalBlue allows remote code execution with SYSTEM privileges — an attacker sends a specially crafted packet to TCP 445 and gains complete control of the machine. This is why SMBv1 is disabled by default on modern Windows and should never be re-enabled.

Remote Access: RDP, WinRM, SSH

Windows provides multiple remote access technologies for managing systems without physical access:

| Technology | Port(s) | Protocol | Use Case |
|---|---|---|---|
| RDP | 3389 (TCP/UDP) | Remote Desktop Protocol | Full graphical desktop session. Most common for server/workstation management. Supports NLA (Network Level Authentication). |
| WinRM | 5985 (HTTP) / 5986 (HTTPS) | Windows Remote Management | Command-line remote management. Built on WS-Management. Used by PowerShell Remoting. |
| PS Remoting | 5985 / 5986 | PowerShell over WinRM | Enter-PSSession for interactive shells, Invoke-Command for running scripts on remote machines. |
| SSH | 22 (TCP) | Secure Shell | OpenSSH is now a Windows optional feature (since Win 10 1809). Used for cross-platform remote access. |

Security Note: RDP on port 3389 is one of the most targeted ports on the internet. Brute-force attacks against RDP are extremely common. Best practices: enable NLA (Network Level Authentication), use strong passwords, restrict RDP access via firewall rules, and never expose RDP directly to the internet without a VPN.

Windows Network Diagnostic Tools

These are the essential command-line tools every IT professional needs for diagnosing network problems on Windows:

| Command | Purpose | Common Flags | Example |
|---|---|---|---|
| ipconfig | Display and manage IP configuration | /all (full detail), /release (release DHCP), /renew (renew DHCP), /flushdns (clear DNS cache) | ipconfig /all |
| ping | Test connectivity using ICMP echo | -t (continuous), -n 10 (send 10 packets), -l 1500 (set packet size) | ping 10.10.10.10 |
| tracert | Trace the route packets take to a destination (hop by hop) | -d (no DNS lookup, faster), -h 30 (max hops) | tracert 10.10.10.12 |
| nslookup | Query DNS servers for name resolution | Interactive mode: set type=SRV, set type=MX | nslookup md-fs01.meridian.local |
| netstat | Display active connections, listening ports, routing table | -ano (all connections + PID), -b (show process name), -r (routing table) | netstat -ano \| findstr 445 |
| arp | View/manage the ARP cache (IP-to-MAC mappings) | -a (show all entries), -d (delete entry) | arp -a |
| pathping | Combines tracert + ping: traces the route AND measures packet loss per hop | -n (no DNS), -q 50 (queries per hop) | pathping 10.10.10.12 |
| nbtstat | Display NetBIOS over TCP/IP statistics and name tables | -A <IP> (remote name table), -n (local names), -c (cache) | nbtstat -A 10.10.40.203 |

Meridian Dynamics Network Topology

Interactive network map showing all VLANs, devices, and connections (not reproduced in this text version). Look for the rogue device on CORP-WIFI.

DNS Resolution Sequence

How a DNS query travels from your workstation through the DNS hierarchy to resolve a hostname into an IP address.

Participants: MD-WS-IT04 (10.10.30.104), its local cache, MD-DC01 DNS (10.10.10.10), the root nameserver (.), the .com TLD nameserver, and the authoritative nameserver for example.com.

  1. MD-WS-IT04 → local cache: Query: www.example.com?
  2. Local cache → MD-WS-IT04: Cache MISS
  3. MD-WS-IT04 → MD-DC01: Recursive query
  4. MD-DC01 → root NS: Iterative: www.example.com?
  5. Root NS → MD-DC01: Referral: try the .com TLD
  6. MD-DC01 → TLD NS (.com): Iterative: www.example.com?
  7. TLD NS → MD-DC01: Referral: try ns1.example.com
  8. MD-DC01 → authoritative NS (example.com): Iterative: www.example.com?
  9. Authoritative NS → MD-DC01: Answer: 93.184.216.34 (TTL 3600)
  10. MD-DC01 → MD-WS-IT04: Answer: 93.184.216.34

Result cached locally for future lookups (respects TTL).

DHCP DORA Process

The four-step handshake that automatically assigns an IP address to a new device on the network.

Participants: a new device with no IP yet, and MD-DC01 DHCP (10.10.10.10). The device connects to CORP-WIFI, VLAN 40.

  1. DISCOVER (broadcast) — "I need an IP address!" Src: 0.0.0.0 → Dst: 255.255.255.255 (UDP 68 → 67)
  2. OFFER — "How about 10.10.40.107?" IP: 10.10.40.107 / Mask: 255.255.255.0 / GW: 10.10.40.1 / DNS: 10.10.10.10 / Lease: 8h
  3. REQUEST (broadcast) — "I'll take 10.10.40.107!" Broadcast so other DHCP servers know
  4. ACK — "10.10.40.107 is yours!"

Client configured: IP 10.10.40.107 / Mask 255.255.255.0 / GW 10.10.40.1 / DNS 10.10.10.10

Network Diagnostic X-Ray: Floor 2 Outage

Walk through the step-by-step process of diagnosing a network connectivity issue. The X-Ray mode shows exactly what each command reveals and how to interpret the results.

Diagram (X-Ray path): MD-WS-WIFI07 (10.10.40.107, Floor 2 user, VLAN 40 CORP-WIFI) → core switch, CORP-WIFI gateway 10.10.40.1 → inter-VLAN routing → server gateway 10.10.10.1 → MD-DC01 (10.10.10.10, DNS/DHCP) and MD-FS01 (10.10.10.12, file server).

Investigation Lab: Floor 2 Outage & Unauthorized Device

Scenario: Help desk has received multiple calls from Floor 2 users on the corporate Wi-Fi (CORP-WIFI VLAN). They can't access the file server or any internal resources. You're working from your IT workstation MD-WS-IT04 on the IT-ADMIN VLAN. Diagnose the issue, check connectivity across VLANs, and use network discovery tools to identify everything on the CORP-WIFI subnet. You might find something unexpected.

  1. Run ipconfig /all to check your own network configuration. Confirm your IP, subnet, gateway, and DNS server.
     Hint: You should be on the IT-ADMIN VLAN (10.10.30.0/24)
  2. Run ping 10.10.40.1 to test connectivity to the CORP-WIFI gateway. Can you reach their network from IT-ADMIN?
     Hint: If this fails, inter-VLAN routing between IT and CORP-WIFI is broken
  3. Run ping 10.10.10.12 to test cross-VLAN connectivity to the file server MD-FS01.
  4. Run nslookup md-fs01.meridian.local to verify DNS resolution is working for internal names.
  5. Run tracert 10.10.10.12 to trace the route from your workstation to the file server. Identify each hop.
  6. Run netstat -ano to see your active network connections. Look for established SMB (445) and RDP (3389) sessions.
  7. Run arp -a to view the ARP table. Look for any unknown devices on the CORP-WIFI subnet. Can you spot the unauthorized device at 10.10.40.203?
     Hint: MAC address AA-BB-CC-DD-EE-FF does not match any known Meridian hardware
  8. Run nbtstat -A 10.10.40.203 to query the NetBIOS name of the unknown device. Who does it belong to?
     Hint: The NetBIOS name reveals the computer name — personal devices violate company policy
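The check behind step 7, automated: parse `arp -a` output and compare every dynamic neighbour against an asset inventory, also catching a gateway or reserved IP that suddenly answers from a different MAC. This is an added example, not part of the lab. ARP caches are per-link, so the sample is what a host with an interface on CORP-WIFI (10.10.40.0/24) would see; the output text, the inventory and the pinned list are constructed, and AA-BB-CC-DD-EE-FF is the chapter's rogue MAC.

```python
# Added example, not from the chapter: parse Windows `arp -a` output and flag dynamic
# neighbours whose MAC is not in the asset inventory, the check behind lab step 7.
# ARP caches are per-link, so this is the view from a host on CORP-WIFI; the output
# text and inventory are constructed (AA-BB-CC-DD-EE-FF is the chapter's rogue MAC).
import re

SAMPLE_ARP = """\
Interface: 10.10.40.50 --- 0xc
  Internet Address      Physical Address      Type
  10.10.40.1            00-50-56-aa-01-01     dynamic
  10.10.40.107          3c-52-82-10-20-30     dynamic
  10.10.40.203          aa-bb-cc-dd-ee-ff     dynamic
  10.10.40.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

# Asset inventory: MAC -> device (constructed)
INVENTORY = {"00-50-56-aa-01-01": "core switch, VLAN 40 gateway",
             "3c-52-82-10-20-30": "MD-WS-WIFI07"}
# IPs that must always map to one MAC (gateways, DHCP reservations)
PINNED = {"10.10.40.1": "00-50-56-aa-01-01"}

ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)", re.I)

def parse_arp(text: str) -> list:
    """Return (interface_ip, ip, mac, type) for every cache entry, MACs lower-cased."""
    iface, rows = None, []
    for line in text.splitlines():
        m = re.match(r"Interface:\s+(\S+)", line)
        if m:
            iface = m.group(1)
            continue
        m = ENTRY.match(line)
        if m:
            rows.append((iface, m.group(1), m.group(2).lower(), m.group(3).lower()))
    return rows

def audit(text: str, inventory=INVENTORY, pinned=PINNED) -> list:
    """Findings as (ip, mac, reason): unknown hosts, and pinned IPs seen with a different MAC."""
    findings = []
    for _, ip, mac, kind in parse_arp(text):
        if kind != "dynamic":                 # static broadcast/multicast rows are not hosts
            continue
        if ip in pinned and pinned[ip] != mac:
            findings.append((ip, mac, "pinned IP answered from an unexpected MAC (possible spoofing)"))
        elif mac not in inventory:
            findings.append((ip, mac, "MAC not in asset inventory"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_ARP):
        print(finding)
```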
