Firewall Wizards mailing list archives

Re: Ideas on identifying gateways


From: lists () notatla demon co uk
Date: Fri, 15 Mar 2002 01:18:27 +0000 (GMT)

From: Jeff Boles <bolesjb () yahoo com>

> Currently struggling with needing to go into an
> environment completely blind except for IP space and
> physical access, and identifying/auditing potential
> gateways / circuits to other networks.  ...
>
> Although I'm just getting started really thinking
> about this, my current approach will consist mostly of
> sniffing traffic for oddities and router behavior,

One crude measure you could take would be to run netstat or ifconfig
or something that shows how many packets have traversed an interface
since it was brought up.  Running this again at a later time gets you
new results and subtraction shows the amount of traffic in that interval.
Then you can look for statistical correlations between different interfaces;
possibly chaining them together into candidate routes.

Nearly 2 years ago I read a paper on "stepping stones", I think by
Vern Paxson, and that tool performed traffic analysis that enabled him (among
other things) to give tickets for "useless use of ssh" to people who reach
their ssh client with a telnet session.

Getting as many as possible of the routers to keep logs would help - not
every packet but something representative.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
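
The counter-subtraction idea from the reply above, as an added example that is not part of the original post: it turns cumulative per-interface packet counters into per-interval deltas and reports interface pairs whose received and sent counts move together. The interface names, the 32-bit counter wrap, the 0.9 threshold and the sample readings are all assumptions constructed for illustration.

```python
import math
from itertools import permutations

WRAP = 2 ** 32  # assumption: counters are 32-bit and wrap at most once per interval

def deltas(counts):
    """Packets per interval from cumulative counter samples, tolerating a wrap."""
    return [(b - a) % WRAP for a, b in zip(counts, counts[1:])]

def pearson(x, y):
    """Pearson correlation; 0.0 when either series is flat (no signal)."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def candidate_hops(samples, threshold=0.9):
    """(in_if, out_if, r) where packets received on in_if track packets sent on out_if."""
    rx = {k: deltas(v["rx"]) for k, v in samples.items()}
    tx = {k: deltas(v["tx"]) for k, v in samples.items()}
    hops = [(a, b, round(pearson(rx[a], tx[b]), 3))
            for a, b in permutations(samples, 2)]
    return sorted((h for h in hops if h[2] >= threshold), key=lambda h: -h[2])

# Constructed samples: cumulative rx/tx packet counters read at six fixed
# intervals (e.g. from netstat -i). Interface names are hypothetical.
SAMPLES = {
    "r1:eth0": {"rx": [4294967000, 4294967100, 204, 354, 1254, 1554],  # wraps
                "tx": [0, 79, 377, 496, 1191, 1439]},
    "r1:ser0": {"rx": [0, 80, 380, 500, 1200, 1450],
                "tx": [5000, 5098, 5493, 5642, 6532, 6829]},
    "r1:eth1": {"rx": [0, 500, 520, 1000, 1030, 1540],   # unrelated bursts
                "tx": [0, 10, 20, 30, 40, 50]},          # flat keepalives
}

if __name__ == "__main__":
    for in_if, out_if, r in candidate_hops(SAMPLES):
        print(f"{in_if} -> {out_if}  r={r}")
```

A high r only marks a pair worth inspecting; five intervals is far too few for a real audit, and unrelated interfaces that share a daily load pattern will also correlate.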

