Penetration Testing mailing list archives
Re: internal IP address revealed by e-mail
From: "Chris McNab" <chris.mcnab () trustmatta com>
Date: Tue, 29 Apr 2003 20:00:00 +0100
Hey,

There aren't any situations I can think of where you can run firewalk against non-routable private addresses from the Internet. Your best bets at network level are the following:

1) Abuse stateful inspection problems (see Lopatic, Song & McDonald's Blackhat 2000 presentation about this):
   - using malformed FTP PORT or PASV commands against accessible FTP servers to punch holes through the firewall to other addresses and hosts
   - using FWZ encapsulation against older Checkpoint devices

2) Use malformed IP source routing options in your packets to try and route packets to internal addresses, although this requires some investigation & testing. A good tool is Todd MacDermid's lsrscan (www.synacklabs.net).

Standard application level stuff includes exploiting a known vulnerability to gain internal network access. There are many different ways to do this, depending on which vulnerable services or applications you find; my favorites are:
   - FTP PORT bouncing
   - finger redirection & bouncing

If the addresses are private, it's always going to be a pain talking to them across the Internet, even more so if firewalls and proxies are in place.

I'm putting together a lengthy paper about these kinds of advanced techniques, and will let the list know in due course.

Regards,
Chris

Chris McNab
Technical Director
Matta Security Limited
18 Noel Street
London W1F 8GN
Tel: 0870 077 1100
Mob: 0788 626 0878

This e-mail was sent from Matta Security Limited. The information contained in this message is confidential, may be privileged, and is intended for the addressee(s) only. If you have received this message in error please notify the originator immediately. The unauthorised use, disclosure, copying or alteration of this message is strictly forbidden. Matta Security Limited does not warrant that any attachments are free from viruses or other defects. Matta Security Limited will not be liable for direct, special, indirect or consequential damages arising from alteration of the contents of this message by a third party or as a result of any virus being passed on.
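The FTP PORT bounce that Chris mentions works only when the FTP server (or a firewall's FTP inspection module) accepts a PORT command whose data-connection target is a host other than the client that issued it. The standard mitigation is the check below: parse the RFC 959 PORT argument, reject anything malformed, and refuse a data connection to any address that differs from the control-connection peer or to a privileged port. This is an added example written for this archive page, not code from the original message or from any of the tools it names; the sample commands and the 203.0.113.0/24 peer address are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2" (six decimal octets).
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Parse a PORT command into (IPv4Address, port), or None if malformed."""
    match = PORT_RE.match(line.strip())
    if match is None:
        return None
    fields = [int(x) for x in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None  # octet out of range, e.g. "300,0,0,1,..."
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    port = fields[4] * 256 + fields[5]
    return ip, port


def check_port_command(line, control_peer_ip):
    """Decide whether a server should honour a PORT command.

    control_peer_ip is the source address of the FTP control connection.
    Returns (accept, reason).  A bounce attempt is a PORT whose target is
    not the client itself; the check refuses those as well as privileged
    target ports, which is the mitigation most FTP daemons apply today.
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return False, "malformed PORT command"
    target_ip, target_port = parsed
    if target_ip != ipaddress.IPv4Address(control_peer_ip):
        return False, "data-connection target differs from control peer"
    if target_port < 1024:
        return False, "target port is privileged"
    return True, "ok"


# Constructed sample control-channel lines, as a server might log them
# (peer address, command).  203.0.113.10 is a documentation-range address.
SAMPLE_SESSION = [
    ("203.0.113.10", "PORT 203,0,113,10,4,1"),    # client's own address: fine
    ("203.0.113.10", "PORT 10,0,0,5,0,25"),       # bounce toward an internal host
    ("203.0.113.10", "PORT 203,0,113,10,0,80"),   # own address, but privileged port
    ("203.0.113.10", "PORT 300,0,0,1,4,1"),       # octet out of range
    ("203.0.113.10", "PORT 203,0,113,10,4"),      # too few fields
]


def audit_session(session=SAMPLE_SESSION):
    """Run the check over a list of (peer, command) and return the verdicts."""
    return [check_port_command(cmd, peer) for peer, cmd in session]


if __name__ == "__main__":
    for (peer, cmd), (accepted, reason) in zip(SAMPLE_SESSION, audit_session()):
        print(f"{peer:<14} {cmd:<26} {'ACCEPT' if accepted else 'REJECT':<7} {reason}")
```

The same verdict logic applies at a stateful firewall that opens pinholes for FTP: the inspection module should open the data pinhole only toward the control-connection peer, never toward whatever address the PORT argument names.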