RE: Multiple IP on the same server howo to idenfity

["Yonatan Bokovza" <Yonatan () xpert com>]

> -----Original Message-----
> From: NetExpress [mailto:NetExpress () infogroup it]
> Sent: Thursday, June 10, 2004 13:13 
> To: pen-test () securityfocus org
> Subject: Multiple IP on the same server howo to idenfity
>
>
> Hi, the problem is, if I am doing a penetration test from internte to 
> many servers, probably there should be some IP ont the same server o 
> network adapter like load balancer.
> In a report, and to avoid false positive, should be usefull 
> to identify 
> which IPs are on the same server, but how?
> If I should be in the internal network I am testing I'll use 
> arp to find 
> the MAC address of each IP and I should have solved, but from 
> Internet I 
> cannot use arp.
>
>  From Internet I could use the banner, but this is not sure, I could 
> have more then one application server on the same server with n-IP on 
> application server A and m-IP on the application server B getting the 
> banner should not be the right choise especialy with proxy.
>
> Any idea?

You could use the TCP Timestamp option to see the uptime of both
servers. If it is similar enough, there is a good chance it is the same
server. (unless the loadbalancer changes the Timestamp...)
See section 3.2 here:
http://www.faqs.org/rfcs/rfc1323.html

Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems