Re: Multiple IP on the same server howo to idenfity

["Andrew A. Vladimirov" <mlists () arhont com>]

Yonatan Bokovza wrote:
> > -----Original Message-----
> > From: NetExpress [mailto:NetExpress () infogroup it]
> > Sent: Thursday, June 10, 2004 13:13 
> > To: pen-test () securityfocus org
> > Subject: Multiple IP on the same server howo to idenfity
> >
> >
> > Hi, the problem is, if I am doing a penetration test from internte to 
> > many servers, probably there should be some IP ont the same server o 
> > network adapter like load balancer.
> > In a report, and to avoid false positive, should be usefull 
> > to identify 
> > which IPs are on the same server, but how?
> > If I should be in the internal network I am testing I'll use 
> > arp to find 
> > the MAC address of each IP and I should have solved, but from 
> > Internet I 
> > cannot use arp.
> >
> > From Internet I could use the banner, but this is not sure, I could 
> > have more then one application server on the same server with n-IP on 
> > application server A and m-IP on the application server B getting the 
> > banner should not be the right choise especialy with proxy.
> >
> > Any idea?
>
>
> You could use the TCP Timestamp option to see the uptime of both
> servers. If it is similar enough, there is a good chance it is the same
> server. (unless the loadbalancer changes the Timestamp...)
> See section 3.2 here:
> http://www.faqs.org/rfcs/rfc1323.html
>
> Regards,
> Yonatan Bokovza
> IT Security Consultant
> Xpert Systems

Yep, TCP timestamps, TCP sequence numbers and IP ID's. Plus, of course, 
OS fingerprinting and banner grabbing. ISNprober, hping2, nmap and both 
xprobes will do the job.

Cheers,
Andrew