Penetration Testing mailing list archives
RE: network informations brought by cdp
From: "Josh Perrymon" <perrymonj () networkarmor com>
Date: Thu, 10 Nov 2005 07:47:17 -0600
Why don't you just flood the ARP table and turn it into a hub? Then you can sniff all you want? Or MITM attack on the gateway.

What about SNMP? I'm sure it is not turned off on the inside---- You'll Own them,

JP

-----Original Message-----
From: hannibal blog [mailto:hannibalsec () gmail com]
Sent: Wed 11/9/2005 10:05 AM
To: pen-test () securityfocus com
Cc:
Subject: Fwd: network informations brought by cdp

---------- Forwarded message ----------
From: hannibal blog <hannibalsec () gmail com>
Date: 9 nov. 2005 11:04
Subject: Re: network informations brought by cdp
To: Jason Mayer <slamboy () gmail com>

Here is the full "case study". I'm actually doing a blackbox pentest, so I don't have access to routers' config files to check if my suppositions are right.

my ip 192.168.0.193
my gateway 192.168.0.1

Trying to discover network architecture from the LAN. Using ethereal to capture traffic on a switched network, probably vlaned. Captured several cdp packets.

AFAIK, the "addresses/ip address" field contains the address of the interface which the cdp packet was sent through. You can map it to a port thanks to the "Port ID" field.

Thus, for the first packet, with addresses/ip address = 192.168.0.1 and "Port ID" = FastEthernet0/1, I concluded that the router has a FastEthernet interface whose ip address is 192.168.0.1 and mac address is the one in the ethernet source address field. In this packet, IP prefixes = 26; according to cisco's doc, "each IP prefix represents one of the directly connected IP network segments of the local router".

In the second packet, which came from the same router (device ID field is the same), but through a different interface, FastEthernet1/1 (ip address field = X.Y.0.1 and different mac address), IP prefixes = 25 = 26 - 1. Where is the 26th segment? I think the two interfaces belong to the same vlan.

doc link: http://www.cisco.com/univercd/cc/td/doc/product/lan/trsrb/frames.htm#xtocid12

2005/11/9, Jason Mayer <slamboy () gmail com>:
> CDP packets are what cisco (and others maybe?) routers send out on timed
> intervals. Say I have a router connected to 2 other routers via serial and
> also connected to a switch through ethernet. The CDP packets should only
> show the devices directly connected to the router in question. The Address
> field only puts out the IP of the devices connected to the router. Feel
> free to correct me if I'm wrong, I was just playing with a Cisco 2500 series
> router in a lab last night and this is only what we determined... it's not
> documentation of any sort.
>
> Also, I forgot the address to send to the security focus list, so I'm just
> going to send this directly to you :)
>
> On 11/8/05, hannibal blog <hannibalsec () gmail com> wrote:
> >
> > hello guys
> >
> > I have captured several CDP packets on my network, and I'm looking for
> > help to fully understand and analyse their content.
> > Is there any good article on the web that explains cdp fields and behavior?
> >
> > Example of questions I'm wondering: for the "addresses" field, does it
> > only put the ip address of the interface sending the packet, or the ip
> > of a predefined interface?
> >
> > thx