Penetration Testing mailing list archives

[PEN-TEST] Network Mapping


From: "Curphey, Mark (ISS Atlanta)" <MCurphey () ISS NET>
Date: Wed, 13 Sep 2000 10:51:35 -0400

Mr Batz sir, hope you're well?

Agreed totally. I guess the question is what sort of map are you trying to
accomplish. There are physical maps and logical maps.

With NT Hosts for instance you may want to map all the hosts that have
accounts in a particular domain (I wrote a Perl script to do this). You may
additionally want to map the same hosts based on IP address. You may want to
work out backbones and map those to geographical location.

I think Batz's point of a multi-layered approach is spot on. We recently did
some work using an ODBC and importing data from multiple tools into it. In the
old days I was an AutoCAD fanatic so was interested to note the last post on
AutoDesk. Assuming the tool is part of AutoCAD you should be able to assign
layers that can relate directly to a TCP/IP stack and filter layers
accordingly. Imagine being able to shut off the trees and see the wood.
Imagine being able to see where databases are physically located, logically
located. Imagine shutting off layers to just show where web servers are,
where routers sit, where .......

Has anyone gotten really creative and modelled ACLs on network devices?
Imagine a graphical path analysis?

Anyone want to start a project ?
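The kind of ACL modelling and path analysis Mark asks about, as an added
example (this is not code from the list post or from any tool named in the
thread). It models a small network as a graph of devices, attaches a
first-match, implicit-deny ACL to the inbound side of chosen interfaces, and
searches for every simple path along which a given flow is permitted end to
end, recording the hop at which an ACL drops it. Device names, addresses and
ACL entries are constructed for illustration; the IOS-style "inbound
access-group, first match wins" semantics are an assumption of the model, not
a property of any particular device.

```python
"""ACL-aware path analysis over a small network graph.

Added example, not code from the mailing-list post. Device names, addresses
and ACL entries below are constructed for illustration. Each directed hop
A->B is screened by the ACL applied inbound on B's interface facing A
(first match wins, implicit deny), the way an IOS-style access-group behaves.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port, 0 for icmp


@dataclass(frozen=True)
class Rule:
    action: str                               # "permit" or "deny"
    proto: str                                # "tcp", "udp", "icmp" or "ip" (any)
    src: str                                  # source CIDR
    dst: str                                  # destination CIDR
    dport: Optional[Tuple[int, int]] = None   # inclusive port range, None = any

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ip_address(f.src) not in ip_network(self.src):
            return False
        if ip_address(f.dst) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport[0] <= f.dport <= self.dport[1]


def acl_permits(acl: List[Rule], f: Flow) -> bool:
    """First matching rule decides; no match means the implicit deny applies."""
    for rule in acl:
        if rule.matches(f):
            return rule.action == "permit"
    return False


@dataclass
class Network:
    links: Dict[str, List[str]] = field(default_factory=dict)
    # key (device, neighbour): ACL applied inbound on device's interface towards neighbour
    acls: Dict[Tuple[str, str], List[Rule]] = field(default_factory=dict)

    def add_link(self, a: str, b: str) -> None:
        self.links.setdefault(a, []).append(b)
        self.links.setdefault(b, []).append(a)

    def find_paths(self, start: str, end: str, f: Flow):
        """DFS over simple paths. Returns (paths the flow can take, hops where an ACL drops it)."""
        permitted: List[List[str]] = []
        blocked: List[Tuple[str, str]] = []

        def walk(node: str, path: List[str]) -> None:
            if node == end:
                permitted.append(list(path))
                return
            for nxt in self.links.get(node, []):
                if nxt in path:          # no loops
                    continue
                acl = self.acls.get((nxt, node))
                if acl is not None and not acl_permits(acl, f):
                    blocked.append((node, nxt))
                    continue
                path.append(nxt)
                walk(nxt, path)
                path.pop()

        walk(start, [start])
        return permitted, blocked


def to_dot(paths, blocked) -> str:
    """Graphviz DOT for the 'graphical path analysis': permitted hops green, dropped hops red."""
    lines = ["digraph acl_paths {"]
    for p in paths:
        for a, b in zip(p, p[1:]):
            lines.append(f'  "{a}" -> "{b}" [color=green, penwidth=2];')
    for a, b in blocked:
        lines.append(f'  "{a}" -> "{b}" [color=red, style=dashed];')
    lines.append("}")
    return "\n".join(lines)


def build_example_network() -> Network:
    """Constructed topology: internet -> edge router -> firewall -> DMZ switch / core switch."""
    net = Network()
    for a, b in [("internet", "edge-rtr"), ("edge-rtr", "fw"), ("fw", "dmz-sw"),
                 ("dmz-sw", "web01"), ("fw", "core-sw"), ("core-sw", "db01")]:
        net.add_link(a, b)
    # Firewall, interface facing the edge router: only web traffic into the DMZ (10.1.1.0/24).
    net.acls[("fw", "edge-rtr")] = [
        Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.0/24", (80, 80)),
        Rule("permit", "tcp", "0.0.0.0/0", "10.1.1.0/24", (443, 443)),
        Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
    ]
    # Firewall, interface facing the DMZ, and core switch facing the firewall:
    # the web tier may reach the DB tier (10.2.0.0/24) on MSSQL only; everything else hits the implicit deny.
    db_only = [Rule("permit", "tcp", "10.1.1.0/24", "10.2.0.0/24", (1433, 1433))]
    net.acls[("fw", "dmz-sw")] = list(db_only)
    net.acls[("core-sw", "fw")] = list(db_only)
    return net


if __name__ == "__main__":
    net = build_example_network()
    for start, end, flow in [("internet", "web01", Flow("203.0.113.5", "10.1.1.10", "tcp", 443)),
                             ("internet", "db01", Flow("203.0.113.5", "10.2.0.20", "tcp", 1433)),
                             ("web01", "db01", Flow("10.1.1.10", "10.2.0.20", "tcp", 22))]:
        paths, blocked = net.find_paths(start, end, flow)
        print(f"{start} -> {end} {flow.proto}/{flow.dport}: paths={paths} blocked_at={blocked}")
        print(to_dot(paths, blocked))
```

Feeding the DOT text to Graphviz gives the layered picture: green edges are the
routes the flow can actually take, red dashed edges are the interfaces whose
ACL drops it. A real deployment would populate `Network.links` and
`Network.acls` from traceroute output and parsed device configs rather than a
hand-built table, and would add NAT and routing-table lookups, neither of
which this toy models.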

-----Original Message-----
From: batz [mailto:batsy () VAPOUR NET]
Sent: Tuesday, September 12, 2000 9:11 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Network Mapping (was Re: [PEN-TEST] How to "break into" the
Pen-Testing field)


On Mon, 11 Sep 2000, Carric Dooley wrote:

:- I think the best tools for network mapping may be the free stuff (used
:Visio 2K Enterprise... extremely painful.  The SolarWinds stuff is nice
:though.  That with nmap, nlog can go a long way.  SolarWinds or SuperScanner
:are extremely fast and can give you a host list to work with.  I would maybe
:go back with those host lists and feed them to ISS Scanner, and nmap.  Maybe
:cybercop or nessus too.  Depends on what you are trying to accomplish.


Mapping the network, and making a network map, require separate tools.

Mapping is best done with nessus, firewalk, ping, traceroute, and
the route servers for network and transport layer.  tcpdump, arp and
anti-sniff for ethernet/link layer. Nmap is fine for session. Application,
well, that's brute forcers, skriptz, whisker, and good old fashioned
kung-f00 with some genuine clue thrown in for good measure.

Some of the commercial tools do mapping AFAIK, and are useful for comparing
your results to, but pointing tkined, visio 2k, or cheops at a network
probably won't give you a thorough picture. If you wouldn't bill your
clients for cookie cutter cybercop/iss/retina/nmap/nessus reports, why
would you bill them for the same from a network mapping package?

Making a network map; White board, and visio has cute widgets.

Each layer of the protocol stack is a map unto itself. Tool based
methodologies have the inherent problem of a top down approach.
They enumerate services and their associated vulnerabilities and
then induce that by there being a service and vuln, there must be a
host, which implies a network, and vaguely suggests an underlying
architecture.

Seems logical, right? It is, but it's still wrong. It's consistent
with an inductive method, it's true within the scope of what is required
for a network to exist, but it's totally incomplete.

