Penetration Testing mailing list archives

Re: Identifying Machines


From: Jose Nazario <jose () biocserver BIOC cwru edu>
Date: Tue, 19 Jun 2001 17:38:25 -0400 (EDT)

On Tue, 19 Jun 2001, Rick Who Else? wrote:

> Let me clarify somewhat. Let's imagine a scenario of being on a
> separate network from your target network. So sniffing traffic and MAC
> addresses don't apply. And you wish to see how many machines are on a
> certain subnet. So you wish to scan the entire range of a class C,
> let's say. ICMP is filtered out. And some of the machines may have no
> ports open. What I mean by that, as someone asked, would be no
> services running on any port. Therefore there are no banners.

[active measures]

outbound ICMP is closed? that means no 'ICMP_PORT_UNREACHABLE' messages,
and also no host unreachable messages either via ICMP.

that's not a problem, for detection or identification.

you will still have access to TCP bidirectional traffic, which is what you
can use. provided the firewall ISN'T pretending to be the target traffic,
TCP RSTs (in response to SYNs sent to closed ports on living machines)
will let you know who is there. no response means no host (if the router
isn't letting you know the host doesn't exist).

if broadcasts are not filtered, you can glean subnet masks and layouts via
walking up the CIDR blocks, ie TCP packets to various broadcasts for
networks like /27, /26 etc ...

based on TTL and option rewrite/respect behavior, you may be able to get a
sense of the OSs.

[passive measures]

as long as traffic comes through your network it's fair game. you can
passively fingerprint a machine several networks away, that's not a
problem. between some routing (or switching) games you can redirect
traffic your way. you can get slashdotted, ie forge an email that will
entice a LOT of people to visit your site (ie 'the boss naked and bound at
this URL!') and analyze the resulting traffic (and application behavior).

the closer you can get to their network, obviously (ie right outside their
gateway(s)), the more traffic you can observe and the more hosts you can
identify passively.

hope this helps.

____________________________
jose nazario                                                 jose () cwru edu
                     PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                       PGP key ID 0xFD37F4E5 (pgp.mit.edu)
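The TCP-RST host sweep and TTL-based OS guess described above, viewed from the monitored network's side, as an added example that is not part of the original message. It runs over constructed packet records (documentation-range addresses) and assumes only (src, dst, port, TCP flags, TTL) tuples are available, e.g. from a sensor outside the gateway.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample packet records, not real traffic:
# (src, dst, dst_port, tcp_flags, ttl). "S" = SYN, "RA" = RST/ACK, "SA" = SYN/ACK.
SAMPLE = [
    ("203.0.113.7", "192.0.2.1", 80, "S", 54),
    ("192.0.2.1", "203.0.113.7", 80, "RA", 118),  # closed port answers RST: host is alive
    ("203.0.113.7", "192.0.2.2", 80, "S", 54),    # no reply: nothing there (or dropped)
    ("203.0.113.7", "192.0.2.3", 80, "S", 54),
    ("192.0.2.3", "203.0.113.7", 80, "RA", 245),
    ("203.0.113.7", "192.0.2.4", 80, "S", 54),
    ("203.0.113.7", "192.0.2.5", 80, "S", 54),
    ("198.51.100.9", "192.0.2.1", 443, "S", 50),  # ordinary client touching one host
    ("192.0.2.1", "198.51.100.9", 443, "SA", 118),
]

# Default initial TTLs used by common IP stacks; the observed TTL is rounded
# up to the nearest one, and the difference is the hop count to that host.
COMMON_INITIAL_TTLS = (64, 128, 255)

def initial_ttl(observed):
    """Return (probable initial TTL, hops travelled) for an observed TTL."""
    for start in COMMON_INITIAL_TTLS:
        if observed <= start:
            return start, start - observed
    raise ValueError("TTL out of range")

def find_sweeps(records, subnet, min_hosts=3):
    """Find outside sources that SYN-probe at least min_hosts distinct hosts in subnet.
    Returns {src: {"probed": n, "answered": m}}, where m counts hosts that replied RST,
    i.e. the 'no ICMP, but RST tells you who is there' pattern from the post."""
    net = ip_network(subnet)
    probed = defaultdict(set)    # probing src -> inside hosts it sent SYNs to
    answered = defaultdict(set)  # probing src -> inside hosts that answered with RST
    for src, dst, _port, flags, _ttl in records:
        s, d = ip_address(src), ip_address(dst)
        if flags == "S" and d in net and s not in net:
            probed[src].add(dst)
        elif flags == "RA" and s in net and d not in net:
            answered[dst].add(src)
    return {src: {"probed": len(hosts), "answered": len(answered[src] & hosts)}
            for src, hosts in probed.items() if len(hosts) >= min_hosts}

if __name__ == "__main__":
    print(find_sweeps(SAMPLE, "192.0.2.0/24"))  # {'203.0.113.7': {'probed': 5, 'answered': 2}}
    print(initial_ttl(118))                     # (128, 10)
```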

