Penetration Testing mailing list archives

Re: Discovering hosts behind NAT


From: Wolfgang Zenker <wolfgang () jpaves de>
Date: Fri, 25 May 2001 14:27:12 +0200 (CEST)

Franklin DeMatto wrote:
How can hosts which are using RFC 1918 non-routed IPs be discovered and contacted?

Scenario:

A DNS zone transfer, as well as Usenet searches, indicate usage of RFC 1918 addresses for a certain domain name
(let's call it internal.company.com).
[..]
There are two known network devices: a Cisco, which seems totally silent, and a Wellfleet router.

You could try to use "IP Source Routing" to contact internal hosts on the
destination network. Some versions of ping allow you to set the source route
option in your packets using the "-g" option. You would use the outside
router of the destination network as gateway and, if that does not work, try
to add a DMZ host as second gateway.

Wolfgang

-- 
Wolfgang Zenker                                  Mail: W.Zenker () jpaves de
JPAVES Unix Online GmbH                          Fon:  (+49) 721 / 955 40 60
Kaiserallee 87                                   Fax:  (+49) 721 / 955 40 62
D-76185 Karlsruhe                                Web:  www.jpaves.de

