RE: internal IP address revealed by e-mail

["Yonatan Bokovza" <Yonatan () xpert com>]

> -----Original Message-----
> From: Vel [mailto:vel () sympatico ca]
> Sent: Monday, April 28, 2003 18:07
> To: pen-test () securityfocus com
> Subject: internal IP address revealed by e-mail
>
>
>
> HI all,
>
> question I have is:
>
> If e-mail header reveals the internal IP address of the 
> sender (10.x.x.x),
> then how can this info be used for mapping the internal network.

You can't use the 10/8 IP address to attack your target directly,
because it's not routable, as you've noticed.
You will be able to use it if (when?) you'd compromise a target
that has both real IP address and 10/8 IP address.
The 10/8 IP address can be used to get a clearer map of the
internal network (segmentation and duplication issues).
There are blind attacks that might be relevant. They are "blind"
in the sense that you [ change the packet source to the 10/8
IP address and your IP ] will not get the response.
( Think about an attack where you send ICMP ECHO_REQUEST
to the 10/8 IP address, with a spoofed source of the 10/8
network broadcast address. If no filtering equipment drops
this obviously spoofed packet, it might cause your target to send
a broadcast ECHO_REPLY. You can used ip_id matching
trickeries to see if it succeeded. )

Best Regards, 

Yonatan Bokovza
IT Security Consultant
Xpert Systems

---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------