Penetration Testing mailing list archives
RE: internal IP address revealed by e-mail
From: "Yonatan Bokovza" <Yonatan () xpert com>
Date: Wed, 30 Apr 2003 11:46:37 +0300
-----Original Message-----
From: Vel [mailto:vel () sympatico ca]
Sent: Monday, April 28, 2003 18:07
To: pen-test () securityfocus com
Subject: internal IP address revealed by e-mail

Hi all, question I have is: If e-mail header reveals the internal IP address of the sender (10.x.x.x), then how can this info be used for mapping the internal network?
You can't use the 10/8 IP address to attack your target directly, because it's not routable, as you've noticed. You will be able to use it if (when?) you compromise a target that has both a real IP address and a 10/8 IP address.

The 10/8 IP address can be used to get a clearer map of the internal network (segmentation and duplication issues).

There are blind attacks that might be relevant. They are "blind" in the sense that you [ change the packet source to the 10/8 IP address and your IP ] will not get the response. ( Think about an attack where you send ICMP ECHO_REQUEST to the 10/8 IP address, with a spoofed source of the 10/8 network broadcast address. If no filtering equipment drops this obviously spoofed packet, it might cause your target to send a broadcast ECHO_REPLY. You can use ip_id matching trickery to see if it succeeded. )

Best Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems
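Seen from the sending organisation's side, the header leak discussed in this thread can be audited before mail leaves the gateway. The following is an added example, not part of the original post: a Python check that reports RFC 1918 addresses found in `Received` and `X-Originating-IP` headers. The sample message, host names and addresses are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not from the thread); hosts and addresses are made up.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [192.0.2.25])
\tby mx.example.net with ESMTP; Mon, 28 Apr 2003 18:07:10 -0400
Received: from desktop42 (desktop42.corp.example.com [10.20.30.42])
\tby mail.example.com with SMTP; Mon, 28 Apr 2003 18:07:05 -0400
X-Originating-IP: [10.20.30.42]
From: user@example.com
To: list@example.org
Subject: test

body
"""

# Headers that commonly carry client or relay addresses.
HEADERS = ("Received", "X-Originating-IP")
# Dotted quads that are not part of a longer run of digits and dots.
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# RFC 1918 private ranges.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def internal_ips(raw_message):
    """Return sorted (header, address) pairs where an RFC 1918 address appears."""
    msg = message_from_string(raw_message)
    found = set()
    for name in HEADERS:
        for value in msg.get_all(name, []):
            for text in IPV4.findall(value):
                try:
                    addr = ipaddress.ip_address(text)
                except ValueError:  # not a valid address, e.g. 999.1.1.1
                    continue
                if any(addr in net for net in PRIVATE):
                    found.add((name, str(addr)))
    return sorted(found)


if __name__ == "__main__":
    for header, addr in internal_ips(SAMPLE):
        print(f"{header}: leaks internal address {addr}")
```

Run against outbound mail samples, a non-empty result marks the headers a gateway would need to rewrite or strip before delivery.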