Penetration Testing mailing list archives
Re: Find out the subnetting of a company
From: Miles Stevenson <miles () mstevenson org>
Date: Mon, 19 Jul 2004 14:24:18 -0400
Usually, the best way to map out how a chunk of address space has been subnetted is by finding out which addresses are used for broadcasting. This is a trivial task for a tool like nmap, which will notify you when it has stumbled upon a broadcast address. Once you have found a broadcast address, you know that you have the "top end" of a subnet. From there it's a simple matter of finding the bottom end.

There are multiple ways to go about this. One good way is to assume that the first address on the subnet will be used for that network's router, which is a very common way of doing things. You can try tracerouting to 2 addresses beyond your broadcast address, and then see which hops are identified as routers. Keep in mind that you may or may not be allowed to use traceroute depending on any network filtering going on, and you may not hit a router as the first IP of a subnet (although that would be very rare).

A more reliable method of finding the "bottom end" of the subnet is to continue scanning downward through the address space until you find another broadcast address. By finding out where the previous network ends, you now know where the next network begins (the next address would be the network address).

Just don't forget about all the modern and tricky things you can do with software like honeyd and vmware. What you happen to map out on paper may not be actual physical devices at all, but rather one large machine running a complex internal vmware or honeyd setup. These are rare cases, but they do happen.

Hope that helps.

On Thursday 15 July 2004 04:17 am, il.prof () virgilio it wrote:
> During an internal black-box penetration test, from a subnet of a company (with or without DHCP), how do you find out the structure of the other subnets of the network? In particular, how do you determine/discover the subnetting of the IP space of a company?
>
> An example:
> - IP network of the company XYZ: 10.0.0.0/8 (I use a private class to avoid the use of a real address space)
> - I'm in the subnet 10.0.0.0/24
>
> How do you find out the structure of other subnets that are part of the network 10.0.0.0/8?
>
> Il Prof.
--
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
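The arithmetic behind the reply above (the previous network's broadcast plus one is the next network address, the next broadcast is its top end) is easy to get wrong by hand, so here is an added example, not from the original thread, that turns a list of broadcast addresses into CIDR blocks and flags ranges that cannot be a single aligned block, which usually means a boundary was missed. The broadcast addresses in the sample are constructed, not taken from any real scan.

```python
import ipaddress
from typing import List, Optional, Tuple


def _block(lo: int, hi: int) -> Optional[ipaddress.IPv4Network]:
    """CIDR block running from address lo to address hi (both as ints).

    A legal block must be a power of two in size and aligned to its own
    size; anything else cannot be one subnet, so None is returned.
    """
    size = hi - lo + 1
    if size <= 0 or size & (size - 1) or lo % size:
        return None
    return ipaddress.IPv4Network((lo, 33 - size.bit_length()))


def subnet_between(prev_broadcast: str, broadcast: str) -> Optional[str]:
    """Subnet that begins right after prev_broadcast and ends at broadcast."""
    lo = int(ipaddress.IPv4Address(prev_broadcast)) + 1   # network address
    hi = int(ipaddress.IPv4Address(broadcast))            # broadcast address
    net = _block(lo, hi)
    return str(net) if net else None


def map_subnets(space: str, broadcasts: List[str]) -> List[Tuple[str, Optional[str]]]:
    """Walk the broadcast addresses found inside `space` in ascending order
    and derive each subnet. None marks a range that is not one aligned
    block: either a broadcast address was missed or the layout is unusual.
    """
    base = ipaddress.IPv4Network(space)
    prev = int(base.network_address) - 1     # "broadcast" just below the space
    result = []
    for b in sorted(ipaddress.IPv4Address(x) for x in broadcasts):
        net = _block(prev + 1, int(b))
        result.append((str(b), str(net) if net else None))
        prev = int(b)
    return result


if __name__ == "__main__":
    # Constructed sample: broadcasts a scan of 10.0.0.0/8 might have reported.
    # 10.0.2.255 sits between 10.0.0.255 and 10.0.5.255 only if 10.0.1.255 and
    # 10.0.3.255 were missed, so those two entries come back as None.
    found = ["10.0.0.255", "10.0.2.255", "10.0.5.255", "10.0.7.255", "10.0.8.127"]
    for broadcast, cidr in map_subnets("10.0.0.0/8", found):
        print(f"{broadcast:<12} -> {cidr or 'not one block; rescan below it'}")
```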