RE: Find out the subnetting of a company

["Dieter Sarrazyn" <dsr () ascure com>]

Hi,

You can find lot's of the subnet structure with ping & traceroute scans
already. First, you can use the ping functionality of nmap (nmap -sP)
which should give you information about network and broadcast addresses.
If you found these parts, you already know how the subnetting is done.
With traceroute, you'll find out how these subnets are connected to
eachother.

Of course, if there's a router that has snmp enabled, try to find one of
the community strings & dump the routing table of this router...

Hope this helps.

regards,
Dieter 

> -----Original Message-----
> From: il.prof () virgilio it [mailto:il.prof () virgilio it] 
> Sent: donderdag 15 juli 2004 10:17
> To: pen-test () securityfocus com
> Subject: Find out the subnetting of a company
>
> During an internal black-box penetration test, from a subnet 
> of a company (with or without DHCP), how do you find out the 
> structure of the other subnets of network? In particular, how 
> do you determine/discover the subnetting of the IP space of a company?
>
> An example:
>
> - IP network of the company XYZ: 10.0.0.0/8 (I use a private 
> class to avoid the use of a real address space)
> - I?m in the subnet 10.0.0.0/24
>
> How do you find out the structure of other subnets that are 
> part of the network 10.0.0.0/8?
>
> Il Prof.