Penetration Testing mailing list archives

Re: Find out the subnetting of a company

From: "Volker Tanger" <volker.tanger () detewe de>
Date: Wed, 21 Jul 2004 09:20:31 +0200

Hi!

During an internal black-box penetration test, from a subnet 
of a company (with or without DHCP), how do you find out the 
structure of the other subnets of network?


Sometimes it is better/easier to take a purely passive approach. 

Running ARPWATCH will tell you quite a lot about the (physically
attached) networks and devices - especially the hardware vendor IDs
(Vendor-IDs Cisco, Nortel etc. are a dead giveaways for points of
interest). 

Plainly tunning TCPDUMP and filtering for NETBIOS broadcasts will tell
you quite nicely network boundaries of networks where Microsoft systems
are active.

Bye

Volker Tanger
ITK Security

Current thread:

Find out the subnetting of a company il . prof (Jul 19)
- Re: Find out the subnetting of a company Miles Stevenson (Jul 20)
  - Re: Find out the subnetting of a company J.A. Terranson (Jul 20)
    - Re: Find out the subnetting of a company Miles Stevenson (Jul 20)
  - Re: Find out the subnetting of a company Andy Cuff (Jul 21)
- RE: Find out the subnetting of a company easternerd (Jul 21)
- Re: Find out the subnetting of a company Tim (Jul 21)
- <Possible follow-ups>
- RE: Find out the subnetting of a company Dieter Sarrazyn (Jul 20)
  - Re: Find out the subnetting of a company Volker Tanger (Jul 21)
  - RE: Find out the subnetting of a company Rob J Meijer (Jul 21)
- Re: Find out the subnetting of a company David M. Zendzian (Jul 21)
  - Re: Find out the subnetting of a company Tony Carter (Jul 22)
  - Re: Find out the subnetting of a company Martin Mačok (Jul 23)
    - RE: Find out the subnetting of a company Jerry Shenk (Jul 28)
- Re: Find out the subnetting of a company David M. Zendzian (Jul 22)
- RE: Find out the subnetting of a company Liberty . Anthony (Jul 22)