Penetration Testing mailing list archives

Re: Find out the subnetting of a company


From: "Andy Cuff" <lists () securitywizardry com>
Date: Tue, 20 Jul 2004 18:33:36 +0100

Hi
A nice tool to assist at 3AM when the braincells just can't cope with
subnetting is the FREE Solarwinds advanced subnet calculator
http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc/index.htm
You still have to do some legwork for the information, but it helps.

-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
----- Original Message ----- 
From: "Miles Stevenson" <miles () mstevenson org>
To: <pen-test () securityfocus com>
Sent: Monday, July 19, 2004 7:24 PM
Subject: Re: Find out the subnetting of a company


Usually, the best way to map out how a chunk of address space has been subnetted is by finding out which addresses are used for broadcasting. This is a trivial task for a tool like nmap, which will notify you when it has stumbled upon a broadcast address.

Once you have found a broadcast address, you know that you have the "top end" of a subnet. From there it's a simple matter of finding the bottom end. There are multiple ways to go about this.

One good way is to assume that the first address on the subnet will be used for that network's router, which is a very common way of doing things. You can try tracerouting to 2 addresses beyond your broadcast address, and then see which hops are identified as routers. Keep in mind that you may or may not be allowed to use traceroute depending on any network filtering going on, and you may not hit a router as the first IP of a subnet (although that would be very rare).

A more reliable method of finding the "bottom end" of the subnet is to continue scanning downward through the address space until you find another broadcast address. By finding out where the previous network ends, you now know where the next network begins (the next address would be the network address).

Just don't forget about all the modern and tricky things you can do with software like honeyd and VMware. What you happen to map out on paper may not be actual physical devices at all, but rather one large machine running a complex internal VMware or honeyd setup. These are rare cases, but they do happen.

Hope that helps.


On Thursday 15 July 2004 04:17 am, il.prof () virgilio it wrote:
During an internal black-box penetration test, from a subnet of a company (with or without DHCP), how do you find out the structure of the other subnets of the network? In particular, how do you determine/discover the subnetting of the IP space of a company?

An example:

- IP network of the company XYZ: 10.0.0.0/8 (I use a private class to avoid the use of a real address space)
- I'm in the subnet 10.0.0.0/24

How do you find out the structure of other subnets that are part of the network 10.0.0.0/8?

Il Prof.

-- 
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
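The arithmetic behind both replies above, as an added example that is not part of the original thread or of any tool mentioned in it: subnet_summary() does what a subnet calculator such as the one Andy links to does, and infer_subnets() applies Miles's method, treating each discovered broadcast address as the top end of a subnet and the address just above the previous broadcast as the bottom end of the next one. A span is accepted as one subnet only if its size is a power of two and its network address is aligned to that size; otherwise it is reported with the minimal set of aligned blocks that could cover it, which tells the tester that a broadcast in that span was missed (or something was mistaken for one). The broadcast addresses and the 10.0.0.0 starting point are constructed sample data inside the question's 10.0.0.0/8, not observations from any real network; the function and variable names are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data (not from any real network): broadcast addresses a
# scan might have turned up inside the company's 10.0.0.0/8, in arrival order.
SAMPLE_BROADCASTS = ["10.0.1.255", "10.0.0.255", "10.0.1.127", "10.0.3.255", "10.0.4.63"]
SAMPLE_SPACE_START = "10.0.0.0"  # bottom of the block being mapped, if known


def subnet_summary(cidr: str) -> Dict[str, object]:
    """Subnet-calculator output for an address in CIDR notation (a host
    address such as 10.0.1.200/25 is accepted and its block is computed)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        # /31 (RFC 3021 point-to-point) and /32 have no separate
        # network/broadcast addresses, so every address is usable.
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last, usable = net.network_address + 1, net.broadcast_address - 1, net.num_addresses - 2
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


def _block_between(network: ipaddress.IPv4Address, broadcast: ipaddress.IPv4Address):
    """Return the single CIDR block whose boundaries are exactly
    network..broadcast, or None if no subnet can have those boundaries."""
    size = int(broadcast) - int(network) + 1
    if size <= 0 or size & (size - 1):   # size must be a power of two
        return None
    if int(network) % size:               # network must be aligned to its size
        return None
    prefix = 32 - (size.bit_length() - 1)  # bit_length()-1 == log2(size)
    return ipaddress.ip_network(f"{network}/{prefix}")


def infer_subnets(broadcasts: List[str], space_start: Optional[str] = None) -> List[Dict[str, object]]:
    """Reconstruct subnets from discovered broadcast addresses.

    Each broadcast is the top end of a subnet; the address just above the
    previous broadcast (or space_start for the lowest one) is its bottom end.
    A span that cannot be one subnet is reported as inexact together with the
    minimal aligned blocks that could make it up.
    """
    tops = sorted({ipaddress.ip_address(b) for b in broadcasts})
    prev_top = ipaddress.ip_address(space_start) - 1 if space_start else None
    results: List[Dict[str, object]] = []
    for top in tops:
        if prev_top is None:
            # Nothing known below this broadcast: Miles's advice applies,
            # keep scanning downward until another broadcast turns up.
            results.append({"broadcast": str(top), "network": None, "exact": False,
                            "note": "bottom end unknown: keep scanning downward"})
        else:
            bottom = prev_top + 1
            block = _block_between(bottom, top)
            if block is not None:
                results.append({"broadcast": str(top), "network": str(block), "exact": True})
            else:
                cands = [str(n) for n in ipaddress.summarize_address_range(bottom, top)]
                results.append({"broadcast": str(top), "network": None, "exact": False,
                                "candidates": cands,
                                "note": "span is not one subnet; a broadcast in it was missed or misidentified"})
        prev_top = top
    return results


if __name__ == "__main__":
    print(subnet_summary("10.0.1.200/25"))
    for entry in infer_subnets(SAMPLE_BROADCASTS, SAMPLE_SPACE_START):
        print(entry)
```

Run with the sample data, the five broadcasts resolve to 10.0.0.0/24, 10.0.1.0/25, 10.0.1.128/25, 10.0.2.0/23 and 10.0.4.0/26. Feeding it only 10.0.0.127 and 10.0.1.127 shows the failure mode: the 256 addresses from 10.0.0.128 to 10.0.1.127 are a power of two in size but not aligned, so the function refuses to call them a /24 and instead lists 10.0.0.128/25 and 10.0.1.0/25, a hint that 10.0.0.255 was probably a broadcast the scan never saw.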

