Penetration Testing mailing list archives
RE: Find out the subnetting of a company
From: Rob J Meijer <rmeijer () xs4all nl>
Date: Wed, 21 Jul 2004 09:54:47 +0200 (CEST)
I would suggest starting out at a lower level. You are on a directly connected segment with routers to talk to directly; just using the 'remote' methods of testing is throwing away lots of information available by being on the same segment as some of the routers.

With ARP, just sweep the full /8 for ARP responses, as in many cases routing boxes will respond to the IP of one interface on another interface; in some cases they will even respond to any routable address, and in any case you will locate routers from 'router only vendors' by looking at their MAC prefix. After this you will have a probably (almost) complete list of available routers on your segment.

Once you have the MAC address of the routers, you can try to communicate with them using any of the normally available router protocols in order to get your starting information on subnet routing.

Once you know (or have a viable hypothesis about) what subnets are available through what routers, you can adjust your own routing table accordingly, and you can start using the different types of 'remote' scans available to locate systems on the subnets and try to use traceroute to the subnets.

If traceroute fails, you can try to use the TTL of IP to at least find the hop count. Although this isn't reliable anymore for 'remote' tests, when directly connected to a simple routing architecture the results tend to be usable.

Rob

On Tue, 20 Jul 2004, Dieter Sarrazyn wrote:
Hi,

You can find lots of the subnet structure with ping & traceroute scans already. First, you can use the ping functionality of nmap (nmap -sP), which should give you information about network and broadcast addresses. If you found these parts, you already know how the subnetting is done. With traceroute, you'll find out how these subnets are connected to each other.

Of course, if there's a router that has SNMP enabled, try to find one of the community strings & dump the routing table of this router...

Hope this helps.

regards,
Dieter

-----Original Message-----
From: il.prof () virgilio it [mailto:il.prof () virgilio it]
Sent: Thursday 15 July 2004 10:17
To: pen-test () securityfocus com
Subject: Find out the subnetting of a company

During an internal black-box penetration test, from a subnet of a company (with or without DHCP), how do you find out the structure of the other subnets of the network? In particular, how do you determine/discover the subnetting of the IP space of a company?

An example:
- IP network of the company XYZ: 10.0.0.0/8 (I use a private class to avoid the use of a real address space)
- I'm in the subnet 10.0.0.0/24

How do you find out the structure of other subnets that are part of the network 10.0.0.0/8?

Il Prof.
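The full-/8 ARP sweep Rob describes above is also exactly what a defender on that segment can spot: one host ARP-ing far more addresses than a normal client, most of them outside its own /24. The following is an added detection example, not code from anyone in the thread; it runs over constructed tcpdump-style ARP lines, and the thresholds and the `local_net` argument are assumptions to be tuned per environment.

```python
import ipaddress
import re
from collections import defaultdict

# tcpdump -n style ARP request line (constructed sample format):
#   09:54:47.000001 ARP, Request who-has 10.0.0.5 tell 10.0.0.77, length 28
ARP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ ARP, Request who-has (?P<target>[\d.]+)"
    r" tell (?P<sender>[\d.]+)"
)

def parse_arp_requests(lines):
    """Yield (seconds_since_midnight, sender_ip, target_ip) per who-has line."""
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            h, mi, s = (int(x) for x in m.group("ts").split(":"))
            yield h * 3600 + mi * 60 + s, m.group("sender"), m.group("target")

def find_arp_sweepers(lines, local_net, window=60, max_targets=20, max_off_segment=3):
    """Return {sender: details} for hosts whose ARP requests look like a sweep.

    Two signals (thresholds are assumptions):
      * many distinct targets within `window` seconds, or
      * several requests for addresses outside `local_net`. A correctly
        configured host ARPs for its gateway, not for off-segment addresses,
        so a /8 sweep from a /24 host stands out; proxy ARP or a wrong
        netmask can produce a few of these, hence a threshold rather than 1.
    """
    local = ipaddress.ip_network(local_net)
    by_sender = defaultdict(list)
    for ts, sender, target in parse_arp_requests(lines):
        by_sender[sender].append((ts, ipaddress.ip_address(target)))
    alerts = {}
    for sender, events in by_sender.items():
        events.sort(key=lambda e: e[0])
        peak, start = 0, 0
        for end in range(len(events)):        # sliding time window over targets
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({t for _, t in events[start:end + 1]}))
        off = sorted({str(t) for _, t in events if t not in local})
        if peak >= max_targets or len(off) >= max_off_segment:
            alerts[sender] = {"peak_targets": peak, "off_segment": off}
    return alerts

# Constructed sample: 10.0.0.77 walks the /8 one second apart, 10.0.0.12 is a
# normal client resolving its gateway and a file server.
SAMPLE = [f"09:54:{i:02d}.000001 ARP, Request who-has 10.{i}.0.1 tell 10.0.0.77, length 28" for i in range(25)]
SAMPLE += ["09:55:00.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.12, length 28",
           "09:55:10.000001 ARP, Request who-has 10.0.0.5 tell 10.0.0.12, length 28"]

if __name__ == "__main__":
    for ip, info in find_arp_sweepers(SAMPLE, "10.0.0.0/24").items():
        print(ip, info)
```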