Re: Find out the subnetting of a company

["David M. Zendzian" <dmz () dmzs com>]

Ok, after a little searching I did find the info I mentioned the other day. 

Icmp can send a host mask request. For example using sing:
  Sing -mask -c 1 IPADDR

Check out http://www.whitehats.ca/main/publications/external_pubs/icmp_usage/icmp_usage.html

David
-----Original Message-----
From: "Volker Tanger" <volker.tanger () detewe de>
Date: Wed, 21 Jul 2004 09:20:31 
To:pen-test () securityfocus com
Subject: Re: Find out the subnetting of a company

Hi!

> > During an internal black-box penetration test, from a subnet 
> > of a company (with or without DHCP), how do you find out the 
> > structure of the other subnets of network? 

Sometimes it is better/easier to take a purely passive approach. 

Running ARPWATCH will tell you quite a lot about the (physically
attached) networks and devices - especially the hardware vendor IDs
(Vendor-IDs Cisco, Nortel etc. are a dead giveaways for points of
interest). 

Plainly tunning TCPDUMP and filtering for NETBIOS broadcasts will tell
you quite nicely network boundaries of networks where Microsoft systems
are active.

Bye

Volker Tanger
ITK Security


/--------------------------------------\
 David M. Zendzian * dmz () dmzs com 
 (415) 867-7812 - phone  
  -------------                    
  Imagination is greater than knowledge * Albert Einstein
 Every day is a good day, whether you like it or not! *