Penetration Testing mailing list archives

Re: Multiple IP on the same server how to identify


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 10 Jun 2004 16:28:39 -0500

On Thu, 2004-06-10 at 05:12, NetExpress wrote:
Hi, the problem is, if I am doing a penetration test from the internet to
many servers, probably there should be some IPs on the same server or
network adapter, like a load balancer.
In a report, and to avoid false positives, it should be useful to identify
which IPs are on the same server, but how?


If you can observe response packets from the servers (responses to UDP
or ICMP requests, or simple TCP requests such as telnetting to an open
port), then you can fingerprint the IP stack by hand. Examine TTL, IP ID
and Window size. Most systems don't randomize the IP ID, so you can
easily distinguish between different servers by watching the IP ID.

Remember, tcpdump is your friend :)

Regards,
Frank
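
The comparison described in the reply above, as an added example that is not part of the original message: it groups IPs whose responses interleave on a single incrementing IP ID counter and agree on TTL and window size. The sample tuples, the `MAX_STEP` threshold and the function names are assumptions made for illustration.

```python
from itertools import combinations

# Constructed observations (not real capture data), one tuple per response
# packet as read off `tcpdump -v`: (seconds, source IP, IP ID, TTL, TCP window)
SAMPLES = [
    (0.0, "192.0.2.10", 65520, 52, 5840),
    (0.1, "192.0.2.11", 65523, 52, 5840),
    (0.2, "192.0.2.12", 1207, 116, 65535),
    (0.3, "192.0.2.13", 30100, 52, 5840),
    (0.4, "192.0.2.10", 65531, 52, 5840),
    (0.5, "192.0.2.11", 2, 52, 5840),      # 16-bit counter wrapped
    (0.6, "192.0.2.12", 1208, 116, 65535),
    (0.7, "192.0.2.13", 30101, 52, 5840),
    (0.8, "192.0.2.10", 9, 52, 5840),
]

MAX_STEP = 200  # assumed: largest IP ID gap tolerated between two probes

def shares_counter(a, b, samples, max_step=MAX_STEP):
    """True if a and b interleave on one incrementing IP ID counter."""
    seq = sorted(s for s in samples if s[1] in (a, b))  # order by time
    if len(seq) < 4:                       # too few packets to judge
        return False
    if len({(s[3], s[4]) for s in seq}) != 1:  # TTL and window must agree
        return False
    # Differences are taken mod 2**16 so a wrap still counts as a small step.
    steps = [(y[2] - x[2]) % 65536 for x, y in zip(seq, seq[1:])]
    return all(0 < d <= max_step for d in steps)

def group_hosts(samples):
    """Union IPs that pairwise share a counter; return sorted groups."""
    ips = sorted({s[1] for s in samples})
    parent = {ip: ip for ip in ips}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(ips, 2):
        if shares_counter(a, b, samples):
            parent[find(b)] = find(a)
    groups = {}
    for ip in ips:
        groups.setdefault(find(ip), []).append(ip)
    return sorted(groups.values())

if __name__ == "__main__":
    for g in group_hosts(SAMPLES):
        print("same host:", ", ".join(g))
```

An IP whose stack randomizes the IP ID never passes the step check, so it stays in its own group rather than being merged by mistake.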
