Penetration Testing mailing list archives
Re: RE: Discovering network subnets
From: hannibal blog <hannibalsec () gmail com>
Date: Tue, 23 Aug 2005 09:44:19 +0200
hello thanks for fixing some adressing notions I began to forget. Finally, it appeared it's a /24 network (X.X.X.0 and X.X.X.255 can't be hosts). I'm in the broadcast domain, and thanks to (or because of) CDP (Cisco discovery protocol), I got many informations on routers and networks. The output I posted seems to be my testing machine scan although my IP adress was X.X.X.7, I didn't understand why. I'm using a Knoppix STD distibution. Here is an other scan output : nmap X.X.X.0/24 -O Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port Host X.X.X.0 seems to be a subnet broadcast address (returned 3 extra pings). Still scanning it due to ping response from its own IP. Interesting ports on 0.0.0.0: (The 1662 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 80/tcp open http MAC Address: 00:06:28:00:00:00 (Cisco Systems) Device type: router Running: Cisco IOS 12.X OS details: Cisco 3600 router running IOS 12.2(6c), Cisco router running IOS 12.1(5)-12.2(7a), Cisco router running IOS 12.1.5-12.2.13a Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port All 1663 scanned ports on 0.0.0.4 are: filtered MAC Address: 00:40:F4:00:00:00 (Cameo Communications) Too many fingerprints match this host to give specific OS details #my testing box Interesting ports on 0.0.0.7: (The 1661 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 68/tcp open dhcpclient 6000/tcp open X11 Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux 2.4.0 - 2.5.20 Uptime 0.028 days (since Sat Jul 2 12:50:53 2005) Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port Host 0.0.0.255 seems to be a subnet broadcast address (returned 3 extra pings). Still scanning it due to ping response from its own IP. Interesting ports on 0.0.0.255: (The 1662 ports scanned but not shown below are in state: filtered) PORT STATE SERVICE 80/tcp open http MAC Address: 00:06:28:00:00:00 (Cisco Systems) Device type: router Running: Cisco IOS 12.X OS details: Cisco 3600 router running IOS 12.2(6c), Cisco router running IOS 12.1(5)-12.2(7a), Cisco router running IOS 12.1.5-12.2.13a Any ideas about how nmap deals with X.X.X.0 and X.X.X.225 (network and broadcast adresses?) 2005/8/23, chad () mr-lew com <chad () mr-lew com>:
Let's try to clear this up a bit... If you have a network mask of 255.255.255.0 (24 bits), then the .0 address is your Network ID and can NOT be used as a host address. The .255 address will be your broadcast address and also can not be used as a host address. This makes .1 thru .254 as valid host addresses. 192.168.1.0/24 - Network ID (All Host bits are 0) 192.168.1.1-254 - Host Addresses 192.168.1.255 - Broadcast Address (All Host bits are 1) You may see some responses from a Cisco router, not actually a host address, but it may respond to some of the ICMP probes. I am sure some other systems performing routing functions may do the same in some circumstances, but in my experience they do not answer up with SYN/ACK or RST/ACK for port scans. Now if you have a network mask of 255.255.254.0 (23 bits) or anything less than 24 bits for that matter, a .0 can and IS a valid host address. In the example of 10.0.0.0/23 the Network ID would be the first 23 bits, making it 10.0.0.0. The first available host would have the 32nd bit turned on, making it 10.0.0.1. The last available host would have bits 24 thru 31 turned on, with the 32nd bit turned off making it 10.0.1.254. This would include 10.0.1.0 as a VALID host address. Where the confusion comes from is crossing the bit boundary. You need to look at it in binary to see how it is just the next host when going from 10.0.0.255 to 10.0.1.0. Hopefully this diagram can help (and won't get butchered in delivery) ;) 1 1 2 6 3 1 2 6 3 1 10.0. 8 4 2 6 8 4 2 | 1 . 8 4 2 6 8 4 2 1 ---------------------------------------- NETWORK PORTION | HOST PORTION --.-. 0 0 0 0 0 0 0 | 0 . 0 0 0 0 0 0 0 0 Network ID --.-. 0 0 0 0 0 0 0 | 0 . 0 0 0 0 0 0 0 1 1st Available Host --.-. 0 0 0 0 0 0 0 | 0 . 1 1 1 1 1 1 1 1 Valid Host --.-. 0 0 0 0 0 0 0 | 1 . 0 0 0 0 0 0 0 0 Valid Host --.-. 0 0 0 0 0 0 0 | 1 . 1 1 1 1 1 1 1 0 Last Available Host --.-. 0 0 0 0 0 0 0 | 1 . 1 1 1 1 1 1 1 1 Broadcast Address Also, Classful addressing was not done away with by CIDR. CIDR granted us the ability to better use and identify/aggregate our networks. Classful addressing is still used today in numerous places (RIPv1 for example), but when possible classful addressing is normally preferred. It was pointed out that RFC 3021 outlines the specific use of a 31 bit mask, which would break this model if used. It must be pointed out that the RFC outlines this use on point- to-point links only. Considering that the system was "reported" as having ports 68/tcp, 723/tcp and 6000/tcp open, I would be inclined to rule against it being on a point-to-point link. 68/tcp - ??? Could this be some TCP based BOOTP server... 723/tcp - OpenMosix File System (curious) 6000/tcp - Probably X Windows I would try to gather some more O/S fingerprinting information by generating more ICMP and TCP responses (SYN/ACK and RST/ACK) with hping2 and then gather the responses with a sniffer to try and use p0f to get a better picture. I would be curious to hear what the final findings are... ------------------------------------------------------------------------------ FREE WHITE PAPER - Wireless LAN Security: What Hackers Know That You Don't Learn the hacker's secrets that compromise wireless LANs. Secure your WLAN by understanding these threats, available hacking tools and proven countermeasures. Defend your WLAN against man-in-the-Middle attacks and session hijacking, denial-of-service, rogue access points, identity thefts and MAC spoofing. Request your complimentary white paper at: http://www.securityfocus.com/sponsor/AirDefense_pen-test_050801 -------------------------------------------------------------------------------
Current thread:
- Discovering network subnets hannibal blog (Aug 20)
- Re: Discovering network subnets Craig Holmes (Aug 21)
- Re: Discovering network subnets Kelly Scroggins (Aug 21)
- Re: Discovering network subnets Kelly Scroggins (Aug 21)
- <Possible follow-ups>
- RE: Discovering network subnets Payton, Zack (Aug 20)
- RE: Discovering network subnets Timothy Dillman (Aug 21)
- Re: RE: Discovering network subnets nobody (Aug 21)
- Re: RE: Discovering network subnets chad (Aug 22)
- Re: RE: Discovering network subnets hannibal blog (Aug 23)