Penetration Testing mailing list archives

RE: Network discovery


From: "David McCaskill" <david () mccaskillda com>
Date: Mon, 29 Aug 2005 19:43:50 -0400

Try ipsonar or cheops-ng

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez () germinus com] 
Sent: Monday, August 29, 2005 5:39 AM
To: Arjun Venkatraman
Cc: pen-test () securityfocus com
Subject: Re: Network discovery

Arjun Venkatraman wrote:

Hi,
Does anyone know of an efficient way to discover a complete network
tree starting from a root node? I have a network where I want to add
clients to intermediate servers at will, and I want the superserver
to discover the complete tree with the hierarchy.

The config I have is something like this:
(...)

You are not providing many details. Is this a TCP/IP network? Is 
this using some kind of specific application that you want to discover 
if it's being used in a network (i.e. you have a target port for it)?

Your scheme is quite similar to a multicast application so maybe you 
can customise the application to incorporate some kind of "echo" (like 
ICMP does) through it.

Superserver -> sends echo to all intermediate servers registered to it 
-> intermediate servers send echo to all clients connected to it -> 
clients reply -> servers send replies back to superserver.

Nmap will just not catch it as it does not have any knowledge of how 
to find client B if it's in a different network than superserver A.

If you are looking at a traditional TCP/IP network _and_ have an 
application port (XXX) associated with the client/server/superserver 
you might get around this doing a traditional network discovery test 
(i.e. like network tools such as HP Openview's Network Node Manager 
implement) and then extract the list elements of the network that are 
'up' and feed that to a 'nmap -sT -p XXX' scan.

Network scanning such as that done with NNM however, is not efficient 
and heavily relies on the network elements "behaving properly". That is:

1.- network devices (such as routers or switches) reply to SNMP 
communities and their configuration (interfaces they have, networks 
connected to) can be retrieved remotely through it.

2.- hosts answer to ICMP queries and (maybe) have SNMP agents that 
provide additional network information (in case of dual-homed hosts).

So if you don't have proper access to the devices a tool like that 
won't do a thing and will only discover your local subnet.

Such a network test is far from efficient as it tries to discover 
_all_ network systems. It might even go beyond your own network if you 
don't limit it properly, so be careful if you code it yourself :-)

Regards

Javier
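The application-level "echo" scheme Javier sketches above (superserver -> intermediate servers -> clients -> replies bubbling back up), written out as an added example; this is not code from the thread or from Arjun's application. It simulates the overlay in memory with JSON messages between nodes (a stand-in for the real sockets), carries a hop limit so a looping or oversized topology cannot run away, and checks that each reply matches the request it was sent for. Node names and addresses are constructed; the clients sit on subnets the superserver could not reach with a flat nmap sweep, which is exactly why the walk has to follow the application's own registration links.

```python
"""Hierarchical ECHO discovery over an application overlay (added example,
not code from the original thread). Messages are JSON dicts passed through
an in-memory transport standing in for real sockets."""
import json
import uuid


class Node:
    """One overlay participant: superserver, intermediate server or client.

    Every node answers ECHO for itself; a node with registered children also
    forwards the ECHO downstream and bundles the replies into its own."""

    def __init__(self, name, addr):
        self.name = name
        self.addr = addr        # constructed address, e.g. "10.0.1.5:4444"
        self.children = []      # nodes that registered with this one

    def register(self, child):
        self.children.append(child)
        return child

    def receive(self, raw):
        """Handle one serialized message and return the serialized reply."""
        msg = json.loads(raw)
        if msg.get("type") != "ECHO":
            return json.dumps({"type": "ERROR", "reason": "unsupported message"})
        reply = {
            "type": "ECHO-REPLY",
            "id": msg["id"],
            "node": self.name,
            "addr": self.addr,
            "children": [],
            "truncated": False,
        }
        if msg["ttl"] <= 0:
            # Hop limit exhausted: answer for ourselves but do not recurse,
            # which bounds the walk on a looping or misconfigured topology.
            reply["truncated"] = bool(self.children)
            return json.dumps(reply)
        downstream = json.dumps({"type": "ECHO", "id": msg["id"], "ttl": msg["ttl"] - 1})
        for child in self.children:
            child_reply = json.loads(child.receive(downstream))
            # Keep only well-formed replies carrying our request id;
            # anything else is stale, from another walk, or forged.
            if child_reply.get("type") == "ECHO-REPLY" and child_reply.get("id") == msg["id"]:
                reply["children"].append(child_reply)
        return json.dumps(reply)


def discover(root, max_hops):
    """Send one ECHO from the superserver and return the reassembled tree."""
    request_id = uuid.uuid4().hex
    raw = root.receive(json.dumps({"type": "ECHO", "id": request_id, "ttl": max_hops}))
    reply = json.loads(raw)
    assert reply["id"] == request_id
    return reply


def flatten(tree, depth=0):
    """Pre-order list of (depth, name, addr, truncated) rows for display."""
    rows = [(depth, tree["node"], tree["addr"], tree["truncated"])]
    for child in tree["children"]:
        rows.extend(flatten(child, depth + 1))
    return rows


def build_sample_overlay():
    """Constructed topology: one superserver, two intermediate servers and
    three clients, with the clients on subnets the superserver cannot reach
    by scanning IP ranges."""
    a = Node("superserver-A", "10.0.0.1:4444")
    s1 = a.register(Node("server-1", "10.0.1.1:4444"))
    s2 = a.register(Node("server-2", "192.168.5.1:4444"))
    s1.register(Node("client-1", "10.0.1.20:4444"))
    s1.register(Node("client-2", "10.0.1.21:4444"))
    s2.register(Node("client-3", "192.168.5.30:4444"))
    return a


if __name__ == "__main__":
    for depth, name, addr, truncated in flatten(discover(build_sample_overlay(), 4)):
        marker = "  [not expanded]" if truncated else ""
        print("  " * depth + f"{name} ({addr}){marker}")
```

Running the module prints the indented tree; calling `discover(root, 1)` instead stops at the intermediate servers and marks them as not expanded, which is the knob to turn when a misbehaving server starts registering children it should not have. In a real deployment the transport would be the application's existing client/server channel, and the request id should be unpredictable (as here) so that a rogue client cannot pre-compute a reply to inject into someone else's walk.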

