Penetration Testing mailing list archives
Re: Topology discover
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Tue, 11 Oct 2005 12:28:45 +0200
RSMC wrote:

> But I think I am missing some techniques to find out what the topology is. I know about traceroute, firewalk and CDP, but I would like to know if there is a whitepaper or documentation that explains how to find out as much as possible about the environment I am in. Help about discovering VLANs is also welcomed.
Also, have you read the following threads:
http://archives.neohapsis.com/archives/sf/pentest/2005-08/0272.html

So, your basic stuff is:

- "Listen" to the network traffic, make a list of systems active on the network, IP addresses, etc. You can map broadcasts and determine what subnets are there. You can sometimes:
  - pinpoint the OS for some systems, since some of them might broadcast information to all the network and some MAC addresses are a "give away" (i.e. network devices of some vendors are easy to spot based on their MACs)
  - determine which are servers/routers and which are clients (you will usually "see" more ARP requests for IP addresses that belong to servers or routers than to clients)

  [ This is obviously easier if you are _not_ on a switched network; you will end up with a lot of information in this case ]

  If you feel a little bit lost here, try this book: http://lcamtuf.coredump.cx/silence.shtml

- Scan the network you are aware of:
  1- start with ARP pings to the systems in it, then do ICMP
  2- find where the network devices (routers, switches) are and extract their configuration through SNMP (try default communities) or query them through their specific network protocols (i.e. CDP) or, even, through administrative interfaces (telnet, ssh or web(s))
  3- find where servers are by scanning for common server ports. You can actually use these scans to determine their OS either by active fingerprinting or passive fingerprinting.

You should be able to gather information on more networks from here and then you can do 1-3 again (minus ARP pings) and again and again.

If you go through the documentation of vendors providing network management stations with "auto-discovery" (i.e. HP Openview Network Node Manager, Tivoli's Netview, Aprisma Spectrum or Cheops) you will find that the "active scan" part is a common feature. It's usually not very aggressive; you might want to be a little bit more if you are doing an internal pen-test.
Just my few cents

Regards

Javier
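As an added example (not code from the thread or its author), the passive part of the method above in Python: parse raw Ethernet/ARP frames, inventory every sender with a vendor guess from the MAC's OUI, and flag addresses that many hosts ask for as likely routers/servers. The OUI table is a constructed two-entry stand-in for the IEEE registry, and the frames are constructed samples, not a real capture; the same parser works on frames read from a pcap.

```python
import struct
from collections import Counter

# Constructed OUI lookup (assumption); a real tool would load the IEEE registry.
OUI_VENDORS = {"00:00:0c": "Cisco", "00:50:56": "VMware"}

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)

def build_arp_request(src_mac, src_ip, target_ip):
    """Assemble a broadcast who-has frame; used only to construct sample traffic."""
    eth = ETH_HDR.pack(b"\xff" * 6, src_mac, 0x0806)
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, 1, src_mac, src_ip, b"\x00" * 6, target_ip)  # op 1 = request
    return eth + arp

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip), or None for non-ARP or short frames."""
    if len(frame) < ETH_HDR.size + ARP_PKT.size or ETH_HDR.unpack_from(frame)[2] != 0x0806:
        return None
    _, _, _, _, op, sha, spa, _, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    return op, mac_str(sha), ip_str(spa), ip_str(tpa)

def map_arp_traffic(frames, hot_threshold=3):
    """Inventory every ARP sender and flag IPs asked for at least hot_threshold times."""
    hosts, asked_for = {}, Counter()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sha, spa, tpa = parsed
        hosts[spa] = (sha, OUI_VENDORS.get(sha[:8], "unknown"))  # a sender is alive at spa
        if op == 1:                                               # who-has: someone wants tpa
            asked_for[tpa] += 1
    likely_infra = sorted(ip for ip, n in asked_for.items() if n >= hot_threshold)
    return hosts, asked_for, likely_infra

def sample_frames():
    """Constructed capture: three clients resolving the gateway, plus a non-ARP frame."""
    gw_mac, gw_ip = bytes.fromhex("00000c000001"), bytes([10, 0, 0, 1])
    clients = [(bytes.fromhex(f"0050560000{n:02x}"), bytes([10, 0, 0, n])) for n in (10, 11, 12)]
    frames = [build_arp_request(m, ip, gw_ip) for m, ip in clients]
    frames.append(build_arp_request(*clients[0], clients[1][1]))   # client .10 asks for .11
    frames.append(build_arp_request(gw_mac, gw_ip, clients[0][1]))  # gateway asks for .10
    frames.append(ETH_HDR.pack(gw_mac, clients[0][0], 0x0800) + b"\x00" * 28)  # IPv4, ignored
    return frames
```

On a switched segment you will only see the broadcast who-has half of this, which is why the heuristic works there at all; on a hub or a mirrored port the replies also show up and the inventory fills in faster.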