Penetration Testing mailing list archives

Restricted IP access to running services


From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Fri, 21 Nov 2008 08:56:09 +0530

Hey Guys,
I'm quite sure a lot of people here have come across a "port open BUT
restricted to IPs" scenario whenever you've pen tested. This
could be the case with potentially any running service -
HTTP/HTTPS/FTP/SMTP relay, to name a few.

My question is - What are the methods you use to enumerate exact IP
addresses that you think are allowed access? Once you do that how do
you use them? Here are my thoughts:

--- Apart from directly asking the client which IPs he's given
access to (which isn't going to be fruitful at all, IMO), the only bet for
finding out is to browse the web/social engineer/spider the website
for contacts and social engineer your way into getting a list of
clients/IP addresses (if you're lucky).

What if you don't succeed here? Are there any other techniques you
use? Apart from trying to get lucky with a scanner on some other
exposed service and working your way backward from there to the blocked
service.

Then again, what if you do succeed? Assume you enumerate say; 3 IP
addresses that are allowed to access that HTTP firewall administrative
page over the Internet. How do you exploit this behavior?
--- Do you just change your IP address to that public IP address and
start trying to gain access? This again is not easy: on dialup/any
other dynamic IP allocator you're going to be assigned one IP from
their pool and can't change it, else you get dropped.
--- Behind a FW/Router/Proxy scenario you would have to NAT your
private IP to that public IP.
--- VMware is an option too, in bridged mode.
--- Maybe hping, spoofing source addresses and creating customized
packets to access the remote "filtered" service (though this can be
painful).

That's all I could think of off the top of my head. What would you do?
It's a question which has bugged me for a while now as to why just IP
restrictions are not considered good enough (this isn't the main
question :) ).

Cheers
Arvind
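The "spoof the source address and craft your own packets" option from the post, as an added example that is not part of the original message or of hping itself: a stdlib-only Python builder for an IPv4/TCP SYN whose source address is whatever you choose, plus a parser that decodes the fields a filter would check and verifies both checksums. The addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and function names are assumptions made up for the illustration. The practical caveat the post hints at with "painful": the SYN-ACK goes back to the spoofed source, not to you, so unless you control or can observe traffic at that address the probe is blind, and many upstream networks drop packets with foreign source addresses (BCP 38 filtering) before they ever reach the target.

```python
"""Craft an IPv4/TCP SYN with an arbitrary (spoofed) source address.

Added illustration, not code from the original post. Sending needs a raw
socket (root / CAP_NET_RAW); building and parsing run unprivileged.
"""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """Return the raw bytes of an IPv4 header + TCP SYN from src_ip to dst_ip:dport.

    src_ip is written into the header verbatim, which is all "spoofing" is at
    this layer; nothing on the sending host checks that it owns the address.
    """
    src = socket.inet_aton(src_ip)
    dst = socket.inet_aton(dst_ip)
    # TCP header without options: data offset 5 (20 bytes), only SYN set.
    offset_flags = (5 << 12) | 0x02
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, 65535, 0, 0)
    # TCP checksum covers a pseudo-header (src, dst, zero, proto, length).
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp_hdr))
    tcp_csum = checksum(pseudo + tcp_hdr)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    total_len = 20 + len(tcp_hdr)
    # IPv4 header: version 4, IHL 5, DF set, TTL 64, checksum filled in after.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, socket.IPPROTO_TCP, 0, src, dst)
    ip_csum = checksum(ip_hdr)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:]
    return ip_hdr + tcp_hdr


def parse_ipv4(pkt: bytes) -> dict:
    """Decode what an IP-based filter looks at and verify both checksums.

    A correct checksum re-summed over the region it covers (checksum field
    included) comes out as 0.
    """
    (ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _hcs,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = checksum(pkt[:ihl]) == 0
    sport, dport, _seq, _ack, off_flags, _win, _tcs, _urg = struct.unpack(
        "!HHIIHHHH", pkt[ihl:ihl + 20])
    tcp_seg = pkt[ihl:total_len]
    pseudo = src + dst + struct.pack("!BBH", 0, proto, len(tcp_seg))
    tcp_ok = checksum(pseudo + tcp_seg) == 0
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "syn": bool(off_flags & 0x02),
        "ip_checksum_ok": ip_ok, "tcp_checksum_ok": tcp_ok,
    }


def send_spoofed_syns(candidate_sources, dst_ip: str, dport: int, sport: int = 40000) -> int:
    """Send one SYN per candidate "allowed" address; returns the count sent.

    Requires root/CAP_NET_RAW. Replies go to the spoofed addresses, so this is
    blind unless you can watch traffic there (e.g. a host you own that is on
    the allowlist, or a sniffer on the path). Upstream BCP 38 filtering may
    drop the packets before they leave your network.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    sent = 0
    try:
        for src in candidate_sources:
            s.sendto(build_syn(src, dst_ip, sport, dport), (dst_ip, 0))
            sent += 1
    finally:
        s.close()
    return sent


if __name__ == "__main__":
    # Constructed sample: documentation-only address ranges, nothing is sent.
    pkt = build_syn("203.0.113.10", "198.51.100.20", 40000, 443)
    print(pkt.hex())
    print(parse_ipv4(pkt))
```

Building the packet is the easy half; the parse step is there to show what the filter on the far side actually compares (the 4-byte source field and nothing else), which is the whole reason a bare IP allowlist gives no assurance about who really sent the packet.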


