Penetration Testing mailing list archives
Restricted IP access to running services
From: "arvind doraiswamy" <arvind.doraiswamy () gmail com>
Date: Fri, 21 Nov 2008 08:56:09 +0530
Hey Guys,

I'm quite sure a lot of people here have come across a "port open BUT restricted to IPs" scenario whenever you have pen tested. This could be the case with potentially any running service - HTTP/HTTPS/FTP/SMTP relay to name a few.

My question is - what are the methods you use to enumerate the exact IP addresses that you think are allowed access? Once you do that, how do you use them?

Here are my thoughts:

--- Apart from directly asking the client which IPs he's given access to (which isn't going to be fruitful at all IMO), the only bet at finding out is to browse the web/social engineer/spider the website for contacts and social engineer your way into getting a list of clients/IP addresses (if you're lucky). What if you don't succeed here? Are there any other techniques you use? Apart from trying to get lucky with a scanner on some other exposed service and working your way backward from there to the blocked service.

Then again, what if you do succeed? Assume you enumerate, say, 3 IP addresses that are allowed to access that HTTP firewall administrative page over the Internet. How do you exploit this behavior?

--- Do you just change your IP address to that public IP address and start trying to gain access? This again is not easy - on a dialup/any other dynamic IP allocator you're going to be assigned one IP from their pool and can't change it, else you get dropped.
--- Behind a FW/Router/Proxy scenario you would have to NAT your private IP to that public IP.
--- VMWare is an option too in bridged mode.
--- Maybe Hping by spoofing source addresses and creating customized packets to access the remote "filtered" service (though this can be painful).

That's all I could think of off the top of my head. What would you do?

It's a question which has bugged me for a while now as to why just IP restrictions are not considered good enough (this isn't the main question :) )

Cheers
Arvind
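The closing question above (why an IP restriction on its own is not considered good enough) is the part of the post that lends itself to a worked example. The following Python is an added example for this archive page, not code from the original post or from any project it mentions; the allowlist ranges, the log format and the log lines are all constructed for illustration. It shows the two defensive points a reviewer would make: the source address is only a first gate and must be combined with authentication, and denials should be logged so that both probing from non-allowlisted sources and authentication failures from an allowlisted source (the case an IP-only check would have admitted) are visible.

```python
import ipaddress
from collections import Counter

# Constructed allowlist for the example (RFC 5737 documentation ranges).
# A real deployment would load these from the firewall or service config.
ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/28"),   # constructed: a client's egress block
    ipaddress.ip_network("198.51.100.7/32"),  # constructed: a single trusted host
]


def is_source_allowed(src_ip: str, allowlist=ALLOWLIST) -> bool:
    """Return True if src_ip falls inside any allowlisted network.

    A malformed address string is treated as denied rather than raising,
    so bad input can never fall through the check.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def authorize(src_ip: str, credentials_valid: bool, allowlist=ALLOWLIST) -> str:
    """Combine the network allowlist with authentication.

    The source address can be borrowed or spoofed (shared NAT egress,
    proxies, crafted packets), so passing the allowlist is never enough
    on its own: the request must also carry valid credentials.
    Returns "allow" or a deny reason suitable for an access log.
    """
    if not is_source_allowed(src_ip, allowlist):
        return "deny:source-not-allowlisted"
    if not credentials_valid:
        return "deny:authentication-failed"
    return "allow"


# Constructed access-log lines in a "<src_ip> <decision>" form, standing in
# for whatever the real service or firewall would write.
SAMPLE_LOG = """\
203.0.113.5 allow
192.0.2.10 deny:source-not-allowlisted
192.0.2.11 deny:source-not-allowlisted
192.0.2.12 deny:source-not-allowlisted
198.51.100.7 deny:authentication-failed
198.51.100.7 deny:authentication-failed
203.0.113.9 allow
"""


def denied_sources(log_text: str) -> Counter:
    """Count denials per source address.

    Many distinct denied sources in a short window is the footprint of
    someone probing the filter to learn which addresses are admitted.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].startswith("deny:"):
            counts[parts[0]] += 1
    return counts


def allowlisted_sources_failing_auth(log_text: str, allowlist=ALLOWLIST) -> list:
    """Allowlisted sources with authentication failures, in first-seen order.

    These are exactly the requests an IP-only restriction would have let
    through; repeated failures from a trusted address point at a
    compromised, shared or spoofed host and deserve a closer look.
    """
    seen = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] != "deny:authentication-failed":
            continue
        if is_source_allowed(parts[0], allowlist) and parts[0] not in seen:
            seen.append(parts[0])
    return seen


if __name__ == "__main__":
    print(authorize("203.0.113.5", credentials_valid=True))
    print(authorize("198.51.100.7", credentials_valid=False))
    print(denied_sources(SAMPLE_LOG))
    print(allowlisted_sources_failing_auth(SAMPLE_LOG))
```

The allowlist is evaluated with the standard library's `ipaddress` module so that CIDR ranges and single hosts are handled the same way, and every deny path returns a reason string rather than a bare boolean so the access log carries enough to separate probing from non-allowlisted sources from failures by a trusted one.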
Current thread:
- Restricted IP access to running services arvind doraiswamy (Nov 21)
- RE: Restricted IP access to running services Shenk, Jerry A (Nov 22)
- Re: Restricted IP access to running services natron (Nov 24)
- RE: Restricted IP access to running services Shenk, Jerry A (Nov 22)