Penetration Testing mailing list archives

Re: internal network mapping & traversal


From: Trygve Aasheim <trygve () pogostick net>
Date: Tue, 23 Sep 2008 09:02:11 +0200

Some common ways:

- who gave you the ip? The dhcp server is usually on a server network. Or the DNS servers are.
- what other servers are on that network?
- what type of services are they offering
- is your domain account (if you have one) valid here?
- are any of these services typically more than just office backend services (ntp, dns, backup, smtp etc). These servers probably have access into other networks.
- Do they use a proxy? What is the proxy address (dmz?)?
- Is there a secondary DNS server in the DHCP reply? Same IP segment as the first?
- What IPs are in the mail headers of the company? Do they give away internal IP addresses from a dmz?
- Are there any directories on the file server that indicate that it has connections to production environments? (statistics, reports etc). Then it might have access to other networks, or the reports might give away info.
- Does nslookup on servers with names like "ciscoworks", "fwmgmt", "ntp", "ns", "wpad", "backup", "files", "mail", "tivoli", "idsmgmt", "oracle", "sps", "openview", "cvs", "exchange", "notes", "domino" and so on give anything from the internal dns server?
- Do the dns names of internal servers follow some rules, guidelines or trail that you can try to follow (location+rack, star trek names or whatever)?
- If you manage to get access to a server, check routing, interfaces, host files and so on.
- All hosts revealing themselves on new segments give you hints of new networks.
- Play with the resources you have as a valid client in the network. A network is for sharing information, not hiding it - so it will all reveal itself in the end...and remember; DNS is the LAN phonebook.



Good luck,
T

lister () lihim org wrote:
What techniques have you found useful for mapping out a network from a starting position?

An internal network could use all RFC 1918 networks 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

Basically if you are dropped into an internal network (general dhcp user workstations), what
would be good starting points to discover what networks are available and the paths
through the network.

I would assume that there is a way to determine what networks you have access to and
determine which network devices you will need to bypass (i.e. all packets stop at X
network devices, which may be some type of firewall/router ACL, etc).

Getting on the network you would have DHCP and the provided information (gw, dns, etc), but
what about determining other networks used internally?  Is this just trial and error with
network probing?  Do you run multiple traceroutes against different IP addresses to find
the network gateways/firewalls?
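From the defender's side, the hostname-guessing step Trygve describes (nslookup against names like "fwmgmt" or "idsmgmt") is visible in the internal resolver's query log: one workstation resolving several infrastructure-style names in a short window is unusual for a normal client. The following is an added example, not code from the thread; it assumes a simplified BIND-style query log line format and uses constructed sample lines.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Infrastructure hostnames from the post above that an ordinary workstation has little
# reason to resolve (wpad, ntp, mail and ns are left out: normal clients query those).
WATCH = {"ciscoworks", "fwmgmt", "backup", "tivoli", "idsmgmt", "oracle", "sps",
         "openview", "cvs", "notes", "domino"}

# Simplified BIND-style query log line (format assumed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<name>[\w.-]+) IN \w+"
)

def find_hostname_sweeps(log_lines, threshold=4, window=timedelta(minutes=5)):
    """Return {client_ip: sorted watchlist names} for clients that resolved at least
    `threshold` distinct watchlist hostnames within `window` (the query is the signal)."""
    per_client = defaultdict(list)  # client -> [(timestamp, short hostname)]
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        short = m.group("name").split(".")[0].lower()
        if short in WATCH:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
            per_client[m.group("client")].append((ts, short))
    hits = {}
    for client, events in per_client.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= threshold:
                hits[client] = sorted(names)
                break
    return hits

# Constructed sample: one workstation sweeping infrastructure names, one doing normal lookups.
SAMPLE_LOG = [
    "23-Sep-2008 09:02:11.101 client 10.20.30.40#51234: query: fwmgmt.corp.example IN A",
    "23-Sep-2008 09:02:12.204 client 10.20.30.40#51235: query: idsmgmt.corp.example IN A",
    "23-Sep-2008 09:02:13.310 client 10.20.30.41#40001: query: wpad.corp.example IN A",
    "23-Sep-2008 09:02:14.415 client 10.20.30.40#51236: query: ciscoworks.corp.example IN A",
    "23-Sep-2008 09:03:20.520 client 10.20.30.40#51237: query: tivoli.corp.example IN A",
    "23-Sep-2008 09:03:21.625 client 10.20.30.41#40002: query: mail.corp.example IN MX",
    "23-Sep-2008 09:04:02.730 client 10.20.30.40#51238: query: openview.corp.example IN A",
]
if __name__ == "__main__":
    print(find_hostname_sweeps(SAMPLE_LOG))
```

Tune the watchlist to the naming scheme actually in use on your resolver, and pair it with NXDOMAIN counts per client if your log format carries response codes.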

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Top 5 Common Mistakes in Securing Web Applications
Get 45 Min Video and PPT Slides

www.cenzic.com/landing/securityfocus/hackinar
------------------------------------------------------------------------

