Penetration Testing mailing list archives

Re: internal network mapping & traversal


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 22 Sep 2008 20:47:33 -0400

On Mon, Sep 22, 2008 at 4:10 PM, <lister () lihim org> wrote:
> Getting on the network you would have DHCP and the provided information (gw, dns, etc), but
> what about determining other networks used internally?  Is this just trial and error with
> network probing?  Do you run multiple traceroutes against different IP addresses to find
> the network gateways/firewalls?

Traceroute is a good tool for finding your way to the edge, but if you
want to discover as much of the network as possible, I would start
with some more basic stuff.

1. Examine your DHCP lease for clues.  Minimally, you'll get an IP,
subnet, and gateway.  If you wind up with some small or weird subnet
mask, assume there are more like it.  Also, you probably got an
internal domain suffix and a DNS server IP address or two.  That leads
me to...

2. DNS zone xfer.  Many networks are still very soft in the middle and
either because there's too much inherent trust or because they have
to, they allow zone xfers.  These will often yield lots of great
results because you'll use DNS for almost all of the network.  So
you'll see every important server, as well as possibly workstations,
routers, and printers.  And speaking of too much inherent trust...

3. SNMP 'public' scans.  I like SolarWinds' IP Network Browser for
this job.  In some networks, this has been more than enough to start
breaking into stuff.  I love what Win2K or NetWare will give up by
default, like users, running services, routes, subnet masks, etc.
Even if you only get routers and switches, there will still be lots of
great information about allocated address space.

4. If you don't have the whole network mapped just yet, use nmap to
perform ICMP scans to try and find other hosts.  If the network seems
to be using router ACLs or other internal firewall techniques (e.g.
lots of hostnames that resolve in DNS but don't respond to ping), you
may also want to try TCP ping scanning as well.  I find that ports 25,
80, and ports used by backup software agents are good for this.


Also, on the topic of scanning internal networks, I have this idea,
but have never bothered to code it.  Maybe it already exists.  I
wanted to write a small program to take the local machine's IP
address, default gateway, and subnet mask.  Then perform a basic ICMP
scan outward by decreasing the subnet bit by one, calculating all of
the subnets with the same mask as your machine within the larger mask,
and substituting the 4th quad of the default gateway.  Then repeat the
subnet recalculation and scan again, excluding previously scanned
addresses.  It would look something like this:

IP:  10.128.0.44
mask 255.255.255.0
gw: 10.128.0.2

1st round scan (23 bits):
10.128.1.2

2nd round scan (22 bits):
10.128.2.2
10.128.3.2

3rd round scan (21 bits):
10.128.4.2
10.128.5.2
10.128.6.2
10.128.7.2

This would provide a quick and easy way to map an internal network by
making some logical guesses as to where other subnets might be.  You
could perform a full subnet sweep when a likely router address
responded, or make it auto-stop when it got a 0% reply rate, etc.
Anyway, I don't do pen-testing anymore, internal or external, so
optimized subnet discovery isn't something I'm likely to put more work
into.  But if somebody does this, or already has done it, I'd be
interested to hear about it.

PaulM
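As an added example (not code from the thread or from PaulM), here is the outward subnet walk he sketches, written in Python 3 using only the standard library. Candidate generation is separated from probing so the guessing logic can be exercised offline; the default probe shells out to the Linux iputils `ping` (the `-c`/`-W` flags are an assumption; other platforms use different switches). It generalises the "substitute the 4th quad" step to any mask by carrying the gateway's host offset within the subnet, so it also works for the small or odd masks step 1 warns about, and it implements both refinements from the post: sweeping a whole subnet when its guessed router answers, and stopping at the first round with a 0% reply rate.

```python
#!/usr/bin/env python3
"""Outward subnet discovery by widening the local mask one bit per round.

Added example implementing the idea described in the post above; not code
from the original thread.  Starting from the DHCP-supplied IP, mask and
gateway, each round drops one bit from the prefix, enumerates every subnet
of the original size inside that supernet, skips the ones already covered,
and probes the address with the same host offset as the local gateway.
"""
import ipaddress
import subprocess
from typing import Callable, Dict, Iterator, List, Optional

Probe = Callable[[str], bool]


def gateway_candidates(ip: str, mask: str, gw: str,
                       max_rounds: Optional[int] = None) -> Iterator[List[str]]:
    """Yield one list of guessed router addresses per round.

    For a /24 with gateway .2 this reproduces the post's table:
    round 1 -> 10.128.1.2, round 2 -> 10.128.2.2, 10.128.3.2, and so on.
    """
    local = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    # Host offset of the gateway inside its subnet; for a /24 this is the
    # 4th octet, for a /27 it is the position inside the 32-address block.
    offset = int(ipaddress.ip_address(gw)) - int(local.network_address)
    if not 0 < offset < local.num_addresses:
        raise ValueError("gateway is not inside the local subnet")
    prev = local  # everything inside `prev` was already scanned
    for k in range(1, local.prefixlen + 1):
        if max_rounds is not None and k > max_rounds:
            break
        wider = local.supernet(prefixlen_diff=k)
        batch = []
        for sub in wider.subnets(new_prefix=local.prefixlen):
            if sub.subnet_of(prev):
                continue  # covered by an earlier round (or the local net)
            batch.append(str(sub.network_address + offset))
        prev = wider
        yield batch  # size doubles each round; callers should stop early


def ping(host: str, timeout_s: int = 1) -> bool:
    """One ICMP echo via the OS ping binary (Linux iputils flags assumed)."""
    try:
        proc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                              timeout=timeout_s + 2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return proc.returncode == 0


def discover(ip: str, mask: str, gw: str, probe: Probe = ping,
             sweep_hit_subnets: bool = True,
             max_rounds: Optional[int] = None) -> Dict[str, object]:
    """Run the outward scan and return found routers, hosts and round count.

    A round in which no guessed router replies ends the scan (the post's
    "auto-stop at 0% reply rate").  When sweep_hit_subnets is set, every
    host in a subnet whose guessed router answered is probed as well.
    """
    local = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    routers: List[str] = []
    hosts: List[str] = []
    rounds = 0
    for batch in gateway_candidates(ip, mask, gw, max_rounds):
        rounds += 1
        hits = [cand for cand in batch if probe(cand)]
        if not hits:
            break  # nothing out there at this distance; stop widening
        routers.extend(hits)
        if sweep_hit_subnets:
            for router in hits:
                subnet = ipaddress.ip_network(f"{router}/{local.prefixlen}",
                                              strict=False)
                for host in subnet.hosts():
                    addr = str(host)
                    if addr != router and probe(addr):
                        hosts.append(addr)
    return {"routers": routers, "hosts": hosts, "rounds": rounds}


if __name__ == "__main__":
    import sys
    # Usage: subnet_walk.py <local-ip> <netmask> <default-gateway>
    found = discover(*sys.argv[1:4])
    print(f"{found['rounds']} rounds; routers {found['routers']}; "
          f"hosts {found['hosts']}")
```

The "previously scanned" exclusion is done with `subnet_of` against the previous supernet rather than a set of seen subnets, so memory stays constant even though later rounds double in size; in practice the 0% reply rate stop, or an explicit `max_rounds`, is what keeps the walk bounded on a sparsely populated /8.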
