Penetration Testing mailing list archives
Re: internal network mapping & traversal
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 22 Sep 2008 20:47:33 -0400
On Mon, Sep 22, 2008 at 4:10 PM, <lister () lihim org> wrote:
Getting on the network you would have DHCP and the provided information (gw, dns, etc), but what about determining other networks used internally? Is this just trial and error with network probing? Do you run multiple traceroutes against different IP addresses to find the network gateways/firewalls?
Traceroute is a good tool for finding your way to the edge, but if you want to discover as much of the network as possible, I would start with some more basic stuff.

1. Examine your DHCP lease for clues. Minimally, you'll get an IP, subnet, and gateway. If you wind up with some small or weird subnet mask, assume there are more like it. Also, you probably got an internal domain suffix and a DNS server IP address or two. That leads me to...

2. DNS zone xfer. Many networks are still very soft in the middle and either because there's too much inherent trust or because they have to, they allow zone xfers. These will often yield lots of great results because you'll use DNS for almost all of the network. So you'll see every important server, as well as possibly workstations, routers, and printers. And speaking of too much inherent trust...

3. SNMP 'public' scans. I like SolarWinds' IP Network Browser for this job. In some networks, this has been more than enough to start breaking into stuff. I love what Win2K or NetWare will give up by default, like users, running services, routes, subnet masks, etc. Even if you only get routers and switches, there will still be lots of great information about allocated address space.

4. If you don't have the whole network mapped just yet, use nmap to perform ICMP scans to try and find other hosts. If the network seems to be using router ACLs or other internal firewall techniques (e.g. lots of hostnames that resolve in DNS but don't respond to ping), you may also want to try TCP ping scanning as well. I find that ports 25, 80, and ports used by backup software agents are good for this.

Also, on the topic of scanning internal networks, I have this idea, but have never bothered to code it. Maybe it already exists. I wanted to write a small program to take the local machine's IP address, default gateway, and subnet mask. Then perform a basic ICMP scan outward by decreasing the subnet bit by one, calculating all of the subnets with the same mask as your machine within the larger mask, and substituting the 4th quad of the default gateway. Then repeat the subnet recalculation and scan again, excluding previously scanned addresses. It would look something like this:

IP: 10.128.0.44 mask 255.255.255.0 gw: 10.128.0.2

1st round scan (23 bits):
10.128.1.2

2nd round scan (22 bits):
10.128.2.2
10.128.3.2

3rd round scan (21 bits):
10.128.4.2
10.128.5.2
10.128.6.2
10.128.7.2

This would provide a quick and easy way to map an internal network by making some logical guesses as to where other subnets might be. You could perform a full subnet sweep when a likely router address responded, or make it auto-stop when it got a 0% reply rate, etc.

Anyway, I don't do pen-testing anymore, internal or external, so optimized subnet discovery isn't something I'm likely to put more work into. But if somebody does this, or already has done it, I'd be interested to hear about it.

PaulM
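The subnet-guessing idea above, worked through as an added example (not code from the original post). It reproduces the three rounds from the message using the standard library ipaddress module and adds the auto-stop on a round with zero replies; the probe callback is an assumption and nothing is actually sent on the wire, so a network owner can check their own address plan against a list of known gateways before deciding whether such guesses are predictable.

```python
import ipaddress


def candidate_gateways(ip, mask, gw, rounds):
    """Return [(round, prefix_bits, [candidate gateway addresses]), ...].

    Each round widens the local prefix by one bit, enumerates every
    subnet of the local size inside that supernet, skips subnets seen
    in earlier rounds, and substitutes the gateway's host offset.
    """
    local = ipaddress.ip_interface(f"{ip}/{mask}")
    local_net = local.network
    gw_addr = ipaddress.ip_address(gw)
    if gw_addr not in local_net:
        raise ValueError("gateway must be inside the local subnet")
    # Host part of the gateway, e.g. 10.128.0.2 in /24 -> offset 2.
    host_offset = int(gw_addr) - int(local_net.network_address)
    seen = {local_net}
    result = []
    for r in range(1, rounds + 1):
        bits = local_net.prefixlen - r
        if bits < 0:
            break
        supernet = local_net.supernet(new_prefix=bits)
        cands = []
        for sub in supernet.subnets(new_prefix=local_net.prefixlen):
            if sub in seen:
                continue  # already covered by an earlier, smaller round
            seen.add(sub)
            cands.append(str(sub.network_address + host_offset))
        result.append((r, bits, cands))
    return result


def sweep(ip, mask, gw, probe, max_rounds=8):
    """Run rounds until one gets a 0% reply rate, as the message suggests.

    `probe(addr) -> bool` is an assumed callback (e.g. an ICMP echo).
    Returns [(prefix_bits, candidates, responders), ...].
    """
    history = []
    for _, bits, cands in candidate_gateways(ip, mask, gw, max_rounds):
        responders = [a for a in cands if probe(a)]
        history.append((bits, cands, responders))
        if not responders:
            break
    return history


if __name__ == "__main__":
    # Constructed stand-in for a real probe: pretend two gateways answer.
    live = {"10.128.1.2", "10.128.3.2"}
    for bits, cands, hits in sweep("10.128.0.44", "255.255.255.0",
                                   "10.128.0.2", lambda a: a in live):
        print(f"/{bits}: tried {cands} -> replied {hits}")
```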