Penetration Testing mailing list archives

Re: internal network mapping & traversal


From: "Robert E. Lee" <robert () outpost24 com>
Date: Tue, 23 Sep 2008 21:42:25 +0200

On Sep 22, 2008, at 10:10 PM, lister () lihim org wrote:
I would assume that there is a way to determine what networks you have access to and determine which network devices you will need to bypass (i.e. all packets stop at X network devices, which may be some type of firewall/router ACL, etc).

Assuming you're on ethernet, I would spend a lot of time with arp to figure out what IP space is being used. Even completely firewalled devices typically will respond to arp probes.

The other nice thing about ARP is that it is sent as a broadcast, so sniffing should show you all the other ARP probes on the network. The most ARP'd IPs are likely servers or routers of interest.

Unicornscan has a -mA (arp scanning) mode that lets you go through arp probing very quickly.

You can also use the -t flag to specify ttl value ranges to probe tcp or udp services with (you'll want -E to see the ICMP TTL Expiration responses). If you look at which systems are responding with TTL expired, you can determine the route being used.

Finding rogue external gateways is trickier (dial-up modems, DSL lines, VPNs, etc). After you have discovered all of the live IP addresses for a network, you could send each responding host a TCP SYN packet spoofed from an unfiltered external IP address. When you see responses coming to your external IP address, you will have identified the gateway IPs outside of the network you're testing.

Lumeta has a decent tool for doing this sort of thing, but nothing you can't do yourself.

Robert

--
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com

SE Phone: +46-8-559-21231
US Phone: +1 801-542-9292
email: robert () outpost24 com
http://blog.robertlee.name
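Added here as an illustration of the passive ARP tallying Robert describes (the most-ARP'd IPs are usually gateways or servers), not code from the post or from Unicornscan: it parses raw Ethernet/ARP request frames and counts the most-requested target IPs. The frame builder, MAC addresses and 10.0.0.0/24 sample addresses are assumptions constructed for the demo, not captured traffic.

```python
"""Passive ARP inventory: parse Ethernet II / ARP frames and tally which IPs
are asked for most often. Sample frames below are constructed, not captured."""
import struct
from collections import Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def parse_arp(frame: bytes):
    """Return (opcode, sender_ip, target_ip) for an Ethernet/IPv4 ARP frame, else None."""
    if len(frame) < 14 + 28:          # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    arp = frame[14:42]
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None                    # only Ethernet hardware / IPv4 protocol handled
    sender_ip = ".".join(str(b) for b in arp[14:18])   # after 6-byte sender MAC
    target_ip = ".".join(str(b) for b in arp[24:28])   # after 6-byte target MAC
    return op, sender_ip, target_ip


def build_arp_request(sender_mac: bytes, sender_ip: str, target_ip: str) -> bytes:
    """Construct a broadcast 'who-has' frame; used only to build sample data (assumption)."""
    eth = b"\xff" * 6 + sender_mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST)
    arp += sender_mac + bytes(int(o) for o in sender_ip.split("."))
    arp += b"\x00" * 6 + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def most_requested(frames, top: int = 3):
    """Count ARP requests per target IP; frequent targets are likely routers/servers."""
    counts = Counter()
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[0] == ARP_REQUEST:
            counts[parsed[2]] += 1
    return counts.most_common(top)


# Constructed sample: three hosts repeatedly ask for .1 (gateway) and .10 (a server),
# one host asks once for .77 (a peer). Addresses and MACs are made up.
SAMPLE = [build_arp_request(bytes([0x00, 0x1c, 0x42, 0, 0, i]), f"10.0.0.{20 + i}", t)
          for i in range(3) for t in ("10.0.0.1", "10.0.0.1", "10.0.0.10")]
SAMPLE.append(build_arp_request(bytes([0x00, 0x1c, 0x42, 0, 0, 9]), "10.0.0.29", "10.0.0.77"))

if __name__ == "__main__":
    for ip, n in most_requested(SAMPLE):
        print(f"{ip:<15} {n} requests")
```

On a live segment you would feed frames from a raw socket or a pcap reader into `most_requested` instead of `SAMPLE`; the top entries are the hosts the rest of the network depends on.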


