Re: Mapping a network

[Kurt Buff <kurt.buff () gmail com>]

If you wish to expand your list of software for internal use, might I
suggest NetDisco? It uses CDP/LLDP to map the network, and produces a
nifty little graph, among many other things. Of course, that assumes
that you have SNMP community strings, but...

Kurt

On Sat, Sep 12, 2009 at 12:12, arvind doraiswamy
<arvind.doraiswamy () gmail com> wrote:
> Hey Guys,
> What's the best way to completely map an internal network? In 2 situations:
> a) Sitting on the Internet
> b) On the internal network
>
> Here are my thoughts after thinking a while and reading a few old
> threads on this list as well.
>
> a) From the Internet , I think its tough to map an internal network at
> all. You might be able to say identify the perimeter devices at best -
> meaning their external firewall and their border routers at best.
> Maybe a few internal IP addresses will be revealed through
> misconfigurations - but beyond that I think its tough to do anything
> more. Is this correct?
>
> b) On an internal network things get interesting though. Note that I'm
> looking at something like an internal pentest where I'm allowed to put
> a machine into the network. Here are various ways in which one can
> obtain information:
> --- Start Wireshark and just listen to traffic. You'll get plenty of
> ranges of valid IP addresses.
> --- Start something like p0f for the same purpose as above.
> --- Look for weak SNMP community strings and obtain routing information
> --- Scan for DNS servers and try a zone transfer(Yes this worked recently)
> --- Nmap's ARP scan/Ping scan/known port scan
> --- Simple ICMP pings
> --- ICMP,UDP and TCP Traceroute to get the exact paths and placement of devices
>
> What else? I read up a lot of old threads to see whether there was
> something that was already in use. I got a lot of software names of
> which some were familiar. Here is part of that list:
>
> etherape
> ntop
> cheops
> opte
> lumeta
> Visio enterprise
> friendly pinger
> ipswitch whatsup pro
> Intermapper
> networkview
>
> Now I think a lot of that is commercial and i daresay there are many
> more products which "claim" to do a lot of accurate mapping. Right now
> I'm looking just at open source though. I tried Cheops last month but
> it doesn't seem to be totally accurate .. it didn't even detect
> everything that was live on my LAN.
>
> So what's the best way forward? Is it a good idea to write code to
> brute force each and every private IP address in the entire space to
> check if it is live? I'm open to writing the code -- just thought I'd
> bounce this off the list before I got started.
>
> All inputs are welcome.
>
> Thanks
> Arvind
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
> and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------