Penetration Testing mailing list archives

Re: Mapping a network


From: "Chris Brenton" <cbrenton () chrisbrenton org>
Date: Tue, 15 Sep 2009 13:11:42 -0400 (EDT)

Greets,

a) From the Internet, I think it's tough to map an internal network at
all.

As it should be. ;-)

Couple of possibles:

Loading a firewall can usually get it to skip the NAT process
occasionally. If you can see traffic leaving the perimeter, this will
reveal internal private address info. Watch TTLs and you can usually
produce a pretty accurate map.

Loose source routing does not work with Cisco or Checkpoint, but it does
with many other vendors. Initial entry needs to be via a permitted port
(like TCP/53 on a DMZ NS and then head to internal address space). Set the
IP timestamp option if you need the replies to follow the same path back.


--- Nmap's ARP scan/Ping scan/known port scan

Don't forget Zenmap. Does a great job of organizing info. I'm a Cheops
convert myself.

Also, stick with ARP scans as much as possible. This permits you to even
tag systems running a personal firewall. Obviously you need to be on the
same layer 2 for this to work.

What else?

Broadcast data is extremely helpful. Lets you collect CDP info as well as
ID local servers.

HTH,
Chris
--
www.chrisbrenton.org
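An added example, not part of Chris's post: a small Python check a perimeter owner can run over outbound packet records captured on the firewall's outside interface, to see whether any RFC 1918 source addresses slip past NAT and, from TTL arithmetic, roughly how many hops behind the perimeter each leaked host sits (the TTL inference the post describes). The packet records are constructed, and the initial-TTL set of 64/128/255 is an assumption about common OS defaults.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 space: any of these seen as a SOURCE outside the firewall is a NAT leak.
RFC1918 = tuple(ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Assumed common initial TTLs (Linux/BSD 64, Windows 128, network gear 255).
INITIAL_TTLS = (64, 128, 255)

# Constructed sample: (source IP, observed TTL) as captured on the OUTSIDE interface.
SAMPLE_PACKETS = [
    ("203.0.113.10", 63),    # properly NATed public address, expected
    ("203.0.113.10", 126),
    ("10.1.5.20", 62),       # private source leaked past NAT (constructed)
    ("10.1.5.20", 62),
    ("10.1.9.7", 125),
    ("192.168.40.3", 61),
    ("172.16.2.9", 253),
]

def is_rfc1918(src):
    """True if the source address is in any RFC 1918 block."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in RFC1918)

def hop_distance(ttl):
    """Estimate hops traversed: distance from the nearest assumed initial TTL at or above ttl."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None

def find_nat_leaks(packets):
    """Map each leaked private source to its smallest estimated hop count."""
    seen = defaultdict(set)
    for src, ttl in packets:
        if is_rfc1918(src):
            seen[src].add(hop_distance(ttl))
    return {src: min(h for h in hops if h is not None) for src, hops in seen.items()}

def map_by_depth(leaks):
    """Group leaked hosts by estimated depth behind the perimeter (the 'map' an outsider would build)."""
    depth = defaultdict(list)
    for src, hops in leaks.items():
        depth[hops].append(src)
    return {hops: sorted(hosts) for hops, hosts in sorted(depth.items())}

if __name__ == "__main__":
    leaks = find_nat_leaks(SAMPLE_PACKETS)
    for hops, hosts in map_by_depth(leaks).items():
        print(f"{hops} hop(s) inside: {', '.join(hosts)}")
```

A non-empty result from find_nat_leaks on a real capture means the firewall is occasionally forwarding un-NATed packets and deserves a configuration review under load.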


