Penetration Testing mailing list archives
Re: OT: the detection of illegal gateways
From: Zack Payton <zpayton () gmail com>
Date: Tue, 18 May 2010 15:58:42 -0400
Sorry, I hit send too early.

Off the top I can think of several techniques that may be of use. I don't have any experience with IP Sonar so I'm of no help regarding that.

1. A simple way could be to use SNMP to poll all of your switches and look for OUI codes in the CAM tables of well known router product vendors. This technique is not wholly reliable and is easy to deceive.
2. Using differences in time stamps in the TCP headers and IP IDs it is possible to determine how many hosts are behind a firewall/router unless the firewall is really good at normalizing traffic.
3. A really good way would be to do inline reverse TCP tracerouting to trace backward through existing TCP connections to the end hosts. Unfortunately, I'm not aware of any products that do this but you could probably whip something up using libnet or scapy.

Just a couple of ideas for you.

Z

On Tue, May 18, 2010 at 3:53 PM, Zack Payton <zpayton () gmail com> wrote:
Off the top I can think of several techniques that may be of use. 1. A simple

On May 17, 2010, at 5:39 AM, J Hein <j.hein () ymail com> wrote:

hi all,

this post might be somewhat off-topic, so please accept my apologies first.

I have a somewhat difficult problem to crack - there is a large corporate network which covers several Nordic countries, and unfortunately there have been cases in the past where a device with routing capability has been plugged into the network (for creating a "faster" connection to the internet for a branch office). Because this violates corporate policies and creates "invisible" entry points to the internal network, I have been given a task to find a suitable software for finding such kind of illegal routers.

Are there any good products for detecting illegally installed boxes with a routing capability? One of my fellow consultants suggested IP Sonar (by Lumeta) for this purpose which (as he claims) has been successfully used by BT in the past. From the product description I've got an impression that IP Sonar cleverly uses traceroute for detecting routers that illegally exchange information between internal networks and the internet (so called "network leaks").

I understand that router detection is a complex issue, and in order to address this problem fully, one needs to analyze traffic that flows through all key routers and switches in the whole corporate network. Unfortunately, since the deployment of such monitoring system takes a lot of time, I'd like to begin with a relatively simple solution which attempts to locate network leaks by polling the network from few points only (like IP Sonar does, using traceroute for that purpose).

Can anyone recommend any such commercial or open source tools? (open source utilities would actually be my preference :) Also, what is your experience with IP Sonar -- is it really a good stuff?
Thanks in advance :)

--
jhein

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
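Technique 2 from the reply above (estimating how many hosts sit behind one address from IP ID sequences), as an added example that is not part of the original thread: it groups the IP IDs seen from each source into incrementing chains and reports sources that show more than one chain. The sample observations, the addresses and the `MAX_GAP`, `MAX_IDLE` and `MIN_LEN` thresholds are constructed assumptions.

```python
"""Estimate how many hosts share one source IP from IP ID sequences."""
from collections import defaultdict

MAX_GAP = 64     # assumed: largest ID jump still treated as the same counter
MAX_IDLE = 30.0  # assumed: seconds of silence after which a chain is not extended
MIN_LEN = 3      # assumed: shorter chains are treated as noise


def count_id_chains(ids_with_time):
    """ids_with_time: iterable of (timestamp, ip_id) for ONE source IP."""
    chains = []  # each chain is [last_time, last_id, length]
    for ts, ip_id in sorted(ids_with_time):
        best, best_gap = None, MAX_GAP + 1
        for chain in chains:
            gap = (ip_id - chain[1]) % 65536  # the 16-bit counter wraps
            if 0 < gap < best_gap and ts - chain[0] <= MAX_IDLE:
                best, best_gap = chain, gap
        if best is None:
            chains.append([ts, ip_id, 1])     # no counter fits: new host candidate
        else:
            best[0], best[1], best[2] = ts, ip_id, best[2] + 1
    return sum(1 for c in chains if c[2] >= MIN_LEN)


def suspected_gateways(observations, threshold=2):
    """observations: iterable of (timestamp, src_ip, ip_id) seen at one sensor."""
    per_src = defaultdict(list)
    for ts, src, ip_id in observations:
        per_src[src].append((ts, ip_id))
    counts = {src: count_id_chains(obs) for src, obs in per_src.items()}
    return {src: n for src, n in counts.items() if n >= threshold}


def constructed_sample():
    """Constructed data: one address with three interleaved counters, one with one."""
    starts = {"10.1.20.7": [100, 30000, 65530], "10.1.20.8": [4000]}
    obs = []
    for src, counters in starts.items():
        for step in range(6):
            for k, start in enumerate(counters):
                obs.append((step + k * 0.1, src, (start + step * 2) % 65536))
    return obs


if __name__ == "__main__":
    for src, hosts in suspected_gateways(constructed_sample()).items():
        print(f"{src}: about {hosts} hosts behind this address")
```

A source whose IP IDs do not increment (randomised by the host or normalised by the gateway) yields no chains here, which is the limitation the reply notes.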