RE: OT: the detection of illegal gateways

["Demetris Papapetrou" <dpapapetrou () internalaudit gov cy>]

Hi all,

You can Ping the workstations in each subnet using a spoofed source IP
address. You need to do this from within your network (from different
locations depending on your filtering rules).
The spoofed IP will be the one utilized by a second machine you control on
the Internet. The workstations will receive the spoofed packets and they
will reply by sending their packets to the Internet through their default
gateway. If their default gateway is an unauthorized routing device then its
public IP address will be captured by your Internet connected machine. 

You can assign a unique number to each packet to make it easier for you to
identify from which machine the reply originated. 

Prerequisite: The offending workstations must be switched on, they must be
reachable from your location and they must reply to the packets you send
them. 

Demetris Papapetrou
Internal Audit Officer
 
Republic of Cyprus
Internal Audit Service
Tel.: 22450386
email: dpapapetrou () internalaudit gov cy
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Lee
Sent: Saturday, May 22, 2010 5:43 PM
To: J Hein
Cc: pen-test () securityfocus com
Subject: Re: OT: the detection of illegal gateways

There's been a lot of good suggestions for finding 'illegal' routers.
The two I like the best are:
> 5) talk with purchasing dept and give them 'keywords' that they can use to
> look through purchases to see where an internet connection may have been
> purchased with a corporate credit card
>   ...
> 7) if all internet traffic is supposed to pass through an internet
firewall
> or proxy, look for "lack of traffic" from IP blocks on your WAN.  Even a
> regular windows machine sitting at rest is sending out queries to windows
> update, NTP, DNS, etc.

What I haven't seen mentioned yet is using Netflow to report on layer 2
traffic.

If you're ok with writing your own software & the customer has the
right hardware you could try modifying he cisco TCL Portscanner
(http://www.packetlevel.ch/html/cisco/ciscotcl.html) to loop thru all
addresses on the user subnet doing a
  ip route $internetWebServer 255.255.255.255 $host
  connect $internetWebServer 80
  no ip route $internetWebServer 255.255.255.255 $host
to find the 'illegal' routers.

Regards,
Lee


On 5/17/10, J Hein <j.hein () ymail com> wrote:
> hi all,
> this post might be somewhat off-topic, so please accept my apologies
first.
> I have a somewhat difficult problem to crack - there is a large corporate
> network which covers several Nordic countries, and unfortunately there
have
> been cases in the past where a device with routing capability has been
> plugged into the network (for creating a "faster" connection to the
internet
> for a branch office). Because this violates corporate policies and creates
> "invisible" entry points to the internal network, I have been given a task
> to find a suitable software for finding such kind of illegal routers.
>
> Are there any good products for detecting illegally installed boxes with a
> routing capability? One of my fellow consultants suggested IP Sonar (by
> Lumeta) for this purpose which (as he claims) has been successfully used
by
> BT in the past. From the product description I've got an impression that
IP
> Sonar cleverly uses traceroute for detecting routers that illegally
exchange
> information between internal networks and the internet (so called "network
> leaks").
>
> I understand that router detection is a complex issue, and in order to
> address this problem fully, one needs to analyze traffic that flows
through
> all key routers and switches in the whole corporate network.
Unfortunately,
> since the deployment of such monitoring system takes a lot of time, I'd
like
> to begin with a relatively simple solution which attempts to locate
network
> leaks by polling the network from few points only (like IP Sonar does,
using
> traceroute for that purpose).
>
> Can anyone recommend any such commercial or open source tools? (open
source
> utilities would actually be my preference :)  Also, what is your
experience
> with IP Sonar -- is it really a good stuff?
>
> Thanks in advance :)
> --
> jhein
>
>
>
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review
Board
> Prove to peers and potential employers without a doubt that you can
actually
> do a proper penetration test. IACRB CPT and CEPT certs require a full
> practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually
do a proper penetration test. IACRB CPT and CEPT certs require a full
practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------