Penetration Testing mailing list archives
Re: What's Next? Attack of Internal IP Disclosure
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 24 May 2011 08:05:38 -0700
> After I launched a penetration testing attack from the Internet, I could disclose the internal IP address. What would be the attack after I knew the internal IP address?

There is no attack. The server leaks a piece of low-value information that, in conjunction with other vulnerabilities, may make your life marginally easier. But usually doesn't. IP disclosure, path disclosure, server responding to ICMP pings, etc., are the canonical examples of padding in security assessment reports.

/mz