From: Yonatan Bokovza (Yonatan@xpert.com)
Date: Thu Jun 10 2004 - 18:12:58 EDT
> -----Original Message-----
> From: NetExpress [mailto:NetExpress@infogroup.it]
> Sent: Thursday, June 10, 2004 13:13
> To: pen-test@securityfocus.org
> Subject: Multiple IP on the same server howo to idenfity
>
>
> Hi, the problem is, if I am doing a penetration test from internte to
> many servers, probably there should be some IP ont the same server o
> network adapter like load balancer.
> In a report, and to avoid false positive, should be usefull
> to identify
> which IPs are on the same server, but how?
> If I should be in the internal network I am testing I'll use
> arp to find
> the MAC address of each IP and I should have solved, but from
> Internet I
> cannot use arp.
>
> From Internet I could use the banner, but this is not sure, I could
> have more then one application server on the same server with n-IP on
> application server A and m-IP on the application server B getting the
> banner should not be the right choise especialy with proxy.
>
> Any idea?
You could use the TCP Timestamp option to see the uptime of both
servers. If it is similar enough, there is a good chance it is the same
server. (unless the loadbalancer changes the Timestamp...)
See section 3.2 here:
http://www.faqs.org/rfcs/rfc1323.html
Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT