From: Rob J Meijer (rmeijer@xs4all.nl)
Date: Wed Jul 21 2004 - 03:54:47 EDT
I would suggest starting out at a lower level. You are on a directly
connected segment with routers to talk to directly; just using the
'remote' methods of testing is throwing away lots of information available
by being on the same segment as some of the routers.
With ARP, just sweep the full /8 for ARP responses, as in many cases routing
boxes will respond to the IP of one interface on another interface; in
some cases they will even respond to any routable address, and
in any case you will locate routers by 'router only vendors' by
looking at their MAC prefix.
After this you will have a probably (almost) complete list of available
routers on your segment.
Once you have the MAC addresses of the routers, you can try to communicate
with them using any of the normally available router protocols in order
to get your starting information on subnet routing.
Once you know (or have a viable hypothesis about) what subnets are
available through what routers, you can adjust your own routing table
accordingly, and you can start using the different types
of 'remote' scans available to locate systems on the subnets and try to
use traceroute to the subnets. If traceroute fails, you can try to use the
TTL of IP to at least find the hop count; although this isn't reliable
anymore for 'remote' tests, when directly connected to a simple routing
architecture the results tend to be usable.
Rob
On Tue, 20 Jul 2004, Dieter Sarrazyn wrote:
> Hi,
>
> You can find lots of the subnet structure with ping & traceroute scans
> already. First, you can use the ping functionality of nmap (nmap -sP),
> which should give you information about network and broadcast addresses.
> If you found these parts, you already know how the subnetting is done.
> With traceroute, you'll find out how these subnets are connected to
> each other.
>
> Of course, if there's a router that has snmp enabled, try to find one of
> the community strings & dump the routing table of this router...
>
> Hope this helps.
>
> regards,
> Dieter
>
> > -----Original Message-----
> > From: il.prof@virgilio.it [mailto:il.prof@virgilio.it]
> > Sent: Thursday 15 July 2004 10:17
> > To: pen-test@securityfocus.com
> > Subject: Find out the subnetting of a company
> >
> > During an internal black-box penetration test, from a subnet
> > of a company (with or without DHCP), how do you find out the
> > structure of the other subnets of network? In particular, how
> > do you determine/discover the subnetting of the IP space of a company?
> >
> > An example:
> >
> > - IP network of the company XYZ: 10.0.0.0/8 (I use a private
> > class to avoid the use of a real address space)
> > - I'm in the subnet 10.0.0.0/24
> >
> > How do you find out the structure of other subnets that are
> > part of the network 10.0.0.0/8?
> >
> > Il Prof.
> >
>
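The ARP sweep of the whole /8 that Rob recommends is also very visible to anyone watching the wire. As an added example, not part of this thread, here is detection logic in Python run over constructed ARP "who-has" records: a host that asks for many distinct addresses, mostly outside its own /24, within a short window is flagged. The record layout, the thresholds and the sample data are assumptions for this illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed ARP "who-has" requests as (t_seconds, sender_mac, sender_ip, target_ip).
SAMPLE_ARP_REQUESTS = [
    # benign host: a few lookups of neighbours on its own /24 over half a minute
    (0.0, "00:11:22:33:44:55", "10.0.0.5", "10.0.0.1"),
    (12.0, "00:11:22:33:44:55", "10.0.0.5", "10.0.0.20"),
    (30.0, "00:11:22:33:44:55", "10.0.0.5", "10.0.0.1"),
] + [
    # sweeping host: 40 requests in under 4 s for addresses in 10.0.1.0 .. 10.0.5.0
    (0.1 * i, "aa:bb:cc:dd:ee:01", "10.0.0.9", f"10.0.{i // 8 + 1}.{i % 8 + 1}")
    for i in range(40)
]


def detect_arp_sweeps(requests, local_net, window_s=10.0,
                      min_targets=20, min_offnet_ratio=0.5):
    """Return {sender_mac: summary} for every sender that, within some
    window_s-second span, asked for at least min_targets distinct addresses
    of which at least min_offnet_ratio lie outside local_net.

    Normal hosts only resolve neighbours on their own subnet (plus the
    gateway), so a burst of off-net targets is the sweep signature."""
    by_sender = defaultdict(list)
    for t, mac, _sender_ip, target_ip in sorted(requests):
        by_sender[mac].append((t, ip_address(target_ip)))

    alerts = {}
    for mac, events in by_sender.items():
        start = 0
        for end in range(len(events)):
            # slide the window so events[start:end+1] spans at most window_s
            while events[end][0] - events[start][0] > window_s:
                start += 1
            targets = {ip for _, ip in events[start:end + 1]}
            if len(targets) < min_targets:
                continue
            offnet = sum(1 for ip in targets if ip not in local_net)
            ratio = offnet / len(targets)
            if ratio >= min_offnet_ratio:
                alerts[mac] = {"distinct_targets": len(targets),
                               "offnet_ratio": round(ratio, 2)}
                break  # one alert per sender is enough
    return alerts


if __name__ == "__main__":
    print(detect_arp_sweeps(SAMPLE_ARP_REQUESTS, ip_network("10.0.0.0/24")))
```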
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:57 EDT