From: David M. Zendzian (dmz@dmzs.com)
Date: Wed Jul 21 2004 - 16:58:15 EDT
Ok, after a little searching I did find the info I mentioned the other day.
ICMP can send a host mask request. For example using sing:
sing -mask -c 1 IPADDR
Check out http://www.whitehats.ca/main/publications/external_pubs/icmp_usage/icmp_usage.html
David
-----Original Message-----
From: "Volker Tanger" <volker.tanger@detewe.de>
Date: Wed, 21 Jul 2004 09:20:31
To: pen-test@securityfocus.com
Subject: Re: Find out the subnetting of a company
Hi!
> > During an internal black-box penetration test, from a subnet
> > of a company (with or without DHCP), how do you find out the
> > structure of the other subnets of network?
Sometimes it is better/easier to take a purely passive approach.
Running ARPWATCH will tell you quite a lot about the (physically
attached) networks and devices - especially the hardware vendor IDs
(Vendor-IDs Cisco, Nortel etc. are dead giveaways for points of
interest).
Plainly running TCPDUMP and filtering for NETBIOS broadcasts will tell
you quite nicely network boundaries of networks where Microsoft systems
are active.
Bye
Volker Tanger
ITK Security
/--------------------------------------\
David M. Zendzian * dmz@dmzs.com
(415) 867-7812 - phone
-------------
Imagination is greater than knowledge * Albert Einstein
Every day is a good day, whether you like it or not! *
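
A monitoring-side view of the ICMP address mask exchange mentioned in the message above, as an added example that is not part of the original thread: it parses ICMP type 17 (address mask request) and type 18 (reply) messages as laid out in RFC 950, verifies the checksum, and reports hosts that ask for or disclose a netmask. The function names, addresses and sample packets are constructed for illustration.

```python
import socket
import struct

MASK_REQUEST, MASK_REPLY = 17, 18  # ICMP types defined in RFC 950

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_mask_msg(icmp_type: int, ident: int, seq: int, mask: int = 0) -> bytes:
    """Build a constructed sample message: type, code, checksum, id, seq, mask."""
    csum = inet_checksum(struct.pack("!BBHHHI", icmp_type, 0, 0, ident, seq, mask))
    return struct.pack("!BBHHHI", icmp_type, 0, csum, ident, seq, mask)

def classify(icmp: bytes):
    """Return a dict for a valid address mask request/reply, else None."""
    if len(icmp) < 12:
        return None
    icmp_type, _code, _csum, ident, seq, mask = struct.unpack("!BBHHHI", icmp[:12])
    # A checksum computed over a message that includes a correct checksum is 0.
    if icmp_type not in (MASK_REQUEST, MASK_REPLY) or inet_checksum(icmp) != 0:
        return None
    result = {"kind": "request" if icmp_type == MASK_REQUEST else "reply",
              "id": ident, "seq": seq}
    if icmp_type == MASK_REPLY:
        inverted = ~mask & 0xFFFFFFFF
        contiguous = (inverted & (inverted + 1)) == 0  # ones followed by zeros
        result["mask"] = socket.inet_ntoa(struct.pack("!I", mask))
        result["prefix"] = bin(mask).count("1") if contiguous else None
    return result

def alerts(packets):
    """packets: iterable of (source_ip, icmp_bytes); yield one line per finding."""
    for src, icmp in packets:
        info = classify(icmp)
        if info and info["kind"] == "request":
            yield f"{src}: address mask request (possible subnet discovery)"
        elif info:
            yield f"{src}: mask reply discloses {info['mask']} (/{info['prefix']})"

if __name__ == "__main__":
    # Constructed sample traffic using documentation addresses (RFC 5737).
    sample = [("192.0.2.10", build_mask_msg(MASK_REQUEST, 0x1234, 1)),
              ("192.0.2.1", build_mask_msg(MASK_REPLY, 0x1234, 1, 0xFFFFFF00))]
    print("\n".join(alerts(sample)))
```

Hosts that show up as mask reply senders are the ones to reconfigure or filter, since ICMP types 17 and 18 are rarely needed on a modern network.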
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT