Re: Topology discover

From: Javier Fernandez-Sanguino (jfernandez@germinus.com)
Date: Tue Oct 11 2005 - 06:28:45 EDT


RSMC wrote:

> But I think I am missing some techniques to find out what the topology
> is. I know about traceroute, firewalk and CDP, but I would like to know
> if there is a whitepaper or documentation that explains how to find out
> as much as possible about the environment I am in. Help about discovering
> VLANs is also welcomed.

Also, have you read the following thread:
http://archives.neohapsis.com/archives/sf/pentest/2005-08/0272.html

So, your basic stuff is:

- "Listen" to the network traffic, make a list of systems active on the
network, IP addresses, etc. You can map broadcasts and determine what
subnets are there. You can sometimes:
        - pinpoint the OS for some systems, since some of them might broadcast
information to the whole network, and some MAC addresses are a
"giveaway" (i.e. network devices of some vendors are easy to spot based on
their MACs)
        - determine which are servers/routers and which are clients (you will
usually "see" more ARP requests for IP addresses that belong to
servers or routers than to clients)

[ This is obviously easier if you are _not_ on a switched network; you
will end up with a lot of information in this case ]

If you feel a little bit lost here, try with this book:
http://lcamtuf.coredump.cx/silence.shtml

- Scan the network you are aware of:
        1- start with ARP pings to the systems in it, then do ICMP
        2- find where network devices (routers, switches) are and extract their
configuration through SNMP (try default communities) or query them
through their specific network protocols (i.e. CDP) or, even, through
administrative interfaces (telnet, ssh or web(s))
        3- find where servers are by scanning for common server ports. You
can actually use these scans to determine their OS, either by active
fingerprinting or passive fingerprinting.

        You should be able to gather information about more networks from here,
and then you can do 1-3 again (minus ARP pings) and again and again.

If you go through the documentation of vendors providing network
management stations with "auto-discovery" (i.e. HP Openview Network
Node Manager, Tivoli's Netview, Aprisma Spectrum or Cheops) you will
find that the "active scan" part is a common feature. It's usually not
very aggressive; you might want to be a little bit more aggressive if you are
doing an internal pen-test.

Just my few cents

Regards

Javier
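An added example, not part of Javier's post, looking at the same ARP traffic from the defender's side: the first function applies the "many distinct hosts ARP for a server or router" heuristic the post describes, and the second flags the ARP-ping sweep of step 1 as something a monitoring host on the segment can detect. The ARP request records, addresses and thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample of ARP requests seen on one segment:
# (seconds since capture start, requester MAC, requester IP, requested IP)
ARP_REQUESTS = [
    # four workstations resolving the gateway (.1) and a file server (.5)
    (1.0, "00:11:22:33:44:0b", "10.0.0.11", "10.0.0.1"),
    (2.5, "00:11:22:33:44:0c", "10.0.0.12", "10.0.0.1"),
    (3.1, "00:11:22:33:44:0d", "10.0.0.13", "10.0.0.5"),
    (4.0, "00:11:22:33:44:0e", "10.0.0.14", "10.0.0.1"),
    (6.2, "00:11:22:33:44:0b", "10.0.0.11", "10.0.0.5"),
    (7.7, "00:11:22:33:44:0c", "10.0.0.12", "10.0.0.5"),
    # one workstation resolving a peer once: normal, not a sweep
    (8.0, "00:11:22:33:44:0d", "10.0.0.13", "10.0.0.14"),
] + [
    # a single host resolving .1 through .10 within two seconds: an ARP sweep
    (20.0 + i * 0.2, "00:11:22:33:44:c8", "10.0.0.200", f"10.0.0.{i}")
    for i in range(1, 11)
]


def likely_servers(events, min_requesters=3):
    """Passive inference: IPs that many distinct hosts ARP for are probably
    servers or routers. Returns {target_ip: {requester_ip, ...}}."""
    requesters = defaultdict(set)
    for _ts, _mac, src_ip, dst_ip in events:
        requesters[dst_ip].add(src_ip)
    return {ip: s for ip, s in requesters.items() if len(s) >= min_requesters}


def detect_arp_sweeps(events, window=5.0, min_targets=8):
    """Detection: a requester that ARPs for >= min_targets distinct IPs inside
    any `window`-second sliding interval is flagged as sweeping the segment.
    Returns {requester_ip: max distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for ts, _mac, src_ip, dst_ip in events:
        by_src[src_ip].append((ts, dst_ip))
    flagged = {}
    for src, reqs in by_src.items():
        reqs.sort()
        lo = 0
        for hi in range(len(reqs)):
            while reqs[hi][0] - reqs[lo][0] > window:
                lo += 1                     # slide the window's left edge
            targets = {dst for _t, dst in reqs[lo:hi + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```

Note that the sweeping host also inflates the requester count of every address it touches, so the passive heuristic should be read over a longer baseline than the active detection.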
