Fwd: network informations brought by cdp

From: hannibal blog (hannibalsec@gmail.com)
Date: Wed Nov 09 2005 - 11:05:33 EST


---------- Forwarded message ----------
From: hannibal blog <hannibalsec@gmail.com>
Date: 9 nov. 2005 11:04
Subject: Re: network informations brought by cdp
To: Jason Mayer <slamboy@gmail.com>

here is the full "case study". I'm actually doing a blackbox pentest,
so i don't have access to routers config files to check if my
suppositions are right.

my ip 192.168.0.193
my gateway 192.168.0.1
Trying to discover network architecture from the LAN.
Using ethereal to capture trafic on a switched network, probably vlaned.
Captured several cdp packets.

AFAK, the "adresses/ip address" field contains the address of the
interface witch the cdp packet was sent through. You can map it to a
port thanks to the "Port ID" field.
Thus, for the first packet, with adresses/ip address = 192.168.0.1 and
"Port ID" = FastEthernet0/1, I concluded that the router has a
FastEthernet interface whose ip address is 192.168.0.1 and mac address
is the one in the ethernet source address field.
In this packet, IP prefixes = 26, according to cisco's doc, "each IP
prefix represents one of the directly connected IP network segments of
the local router".
In the second packet, which came from the same router (device ID field
is the same), but through a different interface, FastEthernet1/1 (ip
address field = X.Y.0.1 and different mac address), IP prefixes = 25 =
26 - 1.
Where is the 26th segment ?

I think the two interfaces belong to the same vlan.

doc link :
http://www.cisco.com/univercd/cc/td/doc/product/lan/trsrb/frames.htm#xtocid12

2005/11/9, Jason Mayer <slamboy@gmail.com>:
> CDP packets are what cisco (and others maybe?) routers send out on timed
> intervals. Say I havea router connected to 2 other routers via serial and
> also connected to a switch through ethernet. The CDP packets should only
> show the devices directly connected to the router in question. The Address
> field only puts out the IP of the devices connected to the router. Feel
> free to correct me if I'm wrong, I was just playing with a Cisco 2500 series
> router in a lab last night and this is only what we determined... it's not
> documentation of any sort.
>
> Also, I forgot the address to send to the security focus list, so I'm just
> going to send this directly to you :)
>
>
> On 11/8/05, hannibal blog < hannibalsec@gmail.com> wrote:
> >
> > hello guys
> >
> > I have captured several CDP packets on my network, and I'm looking for
> > help to fully understand and analyse their content.
> > Is there any good article on the web, that explains cdp fields and
> behavior.
> >
> > Example of questions i'm wondering : for the "adresses" field, does it
> > only put the ip adress of the interface sending the packet, or the ip
> > of a prédefined interface ?
> >
> > thx
> >
> >
> ------------------------------------------------------------------------------
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking applications on your
> > website. Up to 75% of cyber attacks are launched on shopping carts, forms,
> > login pages, dynamic content etc. Firewalls, SSL and locked-down servers
> are
> > futile against web application hacking. Check your website for
> vulnerabilities
> > to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> >
> -------------------------------------------------------------------------------
> >
> >
>
>

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:09 EDT