Re: Identifying whether 2 IPs are from the same server

From: Andrew Simmons (asimmons@messagelabs.com)
Date: Sun Nov 27 2005 - 18:13:30 EST


Hello,

BSK wrote:
> Hello,
>
> I am doing a Penetration Testing for 2 IP addresses.
> My findings till now for both the servers are exactly
> same. I strongly feel that both the IPs belong to the
> same machine. May be a scenario where two NICs are on
> the same machine with two Public IPs. I ran HPING to
> match their IP IDs but it shows different series for
> both of them.
>
> Is there any other technique that we can use to
> ascertain such a situation?
>

Steven Bellovin did a paper on counting unique hosts behind NATs a while
back, using some techniques that might be implementable manually with
hping and so on... *googles* ah, here we are:

http://www.cs.columbia.edu/~smb/papers/fnat.pdf

"A Technique for Counting NATted Hosts
Steven M. Bellovin
smb@research.att.com
AT&T Labs Research

"Abstract— There have been many attempts to measure
how many hosts are on the Internet. Many of those endpoints,
however, are NAT boxes (Network Address Translators),
and actually represent several different computers.
We describe a technique for detecting NATs and counting
the number of active hosts behind them. The technique is
based on the observation that on many operating systems,
the IP header’s ID field is a simple counter. By suitable
processing of trace data, packets emanating from individual
machines can be isolated, and the number of machines
determined. Our implementation, tested on aggregated local
trace data, demonstrates the feasibility (and limitations)
of the scheme."

I remember it well, because the massively detailed graph data choked my
printer :)

ISTR some related research appeared in the last year or two that went
further than this, but my memory's frustratingly hazy and google's not
working for me at this late hour.

This:
http://www.mit.edu/~rbeverly/papers/tcpclass-pam04.pdf
is along similar lines,.. but that's not what I'm trying to remember.

Something to do with Dan Kaminsky? Or p0f? anyone?

cheers

\a

-- 
Andrew Simmons
MessageLabs Security Dept.
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:12 EDT