From: Yonatan Bokovza (Yonatan@xpert.com)
Date: Wed Apr 30 2003 - 04:46:37 EDT
> -----Original Message-----
> From: Vel [mailto:vel@sympatico.ca]
> Sent: Monday, April 28, 2003 18:07
> To: pen-test@securityfocus.com
> Subject: internal IP address revealed by e-mail
>
>
>
> HI all,
>
> question I have is:
>
> If e-mail header reveals the internal IP address of the
> sender (10.x.x.x),
> then how can this info be used for mapping the internal network.
You can't use the 10/8 IP address to attack your target directly,
because it's not routable, as you've noticed.
You will be able to use it if (when?) you'd compromise a target
that has both real IP address and 10/8 IP address.
The 10/8 IP address can be used to get a clearer map of the
internal network (segmentation and duplication issues).
There are blind attacks that might be relevant. They are "blind"
in the sense that you [ change the packet source to the 10/8
IP address and your IP ] will not get the response.
( Think about an attack where you send ICMP ECHO_REQUEST
to the 10/8 IP address, with a spoofed source of the 10/8
network broadcast address. If no filtering equipment drops
this obviously spoofed packet, it might cause your target to send
a broadcast ECHO_REPLY. You can used ip_id matching
trickeries to see if it succeeded. )
Best Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems
---------------------------------------------------------------------------
Did you know that you have VNC running on your network?
Your hacker does.
Plug your security holes.
Download a free 15-day trial of VAM:
http://www.securityfocus.com/StillSecure-pen-test
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT