RE: Multiple IP on the same server how to identify

From: Pursifull, Mike (Mike.Pursifull@cryptek.com)
Date: Thu Jun 10 2004 - 23:37:50 EDT


From the Internet:

1) break into the box

2) look around. ifconfig (*nix) and ipconfig (windows) work well.

*grin*

Seriously, if you're looking for a lucky break you should definitely be
tracking server response below the level of most of your port/scanning
tools.

It's somewhat of a long shot, but I have often obtained just the sort of
data you're looking for by carefully tracking return responses of scans
manually or with extra technologies. Consider, for example, always running
something like icmpinfo (-vvv!) while you are probing/scanning. It is
very common when dealing with async routes, alternate routes, multiple
interfaces and nat/loadbalancer conditions to have data in an error
condition icmp packet [or other response] come back telling you more
than it should.

Ex. You send a packet to 192.168.1.1 and get an icmp port unreachable
matching your packet, but coming from another ip address (It may very
well be that your OS even matches the response to the packet but does
not point out the difference! - very common!) There are hundreds of
possibilities of different variations. Most of the time, they involve or
expose async routing for a dual homed box. The IP you are targeting,
then, is the secondary (non-default gateway interface). This might
expose a dual-firewall condition that can lead to compromise, may expose
multi-homed servers and many other situations...

There is no magic bullet, but there are lots of techniques. Beyond using
just tools, you want to suck every bit of information out of every
packet you send out (for this type of scouting). Most of the 'modern'
pen testers and so-called h4x0rs of today may not recall, may have
forgotten, or may never have learned the old lessons because today's
world is focused on mass data; you mine bulk data seeking answers... if
it's not spelled out in one article at the right level to scan text for an
answer, search google for another article with just the right level of
detail. Many older explorers spent months re-reading that same Ma Bell
tech bulletin that... err... fell off a truck over and over until the
unexplained terms and concepts formed their own picture in your mind.
Err... sorry for the nostalgia...

Just one byte can tell you what you want to know... but you will have to
catch it, and understand what it is whispering to you...

Best of luck...

-Mike

-----Original Message-----
From: Yonatan Bokovza [mailto:Yonatan@xpert.com]
Sent: Thursday, June 10, 2004 6:13 PM
To: pen-test@securityfocus.org
Subject: RE: Multiple IP on the same server how to identify

> -----Original Message-----
> From: NetExpress [mailto:NetExpress@infogroup.it]
> Sent: Thursday, June 10, 2004 13:13
> To: pen-test@securityfocus.org
> Subject: Multiple IP on the same server how to identify
>
>
> Hi, the problem is, if I am doing a penetration test from the Internet to
> many servers, probably there should be some IPs on the same server or
> network adapter, like a load balancer.
> In a report, and to avoid false positives, it should be useful to identify
> which IPs are on the same server, but how?
> If I were in the internal network I am testing I would use arp to find
> the MAC address of each IP and I would have solved it, but from the
> Internet I cannot use arp.
>
> From the Internet I could use the banner, but this is not sure: I could
> have more than one application server on the same server, with n IPs on
> application server A and m IPs on application server B, so getting the
> banner should not be the right choice, especially with a proxy.
>
> Any idea?

You could use the TCP Timestamp option to see the uptime of both
servers. If it is similar enough, there is a good chance it is the same
server. (unless the loadbalancer changes the Timestamp...)
See section 3.2 here:
http://www.faqs.org/rfcs/rfc1323.html

Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems
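The uptime correlation Yonatan describes, worked through as an added example (not code from either poster): each TSval sample is a TCP Timestamp option value read from a SYN/ACK together with the local capture time; two samples per address give the host's tick rate, from which its boot time follows, and addresses whose boot times agree within a tolerance are grouped as candidates for the same box. The addresses, tick rates and timestamps below are constructed, and the script is pure Python with no capture dependency.

```python
from dataclasses import dataclass


@dataclass
class TsSample:
    ip: str      # address the SYN/ACK came from
    t: float     # local capture time, seconds since epoch
    tsval: int   # TCP Timestamp option TSval carried by that packet (RFC 1323 3.2)


def boot_time(a: TsSample, b: TsSample) -> float:
    """Estimate boot time from two TSval samples of the same address.

    TSval is a counter that ticks at a fixed, OS-specific rate since boot.
    Two samples a known wall-clock interval apart give the rate; dividing
    the latest TSval by that rate gives seconds since boot.
    """
    if b.t <= a.t:
        raise ValueError("samples must be in capture order")
    rate = (b.tsval - a.tsval) / (b.t - a.t)  # ticks per second
    if rate <= 0:
        raise ValueError("TSval did not advance; wrapped or not a real clock")
    return b.t - b.tsval / rate


def group_by_uptime(samples, tolerance=5.0):
    """Cluster addresses whose estimated boot times lie within `tolerance` s."""
    by_ip = {}
    for s in samples:
        by_ip.setdefault(s.ip, []).append(s)
    boots = {}
    for ip, ss in by_ip.items():
        ss.sort(key=lambda s: s.t)
        boots[ip] = boot_time(ss[0], ss[-1])  # widest interval -> best rate estimate
    groups, prev = [], None
    for ip, bt in sorted(boots.items(), key=lambda kv: kv[1]):
        if prev is None or bt - prev > tolerance:  # gap too large: new host
            groups.append([])
        groups[-1].append(ip)
        prev = bt
    return groups


# Constructed capture: .10 and .11 share a 1000 Hz clock booted at t=1000000,
# .20 runs a 100 Hz clock booted at t=1050000.
SAMPLES = [
    TsSample("192.0.2.10", 1086400.0, 86_400_000),
    TsSample("192.0.2.10", 1086410.0, 86_410_000),
    TsSample("192.0.2.11", 1086401.0, 86_401_000),
    TsSample("192.0.2.11", 1086412.0, 86_412_000),
    TsSample("192.0.2.20", 1086402.0, 3_640_200),
    TsSample("192.0.2.20", 1086413.0, 3_641_300),
]

if __name__ == "__main__":
    print(group_by_uptime(SAMPLES))  # [['192.0.2.10', '192.0.2.11'], ['192.0.2.20']]
```

Besides the load balancer caveat in the reply, note that current Linux kernels randomise the TSval offset per connection, so on such hosts two addresses of one box will not agree and the check simply yields no grouping rather than a wrong one.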



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT