From: Andy Cuff (lists@securitywizardry.com)
Date: Tue Jul 20 2004 - 13:33:36 EDT
Hi
A nice tool to assist at 3AM when the braincells just can't cope with
subnetting is the FREE Solarwinds advanced subnet calculator
http://www.solarwinds.net/Tools/Free_tools/Subnet_Calc/index.htm
You still have to do some legwork for the information but it helps
-andy
Talisker Security Tools Directory
http://www.securitywizardry.com
----- Original Message -----
From: "Miles Stevenson" <miles@mstevenson.org>
To: <pen-test@securityfocus.com>
Sent: Monday, July 19, 2004 7:24 PM
Subject: Re: Find out the subnetting of a company
> Usually, the best way to map out how a chunk of address space has been
> subnetted, is by finding out which addresses are used for broadcasting. This
> is a trivial task for a tool like nmap, which will notify you when it has
> stumbled upon a broadcast address.
>
> Once you have found a broadcast address, you know that you have the "top end"
> of a subnet. From there it's a simple matter of finding the bottom end. There
> are multiple ways to go about this.
>
> One good way, is to assume that the first address on the subnet will be used
> for that network's router, which is a very common way of doing things. You can
> try tracerouting to 2 addresses beyond your broadcast address, and then see
> which hops are identified as routers. Keep in mind that you may or may not be
> allowed to use traceroute depending on any network filtering going on, and
> you may not hit a router as the first IP of a subnet (although that would be
> very rare).
>
> A more reliable method of finding the "bottom end" of the subnet, is to
> continue scanning downward through the address space until you find another
> broadcast address. By finding out where the previous network ends, you now
> know where the next network begins (the next address would be the network
> address).
>
> Just don't forget about all the modern and tricky things you can do with
> software like honeyd and vmware. What you happen to map out on paper, may not
> be actual physical devices at all, but rather one large machine running a
> complex internal vmware or honeyd setup. These are rare cases, but they do
> happen.
>
> Hope that helps.
>
>
> On Thursday 15 July 2004 04:17 am, il.prof@virgilio.it wrote:
> > During an internal black-box penetration test, from a subnet of a company
> > (with or without DHCP), how do you find out the structure of the other
> > subnets of network? In particular, how do you determine/discover the
> > subnetting of the IP space of a company?
> >
> > An example:
> >
> > - IP network of the company XYZ: 10.0.0.0/8 (I use a private class to avoid
> > the use of a real address space)
> > - I'm in the subnet 10.0.0.0/24
> >
> > How do you find out the structure of other subnets that are part of the
> > network 10.0.0.0/8?
> >
> > Il Prof.
>
> --
> Miles Stevenson
> miles@mstevenson.org
> PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
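The boundary arithmetic in Miles' quoted reply (a broadcast address marks the top of a subnet, the previous broadcast plus one marks the bottom of the next) and the "subnet calculator" legwork Andy mentions, written up as an added example for this archive page; it is not code from either poster, and the broadcast addresses it works on are constructed sample values. It also flags spans between two observed broadcasts that cannot be a single subnet, which means a boundary was missed (or, as the reply warns, the addresses are not what they seem).

```python
import ipaddress


def candidate_prefixes(broadcast):
    """Prefix lengths consistent with one observed broadcast address.

    A broadcast address has every host bit set, so its run of trailing 1
    bits bounds the host-bit count: prefix >= 32 - trailing_ones. With only
    this one data point any longer prefix down to /30 is still possible.
    Returns [] when the address ends in a 0 bit (not a broadcast at all).
    """
    value = int(ipaddress.IPv4Address(broadcast))
    trailing_ones = 0
    while trailing_ones < 32 and (value >> trailing_ones) & 1:
        trailing_ones += 1
    return list(range(32 - trailing_ones, 31))  # /30 is the smallest usable block


def infer_subnet(previous_broadcast, broadcast):
    """Derive the subnet that lies between two consecutive broadcast addresses.

    The earlier subnet ends at previous_broadcast, so the next network address
    is previous_broadcast + 1 and the span up to broadcast is its size.
    Returns an IPv4Network, or None when that span is not a power-of-two block
    aligned on its own size (a broadcast in between was missed).
    """
    net = int(ipaddress.IPv4Address(previous_broadcast)) + 1
    top = int(ipaddress.IPv4Address(broadcast))
    size = top - net + 1
    if size <= 0 or size & (size - 1) or net % size:
        return None
    prefix = 32 - (size.bit_length() - 1)
    return ipaddress.IPv4Network((net, prefix))


def map_subnets(broadcasts):
    """Turn an unordered list of observed broadcast addresses into the subnets
    between them; None marks a span the scan did not fully resolve."""
    ordered = sorted(broadcasts, key=lambda b: int(ipaddress.IPv4Address(b)))
    result = []
    for prev, cur in zip(ordered, ordered[1:]):
        net = infer_subnet(prev, cur)
        result.append(str(net) if net is not None else None)
    return result


if __name__ == "__main__":
    # Constructed sample: three broadcasts seen while walking 10.0.0.0/8.
    seen = ["10.0.3.255", "10.0.0.255", "10.0.1.255"]
    print(candidate_prefixes("10.0.3.255"))  # [22, 23, ..., 30]
    print(map_subnets(seen))                 # ['10.0.1.0/24', '10.0.2.0/23']
```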
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT