Re: Find out the subnetting of a company

From: David M. Zendzian (dmz@dmzs.com)
Date: Wed Jul 21 2004 - 16:58:15 EDT


Ok, after a little searching I did find the info I mentioned the other day.

Icmp can send a host mask request. For example using sing:
  Sing -mask -c 1 IPADDR

Check out http://www.whitehats.ca/main/publications/external_pubs/icmp_usage/icmp_usage.html

David
-----Original Message-----
From: "Volker Tanger" <volker.tanger@detewe.de>
Date: Wed, 21 Jul 2004 09:20:31
To:pen-test@securityfocus.com
Subject: Re: Find out the subnetting of a company

Hi!

> > During an internal black-box penetration test, from a subnet
> > of a company (with or without DHCP), how do you find out the
> > structure of the other subnets of network?

Sometimes it is better/easier to take a purely passive approach.

Running ARPWATCH will tell you quite a lot about the (physically
attached) networks and devices - especially the hardware vendor IDs
(Vendor-IDs Cisco, Nortel etc. are a dead giveaways for points of
interest).

Plainly tunning TCPDUMP and filtering for NETBIOS broadcasts will tell
you quite nicely network boundaries of networks where Microsoft systems
are active.

Bye

Volker Tanger
ITK Security

/--------------------------------------\
 David M. Zendzian * dmz@dmzs.com
 (415) 867-7812 - phone
  -------------
  Imagination is greater than knowledge * Albert Einstein
 Every day is a good day, whether you like it or not! *



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT