RE: Discovering network subnets

From: Payton, Zack (Zack.Payton@MWAA.com)
Date: Sat Aug 20 2005 - 18:35:27 EDT


Most likely it's not a /24 but some kind of larger network like a /23
for example.

For example:
10.0.0.0/23 ranges from 10.0.0.0 - 10.0.1.255 making 10.0.1.0 a
completely valid address.

As far as figuring out the topology map, where are you in relation to the
network?
If you're on the broadcast domain use DHCP or a sniffer to listen for
broadcast packets.
If not... See if you can query network devices using SNMP... It's pretty
trivial to figure out packet signatures for Cisco and Juniper routers
and then brute force SNMP. Using DHCP relay sometimes works. ICMP
Address mask requests if they're not behind a firewall which they don't
appear to be if X windows is exposed to the internet. If it's not a
private network just use traceroute.org's route servers.... If you're in
the same AS it may be possible to form a routing adjacency with the IGP
using FX's virtual router attack kit...

Who knows?
Z
 

-----Original Message-----
From: hannibal blog [mailto:hannibalsec@gmail.com]
Sent: Saturday, August 20, 2005 7:07 AM
To: pen-test@securityfocus.com
Subject: Discovering network subnets

hello list

I'm actually doing a blackbox audit of a network, and I'm trying to
discover network architecture.

I got this output with nmap X.X.X.0/24

interresting ports on X.X.X.0
68/tcp
723/tcp
6000/tcp

I'm not sure the network is a C class one, but I'm surprised that such
an IP address is a host IP.
What do you think?
Any idea how to guess the network addressing map?
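
Added example, not part of the original thread: the /23 arithmetic from the reply, generalised to any prefix length from /8 to /30, for checking which subnet sizes make an address ending in .0 or .255 a usable host. The function names and every sample address other than 10.0.1.0 are constructed for illustration.

```python
import ipaddress


def role(addr: str, prefix: int) -> str:
    """Classify addr inside its enclosing /prefix network."""
    ip = ipaddress.IPv4Address(addr)
    # strict=False masks off the host bits, giving the enclosing network.
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def host_prefixes(addr: str, lo: int = 8, hi: int = 30) -> list:
    """Prefix lengths in [lo, hi] for which addr is a usable host address."""
    return [p for p in range(lo, hi + 1) if role(addr, p) == "host"]


def smallest_host_subnet(addr: str, lo: int = 8, hi: int = 30):
    """Smallest enclosing network (longest prefix) in which addr is a host.

    Returns None when addr is a network or broadcast address for every
    prefix length in the range, e.g. 10.0.0.0 for /8 through /30.
    """
    prefixes = host_prefixes(addr, lo, hi)
    if not prefixes:
        return None
    return ipaddress.ip_network(f"{addr}/{max(prefixes)}", strict=False)


if __name__ == "__main__":
    # Constructed sample addresses; 10.0.1.0 is the one from the reply.
    for a in ("10.0.1.0", "10.0.0.255", "10.0.1.255", "10.0.0.0"):
        net = smallest_host_subnet(a)
        if net is None:
            print(f"{a}: never a host address between /8 and /30")
        else:
            print(f"{a}: host in {net} ({net[0]} - {net[-1]}), "
                  f"role in /24 is {role(a, 24)}")
```

A live host answering on a .0 or .255 address therefore bounds the mask from above: the subnet is at least as large as the network this returns.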




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:46 EDT