RE: Network discovery

From: David McCaskill (david@mccaskillda.com)
Date: Mon Aug 29 2005 - 19:43:50 EDT


Try ipsonar or cheops-ng

-----Original Message-----
From: Javier Fernandez-Sanguino [mailto:jfernandez@germinus.com]
Sent: Monday, August 29, 2005 5:39 AM
To: Arjun Venkatraman
Cc: pen-test@securityfocus.com
Subject: Re: Network discovery

Arjun Venkatraman wrote:

> Hi,
> Does anyone know of an efficient way to discover a complete network
> tree starting from a root node. I have a network where I want to add
> clients to intermediate servers at will, and I want the superserver
> to discover the complete tree with the hierarchy.
>
> the config i have is something like this
(...)

You are not providing many details. ¿Is this a TCP/IP network? ¿Is
this using some kind of specific application you want to discover if
it's being used in a network (i.e. have a target port for it)?

Your scheme is quite similar to a multicast application so maybe you
can customise the application to incorporate some kind of "echo" (like
ICMP does) through it.

Superserver -> sends echo to all intermediate servers registered to it
-> intermediate servers send echo to all clients connected to it ->
clients reply -> servers send replies back to superserver.

Nmap will just not catch it as it does not have any knowledge of how
to find client B if it's in a different network than superserver A.

If you are looking at a traditional TCP/IP network _and_ have an
application port (XXX) associated with the client/server/superserver
you might get around this doing a traditional network discovery test
(i.e. like network tools such as HP Openview's Network Node Manager
implement) and then extract the list elements of the network that are
'up' and feed that to a 'nmap -sT -p XXX' scan.

Network scanning such as that done with NNM, however, is not efficient
and heavily relies on the network elements "behaving properly". That is:

1.- network devices (such as routers or switches) reply to SNMP
communities and their configuration (interfaces they have, networks
connected to) can be retrieved remotely through it.

2.- hosts answer to ICMP queries and (maybe) have SNMP agents that
provide additional network information (in case of dual-homed hosts).

So if you don't have proper access to the devices a tool like that
won't do a thing and will only discover your local subnet.

Such a network test is far from efficient as it tries to discover
_all_ network systems. It might even go beyond your own network if you
don't limit it properly, so be careful if you code it yourself :-)

Regards

Javier
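
As an added illustration of the echo cascade Javier sketches (not code from the thread or from any of the posters), here is a small Python simulation in which the superserver's echo is forwarded down through the registered intermediate servers and the replies are bundled back up into a tree. The node names, the message fields and the depth limit are constructed assumptions, and "network" delivery is a direct method call so it runs offline.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """One element of the hierarchy; children are the nodes registered to it."""
    name: str
    role: str                                  # "superserver", "server" or "client"
    children: list = field(default_factory=list)

    def register(self, child):
        self.children.append(child)
        return child

    def handle_echo(self, ttl):
        # Like ICMP echo: answer for ourselves, and (if anything is registered
        # to us) forward the echo one level down and bundle the replies.
        # ttl bounds the recursion so a mis-registered loop cannot run away;
        # a cut-off branch is marked "truncated" rather than silently dropped.
        reply = {"name": self.name, "role": self.role, "children": []}
        if ttl == 0:
            reply["truncated"] = True
            return reply
        for child in self.children:
            reply["children"].append(child.handle_echo(ttl - 1))
        return reply

def discover(superserver, max_depth=8):
    """Start the cascade at the root and return the discovered tree."""
    return superserver.handle_echo(max_depth)

def flatten(tree, prefix=""):
    """Render the reply tree as one path per node (easy to diff between runs)."""
    path = f"{prefix}/{tree['name']}"
    lines = [path]
    for child in tree["children"]:
        lines.extend(flatten(child, path))
    return lines

def build_sample():
    """Constructed topology: a superserver, two intermediate servers, three clients."""
    root = Node("superA", "superserver")
    s1 = root.register(Node("srv1", "server"))
    s2 = root.register(Node("srv2", "server"))
    s1.register(Node("clientA", "client"))
    s1.register(Node("clientB", "client"))      # reachable only via srv1
    s2.register(Node("clientC", "client"))
    return root
```

Because every hop answers only for nodes registered to it, a client behind srv1 shows up in the tree even when it sits in a subnet the superserver could never reach by scanning.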



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:48 EDT