Re: Finding multi-homed, internet connected, systems as potential point-of-entry.

From: MadHat (madhat@unspecific.com)
Date: Tue Dec 06 2005 - 12:39:27 EST


http://www.unspecific.com/.go/routedetector/

It uses ICMP and may or may not work depending on how the local
network is set up. It worked well at my last job.

On Dec 5, 2005, at 7:41 AM, Bongers, Coen wrote:

> Hello,
>
> Im asked to assess the existence of so-called multi-homed systems
> on the
> network of a customer, that are able to directly connect to the
> internet
> (and thus circomventing the proxy services), in order to reduce the
> risk
> of network compromise through this 'illegal' internet-access.
>
> Any tips and/or help on how to approach this would be appriciated.
>
> The following approach is my present idea;
>
> -Send a spoofed (spoof an internet address under our control) message
> (IP/ICMP/UDP,etc) to the target(s) from the internal network.
> -Detect for the response of this message on the spoofed address at the
> internet.
> -Log some identifiing information in the initial message, that will
> end
> up on the response so that the response can be correlated with the
> internal address of the system.
>
> Questions for me now are;
>
> -What are the risks of false negatives and false positives using this
> methode?
> -What prerequisites are ther for thes methode to be succesfull?
> -Are there any other ways of identifieing these 'illegal' internet
> connections?
> -Are there any freeware/commercial tools that allready do the job?
> -If so, how good of a job are they doing?
>
>
> p.s.> there is no administrative access to the target systems, so it
> has to be a black-box-approach.
>
> Thank you.
>
>
>
>
>
> Met vriendelijke groet / with kind regards,
>
>
>
> Coen Bongers
>
> Security Consultant
>
> _________________________________________
>
>
>
>
> ______________________________________________________________________
> __
> ______________________________________________________________________
> __
> ____________________________________________________
>
> The information contained in this email and its attachments (if
> any) is
> confidential and may be legally privileged. It is intended solely for
> the use of the individual or entity to whom it is addressed and others
> authorised to receive it. If you are not the intended recipient you
> are
> hereby notified that any disclosure, copying, distribution or
> action in
> reliance of the contents of this information is strictly prohibited
> and
> may be unlawful. LogicaCMG is neither liable for the proper and
> complete
> transmission of the information contained in this email nor for any
> delay in its receipt. If received in error, please contact
> LogicaCMG on
> +31 (0)40 295 77 77 quoting the name of the sender and the
> addressee and
> then delete it from your system. LogicaCMG does not accept any
> responsibility for viruses and it is your responsibility to scan the
> email and attachments.
>
> ______________________________________________________________________
> __
> ______________________________________________________________________
> __
> ____________________________________________________
>
>
>
>
>
>
>
> This e-mail and any attachment is for authorised use by the
> intended recipient(s) only. It may contain proprietary material,
> confidential information and/or be subject to legal privilege. It
> should not be copied, disclosed to, retained or used by, any other
> party. If you are not an intended recipient then please promptly
> delete this e-mail and any attachment and all copies and inform the
> sender. Thank you.
>
> ----------------------------------------------------------------------
> --------
> Audit your website security with Acunetix Web Vulnerability Scanner:
>
> Hackers are concentrating their efforts on attacking applications
> on your
> website. Up to 75% of cyber attacks are launched on shopping carts,
> forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks before
> hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> ----------------------------------------------------------------------
> ---------
>

--
MadHat (at) Unspecific.com, C˛ISSP
E786 7B30 7534 DCC2 94D5  91DE E922 0B21 9DDC 3E98
gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:14 EDT