Re: Difficulties in Network Mapping & port scanning

From: david lodge (resident.deity@gmail.com)
Date: Tue Jan 10 2006 - 18:23:51 EST


> Many thanks to everyone who replied to my original posting. The number of
> in-depth technical papers on network scanning and enumeration are thin on
> the ground from what I can gather. After some research I managed to turn up
> a few decent papers which go beyond the usual "this is an nmap SYN scan" and

This is the usual problem with a lot of papers; they cover the basics
and then leave you to work out what you need yourself.

Another technique I've used in the past is that a lot of applications
don't always govern security at layer 7. Use the existing holes in the
firewall to map out the network beyond. I've seen a number of
applications that release information:
1. IIS likes to give out the real IP address in the HTTP headers
(though this is patchable)
2. Citrix is also particular about real IP addresses and may release
the hidden address with a bit of coaxing
3. I found one webcam manufacturer who leaves a selection of 'private
information' in the jpeg comment field; this includes real IP address
and NTP server address.
4. Debug info for program information (e.g. php, asp)
5. Mail headers - a lot of mail relays forget to rewrite the envelopes
6. Rogue DNS entries (especially the DNS admin's workstation :-)
7. Google (I always do google searches on a company I pen-test. It's
amazing how much admins post to forums and mailing lists to get help!)

Thinking outside the usual technical mechanisms can sometimes be very
successful.

dave
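As an added, defender-side example (it is not part of David's post and not code from any tool he mentions), the script below checks three of the leak sources he lists, HTTP response headers, the Received: hops of a mail message and the COM segment of a JPEG, for internal (RFC 1918, loopback, link-local) IPv4 addresses, so that an administrator can run it over their own outbound responses, outbound mail and published images. The sample HTTP response, mail headers and JPEG are constructed here; the header names and addresses in them are illustrative, not taken from any real product.

```python
import re
import struct
from email import message_from_string
from ipaddress import ip_address, ip_network

# Address ranges that should never appear in anything sent past the perimeter.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def internal_ips(text):
    """Return the internal IPv4 addresses found in text, deduplicated, in order of appearance."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if any(ip in net for net in INTERNAL_NETS) and str(ip) not in found:
            found.append(str(ip))
    return found


def check_http_headers(raw_response):
    """Flag response headers (Location, Content-Location, Via, X-* ...) carrying an internal address."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        for ip in internal_ips(value):
            findings.append((name.strip(), ip))
    return findings


def check_mail_headers(raw_message):
    """Flag Received: hops whose relay left an internal address in the trace."""
    msg = message_from_string(raw_message)
    findings = []
    for received in msg.get_all("Received", []):
        for ip in internal_ips(received):
            findings.append(("Received", ip))
    return findings


def jpeg_comments(data):
    """Walk JPEG marker segments and return the text of every COM (0xFFFE) segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    comments, pos = [], 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI or SOS: no more metadata segments
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # stand-alone markers have no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        if marker == 0xFE:
            comments.append(payload.decode("latin-1"))
        pos += 2 + length
    return comments


def check_jpeg(data):
    return [("JPEG COM", ip) for comment in jpeg_comments(data) for ip in internal_ips(comment)]


def build_jpeg_with_comment(comment):
    """Construct a minimal JPEG (SOI, one COM segment, EOI); only the marker structure matters here."""
    body = comment.encode("latin-1")
    return b"\xff\xd8" + b"\xff\xfe" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


# Constructed samples: an HTTP redirect whose Content-Location names an internal host,
# a mail message whose first hop kept the sender's workstation address, and a camera JPEG.
SAMPLE_HTTP = ("HTTP/1.1 302 Found\r\n"
               "Server: Microsoft-IIS/5.0\r\n"
               "Content-Location: http://10.1.2.3/default.htm\r\n"
               "Location: http://www.example.com/login\r\n\r\n")
SAMPLE_MAIL = ("Received: from mail.example.com (mail.example.com [203.0.113.10])\n"
               "\tby mx.example.net with ESMTP; Tue, 10 Jan 2006 18:23:51 -0500\n"
               "Received: from workstation01 (unknown [192.168.5.77])\n"
               "\tby mail.example.com with SMTP; Tue, 10 Jan 2006 18:20:02 -0500\n"
               "From: user@example.com\nTo: list@example.net\nSubject: test\n\nbody\n")
SAMPLE_JPEG = build_jpeg_with_comment("cam01 ip=172.16.0.9 ntp=172.16.0.1")


def run_checks():
    return {"http": check_http_headers(SAMPLE_HTTP),
            "mail": check_mail_headers(SAMPLE_MAIL),
            "jpeg": check_jpeg(SAMPLE_JPEG)}


if __name__ == "__main__":
    for source, findings in run_checks().items():
        for where, ip in findings:
            print(f"{source}: internal address {ip} leaked via {where}")
```

The same three functions can be pointed at captured responses from a proxy log, a mail server's outbound queue or an image directory; 203.0.113.10 in the first Received: hop is deliberately a public documentation address so the check shows it is the internal hop, not every address, that gets reported.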


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:21 EDT