RE: Find out the subnetting of a company
From: Dieter Sarrazyn (dsr_at_ascure.com)
Date: Tue, 20 Jul 2004 08:38:42 +0200 To: <email@example.com>, <firstname.lastname@example.org>
You can find lot's of the subnet structure with ping & traceroute scans
already. First, you can use the ping functionality of nmap (nmap -sP)
which should give you information about network and broadcast addresses.
If you found these parts, you already know how the subnetting is done.
With traceroute, you'll find out how these subnets are connected to
Of course, if there's a router that has snmp enabled, try to find one of
the community strings & dump the routing table of this router...
Hope this helps.
> -----Original Message-----
> From: email@example.com [mailto:firstname.lastname@example.org]
> Sent: donderdag 15 juli 2004 10:17
> To: email@example.com
> Subject: Find out the subnetting of a company
> During an internal black-box penetration test, from a subnet
> of a company (with or without DHCP), how do you find out the
> structure of the other subnets of network? In particular, how
> do you determine/discover the subnetting of the IP space of a company?
> An example:
> - IP network of the company XYZ: 10.0.0.0/8 (I use a private
> class to avoid the use of a real address space)
> - I?m in the subnet 10.0.0.0/24
> How do you find out the structure of other subnets that are
> part of the network 10.0.0.0/8?
> Il Prof.