RE: Find out the subnetting of a company

From: Dieter Sarrazyn (dsr_at_ascure.com)
Date: 07/20/04

Next message: Miles Stevenson: "Re: Find out the subnetting of a company"

Previous message: Chris Brenton: "Re: Why eEye Retina (was MBSA scanner)"
Maybe in reply to: il.prof_at_virgilio.it: "Find out the subnetting of a company"
Next in thread: Volker Tanger: "Re: Find out the subnetting of a company"
Reply: Volker Tanger: "Re: Find out the subnetting of a company"
Reply: Rob J Meijer: "RE: Find out the subnetting of a company"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 20 Jul 2004 08:38:42 +0200
To: <il.prof@virgilio.it>, <pen-test@securityfocus.com>

Hi,

You can find lot's of the subnet structure with ping & traceroute scans
already. First, you can use the ping functionality of nmap (nmap -sP)
which should give you information about network and broadcast addresses.
If you found these parts, you already know how the subnetting is done.
With traceroute, you'll find out how these subnets are connected to
eachother.

Of course, if there's a router that has snmp enabled, try to find one of
the community strings & dump the routing table of this router...

Hope this helps.

regards,
Dieter

> -----Original Message-----
> From: il.prof@virgilio.it [mailto:il.prof@virgilio.it]
> Sent: donderdag 15 juli 2004 10:17
> To: pen-test@securityfocus.com
> Subject: Find out the subnetting of a company
>
> During an internal black-box penetration test, from a subnet
> of a company (with or without DHCP), how do you find out the
> structure of the other subnets of network? In particular, how
> do you determine/discover the subnetting of the IP space of a company?
>
> An example:
>
> - IP network of the company XYZ: 10.0.0.0/8 (I use a private
> class to avoid the use of a real address space)
> - I?m in the subnet 10.0.0.0/24
>
> How do you find out the structure of other subnets that are
> part of the network 10.0.0.0/8?
>
> Il Prof.
>
>
>
>

Next message: Miles Stevenson: "Re: Find out the subnetting of a company"

Previous message: Chris Brenton: "Re: Why eEye Retina (was MBSA scanner)"
Maybe in reply to: il.prof_at_virgilio.it: "Find out the subnetting of a company"
Next in thread: Volker Tanger: "Re: Find out the subnetting of a company"
Reply: Volker Tanger: "Re: Find out the subnetting of a company"
Reply: Rob J Meijer: "RE: Find out the subnetting of a company"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Find subnet
... Actually, if icmp isn't blocked, you can use traceroute on the surrounding addresses and pretty well deduce the subnetting used. ...
(alt.2600)
Re: Find out the subnetting of a company
... you can use the ping functionality of nmap ... which should give you information about network and broadcast addresses. ... you already know how the subnetting is done. ... the community strings & dump the routing table of this router... ...
(Pen-Test)