Re: Find out the subnetting of a company

From: Miles Stevenson (miles_at_mstevenson.org)
Date: 07/19/04

    To: pen-test@securityfocus.com
    Date: Mon, 19 Jul 2004 14:24:18 -0400


    Usually, the best way to map out how a chunk of address space has been
    subnetted is by finding out which addresses are used for broadcasting. This
    is a trivial task for a tool like nmap, which will notify you when it has
    stumbled upon a broadcast address.

    Once you have found a broadcast address, you know that you have the "top end"
    of a subnet. From there it's a simple matter of finding the bottom end. There
    are multiple ways to go about this.

    One good way is to assume that the first address on the subnet will be used
    for that network's router, which is a very common way of doing things. You can
    try tracerouting to 2 addresses beyond your broadcast address, and then see
    which hops are identified as routers. Keep in mind that you may or may not be
    allowed to use traceroute depending on any network filtering going on, and
    you may not hit a router as the first IP of a subnet (although that would be
    very rare).

    A more reliable method of finding the "bottom end" of the subnet is to
    continue scanning downward through the address space until you find another
    broadcast address. By finding out where the previous network ends, you now
    know where the next network begins (the next address would be the network
    address).

    Just don't forget about all the modern and tricky things you can do with
    software like honeyd and vmware. What you happen to map out on paper, may not
    be actual physical devices at all, but rather one large machine running a
    complex internal vmware or honeyd setup. These are rare cases, but they do
    happen.

    Hope that helps.

    On Thursday 15 July 2004 04:17 am, il.prof@virgilio.it wrote:
    > During an internal black-box penetration test, from a subnet of a company
    > (with or without DHCP), how do you find out the structure of the other
    > subnets of network? In particular, how do you determine/discover the
    > subnetting of the IP space of a company?
    >
    > An example:
    >
    > - IP network of the company XYZ: 10.0.0.0/8 (I use a private class to avoid
    > the use of a real address space)
    > - I'm in the subnet 10.0.0.0/24
    >
    > How do you find out the structure of other subnets that are part of the
    > network 10.0.0.0/8?
    >
    > Il Prof.

    -- 
    Miles Stevenson
    miles@mstevenson.org
    PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
    
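As an added illustration of the arithmetic behind the method in Miles' reply (this is example code, not part of the original post), in Python using only the standard library: a broadcast address on its own fixes just the top end of a subnet and is consistent with several block sizes, while the next broadcast found below it fixes the bottom end, and the span between the two is then checked for being a single valid CIDR block. The sample addresses are constructed.

```python
import ipaddress

def candidate_subnets(broadcast, max_prefix=30):
    """Every network for which `broadcast` is the top address, smallest first.
    A broadcast address alone fixes only the top end of a subnet: any prefix
    whose host bits are all ones in this address is a valid candidate, so the
    bottom end must be found by scanning further down (or by locating the
    router at the first address).  /31 and /32 have no broadcast address,
    so the search starts at /30."""
    b = ipaddress.IPv4Address(broadcast)
    candidates = []
    for prefix in range(max_prefix, -1, -1):
        net = ipaddress.IPv4Network((int(b), prefix), strict=False)
        if net.broadcast_address != b:
            break  # once the host bits stop being all ones, no larger block fits either
        candidates.append(net)
    return candidates

def infer_subnet(lower_broadcast, upper_broadcast):
    """Infer the subnet bounded by two consecutive broadcast addresses found
    while scanning downward: the address right after the lower broadcast is
    the network address and the upper broadcast is the block's top end.
    Returns the IPv4Network, or None when the range between them is not a
    single valid CIDR block (size not a power of two, or block not aligned),
    which means one of the two addresses was misidentified or the span
    actually holds more than one subnet."""
    lo = ipaddress.IPv4Address(lower_broadcast)
    hi = ipaddress.IPv4Address(upper_broadcast)
    if hi <= lo:
        raise ValueError("upper broadcast must lie above lower broadcast")
    network_addr = lo + 1
    size = int(hi) - int(network_addr) + 1
    if size & (size - 1):
        return None  # not a power of two: cannot be one CIDR block
    prefix = 33 - size.bit_length()
    if prefix > 30:
        return None  # /31 and /32 have no broadcast address
    try:
        # strict=True raises if network_addr is not aligned to the prefix
        return ipaddress.IPv4Network((int(network_addr), prefix))
    except ValueError:
        return None

if __name__ == "__main__":
    # Constructed sample: broadcast seen at 10.0.1.255 and, scanning down, at 10.0.0.255
    for net in candidate_subnets("10.0.1.255"):
        print("could be the top of", net)
    print("subnet between them:", infer_subnet("10.0.0.255", "10.0.1.255"))
    print("misaligned span:", infer_subnet("10.0.0.127", "10.0.1.127"))
```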
