Re: Find out the subnetting of a company

From: Volker Tanger (volker.tanger_at_detewe.de)
Date: 07/21/04

  • Next message: Amal Mohammad Al Hajeri: "Website search engine is a hacking tool.."
    Date: Wed, 21 Jul 2004 09:20:31 +0200
    To: pen-test@securityfocus.com
    
    

    Hi!

    > > During an internal black-box penetration test, from a subnet
    > > of a company (with or without DHCP), how do you find out the
    > > structure of the other subnets of network?

    Sometimes it is better/easier to take a purely passive approach.

    Running ARPWATCH will tell you quite a lot about the (physically
    attached) networks and devices - especially the hardware vendor IDs
    (Vendor-IDs Cisco, Nortel etc. are dead giveaways for points of
    interest).

    Plainly running TCPDUMP and filtering for NETBIOS broadcasts will tell
    you quite nicely the network boundaries of networks where Microsoft systems
    are active.

    Bye

    Volker Tanger
    ITK Security
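
Added example, not part of the message above: a sketch of how much a NetBIOS broadcast discloses about subnet boundaries to any host on the segment, which is the reason to limit such broadcasts. It assumes `tcpdump -n 'udp port 137 or udp port 138'` text output; the sample lines are constructed and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in tcpdump -n text format (not from a real capture).
SAMPLE = """\
09:20:31.100000 IP 10.1.0.15.138 > 10.1.3.255.138: NBT UDP PACKET(138)
09:20:32.200000 IP 10.1.2.7.137 > 10.1.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:20:33.300000 IP 192.168.5.20.138 > 192.168.5.255.138: NBT UDP PACKET(138)
09:20:34.400000 IP 192.168.5.200.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:20:35.500000 IP 192.168.5.9.137 > 192.168.5.1.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
"""

# Source address and destination address of a packet sent to UDP 137/138.
LINE = re.compile(r"(\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.13[78]:")

def trailing_ones(n):
    """Number of consecutive 1 bits at the low end of a 32-bit address."""
    count = 0
    while count < 32 and n & 1:
        n >>= 1
        count += 1
    return count

def shared_bits(a, b):
    """Number of leading bits two 32-bit addresses have in common."""
    return 32 - (a ^ b).bit_length()

def prefix_bounds(lines):
    """Map each directed broadcast address to (shortest, longest) possible prefix."""
    senders = defaultdict(set)
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst = (int(ipaddress.IPv4Address(g)) for g in m.groups())
        # Heuristic (assumption): skip the limited broadcast, which carries no
        # mask information, and destinations that cannot be a broadcast address.
        if dst == 0xFFFFFFFF or trailing_ones(dst) < 2:
            continue
        senders[dst].add(src)
    result = {}
    for dst, srcs in senders.items():
        shortest = 32 - trailing_ones(dst)   # host bits of a broadcast are all ones
        longest = min(shared_bits(s, dst) for s in srcs)  # senders share the prefix
        if shortest <= longest:              # drop inconsistent (unicast) cases
            result[str(ipaddress.IPv4Address(dst))] = (shortest, longest)
    return result

if __name__ == "__main__":
    for bcast, (lo, hi) in prefix_bounds(SAMPLE.splitlines()).items():
        print(f"{bcast}: prefix length between /{lo} and /{hi}")
```

On the sample, two senders pin 10.1.3.255 to exactly /22, while the single sender seen for 192.168.5.255 leaves /23 or /24 open.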

