RE: Mapping Class A network ( any easy trick?)

From: Jeff Gercken (JeffG_at_kizan.com)
Date: 02/10/05

    Date: Wed, 9 Feb 2005 20:33:58 -0500
    To: "Henderson, Dennis K." <Dennis.Henderson@umb.com>, "Moonen, Ralph" <Moonen.Ralph@kpmg.nl>, "John Thomas" <mjohn2000_99@yahoo.com>, <pen-test@securityfocus.com>
    
    

    Some thoughts:
    * Enable netflow on the gateway router(s)
    * Switch MLS tables, router/server/gateway ARP tables.
    * Passive sniffing & accounting if you can tap the gateways.
    * Poison the DNS for something commonly used like windowsupdate.com,
    google.com, msn.com, Slashdot, etc. Relay the traffic or you'll make
    your client mad though.
    * Yeah, no broadcast pings. Some stacks will reply, most won't but
    routers typically will drop directed broadcasts anyway. You could also
    add a static route in the gateway router.
    * I remember recently a guy successfully used nmap on a class A.
    Actually, it resulted in a memory management bug patch.
    * If you truly have permission of the client a tap(s) would be your best
    bet. Pay their ISP and they may give you some accounting data (netflow,
    argus, ipfix, ntop, cflow, et al).

    -Jeff

    -----Original Message-----
    From: Henderson, Dennis K. [mailto:Dennis.Henderson@umb.com]
    Sent: Tuesday, February 08, 2005 6:28 PM
    To: Moonen, Ralph; John Thomas; pen-test@securityfocus.com
    Subject: RE: Mapping Class A network ( any easy trick?)

    If you can reach a router with SNMP you could retrieve the routing
    table. That could help sharpen your pencil. Perhaps a quick scan for
    routers with public strings and then when you find one get the routing
    table and target your pings to those networks.

    Apps like SolarWinds make this a very easy task.

    Dennis
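Added example, not from Dennis's post or any tool he names: the routing table tells you which parts of 10/8 are actually routed, so the ping sweep can be aimed at those prefixes and everything else skipped. The script below takes the text that `snmpwalk -v2c -c public <router> ipRouteDest` and `... ipRouteMask` (RFC1213-MIB; newer gear also exposes IP-FORWARD-MIB::ipCidrRouteTable) would print, pairs each destination with its mask, discards the default route and anything outside scope, collapses adjacent prefixes, and emits the nmap target list. The walk output embedded here is constructed for the example, not from a real device, and the community string `public` is the one Dennis mentions, assumed for the comment only.

```python
"""Build a ping-sweep target list from a router's RFC1213 ipRouteTable.

Input is the text form snmpwalk prints for ipRouteDest and ipRouteMask;
the table index is the destination address, so the two walks join on it.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of what `snmpwalk -v2c -c public <router> ipRouteDest`
# followed by `... ipRouteMask` might print. Not real device output.
SAMPLE_WALK = """\
RFC1213-MIB::ipRouteDest.0.0.0.0 = IpAddress: 0.0.0.0
RFC1213-MIB::ipRouteDest.10.1.0.0 = IpAddress: 10.1.0.0
RFC1213-MIB::ipRouteDest.10.2.4.0 = IpAddress: 10.2.4.0
RFC1213-MIB::ipRouteDest.10.2.5.0 = IpAddress: 10.2.5.0
RFC1213-MIB::ipRouteDest.10.7.0.1 = IpAddress: 10.7.0.1
RFC1213-MIB::ipRouteDest.127.0.0.0 = IpAddress: 127.0.0.0
RFC1213-MIB::ipRouteMask.0.0.0.0 = IpAddress: 0.0.0.0
RFC1213-MIB::ipRouteMask.10.1.0.0 = IpAddress: 255.255.0.0
RFC1213-MIB::ipRouteMask.10.2.4.0 = IpAddress: 255.255.255.0
RFC1213-MIB::ipRouteMask.10.2.5.0 = IpAddress: 255.255.255.0
RFC1213-MIB::ipRouteMask.10.7.0.1 = IpAddress: 255.255.255.255
RFC1213-MIB::ipRouteMask.127.0.0.0 = IpAddress: 255.0.0.0
"""

LINE_RE = re.compile(r"ipRoute(Dest|Mask)\.(\S+) = IpAddress: (\S+)")


def parse_routes(walk_text):
    """Return {index: {"Dest": ip, "Mask": mask}} joined on the table index."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            column, index, value = m.groups()
            rows[index][column] = value
    return rows


def target_networks(walk_text, scope):
    """Routed prefixes inside `scope`, with adjacent prefixes collapsed.

    The default route (prefix length 0) is dropped: it says nothing about
    which inside addresses exist. Host routes (/32) are kept as single targets.
    """
    scope = ipaddress.ip_network(scope)
    nets = []
    for cols in parse_routes(walk_text).values():
        if "Dest" not in cols or "Mask" not in cols:
            continue  # half a row: one of the two walks was truncated
        net = ipaddress.ip_network(f"{cols['Dest']}/{cols['Mask']}", strict=False)
        if net.prefixlen == 0:
            continue
        if net.subnet_of(scope):
            nets.append(net)
    return sorted(ipaddress.collapse_addresses(nets))


def nmap_command(nets):
    """-sn is the modern spelling of -sP; -n skips DNS, as Ralph advises."""
    return "nmap -sn -n " + " ".join(str(n) for n in nets)


def coverage(nets, scope):
    """Fraction of the scope the sweep will actually touch."""
    scope = ipaddress.ip_network(scope)
    return sum(n.num_addresses for n in nets) / scope.num_addresses


if __name__ == "__main__":
    nets = target_networks(SAMPLE_WALK, "10.0.0.0/8")
    print(nmap_command(nets))
    print(f"sweeping {coverage(nets, '10.0.0.0/8'):.2%} of the /8")
```

One router's table is only that router's view; walk every router you can reach and union the results, and treat a prefix that shows up with a next hop you cannot see as a sign there is more topology behind it.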

    -----Original Message-----
    From: Moonen, Ralph [mailto:Moonen.Ralph@kpmg.nl]
    Sent: Tuesday, February 08, 2005 2:13 PM
    To: John Thomas; pen-test@securityfocus.com
    Subject: RE: Mapping Class A network ( any easy trick?)

    Hi,

    What is the problem with 17 million pings? If you turn off DNS resolution
    it will be quite fast, even on a 10 Mbit LAN. Don't use broadcast pings:
    you don't know where the subnet boundaries are and therefore won't be
    able to know the broadcast addresses. If it really is a /8 network (i.e.
    flat, which I doubt) then you could use broadcast pings, but please note
    that:
    A: not all devices that respond to ping respond to broadcast ping
    B: you will miss replies due to the fact that many devices will answer
    simultaneously

    You might also want to manage expectations. Pentesting a full class A,
    even given low population of the network will take you months. I think
    what you really want to do is a vulnerability scan. Just that part,
    running nmap and nessus on a full class A will keep you busy for a while
    :-) Just make sure the client is aware that not all IPs on his class A
    will be hit.

    --Ralph
     

    -----Original Message-----
    From: John Thomas [mailto:mjohn2000_99@yahoo.com]
    Sent: 08 February 2005 17:42
    To: pen-test@securityfocus.com
    Subject: Mapping Class A network ( any easy trick?)

    --- Virus checked / checked for viruses ---

    I am about to do a penetration test on a "Class A network" and I am
    wondering how I can map the network without pinging 17 million IPs
    (nmap -sP 10.0.0.0/8).

    I did some research and the best information I got is from one of the
    earlier posts on this list
    (http://seclists.org/lists/pen-test/2004/Jul/0067.html). It was to use
    broadcast IPs for pings. But it may miss some subnets.

    Is that the best way to do it? If not, please advise.

    ------------------------------------------------------------------------

    Any information transmitted by means of this e-mail (and any of its
    attachments) is intended exclusively for the addressee or addressees and
    for those authorized by the addressee or addressees to read this
    message. Any use by a party other than the addressee or addressees is
    prohibited. The information contained in this e-mail (or any of its
    attachments) may be confidential in nature and fall under a duty of
    non-disclosure. KPMG shall not be liable for damages resulting from the
    use of electronic means of communication, including -but not limited to-
    damages resulting from failure or delay in delivery of electronic
    communications, interception or manipulation of electronic
    communications by third parties or by computer programs used for
    electronic communications and transmission of viruses and other
    malicious code.

    ------------------------------------------------------------------------

