TR: Mapping Class A network ( any easy trick?)

From: Bénoni MARTIN (Benoni.MARTIN_at_libertis.ga)
Date: 02/18/05

  • Next message: chris_at_compucounts.com: "Bypassing NTFS ACL" 
    Date: Fri, 18 Feb 2005 13:02:34 +0100
To: "Tim" <tim-pentest@sentinelchicken.org>, "Moonen, Ralph" <Moonen.Ralph@kpmg.nl>

    I worked in a finantial institution where I had around 65 000 000 of potential IP adresses. I mean "potential" IP adresses: many of them where empty, others with just a couple of machines, and very few had all the IP adresses given to physical machines.

    To scan this (there wer actually just classes C), it took me 5 days & nights for covering all the IP adresses, and we were just nmaping (simple nmap -sS) all of these IP adresses.

    Just notice that this tuming depends a lot on the traffic on your subnets: the more traffic there is, the slower will be your scans ... ;)

    -----Message d'origine-----
    De : Tim [mailto:tim-pentest@sentinelchicken.org]
    Envoyé : jeudi 10 février 2005 03:38
    À : Moonen, Ralph
    Cc : pen-test@securityfocus.com
    Objet : Re: Mapping Class A network ( any easy trick?)

    > Apart from the timing issues (I agree totally) I still think that you
    > cannot call nmap+nbtstat or nmap+nessus or whatever combinatioin
    > 'penetration testing'. To me that is Vulnerability Analysis. VA on a
    > class A is tricky enough. Pentesting (ie attempted exploitation of all
    > discovered vulenrabilities) on a full class A is extremely difficult.
    > Impossible for 1 man and his laptop, given average population of
    > networks.

    Of course not. I was merely trying to provide some information on what it takes to actually scan that many IPs. Our scan only consisted of OS fingerprinting, about 20 TCP and 20 UDP ports scanned, and a quick nbtscan query. This would be enough information to map a network where one truly doesn't know what is out there, but by no means is it a "penetration test". Just the first step (in some situations).

    tim

  • Next message: chris_at_compucounts.com: "Bypassing NTFS ACL"

    Relevant Pages

    • Re: Anonymizing Packets yet ensuring 0 % packet loss
      ... exercise of mine is to by pass the security systems in place & prove ... you need anything that needs a reply from the network, ... We do not want the administration to say that " we could have stopped ... enumerate the services, administration subnets, department subnets, ...
      (Pen-Test)
    • Re: Anonymizing Packets yet ensuring 0 % packet loss
      ... exercise of mine is to by pass the security systems in place & prove ... you need anything that needs a reply from the network, ... We do not want the administration to say that " we could have stopped ... enumerate the services, administration subnets, department subnets, ...
      (Security-Basics)
    • Re: Multi NIC Windows 2003 routing problem
      ... You cannot use two IP#s from different subnets on the same NIC unless it is ... > All network traffic destined for the 192.168.20.x and 192.168.90.x should ... (still does, but that server has to go, for obvious reasons). ... >> Microsoft Windows XP - Multihoming Considerations ...
      (microsoft.public.win2000.networking)
    • Re: Anonymizing Packets yet ensuring 0 % packet loss
      ... exercise of mine is to by pass the security systems in place & prove ... you need anything that needs a reply from the network, ... We do not want the administration to say that " we could have stopped ... enumerate the services, administration subnets, department subnets, ...
      (Pen-Test)
    • Re: Anonymizing Packets yet ensuring 0 % packet loss
      ... exercise of mine is to by pass the security systems in place & prove ... you need anything that needs a reply from the network, ... We do not want the administration to say that " we could have stopped ... enumerate the services, administration subnets, department subnets, ...
      (Security-Basics)