Re: RE: Discovering network subnets

chad_at_mr-lew.com
Date: 08/23/05

    Date: Mon, 22 Aug 2005 19:44:57 -0400
    To: pen-test@securityfocus.com
    
    

    Let's try to clear this up a bit...

    If you have a network mask of 255.255.255.0 (24 bits), then
    the .0 address is your Network ID and can NOT be used as a
    host address. The .255 address will be your broadcast
    address and also cannot be used as a host address. This
    makes .1 through .254 the valid host addresses.

    192.168.1.0/24 - Network ID (All Host bits are 0)
    192.168.1.1-254 - Host Addresses
    192.168.1.255 - Broadcast Address (All Host bits are 1)

    You may see some responses from a Cisco router. It is not
    actually a host address, but it may respond to some of the
    ICMP probes. I am sure some other systems performing routing
    functions may do the same in some circumstances, but in my
    experience they do not answer with SYN/ACK or RST/ACK for
    port scans.

    Now if you have a network mask of 255.255.254.0 (23 bits) or
    anything less than 24 bits for that matter, a .0 can and IS
    a valid host address.

    In the example of 10.0.0.0/23 the Network ID would be the
    first 23 bits, making it 10.0.0.0. The first available host
    would have the 32nd bit turned on, making it 10.0.0.1. The
    last available host would have bits 24 through 31 turned on,
    with the 32nd bit turned off, making it 10.0.1.254. This
    would include 10.0.1.0 as a VALID host address.

    Where the confusion comes from is crossing the bit boundary.
    You need to look at it in binary to see how it is just the
    next host when going from 10.0.0.255 to 10.0.1.0. Hopefully
    this diagram can help (and won't get butchered in
    delivery) ;)

    10.0. 128  64  32  16   8   4   2 |   1 . 128  64  32  16   8   4   2   1
    -------------------------------------------------------------------------
                NETWORK PORTION       | HOST PORTION
    --.-.   0   0   0   0   0   0   0 |   0 .   0   0   0   0   0   0   0   0   Network ID
    --.-.   0   0   0   0   0   0   0 |   0 .   0   0   0   0   0   0   0   1   1st Available Host
    --.-.   0   0   0   0   0   0   0 |   0 .   1   1   1   1   1   1   1   1   Valid Host
    --.-.   0   0   0   0   0   0   0 |   1 .   0   0   0   0   0   0   0   0   Valid Host
    --.-.   0   0   0   0   0   0   0 |   1 .   1   1   1   1   1   1   1   0   Last Available Host
    --.-.   0   0   0   0   0   0   0 |   1 .   1   1   1   1   1   1   1   1   Broadcast Address

    Also, classful addressing was not done away with by CIDR.
    CIDR granted us the ability to better use and
    identify/aggregate our networks. Classful addressing is
    still used today in numerous places (RIPv1 for example), but
    when possible classful addressing is normally preferred.

    It was pointed out that RFC 3021 outlines the specific use
    of a 31 bit mask, which would break this model if used. It
    must be pointed out that the RFC outlines this use on point-
    to-point links only. Considering that the system
    was "reported" as having ports 68/tcp, 723/tcp and 6000/tcp
    open, I would be inclined to rule against it being on a
    point-to-point link.

    68/tcp - ??? Could this be some TCP based BOOTP server...
    723/tcp - OpenMosix File System (curious)
    6000/tcp - Probably X Windows

    I would try to gather some more O/S fingerprinting
    information by generating more ICMP and TCP responses
    (SYN/ACK and RST/ACK) with hping2 and then gather the
    responses with a sniffer to try and use p0f to get a better
    picture.

    I would be curious to hear what the final findings are...
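
    [Editor's note: the subnet arithmetic from the post above, as an
    added example that is not part of the original message. It uses
    Python's standard ipaddress module; the function names subnet_facts,
    is_valid_host, bit_view and next_address and the sample prefixes are
    my own. It covers the /24 and /23 cases discussed, the host-bit
    boundary crossing from 10.0.0.255 to 10.0.1.0, and also the RFC 3021
    /31 case, which the post mentions but does not work through.]

```python
import ipaddress

# Added example, not from the original thread: subnet boundary arithmetic
# with the standard library. Function names and sample prefixes are my own.


def subnet_facts(cidr: str) -> dict:
    """Network ID, usable host range and broadcast for an IPv4 prefix.

    For /30 and shorter this is the rule from the post: all-zero host bits
    is the network ID, all-one host bits is the broadcast, everything in
    between is a host. /31 (RFC 3021) and /32 are handled as special cases.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        host = str(net.network_address)
        return {"network": host, "first_host": host, "last_host": host,
                "broadcast": None, "usable": 1}
    if net.prefixlen == 31:
        # RFC 3021 point-to-point link: both addresses are hosts and
        # there is no broadcast address.
        return {"network": str(net.network_address),
                "first_host": str(net.network_address),
                "last_host": str(net.broadcast_address),
                "broadcast": None, "usable": 2}
    return {"network": str(net.network_address),
            "first_host": str(net.network_address + 1),
            "last_host": str(net.broadcast_address - 1),
            "broadcast": str(net.broadcast_address),
            "usable": net.num_addresses - 2}


def is_valid_host(addr: str, cidr: str) -> bool:
    """True if addr is a usable host address inside cidr."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(cidr, strict=False)
    if ip not in net:
        return False
    if net.prefixlen >= 31:
        return True
    # Only the all-zero and all-one host-bit patterns are excluded; a
    # trailing .0 or .255 inside a /23 is just another host.
    return ip not in (net.network_address, net.broadcast_address)


def bit_view(addr: str, prefixlen: int) -> str:
    """32-bit binary form of addr with '|' at the network/host boundary."""
    bits = format(int(ipaddress.ip_address(addr)), "032b")
    return bits[:prefixlen] + "|" + bits[prefixlen:]


def next_address(addr: str) -> str:
    """The numerically next IPv4 address, e.g. 10.0.0.255 -> 10.0.1.0."""
    return str(ipaddress.ip_address(addr) + 1)


if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "10.0.0.0/23", "10.0.0.0/31"):
        print(cidr, subnet_facts(cidr))
    # The boundary crossing from the post: .255 -> .0 inside a /23 is just
    # the next host, and .0 is valid because its host bits are not all zero.
    for a in ("10.0.0.255", "10.0.1.0"):
        print(a, bit_view(a, 23), is_valid_host(a, "10.0.0.0/23"))
    print(is_valid_host("192.168.1.0", "192.168.1.0/24"))   # network ID
```

    When a scanner shows a .0 or .255 address answering, run it through
    is_valid_host with the mask you actually believe is in use before
    deciding it is a router artifact; the answer flips depending on
    whether the prefix is /24 or /23.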

