RE: network informations brought by cdp

From: Josh Perrymon (perrymonj_at_networkarmor.com)
Date: 11/10/05

    Date: Thu, 10 Nov 2005 07:47:17 -0600
    To: "hannibal blog" <hannibalsec@gmail.com>, <pen-test@securityfocus.com>
    
    

    Why don't you just flood the arp table and turn it into a hub? Then you can sniff all you want?
     
    Or MITM attack on the gateway. What about SNMP? I'm sure it is not turned off on the inside----
     
     
    You'll Own them,
     
    JP

            -----Original Message-----
            From: hannibal blog [mailto:hannibalsec@gmail.com]
            Sent: Wed 11/9/2005 10:05 AM
            To: pen-test@securityfocus.com
            Cc:
            Subject: Fwd: network informations brought by cdp
            
            

            ---------- Forwarded message ----------
            From: hannibal blog <hannibalsec@gmail.com>
            Date: 9 nov. 2005 11:04
            Subject: Re: network informations brought by cdp
            To: Jason Mayer <slamboy@gmail.com>
            
            
            Here is the full "case study". I'm actually doing a blackbox pentest,
            so I don't have access to routers config files to check if my
            suppositions are right.
            
            my ip 192.168.0.193
            my gateway 192.168.0.1
            Trying to discover network architecture from the LAN.
            Using ethereal to capture traffic on a switched network, probably vlaned.
            Captured several cdp packets.
            
            AFAIK, the "addresses/ip address" field contains the address of the
            interface which the cdp packet was sent through. You can map it to a
            port thanks to the "Port ID" field.
            Thus, for the first packet, with addresses/ip address = 192.168.0.1 and
            "Port ID" = FastEthernet0/1, I concluded that the router has a
            FastEthernet interface whose ip address is 192.168.0.1 and mac address
            is the one in the ethernet source address field.
            In this packet, IP prefixes = 26, according to Cisco's doc, "each IP
            prefix represents one of the directly connected IP network segments of
            the local router".
            In the second packet, which came from the same router (device ID field
            is the same), but through a different interface, FastEthernet1/1 (ip
            address field = X.Y.0.1 and different mac address), IP prefixes = 25 =
            26 - 1.
            Where is the 26th segment ?
            
            I think the two interfaces belong to the same vlan.
            
            doc link :
            http://www.cisco.com/univercd/cc/td/doc/product/lan/trsrb/frames.htm#xtocid12
            
            
            
            2005/11/9, Jason Mayer <slamboy@gmail.com>:
    > CDP packets are what cisco (and others maybe?) routers send out on timed
    > intervals. Say I have a router connected to 2 other routers via serial and
    > also connected to a switch through ethernet. The CDP packets should only
    > show the devices directly connected to the router in question. The Address
    > field only puts out the IP of the devices connected to the router. Feel
    > free to correct me if I'm wrong, I was just playing with a Cisco 2500 series
    > router in a lab last night and this is only what we determined... it's not
    > documentation of any sort.
    >
    > Also, I forgot the address to send to the security focus list, so I'm just
    > going to send this directly to you :)
    >
    >
    > On 11/8/05, hannibal blog < hannibalsec@gmail.com> wrote:
    > >
    > > hello guys
    > >
    > > I have captured several CDP packets on my network, and I'm looking for
    > > help to fully understand and analyse their content.
    > > Is there any good article on the web that explains cdp fields and
    > behavior?
    > >
    > > Example of questions I'm wondering: for the "addresses" field, does it
    > > only put the ip address of the interface sending the packet, or the ip
    > > of a predefined interface?
    > >
    > > thx
    > >
    > >
    > >
    > >
    >
    >
            
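Added example, not part of the original thread: a minimal parser for the CDP TLVs discussed above (Device ID, Addresses, Port ID, IP Prefix), useful for auditing what a CDP frame seen on an access port discloses. Input is the CDP payload that follows the LLC/SNAP header; the sample frame is constructed, reusing 192.168.0.1 and FastEthernet0/1 from the post, while the device name and the two prefixes are invented.

```python
import ipaddress
import struct

DEVICE_ID, ADDRESSES, PORT_ID, IP_PREFIX = 0x0001, 0x0002, 0x0003, 0x0007  # CDP TLV types

def parse_addresses(value):
    """Addresses TLV: 4-byte count, then proto type/len/proto, addr len, addr."""
    (count,) = struct.unpack_from("!I", value, 0)
    off, found = 4, []
    for _ in range(count):
        ptype, plen = struct.unpack_from("!BB", value, off)
        proto = value[off + 2:off + 2 + plen]
        (alen,) = struct.unpack_from("!H", value, off + 2 + plen)
        addr = value[off + 4 + plen:off + 4 + plen + alen]
        if len(addr) != alen:
            raise ValueError("truncated address entry")
        if ptype == 1 and proto == b"\xcc" and alen == 4:  # NLPID 0xCC = IPv4
            found.append(str(ipaddress.IPv4Address(addr)))
        off += 4 + plen + alen
    return found

def parse_cdp(payload):
    """Parse a CDP payload (bytes after LLC/SNAP); the checksum is not verified."""
    version, ttl, _checksum = struct.unpack_from("!BBH", payload, 0)
    info = {"version": version, "ttl": ttl, "addresses": [], "prefixes": []}
    off = 4
    while off + 4 <= len(payload):
        tlv_type, tlv_len = struct.unpack_from("!HH", payload, off)
        if tlv_len < 4 or off + tlv_len > len(payload):  # length includes the header
            raise ValueError("malformed TLV at offset %d" % off)
        value = payload[off + 4:off + tlv_len]
        if tlv_type in (DEVICE_ID, PORT_ID):
            key = "device_id" if tlv_type == DEVICE_ID else "port_id"
            info[key] = value.decode("ascii", "replace")
        elif tlv_type == ADDRESSES:
            info["addresses"] = parse_addresses(value)
        elif tlv_type == IP_PREFIX:  # 5-byte entries: network + mask length
            info["prefixes"] = [f"{ipaddress.IPv4Address(value[i:i + 4])}/{value[i + 4]}"
                                for i in range(0, len(value) - 4, 5)]
        off += tlv_len
    return info

def tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, len(value) + 4) + value

# Constructed sample: CDPv2, TTL 180, zeroed checksum, one IPv4 address entry.
ADDR = struct.pack("!IBBBH", 1, 1, 1, 0xCC, 4) + bytes([192, 168, 0, 1])
SAMPLE = (bytes([2, 180, 0, 0]) + tlv(DEVICE_ID, b"router-a.example")
          + tlv(ADDRESSES, ADDR) + tlv(PORT_ID, b"FastEthernet0/1")
          + tlv(IP_PREFIX, bytes([192, 168, 0, 0, 24, 10, 0, 0, 0, 8])))
```

Calling `parse_cdp(SAMPLE)` returns the device name, the sending interface's address and port, and the advertised prefixes. On Cisco IOS, `no cdp enable` on user-facing interfaces stops these frames from reaching hosts.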
            
            
            

