Re: Difficulties in Network Mapping & port scanning



> Many thanks to everyone who replied to my original posting. The number of
> in-depth technical papers on network scanning and enumeration are thin on
> the ground from what I can gather. After some research I managed to turn up
> a few decent papers which go beyond the usual "this is an nmap SYN scan" and

This is the usual problem with a lot of papers; they cover the basics
and then leave you to work out what you need yourself.

Another technique I've used in the past is that a lot of applications
don't always govern security at layer 7. Use the existing holes in the
firewall to map out the network beyond. I've seen a number of
applications that release information:
1. IIS likes to give out the real IP address in the HTTP headers
(though this is patchable)
2. Citrix is also particular about real IP addresses and may release
the hidden address with a bit of coaxing
3. I found one webcam manufacturer who leaves a selection of 'private
information' in the jpeg comment field; this includes real IP address
and NTP server address.
4. Debug info for program information (e.g. php, asp)
5. Mail headers - a lot of mail relays forget to rewrite the envelopes
6. Rogue DNS entries (especially the DNS admin's workstation :-)
7. Google (I always do google searches on a company I pen-test. It's
amazing how much admins post to forums and mailing lists to get help!)

Thinking outside the usual technical mechanisms can sometimes be very
successful.

dave
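As an added example (not part of dave's post), a small Python audit a defender can run over their own server output to catch the disclosures listed above: internal addresses in HTTP response headers (the IIS redirect case), in mail Received: lines that a relay failed to rewrite, and in JPEG comment (COM) segments. All sample inputs below are constructed, not captured from real hosts.

```python
import re
import struct
from ipaddress import ip_address

# Dotted-quad candidates; ip_address() below rejects out-of-range octets.
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed samples (not real hosts): an IIS-style redirect carrying an
# internal address, a Received: line that was never rewritten, and a JPEG
# whose COM segment names the camera's own address and its NTP server.
SAMPLE_HTTP = ("HTTP/1.1 302 Object Moved\r\nServer: Microsoft-IIS/5.0\r\n"
               "Location: http://10.1.2.3/default.aspx\r\n")
SAMPLE_MAIL = ("Received: from relay (relay.corp.internal [192.168.5.20])\n"
               "\tby mx.example.com (Postfix) with ESMTP; sender 172.32.0.1\n")
_COMMENT = b"cam 172.16.0.9 ntp 172.16.0.1"
SAMPLE_JPEG = (b"\xff\xd8\xff\xfe" + struct.pack(">H", len(_COMMENT) + 2)
               + _COMMENT + b"\xff\xda\x00\x02")

def private_ips(text):
    """Distinct RFC 1918, loopback and link-local addresses found in text."""
    found = []
    for cand in _IP_RE.findall(text):
        try:
            ip = ip_address(cand)
        except ValueError:          # e.g. 300.1.1.1 is not an address
            continue
        if (ip.is_private or ip.is_loopback or ip.is_link_local) and cand not in found:
            found.append(cand)
    return found

def jpeg_comments(data):
    """Text of every COM (0xFFFE) segment before the scan data of a JPEG."""
    out, pos = [], 2                # skip SOI marker (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xDA:          # SOS: header segments end here
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xFE:
            out.append(data[pos + 4:pos + 2 + length].decode("latin-1", "replace"))
        pos += 2 + length
    return out

def audit(http_headers, mail_headers, jpeg_bytes):
    """Map each artifact type to the internal addresses it discloses."""
    return {"http": private_ips(http_headers),
            "mail": private_ips(mail_headers),
            "jpeg": private_ips("\n".join(jpeg_comments(jpeg_bytes)))}
```

Note that 172.32.0.1 in the mail sample is correctly left alone: 172.16.0.0/12 ends at 172.31.255.255.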
