Re: OT: the detection of illegal gateways



Jhein,

You could examine the TTL of packets returned in a traceroute map of your network. Essentially you do a traceroute to a computer inside the remote office you're auditing, then do a ping to every hop returned in the traceroute and examine the TTL. If you find the TTL off by one then there is a transparent network device in between the nodes on your traceroute. This works because every device that touches but does not consume a packet must reduce the TTL by one. I'm a bit up on meds at the moment so here's an example of what I mean:

1) traceroute to a computer deep within remote office A.
2) ping to every node returned from step 1. Say you ping hops 7A and 8A.
3) Examine the TTL of each packet. If the TTL of 7A is 45 and the TTL of 8A is 43, then there is a network device between 7A and 8A that's not showing up on pings.

The nice thing about this is it can easily be scripted, if a scan like this doesn't already exist. I suggest checking if the script exists in the NMAP scripts, if the script isn't there then NMAP will have all the tools you need.

-----------------------------------------------------------------
Adam Mooz
Adam.Mooz@xxxxxxxxx
http://www.AdamMooz.com
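The three steps above, worked through as an added example (this is not Adam's code and not an existing Nmap script): it takes a traceroute hop list plus the ping reply line for each hop, parses the TTL out of the reply, and flags any pair of consecutive hops whose replies differ by more decrements than their hop distance. Two assumptions are built in: the responder's initial TTL is taken to be the nearest of 32/64/128/255 above the observed value (so a Linux hop answering with 57 and a Windows hop answering with 119 can still be compared), and the comparison measures the return path, so a negative gap is reported too, since asymmetric routing can look like a missing or extra device. The traceroute and ping output below is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed set of common initial TTLs: 64 (Linux/BSD), 128 (Windows), 255 (IOS and
# most network gear); 32 appears on some old stacks. Replies start from one of these.
INITIAL_TTLS = (32, 64, 128, 255)

PING_TTL_RE = re.compile(r"\bttl=(\d+)\b", re.IGNORECASE)


@dataclass
class Hop:
    index: int                 # traceroute hop number, 1-based
    address: Optional[str]     # None when traceroute printed "* * *"
    reply_ttl: Optional[int]   # TTL in the ICMP echo reply, None if it never answered


def parse_ping_ttl(ping_output: str) -> Optional[int]:
    """Extract the TTL from a ping reply line such as
    '64 bytes from 10.0.7.1: icmp_seq=1 ttl=57 time=12.3 ms'."""
    m = PING_TTL_RE.search(ping_output)
    return int(m.group(1)) if m else None


def infer_initial_ttl(reply_ttl: int) -> int:
    """Smallest well-known initial TTL the observed value could have started from."""
    for initial in INITIAL_TTLS:
        if reply_ttl <= initial:
            return initial
    raise ValueError(f"TTL {reply_ttl} exceeds 255")


def return_path_hops(reply_ttl: int) -> int:
    """Decrements the reply suffered on its way back: forwarding devices it crossed."""
    return infer_initial_ttl(reply_ttl) - reply_ttl


def build_hops(trace: List[Tuple[int, Optional[str]]], pings: Dict[str, str]) -> List[Hop]:
    """Join traceroute hops with the ping output collected for each hop address."""
    hops = []
    for index, address in trace:
        ttl = parse_ping_ttl(pings[address]) if address and address in pings else None
        hops.append(Hop(index, address, ttl))
    return hops


def find_ttl_gaps(hops: List[Hop]) -> List[Tuple[int, int, int]]:
    """Compare consecutive answering hops. Each traceroute hop should add exactly one
    decrement on the return path; more means a device that decrements TTL but did not
    show up in the traceroute. Returns (prev_hop, hop, extra_decrements); a negative
    value means the reply took a shorter return path than expected (asymmetric routing)."""
    gaps = []
    prev: Optional[Hop] = None
    for hop in hops:
        if hop.reply_ttl is None:
            continue  # silent hop: the next answering hop is compared across it
        if prev is not None:
            expected = hop.index - prev.index
            observed = return_path_hops(hop.reply_ttl) - return_path_hops(prev.reply_ttl)
            if observed != expected:
                gaps.append((prev.index, hop.index, observed - expected))
        prev = hop
    return gaps


# Constructed sample: hop 5 never answered, and a transparent device sits between
# hops 7 and 8 (hop 8's reply is two decrements further away than hop 7's).
SAMPLE_TRACE = [(1, "10.0.0.1"), (2, "10.0.1.1"), (3, "10.0.2.1"), (4, "10.0.3.1"),
                (5, None), (6, "10.0.5.1"), (7, "10.0.6.1"), (8, "10.0.7.1")]
SAMPLE_PINGS = {
    "10.0.0.1": "64 bytes from 10.0.0.1: icmp_seq=1 ttl=254 time=0.4 ms",
    "10.0.1.1": "64 bytes from 10.0.1.1: icmp_seq=1 ttl=253 time=0.9 ms",
    "10.0.2.1": "64 bytes from 10.0.2.1: icmp_seq=1 ttl=61 time=2.1 ms",
    "10.0.3.1": "64 bytes from 10.0.3.1: icmp_seq=1 ttl=124 time=3.0 ms",
    "10.0.5.1": "64 bytes from 10.0.5.1: icmp_seq=1 ttl=249 time=8.8 ms",
    "10.0.6.1": "64 bytes from 10.0.6.1: icmp_seq=1 ttl=57 time=11.2 ms",
    "10.0.7.1": "64 bytes from 10.0.7.1: icmp_seq=1 ttl=119 time=12.3 ms",
}

if __name__ == "__main__":
    for prev_idx, idx, extra in find_ttl_gaps(build_hops(SAMPLE_TRACE, SAMPLE_PINGS)):
        kind = "hidden forwarding device(s)" if extra > 0 else "shorter return path"
        print(f"between hop {prev_idx} and hop {idx}: {abs(extra)} {kind}")
```

Running it reports one extra decrement between hops 7 and 8. A real run would collect the traceroute and ping output with the usual tools and feed the text in; a ping TTL of 0 or a hop that answers from a different interface than the one in the traceroute are the usual false alarms to check by hand.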

On 2010-05-18, at 3:58 PM, Zack Payton wrote:

Sorry, I hit send too early.

Off the top I can think of several techniques that may be of use.
I don't have any experience with IP Sonar so I'm of no help regarding that.

1. A simple way could be to use SNMP to poll all of your switches and
look for OUI codes in the CAM tables of well known router product
vendors. This technique is not wholly reliable and is easy to
deceive.

2. Using differences in time stamps in the TCP headers and IP ID's it
is possible to determine how many hosts are behind a firewall/router
unless the firewall is really good at normalizing traffic.

3. A really good way would be to do inline reverse TCP tracerouting
to trace backward through existing TCP connections to the end hosts.
Unfortunately, I'm not aware of any products that do this but you
could probably whip something up using libnet or scapy.

Just a couple of ideas for you.
Z
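Technique 2 above, as an added example (not Zack's code, and not a product): given segments captured from the outside of a suspected NAT box, it estimates how many hosts sit behind it in two independent ways. Each host's TCP timestamp (TSval) advances at a fixed tick rate from its own boot-time offset, so tsval minus rate times capture time is constant per host and distinct hosts fall into distinct intercept clusters; separately, hosts with a per-packet incrementing IP ID each form their own monotone chain of IDs. The tick rate (1000 Hz here), the cluster tolerance, the maximum IP ID step and all packets are assumptions made for this example. Both counts are lower bounds that fail in predictable ways: a host with TCP timestamps disabled never appears in the first count, and a host with randomized IP IDs fragments into many chains in the second, which is the normalization Zack mentions.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Segment:
    capture_time: float   # seconds on the sniffer's clock
    tsval: int            # TCP timestamp option TSval
    ipid: int             # IP identification field


def tsval_clusters(segments: List[Segment], hz: float, tolerance_ticks: int) -> List[List[float]]:
    """Group segments by the intercept tsval - hz*t. Hosts keep their own timestamp
    clocks, so each host yields one tight cluster of intercepts."""
    intercepts = sorted(s.tsval - hz * s.capture_time for s in segments)
    clusters: List[List[float]] = []
    for value in intercepts:
        if clusters and value - clusters[-1][-1] <= tolerance_ticks:
            clusters[-1].append(value)
        else:
            clusters.append([value])
    return clusters


def ipid_chains(segments: List[Segment], max_step: int = 64) -> List[List[int]]:
    """Greedily assign each segment (in capture order) to the chain whose last IP ID is
    the closest smaller value within max_step; a host with a global incrementing IP ID
    counter produces exactly one chain. Randomized IDs produce many short chains."""
    chains: List[List[int]] = []
    for seg in sorted(segments, key=lambda s: s.capture_time):
        best = None
        for chain in chains:
            step = seg.ipid - chain[-1]
            if 0 < step <= max_step and (best is None or step < seg.ipid - best[-1]):
                best = chain
        if best is None:
            chains.append([seg.ipid])
        else:
            best.append(seg.ipid)
    return chains


def estimate_hosts(segments: List[Segment], hz: float = 1000.0,
                   tolerance_ticks: int = 50) -> Tuple[int, int]:
    """Return (hosts by TSval intercept, hosts by IP ID chain)."""
    return len(tsval_clusters(segments, hz, tolerance_ticks)), len(ipid_chains(segments))


# Constructed capture: three hosts behind one NAT address, 1000 Hz timestamp clocks with
# offsets 100000, 5000000 and 900000000, and per-host incrementing IP IDs starting at
# 1000, 40000 and 7000. A couple of ticks of jitter are added to the TSvals.
SAMPLE_SEGMENTS = [
    Segment(0.00, 100000,    1000),
    Segment(0.05, 5000050,   40000),
    Segment(0.25, 100252,    1001),
    Segment(0.30, 900000300, 7000),
    Segment(0.60, 5000603,   40002),
    Segment(0.90, 900000902, 7001),
    Segment(1.10, 101101,    1002),
    Segment(1.50, 900001500, 7003),
]

if __name__ == "__main__":
    by_ts, by_id = estimate_hosts(SAMPLE_SEGMENTS)
    print(f"hosts by TCP timestamp clock: {by_ts}")
    print(f"hosts by IP ID chain:         {by_id}")
```

On the constructed capture both methods agree on three hosts. On a real capture the two numbers diverge exactly when a host defeats one of the methods, so a large disagreement is itself useful: many IP ID chains but few timestamp clusters usually means randomized IP IDs rather than many hosts.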

On Tue, May 18, 2010 at 3:53 PM, Zack Payton <zpayton@xxxxxxxxx> wrote:
Off the top I can think of several techniques that may be of use.

1. A simple

On May 17, 2010, at 5:39 AM, J Hein <j.hein@xxxxxxxxx> wrote:

hi all,
this post might be somewhat off-topic, so please accept my apologies
first.

I have a somewhat difficult problem to crack - there is a large corporate
network which covers several Nordic countries, and unfortunately there have
been cases in the past where a device with routing capability has been
plugged into the network (for creating a "faster" connection to the internet
for a branch office). Because this violates corporate policies and creates
"invisible" entry points to the internal network, I have been given a task
to find a suitable software for finding such kind of illegal routers.

Are there any good products for detecting illegally installed boxes with a
routing capability? One of my fellow consultants suggested IP Sonar (by
Lumeta) for this purpose which (as he claims) has been successfully used by
BT in the past. From the product description I've got an impression that IP
Sonar cleverly uses traceroute for detecting routers that illegally exchange
information between internal networks and the internet (so called "network
leaks").

I understand that router detection is a complex issue, and in order to
address this problem fully, one needs to analyze traffic that flows through
all key routers and switches in the whole corporate network. Unfortunately,
since the deployment of such monitoring system takes a lot of time, I'd like
to begin with a relatively simple solution which attempts to locate network
leaks by polling the network from few points only (like IP Sonar does, using
traceroute for that purpose).

Can anyone recommend any such commercial or open source tools? (open
source utilities would actually be my preference :) Also, what is your
experience with IP Sonar -- is it really good stuff?

Thanks in advance :)
--
jhein





------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a
full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




