Usually, the best way to map out how a chunk of address space has been
subnetted is by finding out which addresses are used for broadcasting. This
is a trivial task for a tool like nmap, which will notify you when it has
stumbled upon a broadcast address.
Once you have found a broadcast address, you know that you have the "top end"
of a subnet. From there it's a simple matter of finding the bottom end. There
are multiple ways to go about this.
One good way is to assume that the first address on the subnet will be used
for that network's router, which is a very common way of doing things. You can
try tracerouting to 2 addresses beyond your broadcast address, and then see
which hops are identified as routers. Keep in mind that you may or may not be
allowed to use traceroute depending on any network filtering going on, and
you may not hit a router as the first IP of a subnet (although that would be
very rare).
A more reliable method of finding the "bottom end" of the subnet is to
continue scanning downward through the address space until you find another
broadcast address. By finding out where the previous network ends, you now
know where the next network begins (the next address would be the network
address).
Just don't forget about all the modern and tricky things you can do with
software like honeyd and vmware. What you happen to map out on paper, may not
be actual physical devices at all, but rather one large machine running a
complex internal vmware or honeyd setup. These are rare cases, but they do
happen.
Hope that helps.
On Thursday 15 July 2004 04:17 am, il.prof_at_virgilio.it wrote:
> During an internal black-box penetration test, from a subnet of a company
> (with or without DHCP), how do you find out the structure of the other
> subnets of network? In particular, how do you determine/discover the
> subnetting of the IP space of a company?
>
> An example:
>
> - IP network of the company XYZ: 10.0.0.0/8 (I use a private class to avoid
> the use of a real address space)
> - I'm in the subnet 10.0.0.0/24
>
> How do you find out the structure of other subnets that are part of the
> network 10.0.0.0/8?
>
> Il Prof.
--
Miles Stevenson
miles_at_mstevenson.org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
Received on Jul 20 2004
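The bookkeeping behind the reply above (broadcast address = top of a subnet, the next address = bottom of the following one, scan downward until the next broadcast) as an added worked example. This is not code from the original post or from either poster; the list of "observed" broadcast addresses is constructed, and the supernet, function names and the router-at-first-address heuristic are assumptions taken from the reply's description. It also covers the failure mode the reply's method runs into: when a broadcast address is missed, the range between two observed ones no longer fits a single CIDR block, and the code reports it instead of guessing.

```python
import ipaddress

# Constructed sample input (not from the original post): addresses inside
# 10.0.0.0/8 that answered a broadcast probe during a downward sweep.
OBSERVED_BROADCASTS = [
    "10.0.0.255",  # top of 10.0.0.0/24
    "10.0.1.255",  # top of 10.0.1.0/24
    "10.0.3.255",  # top of 10.0.2.0/23
    "10.0.4.63",   # top of 10.0.4.0/26
]


def infer_subnets(broadcasts, supernet="10.0.0.0/8"):
    """Turn observed broadcast addresses into subnet boundaries.

    Each broadcast address is the top end of a subnet, and the address right
    after it is the network address of the next subnet. The bottom of the
    first subnet is the supernet's own network address (an assumption; the
    real space may start with an unobserved subnet).

    Returns a list of (bottom, top, blocks). `blocks` is the list of CIDR
    networks that exactly cover bottom..top. One block means the range is a
    clean subnet; several blocks mean the range cannot be a single subnet,
    which usually means the sweep missed a broadcast address in between.
    """
    space = ipaddress.ip_network(supernet)
    tops = sorted({ipaddress.ip_address(b) for b in broadcasts})
    results = []
    bottom = space.network_address
    for top in tops:
        if top not in space:
            raise ValueError(f"{top} is outside {space}")
        blocks = list(ipaddress.summarize_address_range(bottom, top))
        results.append((bottom, top, blocks))
        bottom = top + 1  # the next subnet's network address
    return results


def clean_subnets(results):
    """Only the ranges that collapse to exactly one CIDR block."""
    return [blocks[0] for _, _, blocks in results if len(blocks) == 1]


def suspicious_ranges(results):
    """Ranges spanning several CIDR blocks: probably a missed broadcast."""
    return [(bottom, top) for bottom, top, blocks in results if len(blocks) > 1]


def likely_router(subnet):
    """First usable address, the conventional place for the subnet's router."""
    return subnet.network_address + 1


def traceroute_target(broadcast):
    """Two addresses beyond a broadcast: the first usable address of the next
    subnet, i.e. the conventional router address to traceroute towards."""
    return ipaddress.ip_address(broadcast) + 2


if __name__ == "__main__":
    found = infer_subnets(OBSERVED_BROADCASTS)
    for net in clean_subnets(found):
        print(f"{net}  likely router {likely_router(net)}")
    for bottom, top in suspicious_ranges(found):
        print(f"{bottom}-{top}: not one subnet, re-check for a missed broadcast")
```

With the constructed input this yields 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/23 and 10.0.4.0/26; drop 10.0.1.255 from the list and the range 10.0.1.0-10.0.3.255 is flagged instead of being misreported as one subnet. The honeyd/vmware caveat from the reply still applies: a clean CIDR layout on paper says nothing about whether the hosts behind it are real.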