mailing list archives
Re: [PEN-TEST] Network Mapping
From: "Teicher, Mark" <mark.teicher () NETWORKICE COM>
Date: Wed, 13 Sep 2000 14:37:10 -0700
The mapping feature in CyberCop Scanner is a cool view from a 3-d view, but
not real useful and very hard to print out.
Network mapping is to provide a customer an overall view of the network
plus a couple of layers below the 30,000 foot view.
Within the layers when conducting a penetration assessment, one would want
to indicate to the customer the verious network paths or ASYNC paths one
took to gain access.
A to B to Z type of thing
At 05:35 PM 9/13/00 +0100, Ollie Whitehouse wrote:
This graphical path analysis exists in Cybercop scanner (or sorts) from a
physical network perspective. Yet from a logical perspective it would be
Security Team Leader
tel: +44 (0)20 79160200
mai: ollie () delphisplc com
From: Curphey, Mark (ISS Atlanta) [mailto:MCurphey () ISS NET]
Sent: Wednesday, September 13, 2000 3:52 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Network Mapping
Mr Batz sir, Hope youre well ?
Agreed totally. I guess the question is what sort of map are you trying to
acomplish. There are physical maps and logical maps.
With NT Hosts for instance you may want to map all the hosts that have
accounts in a particular domain (I wrote a Perl script to do this). You may
additionally want to map the same hosts based on IP address. You may want to
workout backbones and map those to geographical location.
I think Batz's point of a multi-layered approach is spot on. We recently did
some work using an ODBC and importing data from multiple tools into it. In
old days I was an AutoCAd fanatic so was interested to note the last post on
AutoDesk. Assuming the tools is part of AutoCAD you should be able to assign
layers that can relate directly to a TCP/IP stack and filter layers
accordingly. Imagine being able to shut of the trees and see the wood.
Imagine being abole to see where databases are physically located, logically
located. Imagine shutting of layers to just show where web servers are,
where routers sit, where .......
Has anyone gotten really creative and modelled ACL's on network devices ?
Imagine a graphical path analysis ?
Anyone want to start a project ?
From: batz [mailto:batsy () VAPOUR NET]
Sent: Tuesday, September 12, 2000 9:11 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Network Mapping (was Re: [PEN-TEST] How to "break into" the
On Mon, 11 Sep 2000, Carric Dooley wrote:
:- I think the best tools for network mapping may be the free stuff (used
:Visio 2K Enterprise... extremely painful. The SolarWinds stuff is nice
:though. That with nmap, nlog can go a long way. SolarWinds or
:are extremely fast and can give you a host list to work with. I would
:go back with those host lists and feed them to ISS Scanner, and nmap.
:cybercop or nessus too. Depends on what you are trying to accomplish.
Mapping the network, and making a network map require seperate tools.
Mapping is best done with nessus, firewalk, ping, traceroute, and
the route servers for network and transport layer. tcpdump, arp and
anti-sniff for ethernet/link layer. Nmap is fine for session. Application,
well, that's brute forcers, skriptz, whisker, and good old fashioned
kung-f00 with some genuine clue thrown in for good measure.
Some of the commercial tools do mapping AFAIK, and are useful for comparing
your results to, but pointing tkined, visio 2k, or cheops at a network
probably won't give you a thorough picture. If you wouldn't bill your
clients for cookie cutter cybercop/iss/retina/nmap/nessus reports, why
would you bill them for the same from a network mapping package?
Making a network map; White board, and visio has cute widgets.
Each layer of the protocol stack is a map unto itself. Tool based
methodologies have the inherant problem of a top down approach.
They enumerate services and their associated vulnerabilities and
then induce that by there being a service and vuln, there must be a
host, which implies a network, and vaguely suggests an underlying
Seems logical right? It is, but it's still wrong. It's consistant
with an inductive method, it's true within the scope of what is required
for a network to exist, but it's totally incomplete.
This e-mail and any files transmitted with it are intended solely for the
addressee and are confidential. They may also be legally
privileged.Copyright in them is reserved by Delphis Consulting PLC
["Delphis"] and they must not be disclosed to, or used by, anyone other than
the addressee.If you have received this e-mail and any accompanying files in
error, you may not copy, publish or use them in any way and you should
delete them from your system and notify us immediately.E-mails are not
secure. Delphis does not accept responsibility for changes to e-mails that
occur after they have been sent. Any opinions expressed in this e-mail may
be personal to the author and may not necessarily reflect the opinions of