Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

pen-test logo Penetration Testing mailing list archives

Re: Find out the subnetting of a company
From: Miles Stevenson <miles () mstevenson org>
Date: Tue, 20 Jul 2004 12:34:33 -0400
On Tuesday 20 July 2004 12:22 pm, J.A. Terranson wrote:


Dangr Will Robinson!

This is not necessarily so.  Early BSD and BSD derived systems/devices may
also answer to broadcasts on the "lower end".  Historically, the broadcast
was originally designed to *be* the same as the network address, it is
only recently that the last address has become the standard.

There are any number of older, and in somecases (like the Nortel CVX call
concentrators) newer devices answering on both the top and bottom
addresses.


I was not aware of this, but great point! It would be interesting to try out 
some experimentation with some of these older BSD systems and incorporate 
some clever workarounds. If anyone has any VM images of such a case that they 
would like to share (licenses permitting of course) I would love to toy with 
it.

Hmmmm. Perhaps a little more R&D on the topic would be helpful to the infosec 
community (assuming there are still questions on this topic that have yet to 
be answered in a public write-up). It might be worth while to take a look at 
how some of the automated network mapping tools out there handle this. Maybe 
there are some improvements to be made.

Comments/Suggestions? 

-- 
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]