Penetration Testing
mailing list archives
Re: Find out the subnetting of a company
From: "Volker Tanger" <volker.tanger () detewe de>
Date: Wed, 21 Jul 2004 09:20:31 +0200
Hi!
During an internal black-box penetration test, from a subnet
of a company (with or without DHCP), how do you find out the
structure of the other subnets of the network?
Sometimes it is better/easier to take a purely passive approach.
Running ARPWATCH will tell you quite a lot about the (physically
attached) networks and devices - especially the hardware vendor IDs
(Vendor-IDs Cisco, Nortel etc. are dead giveaways for points of
interest).
Plainly running TCPDUMP and filtering for NETBIOS broadcasts will tell
you quite nicely the network boundaries of networks where Microsoft systems
are active.
Bye
Volker Tanger
ITK Security
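
An added example, not part of the original post: a short Python script showing how much a listen-only host can learn about subnet masks from NetBIOS broadcasts, which is also a quick way to gauge what a segment leaks. The `tcpdump -n` lines are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` text output (not a real capture).
SAMPLE = """\
09:20:31.100000 IP 10.1.2.17.138 > 10.1.3.255.138: NBT UDP PACKET(138)
09:20:32.200000 IP 10.1.3.40.137 > 10.1.3.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
09:20:33.300000 IP 192.168.7.66.138 > 192.168.7.127.138: NBT UDP PACKET(138)
09:20:34.400000 IP 192.168.7.100.137 > 255.255.255.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
"""

# Source and destination IPv4 address of NetBIOS name/datagram traffic (UDP 137/138).
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(?:137|138) > (\d+\.\d+\.\d+\.\d+)\.(?:137|138):")

def group_by_broadcast(text):
    """Map each directed broadcast address to the set of senders seen using it."""
    seen = defaultdict(set)
    for m in LINE.finditer(text):
        src, dst = (int(ipaddress.IPv4Address(a)) for a in m.groups())
        if dst != 0xFFFFFFFF:  # limited broadcast says nothing about the mask
            seen[dst].add(src)
    return seen

def candidate_networks(bcast, sources):
    """Return every network whose broadcast is `bcast` and that contains all sources."""
    # Upper bound on host bits: the trailing 1-bits of the broadcast address.
    max_host = 0
    while max_host < 32 and (bcast >> max_host) & 1:
        max_host += 1
    # Lower bound: host bits needed so every sender shares the network part.
    min_host = max(((s ^ bcast).bit_length() for s in sources), default=0)
    min_host = max(min_host, 1)
    return [ipaddress.IPv4Network((bcast >> h << h, 32 - h))
            for h in range(min_host, max_host + 1)]

def infer(text):
    """Broadcast address -> list of subnets consistent with the observed senders."""
    return {str(ipaddress.IPv4Address(b)): [str(n) for n in candidate_networks(b, s)]
            for b, s in group_by_broadcast(text).items()}

if __name__ == "__main__":
    for bcast, nets in infer(SAMPLE).items():
        print(bcast, "->", ", ".join(nets))
```

Each additional sender observed can only raise the lower bound, so the candidate list shrinks as more hosts are heard.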