Penetration Testing mailing list archives

Re: Find out the subnetting of a company
From: "David M. Zendzian" <dmz () dmzs com>
Date: Wed, 21 Jul 2004 16:58:15 -0400

Ok, after a little searching I did find the info I mentioned the other day. 

ICMP can send a host mask request. For example using sing:
  sing -mask -c 1 IPADDR

Check out http://www.whitehats.ca/main/publications/external_pubs/icmp_usage/icmp_usage.html

David
-----Original Message-----
From: "Volker Tanger" <volker.tanger () detewe de>
Date: Wed, 21 Jul 2004 09:20:31 
To: pen-test () securityfocus com
Subject: Re: Find out the subnetting of a company

Hi!

During an internal black-box penetration test, from a subnet 
of a company (with or without DHCP), how do you find out the 
structure of the other subnets of network? 

Sometimes it is better/easier to take a purely passive approach. 

Running ARPWATCH will tell you quite a lot about the (physically
attached) networks and devices - especially the hardware vendor IDs
(Vendor-IDs Cisco, Nortel etc. are dead giveaways for points of
interest). 

Plainly running TCPDUMP and filtering for NETBIOS broadcasts will tell
you quite nicely network boundaries of networks where Microsoft systems
are active.

Bye

Volker Tanger
ITK Security


/--------------------------------------\
 David M. Zendzian * dmz () dmzs com 
 (415) 867-7812 - phone  
  -------------                    
  Imagination is greater than knowledge * Albert Einstein
 Every day is a good day, whether you like it or not! *
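
Added example, not part of the original post: the ICMP address mask exchange mentioned above (RFC 950, type 17 request and type 18 reply), decoded the way an analyst would when reading these messages out of a capture. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress
import struct

MASK_REQUEST, MASK_REPLY = 17, 18  # ICMP types defined in RFC 950


def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_mask_message(icmp_type, ident, seq, mask="0.0.0.0") -> bytes:
    """Build the 12-byte message: type, code, checksum, id, sequence, mask."""
    raw = ipaddress.IPv4Address(mask).packed
    draft = struct.pack("!BBHHH4s", icmp_type, 0, 0, ident, seq, raw)
    return struct.pack("!BBHHH4s", icmp_type, 0, inet_checksum(draft), ident, seq, raw)


def parse_mask_message(icmp: bytes, src_ip: str):
    """Decode an ICMP message sent by src_ip; returns None unless type 17/18."""
    if len(icmp) < 12:
        raise ValueError("truncated ICMP address mask message")
    icmp_type, _code, _csum, ident, seq, raw = struct.unpack("!BBHHH4s", icmp[:12])
    if icmp_type not in (MASK_REQUEST, MASK_REPLY):
        return None
    if inet_checksum(icmp) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    mask = str(ipaddress.IPv4Address(raw))
    network = None
    if icmp_type == MASK_REPLY:
        try:  # the replying host's address plus its mask gives the subnet
            network = str(ipaddress.ip_network(f"{src_ip}/{mask}", strict=False))
        except ValueError:
            network = None  # non-contiguous mask: report it, derive nothing
    kind = "request" if icmp_type == MASK_REQUEST else "reply"
    return {"kind": kind, "id": ident, "seq": seq, "mask": mask, "network": network}


if __name__ == "__main__":
    # Constructed sample: a reply from 10.1.2.1 advertising a /24 mask.
    reply = build_mask_message(MASK_REPLY, 0x1234, 1, "255.255.255.0")
    print(parse_mask_message(reply, "10.1.2.1"))
```

A type 17 request seen on an internal segment is uncommon in normal traffic, so the same parser doubles as a check for this kind of probing in a capture.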

