Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Multiple IP on the same server howo to idenfity
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 10 Jun 2004 16:28:39 -0500

On Thu, 2004-06-10 at 05:12, NetExpress wrote:
Hi, the problem is, if I am doing a penetration test from internte to 
many servers, probably there should be some IP ont the same server o 
network adapter like load balancer.
In a report, and to avoid false positive, should be usefull to identify 
which IPs are on the same server, but how?

If you can observe response packets from the servers (responses to UDP
or ICMP requests, or simple TCP requests such as telnetting to an open
port), then you can fingerprint the IP stack by hand. Examine TTL, IP ID
and Window size. Most systems don't randomize the IP ID, so you can
easily distinguish between different servers by watching the IP ID.

Remember, tcpdump is your friend :)


Attachment: signature.asc
Description: This is a digitally signed message part

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]