
Penetration Testing mailing list archives

Re: Network discovery
From: Javier Fernandez-Sanguino <jfernandez () germinus com>
Date: Mon, 29 Aug 2005 11:38:42 +0200

Arjun Venkatraman wrote:

Hi,
does anyone know of an efficient way to discover a complete network
tree starting from a root node? I have a network where I want to add
clients to intermediate servers at will, and I want the superserver
to discover the complete tree with the hierarchy.

the config i have is something like this
(...)

You are not providing many details. Is this a TCP/IP network? Is this using some kind of specific application you want to discover if it's being used in a network (i.e. have a target port for it)?

Your scheme is quite similar to a multicast application so maybe you can customise the application to incorporate some kind of "echo" (like ICMP does) through it.

Superserver -> sends echo to all intermediate servers registered to it -> intermediate servers send echo to all clients connected to it -> clients reply -> servers send replies back to superserver.

Nmap will just not catch it as it does not have any knowledge of how to find client B if it's in a different network than superserver A.

If you are looking at a traditional TCP/IP network _and_ have an application port (XXX) associated with the client/server/superserver you might get around this doing a traditional network discovery test (i.e. like network tools such as HP Openview's Network Node Manager implement) and then extract the list elements of the network that are 'up' and feed that to a 'nmap -sT -p XXX' scan.

Network scanning such as that done with NNM, however, is not efficient and heavily relies on the network elements "behaving properly". That is:

1.- network devices (such as routers or switches) reply to SNMP communities and their configuration (interfaces they have, networks connected to) can be retrieved remotely through it.

2.- hosts answer to ICMP queries and (maybe) have SNMP agents that provide additional network information (in case of dual-homed hosts).

So if you don't have proper access to the devices, a tool like that won't do a thing and will only discover your local subnet.

Such a network test is far from efficient as it tries to discover _all_ network systems. It might even go beyond your own network if you don't limit it properly, so be careful if you code it yourself :-)

Regards

Javier
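The echo scheme sketched above (superserver -> intermediate servers -> clients, replies folded back up the tree) can be shown as a small in-memory simulation. This is an added example, not code from the thread or from any of the tools mentioned: nodes are plain Python objects instead of hosts on a network, the addresses are made up, the application port is an assumed value, and the final nmap argument list is only built, not executed. A hop budget bounds how far the echo travels, which is the "limit it properly" point at the end of the reply; a node that never answers simply drops out of the tree, as an unreachable host would.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Tree = Dict[str, "Tree"]  # address -> subtree of addresses that answered


@dataclass
class Node:
    name: str
    addr: str  # constructed address, not a real host
    children: List["Node"] = field(default_factory=list)  # nodes registered to this one
    alive: bool = True  # False models a host that never answers the echo

    def register(self, child: "Node") -> "Node":
        """Registration, not address scanning, is what makes the tree discoverable."""
        self.children.append(child)
        return child


def handle_echo(node: Node, hops_left: int) -> Optional[Tree]:
    """Handle one echo request arriving at `node`.

    An alive node always replies. If the hop budget allows, it first forwards the
    echo to every registered child and folds the children's replies into its own,
    so the reply that travels back up is the whole subtree below the node.
    Returns None when the node does not answer (down or unreachable).
    """
    if not node.alive:
        return None
    reply: Tree = {}
    if hops_left > 0:
        for child in node.children:
            child_reply = handle_echo(child, hops_left - 1)
            if child_reply is not None:  # silent children are simply absent
                reply[child.addr] = child_reply
    return reply


def discover(superserver: Node, max_hops: int) -> Tree:
    """Superserver-initiated discovery: one echo, bounded to max_hops levels."""
    tree = handle_echo(superserver, max_hops)
    return tree if tree is not None else {}


def flatten(tree: Tree) -> List[str]:
    """Depth-first list of every address that answered."""
    out: List[str] = []
    for addr, subtree in tree.items():
        out.append(addr)
        out.extend(flatten(subtree))
    return out


def nmap_args(hosts: List[str], port: int) -> List[str]:
    """argv for the follow-up connect scan of the application port on hosts
    already known to be up (built here, never executed)."""
    return ["nmap", "-sT", "-p", str(port), *hosts]


def build_demo_tree() -> Node:
    """Constructed topology; every name and address is made up for the example."""
    s = Node("superserver", "10.0.0.1")
    a = s.register(Node("server-A", "10.0.1.1"))
    a.register(Node("client-a1", "10.0.1.10"))
    a.register(Node("client-a2", "10.0.1.11", alive=False))  # never answers
    b = s.register(Node("server-B", "10.0.2.1"))
    b1 = b.register(Node("client-b1", "10.0.2.10"))
    b1.register(Node("client-b1x", "10.0.2.20"))  # a client with a client of its own
    return s


if __name__ == "__main__":
    root = build_demo_tree()
    full = discover(root, max_hops=3)
    print("full tree:", full)
    print("bounded to 2 hops:", discover(root, max_hops=2))
    print("follow-up scan:", " ".join(nmap_args(flatten(full), 8443)))  # 8443 is an assumed port
```

Running the script shows the dead client missing from server-A's subtree, and the two-hop run shows client-b1 answering but no longer forwarding, so its own client is not reported. In a real deployment the same structure applies, with the recursion replaced by a request/reply over whatever transport the application already uses.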


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]