
Penetration Testing mailing list archives
Re: Mapping a network
From: Ty Miller <tyronmiller () gmail com>
Date: Wed, 16 Sep 2009 08:58:23 +1000
If you want to enumerate internal hosts and ports remotely you can use JavaScript port scanning via a type of phishing attack where the victim has to simply visit your site.
There is a JavaScript port scanner implemented within AttackAPI. You can also use a zombie scan within nmap to bypass firewall rules by 'bouncing' scans off another host within the DMZ. I haven't seen this attack work remotely in a long time though, but you may be lucky.

Ty

Not sent from my iPhone

On 13/09/2009, at 5:12 AM, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
Hey Guys,

What's the best way to completely map an internal network? In 2 situations:

a) Sitting on the Internet
b) On the internal network

Here are my thoughts after thinking a while and reading a few old threads on this list as well.

a) From the Internet, I think it's tough to map an internal network at all. You might be able to say identify the perimeter devices at best - meaning their external firewall and their border routers at best. Maybe a few internal IP addresses will be revealed through misconfigurations - but beyond that I think it's tough to do anything more. Is this correct?

b) On an internal network things get interesting though. Note that I'm looking at something like an internal pentest where I'm allowed to put a machine into the network. Here are various ways in which one can obtain information:

--- Start Wireshark and just listen to traffic. You'll get plenty of ranges of valid IP addresses.
--- Start something like p0f for the same purpose as above.
--- Look for weak SNMP community strings and obtain routing information
--- Scan for DNS servers and try a zone transfer (Yes this worked recently)
--- Nmap's ARP scan/Ping scan/known port scan
--- Simple ICMP pings
--- ICMP, UDP and TCP Traceroute to get the exact paths and placement of devices

What else? I read up a lot of old threads to see whether there was something that was already in use. I got a lot of software names of which some were familiar. Here is part of that list:

etherape, ntop, cheops, opte, lumeta, Visio enterprise, friendly pinger, ipswitch whatsup pro, Intermapper, networkview

Now I think a lot of that is commercial and I daresay there are many more products which "claim" to do a lot of accurate mapping. Right now I'm looking just at open source though. I tried Cheops last month but it doesn't seem to be totally accurate .. it didn't even detect everything that was live on my LAN.

So what's the best way forward? Is it a good idea to write code to brute force each and every private IP address in the entire space to check if it is live? I'm open to writing the code -- just thought I'd bounce this off the list before I got started. All inputs are welcome.

Thanks
Arvind

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
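The sweeps Arvind lists (ARP/ping scans, brute-forcing every private address) are noisy, and the same property that makes them useful to a tester makes them detectable. As an added example that is not part of this thread, the Python below flags any source that contacts an unusual number of distinct destinations inside a sliding time window; the log line format, the hosts, the window and the threshold are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)")

def build_sample_log():
    """Constructed log: 10.0.5.23 pings 10.0.1.1-10.0.1.40 in 30 s (a sweep);
    10.0.5.9 talks to three file servers over a minute (ordinary traffic)."""
    base = datetime(2009, 9, 13, 5, 10, 0)
    lines = []
    for i in range(1, 41):
        ts = base + timedelta(milliseconds=750 * i)
        lines.append(f"{ts.isoformat()} src=10.0.5.23 dst=10.0.1.{i} proto=icmp type=8")
    for i in range(60):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} src=10.0.5.9 dst=10.0.1.{i % 3 + 1} proto=tcp dport=445")
    return "\n".join(lines)

def parse_events(text):
    """Yield (timestamp, src, dst) for lines matching LINE_RE; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]

def detect_sweeps(events, window_s=60, threshold=20):
    """Map each source to the peak number of distinct destinations it contacted
    inside any window_s-second window; only sources reaching threshold are returned."""
    by_src = defaultdict(list)
    for ts, src, dst in events:
        by_src[src].append((ts, dst))
    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        in_window, left, peak = Counter(), 0, 0
        for ts, dst in probes:
            in_window[dst] += 1
            # slide the left edge forward until the window spans at most window_s
            while ts - probes[left][0] > timedelta(seconds=window_s):
                old = probes[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Tune window_s and threshold to the segment: a monitoring server or a DNS resolver legitimately reaches many hosts, so an allow-list of known scanners belongs in front of the alert.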