Penetration Testing mailing list archives
RE: testing for IP address space leakage in NAT systems
From: Joshua Wright <Joshua.Wright () jwu edu>
Date: Tue, 22 Jan 2002 16:32:50 -0500
IIS is famous for revealing internal IP addresses. Here is a perl snippet I have used to get information about the internal IP address from IIS 4.0 and 5.0 HTTPS servers using the sslcat CPAN tool:

#!/usr/bin/perl
# referrer-addr.pl
# Joshua.Wright () jwu edu
use strict;
use warnings;
use Net::SSLeay qw(sslcat);

my $server;
my @results;
my $reply;
my $i = 0;                 # line counter for the output loop below
my $port = "443";
my $CRLF = "\x0d\x0a";

unless (@ARGV == 1) {
    print "$0 - Discover internal IP of IIS Server with malformed\n";
    print "     GET request.\n";
    print "Usage: $0 host\n";
    exit 1;
}

($server) = @ARGV;

# HTTP/1.0 request with no Host: header; sslcat opens the TLS connection,
# sends the request and returns the raw reply as one string.
$reply = sslcat($server, $port, "GET / HTTP/1.0$CRLF$CRLF");
die "No reply from $server:$port\n" unless defined $reply && length $reply;

# Print the status line and the first few response headers.
@results = split($CRLF, $reply);
while ($i < 8) {
    last unless defined $results[$i];   # reply may be shorter than 8 lines
    print "$results[$i]\n";
    $i++;
}
print "<snip>\n\n";
exit(0);

Umm, I am seeing silly things I did in this code already. Live and learn; use at your own risk.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wright () jwu edu
pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

-----Original Message-----
From: Gamble [mailto:a629w () unb ca]
Sent: Monday, January 21, 2002 6:04 PM
To: R P G
Cc: pen-test () securityfocus com
Subject: Re: testing for IP address space leakage in NAT systems

On Mon, 21 Jan 2002, R P G wrote:
I was wondering if anyone knows of a method to test a NAT system for address space leakage. Thanks. --Bob
The easiest way to do this is try a zone transfer (host -l abc.com). If the DNS servers are not set up correctly, you have a good shot at having a list of the internal machines. Also, sometimes if you traceroute to a machine, you will get the internal IP of the gateway, which might be of use. SNMP might also be good to you and give you a few internal IPs, but there is a very good chance that the firewall will block SNMP, but you might get lucky. I haven't heard of any specific tools to test for leaks, and from what I have seen in the past, the best method is to query the various network servers which are known to give away network information.

-- Jamie

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
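As a self-check for your own HTTPS servers, here is an added Python example (not code from this thread or from any of its posters): it sends the same Host-less HTTP/1.0 request that the Perl script in Joshua's message sends, then flags any RFC 1918 or other private IPv4 address that appears in the status line or response headers (for example in the Location header of a redirect). The sample response, its address and the function names are constructed for this example.

```python
import ipaddress
import re
import socket
import ssl

# Dotted-quad candidates; each one is validated with ipaddress below.
_IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def private_ips_in_response(raw_response):
    """Return the private (RFC 1918, loopback, link-local) IPv4 addresses in
    the status line or headers of a raw HTTP response; the body is ignored."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]
    found = []
    for candidate in _IPV4_RE.findall(head):
        try:
            addr = ipaddress.IPv4Address(candidate)
        except ValueError:
            continue  # e.g. 999.1.1.1 looks like an address but is not one
        if addr.is_private and str(addr) not in found:
            found.append(str(addr))
    return found


def check_server(host, port=443, timeout=10.0):
    """Send the Host-less HTTP/1.0 request from the thread to one of your own
    HTTPS servers and return any private addresses leaked in its headers."""
    ctx = ssl.create_default_context()  # server certificate is verified as usual
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\n\r\n")  # no Host: header on purpose
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    return private_ips_in_response(b"".join(chunks).decode("latin-1"))


# Constructed sample reply of the kind the thread describes (address made up).
SAMPLE_RESPONSE = (
    "HTTP/1.1 302 Object Moved\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Location: https://10.20.30.40/default.htm\r\n"
    "\r\n"
    "<html>192.168.1.1 in the body is ignored</html>"
)

if __name__ == "__main__":
    print(private_ips_in_response(SAMPLE_RESPONSE))  # ['10.20.30.40']
```

A clean result is an empty list; anything else names the internal address that a redirect or similar header is exposing and should be fixed in the server's host-header or canonical-name configuration.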