Penetration Testing mailing list archives

RE: Find out the subnetting of a company


From: Liberty.Anthony () Datacraft-Asia com
Date: Thu, 22 Jul 2004 08:27:18 +0700

If I'm not wrong Hping can do subnet request too.
Just see the help and set your ICMP Type (default is echo request)

Cheers.
--thony-- 

-----Original Message-----
From: David M. Zendzian [mailto:dmz () dmzs com] 
Sent: Tuesday, July 20, 2004 11:54 PM
To: dsr () ascure com; il.prof () virgilio it; pen-test () securityfocus com
Subject: Re: Find out the subnetting of a company

Isn't there some icmp or ip based packet that can be sent to most devices
querying the subnet they are in? I am on vacation with only a BlackBerry and
can't google it, but someone out there must be familiar with that??
-----Original Message-----
From: "Dieter Sarrazyn" <dsr () ascure com>
Date: Tue, 20 Jul 2004 08:38:42
To:<il.prof () virgilio it>, <pen-test () securityfocus com>
Subject: RE: Find out the subnetting of a company

Hi,

You can find lots of the subnet structure with ping & traceroute scans
already. First, you can use the ping functionality of nmap (nmap -sP) which
should give you information about network and broadcast addresses.
If you found these parts, you already know how the subnetting is done.
With traceroute, you'll find out how these subnets are connected to
each other.

Of course, if there's a router that has snmp enabled, try to find one of the
community strings & dump the routing table of this router...

Hope this helps.

regards,
Dieter 

-----Original Message-----
From: il.prof () virgilio it [mailto:il.prof () virgilio it]
Sent: donderdag 15 juli 2004 10:17
To: pen-test () securityfocus com
Subject: Find out the subnetting of a company

During an internal black-box penetration test, from a subnet of a 
company (with or without DHCP), how do you find out the structure of 
the other subnets of network? In particular, how do you 
determine/discover the subnetting of the IP space of a company?

An example:

- IP network of the company XYZ: 10.0.0.0/8 (I use a private class to 
avoid the use of a real address space)
- I'm in the subnet 10.0.0.0/24

How do you find out the structure of other subnets that are part of 
the network 10.0.0.0/8?

Il Prof.

/--------------------------------------\
 David M. Zendzian * dmz () dmzs com
 (415) 867-7812 - phone  
  -------------                    
  "Imagination is greater than knowledge" * Albert Einstein
  "Every day is a good day, whether you like it or not!"



