Penetration Testing mailing list archives
RE: Multiple IP on the same server how to identify
From: "Pursifull, Mike" <Mike.Pursifull () cryptek com>
Date: Thu, 10 Jun 2004 23:37:50 -0400
From the Internet:
1) break into the box
2) look around. ifconfig (*nix) and ipconfig (windows) work well. *grin*

Seriously, if you're looking for a lucky break you should definitely be tracking server response below the level of most of your port/scanning tools. It's somewhat of a long shot, but I have often obtained just the sort of data you're looking for by carefully tracking return responses of scans manually or with extra technologies.

Consider, for example, always running something like icmpinfo (-vvv!) while you are probing/scanning. It is very common when dealing with async routes, alternate routes, multiple interfaces and nat/loadbalancer conditions to have data in an error condition icmp packet [or other response] come back telling you more than it should.

Ex. You send a packet to 192.168.1.1 and get an icmp port unreachable matching your packet, but coming from another ip address (It may very well be that your OS even matches the response to the packet but does not point out the difference! - very common!)

There are hundreds of possibilities of different variations. Most of the time, they involve or expose async routing for a dual homed box. The IP you are targeting, then, is the secondary (non-default gateway interface). This might expose a dual-firewall condition that can lead to compromise, may expose multi-homed servers and many other situations...

There is no magic bullet, but there are lots of techniques. Beyond using just tools, you want to suck every bit of information out of every packet you send out (for this type of scouting). Most of the 'modern' pen testers and so-called h4x0rs of today may not recall, may have forgotten, or may never have learned the old lessons because today's world is focused on mass data, you mine bulk data seeking answers...if it's not spelled out in one article at the right level to scan text for an answer, search Google for another article with just the right level of detail.

Many older explorers spent months re-reading that same Ma Bell tech bulletin that..err..fell off a truck over and over until the unexplained terms and concepts formed their own picture in your mind.

Err....sorry for the nostalgia... Just one byte can tell you what you want to know....but you will have to catch it, and understand what it is whispering to you...

Best of luck...
-Mike

-----Original Message-----
From: Yonatan Bokovza [mailto:Yonatan () xpert com]
Sent: Thursday, June 10, 2004 6:13 PM
To: pen-test () securityfocus org
Subject: RE: Multiple IP on the same server how to identify
-----Original Message-----
From: NetExpress [mailto:NetExpress () infogroup it]
Sent: Thursday, June 10, 2004 13:13
To: pen-test () securityfocus org
Subject: Multiple IP on the same server how to identify

Hi,
the problem is, if I am doing a penetration test from the Internet to many servers, probably there should be some IPs on the same server or network adapter, like a load balancer. In a report, and to avoid false positives, it would be useful to identify which IPs are on the same server, but how?

If I were in the internal network I am testing I would use arp to find the MAC address of each IP and I would have solved it, but from the Internet I cannot use arp. From the Internet I could use the banner, but this is not certain: I could have more than one application server on the same server, with n-IP on application server A and m-IP on application server B, so getting the banner would not be the right choice, especially with a proxy.

Any idea?

You could use the TCP Timestamp option to see the uptime of both servers. If it is similar enough, there is a good chance it is the same server. (unless the loadbalancer changes the Timestamp...)

See section 3.2 here: http://www.faqs.org/rfcs/rfc1323.html

Regards,
Yonatan Bokovza
IT Security Consultant
Xpert Systems
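As an added example that is not part of the original thread: the TCP timestamp comparison suggested above, run offline over (capture time, TSval) pairs taken from an authorized assessment's packet capture. The sample IPs and values are constructed, and the candidate clock rates and the 2-second tolerance are assumptions.

```python
from statistics import median

# Constructed samples: (capture time in seconds, TSval seen in a reply) per IP.
SAMPLES = {
    "192.0.2.10": [(1000.0, 8_640_000), (1010.0, 8_641_000), (1020.0, 8_642_000)],
    "192.0.2.11": [(1001.0, 8_640_100), (1011.0, 8_641_100), (1021.0, 8_642_100)],
    "192.0.2.20": [(1002.0, 500_000), (1012.0, 500_100), (1022.0, 500_200)],
    "192.0.2.30": [(1003.0, 77), (1013.0, 77)],  # constant: rewritten by a middlebox
}

COMMON_HZ = (10, 100, 250, 1000)  # assumed candidate timestamp clock rates


def estimate_boot(samples):
    """Return (hz, estimated boot time) or None if no usable clock is visible.

    32-bit TSval wraparound between samples is not handled here.
    """
    if len(samples) < 2:
        return None
    (t0, v0), (t1, v1) = samples[0], samples[-1]
    if t1 <= t0 or v1 <= v0:
        return None  # counter not advancing: nothing to compare
    raw_hz = (v1 - v0) / (t1 - t0)
    hz = min(COMMON_HZ, key=lambda c: abs(c - raw_hz))
    if abs(hz - raw_hz) > 0.2 * hz:
        return None  # tick rate matches no known clock
    # Each sample implies a boot time; the median damps network jitter.
    return hz, median(t - v / hz for t, v in samples)


def group_by_boot(samples_by_ip, tolerance=2.0):
    """Cluster IPs whose clock rate matches and boot times agree within tolerance."""
    groups, unknown = [], []
    for ip, samples in sorted(samples_by_ip.items()):
        est = estimate_boot(samples)
        if est is None:
            unknown.append(ip)
            continue
        for g in groups:
            if g["hz"] == est[0] and abs(g["boot"] - est[1]) <= tolerance:
                g["ips"].append(ip)
                break
        else:
            groups.append({"hz": est[0], "boot": est[1], "ips": [ip]})
    return [g["ips"] for g in groups], unknown


if __name__ == "__main__":
    print(group_by_boot(SAMPLES))
```

Current Linux kernels add a random per-connection offset to TSval by default, so matching boot times cannot be expected from such hosts; that offset is also the mitigation for this kind of correlation.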