Penetration Testing mailing list archives

Re: What's Next? Attack of Internal IP Disclosure

From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 24 May 2011 08:05:38 -0700

After I launched a penetration testing attack from Internet, I could
disclose the internal IP address. What would be the attack after I
knew the internal IP address?


There is no attack. The server leaks a piece of low-value information
that, in conjunction with other vulnerabilities, may make your life
marginally easier. But usually doesn't.

IP disclosure, path disclosure, server responding to ICMP pings, etc,
are the canonical examples of padding in security assessment reports.

/mz

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------

Current thread:

What's Next? Attack of Internal IP Disclosure Zaki Akhmad (May 24)
- Re: What's Next? Attack of Internal IP Disclosure Sihan (May 24)
- Re: What's Next? Attack of Internal IP Disclosure Veronica (May 24)
- Re: What's Next? Attack of Internal IP Disclosure Michal Zalewski (May 24)
- Re: What's Next? Attack of Internal IP Disclosure Nikhil Wagholikar (May 24)
- RE: What's Next? Attack of Internal IP Disclosure Chadha, Sachin (May 24)