Blunderboy (Posted June 23, 2007)

I am just wondering, for GP, if anyone knows of a way to squeeze internal IP addresses and subnets from a corp. network that has echo requests disabled (ping, tracert (DOS)). I am looking especially for a solution that has the attacker inside the network, since most security breaches are either initiated or unknowingly assisted from within the network. I ask only because I am wondering if there is a way and, if so, what the means is to protect against it. Since once someone has internal IP addresses and an understanding of the network's structure and layout they can spoof, knock, spy, probe, hijack, and access to their heart's content. Of course this is after research has been done of the network. So what are some common methods that someone from the inside could use to unearth some of these internal IP addresses? I know that someone could ipconfig /all on Windows boxes and figure out their own local IP and the IP of their default gateway; however, since most people are in a work environment where the installation of software is strictly monitored, the use of Nmap, BlackICE, and sing wouldn't be likely. Determined attackers usually find a way around things like this. I normally would try a boot CD like BackTrack 2 to gain access, but if I am trying to secure the network then it doesn't really help unless I have a box passively monitoring all requests across the network searching for suspicious requests from within. But then if these requests are blocked then we are back where we started. So if an employee dedicated to mapping the network from within were to try to do so, then what are some ideas on how they would do it and how to prevent them from doing it, either at all or in the future? I assure you that this is not for execution but for adding to my ability to secure corp. networks. I am not currently a corp. network administrator; I only set up small bus. networks for now.

If it is a simple fix then please tell me; I tend to miss the dumbest things. I have seen techniques used while connected to a wireless network which had echo requests disabled, but corp. networks tend to be more heavily secured and monitored.
Sparda (Posted June 23, 2007)

The question is: "How can someone get a (vague) picture of a net from monitoring packets?" Well, you can't really. You can make assumptions based on what you know. For example, if there are computers with different subnets/netmasks in the same room yet they both have access to the same services, then it's safe to say that they are routed together somehow. This doesn't necessarily mean they are physically on another switch; they may be on separate VLANs. And I can't go on because I must leave now...
Blunderboy, Author (Posted June 23, 2007)

That makes sense. I was thinking that if someone was within the network already then he would probably have access to at least a couple of computers. If this is the case then learning the local IP addresses of those computers and their default gateways would at least be a start to uncovering more useful IPs. Securing against this would probably have some easy fixes.
uber_tom (Posted June 25, 2007)

If only it were that easy; a lot of software needs admin permissions to run. Most of our users have admin permissions. ipconfig (*nix: ip addr) and nslookup output all the local info (same as the TCP/IP settings). Other tools like nmap will give you a good idea of network layout. I also have a tool called simply Advanced IP Scanner v1.5 by Radmin. This will map any subnet you choose; this gives you a list of IPs and computer names (I even tried it on my ISP and got a list of all computers attached to my ISP's DNS). Not to mention the physical security: half the office knows our mail server IP simply because they've watched me set up their mail accounts. One IP will give you a subnet to be working on. On the subject of mail, don't forget mail headers contain the internal originator IP as well as the external IP of the mail server... My god, Sparda is right, this could go on forever.
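The mail-header point above is one an administrator can verify for their own domain: send a message to an outside mailbox and check whether the relay copied the submitting workstation's RFC 1918 address into the trace headers. The following is an added example, not code posted in this thread; the header block, host names and ESMTP ids are constructed, and the check flags only the three RFC 1918 ranges rather than every non-routable block.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: headers of a message as an external recipient might see
# them when the corporate relay records the submitting client's address.
# Host names, addresses and ESMTP ids are made up for this example.
SAMPLE_HEADERS = """Received: from relay.example-corp.test (relay.example-corp.test [203.0.113.25])
\tby mx.partner.test with ESMTP id HYPOTHETICAL01
Received: from WORKSTATION-42 (unknown [10.20.30.41])
\tby relay.example-corp.test with ESMTP id HYPOTHETICAL02
X-Originating-IP: [10.20.30.41]
From: someone@example-corp.test
Subject: quarterly figures
"""

# Header fields that carry path information and therefore leak topology.
TRACE_HEADERS = ("received", "x-originating-ip")

# RFC 1918 private ranges; anything here should never appear to an outsider.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def unfold_headers(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines (leading space/tab) onto their header."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def find_internal_ips(raw: str) -> List[Tuple[str, str]]:
    """Return (header_name, ip) for every RFC 1918 address found in trace headers."""
    hits: List[Tuple[str, str]] = []
    for line in unfold_headers(raw):
        name, sep, value = line.partition(":")
        if not sep or name.lower() not in TRACE_HEADERS:
            continue
        for token in IPV4.findall(value):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # dotted token that is not a valid address (e.g. 999.1.1.1)
            if isinstance(addr, ipaddress.IPv4Address) and is_rfc1918(addr):
                hits.append((name, token))
    return hits


if __name__ == "__main__":
    for header, ip in find_internal_ips(SAMPLE_HEADERS):
        print(f"internal address leaked in {header}: {ip}")
```

If the check reports anything, the fix belongs on the edge MTA: strip or rewrite the Received and X-Originating-IP lines for mail leaving the organisation, so only the relay's public address is visible outside.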
cooper (Posted June 25, 2007)

Once you're inside the network, I'd expect you to start with setting up a passive sniffer that would allow you to keep track of where, how much, and what kind of traffic is going. That should quickly show where the interesting (well, to that network at least) machines are. For sniffing to work, the network adapter needs to be in promiscuous mode. There are programs that claim to be able to remotely detect network adapters that are in this mode, though their use is being questioned looking at the tone of this Wikipedia article: http://en.wikipedia.org/wiki/Promiscuous_mode You could use a trusted copy of ifconfig, but if your box is rooted (which it has to be for the attacker to be able to run a sniffer) you can't really trust its output even if you know the binary is sane.
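Two local, defender-side checks for the promiscuous-mode point above, as an added example that is not code from this thread: reading the IFF_PROMISC bit from each interface's sysfs flags file, and replaying the kernel's "entered/left promiscuous mode" messages from a syslog excerpt to see which interfaces are still in that state. The syslog lines, host name and interface names are constructed. cooper's caveat applies to both: the sysfs read is only trustworthy on a host whose kernel you still trust, which is why the log-based check is most useful when the kernel log is shipped to a separate collector as it is written.

```python
import os
import re
from typing import Dict, List

# IFF_PROMISC from <linux/if.h>: set in /sys/class/net/<iface>/flags while
# the interface is in promiscuous mode.
IFF_PROMISC = 0x100

# The kernel logs every transition. Older kernels print
# "device eth0 entered promiscuous mode"; newer ones print
# "eth0: entered promiscuous mode". The pattern accepts both.
PROMISC_MSG = re.compile(
    r"(?:device\s+(\S+)|(\S+):)\s+(entered|left)\s+promiscuous mode"
)

# Constructed syslog excerpt: host name, timestamps and interfaces are made up.
SAMPLE_KERNEL_LOG = """Jun 25 09:12:01 host-a kernel: [ 1201.443] e1000e 0000:00:19.0 eth0: NIC Link is Up 1000 Mbps Full Duplex
Jun 25 09:14:37 host-a kernel: [ 1357.201] device eth0 entered promiscuous mode
Jun 25 09:15:02 host-a kernel: [ 1382.119] device eth0 left promiscuous mode
Jun 25 09:20:45 host-a kernel: [ 1725.008] device eth1 entered promiscuous mode
Jun 25 09:30:00 host-a kernel: [ 2280.512] wlan0: entered promiscuous mode
"""


def flags_indicate_promisc(flags_text: str) -> bool:
    """Interpret the contents of a sysfs flags file, e.g. '0x1103\\n'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sysfs_root: str = "/sys/class/net") -> List[str]:
    """Names of interfaces whose sysfs flags carry IFF_PROMISC.

    Returns [] if sysfs is unavailable. Only meaningful on a host whose
    kernel and filesystem you still trust.
    """
    try:
        names = sorted(os.listdir(sysfs_root))
    except OSError:
        return []
    found: List[str] = []
    for iface in names:
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                if flags_indicate_promisc(fh.read()):
                    found.append(iface)
        except (OSError, ValueError):
            continue
    return found


def promisc_state_from_log(log_text: str) -> Dict[str, bool]:
    """Replay kernel promiscuous-mode messages; True means still promiscuous
    at the end of the excerpt."""
    state: Dict[str, bool] = {}
    for line in log_text.splitlines():
        m = PROMISC_MSG.search(line)
        if not m:
            continue
        iface = m.group(1) or m.group(2)
        state[iface] = m.group(3) == "entered"
    return state


if __name__ == "__main__":
    print("sysfs:", promiscuous_interfaces())
    for iface, on in promisc_state_from_log(SAMPLE_KERNEL_LOG).items():
        print(f"log: {iface} {'promiscuous' if on else 'normal'}")
```

An interface that legitimately runs in promiscuous mode (a monitoring port, a bridge member) will show up too, so the useful alert is a transition on a host or interface where nobody expects one.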