Posted

I am just wondering for GP if anyone knows of a way to squeeze internal IP addresses and subnets from a corp. network that has echo requests disabled. (ping, tracert(DOS)) I am looking especially for a solution that has the attacker inside the network. Since most security breaches are either initiated or unknowingly assisted from within the network. I ask only because I am wondering if there is a way and if so what is the means to protect against it.

Since once someone has internal IP addresses and an understanding of the network's structure and layout they can spoof, knock, spy, probe, hijack, and access to their heart's content. Of course this is after research has been done of the network.

So what are some common methods that someone from the inside could use to unearth some of these internal IP addresses? I know that someone could ipconfig /all on windows boxes and figure out their own local and the IP of their default gateway, however since most people in a work environment where the installation of software is strictly monitored the use of Nmap, BlackICE, and sing wouldn't be likely. Determined attackers usually find a way around things like this. I normally would try a boot CD like backtrack2 to gain access but if I am trying to secure the network then it doesn't really help unless I have a box passively monitoring all requests across the network searching for suspicious requests from within. But then if these requests are blocked then we are back where we started.

So if an employee dedicated to mapping the network from within were to try to do so then what are some ideas on how they would do it and how to prevent them from doing it either at all or in the future.

I assure you that this is not for execution but for adding to my ability to secure corp. networks. I am not currently a corp. network administrator, I only set up small bus. networks for now. If it is a simple fix then please tell me, I tend to miss the dumbest thing.

I have seen techniques used while connected to a wireless network which had echo requests disabled but corp. networks tend to be more heavily secured and monitored.
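Added example, not part of the original post: a sketch of the "box passively monitoring all requests" idea, flagging any source that contacts many distinct internal addresses in a short window. It counts connection records rather than echo requests, so it still works with ICMP disabled. The record format (`epoch_seconds src dst dport`), the window and the threshold are assumptions, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict, deque

# Constructed sample flow records: "epoch_seconds src dst dport"
SAMPLE_FLOWS = """\
1000 10.1.4.23 10.1.4.1 53
1001 10.1.4.57 10.1.9.10 445
1002 10.1.4.57 10.1.9.11 445
1003 10.1.4.57 10.1.9.12 445
1004 10.1.4.23 10.1.2.5 25
1005 10.1.4.57 10.1.9.13 445
1006 10.1.4.57 10.1.9.14 445
1090 10.1.4.23 10.1.2.6 80
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        yield (int(ts), ipaddress.ip_address(src),
               ipaddress.ip_address(dst), int(dport))

def find_sweepers(flows, window=60, threshold=5):
    """Map each source to the most distinct internal destinations it
    touched within `window` seconds, if that count reached `threshold`."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    flagged = {}
    for ts, src, dst, _dport in sorted(flows, key=lambda f: f[0]):
        if not dst.is_private:
            continue  # only internal-to-internal fan-out is of interest here
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] < ts - window:
            q.popleft()  # drop records that fell out of the sliding window
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            key = str(src)
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged

if __name__ == "__main__":
    for src, count in find_sweepers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} contacted {count} internal hosts within 60s")
```
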

Posted

The question is: "How can someone get a (vague) picture of a net from monitoring packets?"

Well, you can't really. You can make assumptions based on what you know. For example, if there are computers with different subnets/netmasks in the same room yet they both have access to the same services, then it's safe to say that they are routed together somehow. This doesn't necessarily mean they are physically on another switch, they may be on separate VLANs.

And I can't go on because I must leave now...

Posted

That makes sense. I was thinking if someone was within the network already then he would probably have access to at least a couple of computers. If this is the case then learning the local IP address of those computers and their default gateways would at least be a start to uncovering more useful IPs. Securing against this would probably have some easy fixes.

Posted

If only it were that easy, a lot of software needs admin permissions to run. Most of our users have admin permissions. ipconfig (nix=ip addr) and nslookup output all the local info (same as the tcp/ip settings). Other tools like nmap will give you a good idea of network layout. I also have a tool called simply advanced IP scanner v1.5 by radmin. This will map any subnet you choose, this gives you a list of IPs and computer names (I even tried it on my ISP and got a list of all computers attached to my ISP's DNS).

Not to mention the physical security, half the office knows our mail server IP simply because they've watched me set up their mail accounts. One IP will give you a subnet to be working on.

On the subject of mail, don't forget mail headers contain the internal originator IP as well as the external IP of the mail server…. my god sparda is right this could go on forever.
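Added example, not part of the original post: a check an admin could run over a copy of an outbound message to see which RFC 1918 addresses its headers expose, which is the mail-header leak mentioned above. The list of audited headers is an assumption, and the sample message (hostnames, addresses) is constructed.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message; hostnames and addresses are made up.
SAMPLE = """\
Received: from mail.example.com (mail.example.com [203.0.113.25])
\tby mx.example.net with ESMTP; Mon, 01 Jan 2024 10:00:02 +0000
Received: from WS-042 (unknown [192.168.10.57])
\tby mail.example.com with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
X-Originating-IP: [10.20.30.40]
From: alice@example.com
To: bob@example.net
Subject: test

body
"""

# RFC 1918 ranges are listed explicitly: ipaddress.is_private would also
# match documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
AUDITED = ("received", "x-originating-ip")  # assumption: extend as needed

def leaked_internal_ips(raw_message):
    """Return (header, ip) pairs for RFC 1918 addresses in audited headers."""
    msg = message_from_string(raw_message)
    hits = []
    for name, value in msg.items():
        if name.lower() not in AUDITED:
            continue
        for cand in IPV4.findall(value):
            try:
                ip = ipaddress.ip_address(cand)
            except ValueError:
                continue  # e.g. 999.1.1.1 looks like an IP but is not one
            if any(ip in net for net in RFC1918):
                hits.append((name, str(ip)))
    return hits

if __name__ == "__main__":
    for header, ip in leaked_internal_ips(SAMPLE):
        print(f"{header}: exposes internal address {ip}")
```

Headers that show up here are candidates for stripping or rewriting at the outbound mail gateway.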

Posted

Once you're inside the network, I'd expect you to start with setting up a passive sniffer that would allow you to keep track of where how much of what kind of traffic is going. That should quickly show where the interesting (well, to that network at least) machines are. For sniffing to work, the network adapter needs to be in promiscuous mode. There are programs that claim to be able to remotely detect network adapters that are in this mode, though their use is being questioned looking at the tone of this Wikipedia article:

http://en.wikipedia.org/wiki/Promiscuous_mode

You could use a trusted copy of ifconfig, but if your box is rooted (which it has to be for the attacker to be able to run a sniffer) you can't really trust its output even if you know the binary is sane.
