Try Firewalk, from PacketFactory http://packetfactory.net

It allows you to do a TCP equivalent of traceroute, whereby you increment the TTL of the SYN until you reach the destination. I doubt you could map much more than the route between you and the web server(s), though, and for some reason I cannot remember, it fails when NAT takes place at the other end.

----- Original Message -----
From: "Jason binger" <cisspstudyat_private>
To: <PEN-TESTat_private>
Sent: Thursday, April 05, 2001 8:33 AM
Subject: [PEN-TEST] mapping hosts behind a router with stringent ACL's

> I have a client that has a web farm only protected by
> a router with stringent ACL's permitting TCP 80 and
> 443. No ICMP is permitted.
>
> Some hosts are not contactable from the Internet as
> there are ACL's blocking access to these hosts. Access
> to these hosts is permitted from internal networks.
>
> I am wondering if it is possible to map these hosts
> that have restrictive ACLs and determine their
> whereabouts within the client supplied IP block?
>
> I have tried techniques such as firing ACK packets
> hoping to elicit a RST, to no avail.
>
> I have tried techniques such as using nmap with source
> ports of 21 and 53 and 80.. still with no results.
>
> Can anyone help me here?
>
> I also would like to determine the IP address of the
> outside interface of the router. (ICMP is being
> dropped).
>
> Any help appreciated.
>
> Jason
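
Seen from the defending side, the TTL stepping described in the reply shows up at the network edge as SYNs from one source to one destination port arriving with successive, very low remaining TTLs. The following is an added example (not part of the original posts and not Firewalk's code) that flags that pattern; the record layout, the thresholds and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

LOW_TTL = 8   # assumption: ordinary clients arrive with far more TTL remaining
MIN_RUN = 3   # assumption: consecutive TTL steps required before flagging

# Constructed sample records as seen by an edge sensor:
# (src, dst, dport, tcp_flags, remaining_ttl)
SAMPLE = [
    ("198.51.100.7", "192.0.2.10", 80, "S", 1),
    ("198.51.100.7", "192.0.2.10", 80, "S", 2),
    ("203.0.113.20", "192.0.2.10", 80, "S", 52),   # ordinary client
    ("198.51.100.7", "192.0.2.10", 80, "S", 3),
    ("198.51.100.7", "192.0.2.10", 80, "S", 4),
    ("203.0.113.99", "192.0.2.11", 443, "S", 2),   # low TTLs, but no steady climb
    ("203.0.113.99", "192.0.2.11", 443, "S", 6),
    ("203.0.113.45", "192.0.2.10", 443, "A", 1),   # not SYNs, ignored here
    ("203.0.113.45", "192.0.2.10", 443, "A", 2),
    ("203.0.113.45", "192.0.2.10", 443, "A", 3),
]


def longest_run(values):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for v in values:
        if v - 1 not in values:          # v starts a run
            n = 1
            while v + n in values:
                n += 1
            best = max(best, n)
    return best


def find_ttl_walks(packets, low_ttl=LOW_TTL, min_run=MIN_RUN):
    """Return (src, dst, dport) flows whose SYNs step through low TTLs."""
    ttls = defaultdict(set)
    for src, dst, dport, flags, ttl in packets:
        if flags == "S" and ttl <= low_ttl:
            ttls[(src, dst, dport)].add(ttl)
    return sorted(k for k, seen in ttls.items() if longest_run(seen) >= min_run)


if __name__ == "__main__":
    for src, dst, dport in find_ttl_walks(SAMPLE):
        print(f"TTL-stepping SYNs from {src} toward {dst}:{dport}")
```

Probes whose TTL expires before the sensor never reach it, so the run a sensor observes starts at whatever TTL first gets that far.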
This archive was generated by hypermail 2b30 : Thu Apr 12 2001 - 23:09:00 PDT