RE: Discovering hosts behind NAT

From: Dawes, Rogan (ZA - Johannesburg) (rdawesat_private)
Date: Wed May 23 2001 - 22:46:40 PDT


That's a good suggestion.

If you can get writable SNMP access (try ADMsnmp as a nice bruteforcer), you may also be able to get it to upload its config to you. Michal Zalewski (IIRC) made a script that would set the appropriate SNMP variables, start a TFTP server, and receive a config file. Having done that, you can modify it to suit (remove ACLs, etc.) and upload it again.

Rogan

-----Original Message-----
From: Javier Fernandez-Sanguino Peña [mailto:jfernandezat_private]
Sent: 23 May 2001 09:29
To: Franklin DeMatto
Cc: pen-testat_private
Subject: Re: Discovering hosts behind NAT

> There are two known network devices: a cisco, which seems totally silent, and a wellfleet router.

Have you tried SNMP access? First try to check if the SNMP ports (udp) are open (nmap -sU) and then do a dictionary attack against the router. A common misconfiguration is to have SNMP open to the outside world and with well-known communities.

If so, you could probably get the information the router holds in its internal tables and (maybe) configure it to allow you access to the "hidden" network.

Javi
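The misconfiguration Javi describes (SNMP reachable from anywhere, well-known community strings, and a writable community that lets the config be pulled and rewritten) is easy to audit from the router's own config. The following Python script is an added example, not from the thread or its authors: it parses Cisco IOS-style `snmp-server community <string> [view <v>] [RO|RW] [acl]` lines and flags each community that is well-known, writable, or unrestricted by an access-list. The sample config and community names are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed Cisco IOS-style config fragment (illustrative, not a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr
access-list 10 permit host 192.0.2.10
snmp-server community public RO
snmp-server community private RW
snmp-server community m0n-only RO 10
snmp-server community n0c-rw RW 20
"""

# Default strings every SNMP wordlist starts with; extend with site-specific history.
WELL_KNOWN = {"public", "private"}

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: (\S+))?$")
ACL_RE = re.compile(
    r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")


@dataclass
class Finding:
    community: str
    access: str
    acl: Optional[str]
    issues: List[str] = field(default_factory=list)


def audit_snmp(config: str) -> List[Finding]:
    """Return one Finding per snmp-server community line, with its issues."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Collect ACLs actually defined, so dangling references can be spotted.
    defined_acls = set()
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            defined_acls.add(next(g for g in m.groups() if g))
    findings = []
    for ln in lines:
        m = COMMUNITY_RE.match(ln)
        if not m:
            continue
        name, access, acl = m.group(1), m.group(2) or "RO", m.group(3)  # IOS defaults to RO
        f = Finding(name, access, acl)
        if name.lower() in WELL_KNOWN:
            f.issues.append("well-known community string")
        if access == "RW":
            f.issues.append("write access: config can be changed via SNMP")
        if acl is None:
            f.issues.append("no access-list: reachable from any source address")
        elif acl not in defined_acls:
            f.issues.append(f"access-list {acl} referenced but not defined here")
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_snmp(SAMPLE_CONFIG):
        status = "OK" if not f.issues else "; ".join(f.issues)
        print(f"{f.community:10} {f.access} acl={f.acl or '-':4} {status}")
```

A community that passes is one with a non-default string, read-only access, and a defined access-list limiting it to the management hosts.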



This archive was generated by hypermail 2b30 : Thu May 24 2001 - 07:22:22 PDT