Re: Identifying Machines

From: Jose Nazario (joseat_private)
Date: Tue Jun 19 2001 - 14:38:25 PDT

    On Tue, 19 Jun 2001, Rick Who Else? wrote:
    
    > Let me clarify somewhat. Let's imagine a scenario, of being on a
    > separate network from your target network. So sniffing traffic and MAC
    > addresses don't apply. And you wish to see how many machines are on a
    > certain subnet. So you wish to scan the entire range of a class C,
    > let's say. ICMP is filtered out.  And some of the machines may have no
    > ports open. What I mean by that, as someone asked, would be no
    > services running on any port. Therefore there are no banners.
    
    [active measures]
    
    outbound ICMP is closed? that means no 'ICMP_PORT_UNREACHABLE' messages,
    and also no host unreachable messages either via ICMP.
    
    that's not a problem, for detection or identification.
    
    you will still have access to TCP bidirectional traffic, which is what you
    can use. provided the firewall ISN'T pretending to be the target traffic,
    TCP RSTs (in response to SYNs sent to closed ports on living machines)
    will let you know who is there. no response means no host (if the router
    isn't letting you know the host doesn't exist).
    
    if broadcasts are not filtered, you can glean subnet masks and layouts via
    walking up the CIDR blocks, i.e. TCP packets to various broadcasts for
    networks like /27, /26 etc ...
    
    based on TTL and option rewrite/respect behavior, you may be able to get a
    sense of the OSs.
    
    [passive measures]
    
    as long as traffic comes through your network it's fair game. you can
    passively fingerprint a machine several networks away, that's not a
    problem. between some routing (or switching) games you can redirect
    traffic your way. you can get slashdotted, i.e. forge an email that will
    entice a LOT of people to visit your site (i.e. 'the boss naked and bound at
    this URL!') and analyze the resulting traffic (and application behavior).
    
    the closer you can get to their network, obviously (i.e. right outside their
    gateway(s)), the more traffic you can observe and the more hosts you can
    identify passively.
    
    hope this helps.
    
    ____________________________
    jose nazario                                         joseat_private
                      PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                      PGP key ID 0xFD37F4E5 (pgp.mit.edu)
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:47:26 PDT