IIS is famous for revealing internal IP addresses. Here is a perl snippet I have used to get information about the internal IP address from IIS 4.0 and 5.0 HTTPS servers using the sslcat CPAN tool:

#!/usr/bin/perl
# referrer-addr.pl
# Joshua.Wrightat_private
use strict;
use Net::SSLeay qw(sslcat);

my $server;
my @results;
my $reply;
my $i = 0;                  # loop counter, initialized explicitly
my $port = "443";
my $CRLF = "\x0d\x0a";

unless (@ARGV == 1) {
    print "$0 - Discover internal IP of IIS Server with malformed\n";
    print " GET request.\n";
    print "Usage: $0 host\n";
    exit 1;
}

($server) = @ARGV;

# HTTP/1.0 request sent over SSL without a Host header
$reply = sslcat($server, $port, "GET / HTTP/1.0$CRLF$CRLF");
@results = split($CRLF, $reply);

# Print the first eight lines of the reply, or fewer if it is shorter
while ($i < 8 && $i < @results) {
    print "$results[$i]\n";
    $i++;
}
print "<snip>\n\n";
exit(0);

Umm, I am seeing silly things I did in this code already. Live and learn; use at your own risk.

-Joshua Wright
Team Leader, Networks and Systems
Johnson & Wales University
Joshua.Wrightat_private

pgpkey: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xD44B4A73
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

-----Original Message-----
From: Gamble [mailto:a629wat_private]
Sent: Monday, January 21, 2002 6:04 PM
To: R P G
Cc: pen-testat_private
Subject: Re: testing for IP address space leakage in NAT systems

On Mon, 21 Jan 2002, R P G wrote:

> I was wondering if anyone knows of a method to test a NAT system for
> address space leakage.
>
> Thanks.
>
> --Bob
>

The easiest way to do this is to try a zone transfer (host -l abc.com). If the DNS servers are not set up correctly, you have a good shot at having a list of the internal machines. Also, sometimes if you traceroute to a machine, you will get the internal IP of the gateway, which might be of use. SNMP might also be good to you and give you a few internal IPs, but there is a very good chance that the firewall will block SNMP, but you might get lucky.

I haven't heard of any specific tools to test for leaks, and from what I have seen in the past, the best method is to query the various network servers which are known to give away network information.

--
Jamie

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Tue Jan 22 2002 - 15:14:23 PST