
The scenario is that you get to plug your laptop into an Ethernet port in some building. You get an IP address (DHCP) and can access the internet.

Right out of the gate you know your IP, gateway, and subnet mask, and you can do an ARP scan to identify hosts on the immediate subnet. What about other internal subnets that you may have access to now that you didn't from the internet?

I am looking for what kinds of tools or technologies you could use to identify these networks.

Some ideas:

  • passively listen for any broadcast traffic that happens to go to a different subnet (this seems unlikely on a switched network).

  • check the publicly known ARIN blocks to see if any are reachable internally that were firewalled from an external perspective.

  • zone transfer may be allowed internally that could identify other servers on other internal subnets.

What did I miss? Of the above strategies, what works best in your experience?

Gray

  • A simple `tracert / traceroute` can come in handy sometimes – cutrightjm Sep 09 '16 at 19:15
  • Yup - traceroute to an external site can give you interesting info about network topology. If the IP address you get is an IANA internal one (https://www.arin.net/knowledge/address_filters.html) you can traceroute to each one in the range. nmap is also a handy tool - you can use it to scan each host in the same ranges. Doing any of this on a network you don't control can get you in an insane amount of trouble, mind you. – crovers Sep 09 '16 at 19:57
  • Yeah, I understand that. I am a pentester looking for how other people deal with this situation. Fair enough to make the disclaimer though. Also, traceroute makes sense as a suggestion, I could see that working in some cases for sure. – Gray Sep 09 '16 at 19:58
  • @dandavis I dunno, dude. I was looking for other suggestions. Obviously, I shared what I did know. Do you have something to add? I have more of a development background, so I know more about web apps than networking... just looking to learn more. – Gray Sep 09 '16 at 20:03
  • https://github.com/robertdavidgraham/masscan is pretty good when you just arrive – dandavis Sep 09 '16 at 20:06
  • So... I have used masscan before, and it works ok from an external perspective scanning known IP ranges... I am saying I don't know the IP ranges. I only know my current subnet, and I am trying to find adjacent internal networks. If I had an IP range to scan, I wouldn't need to ask this question. Am I missing something here? – Gray Sep 09 '16 at 20:12
  • Scan your subnet and adjacent ones for MS08-067. You're likely to find at least one vulnerable. Exploit it, grab the admin hashes, then try against other systems. Often the admin hashes get you into most boxes. Each box you pop, check who's logged in. Soon enough you'll find a domain admin and you can steal their creds from memory. – paj28 Sep 09 '16 at 20:58
  • I think it's me that's missing something; considering masscan can do the whole internet in seconds, I can't see why you can't scan everything in the same pool as yourself, or even a subnet or two up... – dandavis Sep 09 '16 at 20:59
  • @paj28 this is neither relevant nor accurate, but... Thanks anyway. It's 2016, and that vulnerability is not nearly as common as vulnerable VMs may have led you to believe. – Gray Sep 09 '16 at 21:08
  • @dandavis subnets don't go "up"... I don't get what you mean with that. I may be in 192.168.1.x, but there's also 10.111.x.x that I could reach, or even 155.154.x.x that is only accessible from the internal network due to a firewall/routing configuration. Considering you tried to slam me earlier for even asking about this topic, I'm not really interested in explaining what's wrong with your reasoning here. – Gray Sep 09 '16 at 21:13
  • @Gray - Given your scenario of getting on an Ethernet port, hostile reconnaissance seems relevant. Maybe it's not, whatever, I was trying to help you out. No point saying thanks then proceeding to talk down to me like some kind of cluebait. Learn some manners – paj28 Sep 09 '16 at 21:15
  • @paj28 sorry. I didn't mean for it to come off that way. I'm on my phone, so I was more curt than I intended. Again, I do apologize. – Gray Sep 09 '16 at 21:18
  • @Gray - no worries – paj28 Sep 09 '16 at 21:22
  • I believe some subtleties of your request are/were not fully apparent... – dandavis Sep 09 '16 at 21:23

2 Answers

Those are pretty solid ideas. However, I think you're overthinking this. I'd start with something like nmap, Angry IP, or some other network scanner against internal (non-routable) address blocks. Zone transfer or scripting rDNS is also worth a shot. You can get a lot of info out of DNS.

Jesse K

  • So scanning 10.0.0.0/8 would take quite a while and be incredibly noisy, I'd think. I am generally doing blackbox testing, where IR is not supposed to know we are there. Might be able to get away with scanning the other ranges, at least parts of them. Thanks for your answer - good to know I am not missing something obvious. – Gray Sep 09 '16 at 20:21
  • You are entirely accurate, but that wasn't part of the question. There are also settings to throttle the scope of such scans to reduce noise and improve speed, but that may still not meet your needs. Zone transfer shouldn't be allowed in a well secured DNS configuration, but unless you hit a flooding protection limit, you can run a lot of queries. – Jesse K Sep 09 '16 at 20:25
  • Yeah, you are right - stealth was not really part of the question. Definitely still good info for people in different situations, but it is worth mentioning the drawbacks too. Good point about overdoing the DNS queries. There's definitely a lot you can get from DNS that are tricky to automate too, like similarly named workstations/servers that may exist on other subnets. – Gray Sep 09 '16 at 20:31

Sniffing can be very fruitful.

Some other ideas:

  • Nmap sweep scan. Often a simple ICMP ping works on an internal network. Otherwise, use common ports like 139 and 22.
  • Identify patterns in host names - if you're on wks-1234, try wks-1235
  • Brute force DNS for common names
  • Scan adjacent subnets. If you're on 192.168.3.xx then try 192.168.4.xx
  • Find the domain controllers (may just be your DNS servers). Think you can extract a list of computer accounts, but not done this recently
  • There are some service location protocols (some based on DNS)

More hostile:

  • Sniffing on a switched network with ARP spoofing
  • Compromise hosts and escalate around the network (as my comment mentioned).

paj28
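A defender-side counterpart to the sweeps both answers describe (nmap ping sweeps, probing adjacent subnets, common ports like 139 and 22): an added example, not any poster's code, that reads flow records and flags a source whose probe traffic reaches many distinct hosts or several different /24 networks inside a short window. The one-flow-per-line log format and the sample records are constructed assumptions, not a real product's output.

```python
"""Flag host-discovery sweeps that cross subnet boundaries in flow logs.

Added example for this thread (not any poster's code). Assumed log
format, one flow per line: "<epoch> <src_ip> <dst_ip> <proto> <dport>",
where proto is icmp or tcp and dport is '-' for icmp.
"""
from collections import defaultdict
from ipaddress import ip_interface

PROBE_PORTS = {139, 22}  # discovery ports mentioned in the thread

# Constructed sample: 192.168.3.50 probes its own /24, the adjacent
# 192.168.4.0/24 and a 10.111.0.0/24 range within 12 seconds, while
# 192.168.3.60 is an ordinary client talking to a single server.
_PROBES = ([("192.168.3.%d" % h, "icmp", "-") for h in range(1, 7)]
           + [("192.168.4.%d" % h, "tcp", "139") for h in range(1, 5)]
           + [("10.111.0.%d" % h, "tcp", "22") for h in range(1, 3)])
SAMPLE_LOG = "\n".join("%d 192.168.3.50 %s %s %s" % (1473448800 + i, *p)
                       for i, p in enumerate(_PROBES))
SAMPLE_LOG += "\n1473448900 192.168.3.60 192.168.3.10 tcp 443" * 2

def parse_flows(text):
    """Return (ts, src, dst, proto, dport) tuples; dport is None for icmp."""
    out = []
    for line in text.splitlines():
        ts, src, dst, proto, port = line.split()
        out.append((int(ts), src, dst, proto, None if port == "-" else int(port)))
    return out

def is_probe(proto, dport):
    """ICMP echo or TCP to a discovery port counts as a host-discovery probe."""
    return proto == "icmp" or dport in PROBE_PORTS

def detect_sweeps(flows, window=60, min_hosts=8, min_subnets=2):
    """Per source, slide a `window`-second window over its probe flows and
    record the peak number of distinct destination hosts and /24 networks.
    Sources reaching min_hosts or min_subnets are returned with those peaks."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        if is_probe(proto, dport):
            per_src[src].append((ts, dst))
    alerts = {}
    for src, probes in per_src.items():
        probes.sort()
        best_hosts = best_nets = 0
        for i, (t0, _) in enumerate(probes):
            in_win = [d for t, d in probes[i:] if t - t0 <= window]
            nets = {str(ip_interface(d + "/24").network) for d in in_win}
            best_hosts = max(best_hosts, len(set(in_win)))
            best_nets = max(best_nets, len(nets))
        if best_hosts >= min_hosts or best_nets >= min_subnets:
            alerts[src] = {"hosts": best_hosts, "subnets": best_nets}
    return alerts
```

The subnet-count threshold is what separates a cross-subnet sweep from a busy but legitimate client on its own /24; tune `window` and the thresholds to the site's normal traffic before alerting on them.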