Mapping a Network

Started by benthehutt, September 07, 2005, 05:33:23 PM

Say I wanted to map the current school network I'm on, but (obviously) I don't want to attract attention.  This network has no subnets.  From my current understanding of how TCP/IP protocols work, if I send out a bunch of packets to check out responses, the packets would include my IP address.  (Correct me if I'm wrong)  What if, instead of putting my address in the packet header, I put a broadcast address?  That way the info would go everywhere and I would just pick up the pieces.  And when admins go looking through logs, they couldn't find me.  (I assume this has already been done, so tell me if you know of any similar ideas that have been implemented)
Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.

Actually, yeah, similar things have been done. It basically is spoofing... but that is a blind attack (thankfully in most cases, unfortunate in others).

Ever hear of the Smurf attack? Very nasty, but the idea is to abuse the broadcast address in such a way that an entire network can flood the victim's address.

Basically, if I remember right (been a long while since I've looked at the code):

A raw socket is opened to allow for manually adding the header (so that it can be spoofed). That step is important (without a raw socket, the spoofing isn't really going to happen).

With this, a flood of ICMP echo requests (Pings) are sent to a bunch of broadcasts (which it reads from a file), but the return (source) address is spoofed to be the victim.

Now what happens is that when the broadcasts get this packet and the networks are not configured properly, _every_ node related to that bcast, will ping the victim ... thus generating loads of traffic on the victim.

So, to answer your question a bit more:

I'm not sure if what you're saying is going to work... do you want to spoof yourself? The thing is, if you do that, how will you receive the information? If you spoof it, then you won't receive... or were you thinking something else?

That being said, there are probably other ways to figure out the layout of the network. Maybe check which services they have open? What kind of network is it? And what OS do the machines run? Those kinds of questions will help you.

As for logs... I'm not sure that everyone really logs pings (especially if not flooded) but it certainly is possible... But if you just do one ping or so, then it probably isn't even going to be noticed. Also, if ICMP echo requests are filtered, this won't work at all (in which case you'd have to go to another method -- such as other services).

Hope that helps some, and I'll be willing to help more with more info. Just have some things I have to do for a few, so you'll have to forgive the quality of this message...



"My Terminal is my Soul"
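The Smurf mechanics Metgod describes above (echo requests aimed at a broadcast address, every host on that segment replying to the spoofed source) leave a recognisable signature in sniffer or flow output. The following is an added example, not code from this thread or from any tool named in it, showing how a network admin would flag both halves of that signature in a batch of flow records: echo requests destined for the local broadcast address, and any single host receiving a burst of echo replies. The record format, the network range and the sample records are constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample of flow records as a sniffer might summarise them:
# (src_ip, dst_ip, protocol, icmp_type). Not real captured traffic.
SAMPLE_RECORDS = [
    ("10.0.5.7", "10.0.255.255", "icmp", "echo-request"),  # ping to the broadcast
    ("10.0.5.7", "10.0.255.255", "icmp", "echo-request"),
    ("10.0.1.20", "10.0.5.7", "icmp", "echo-reply"),       # reflectors answering
    ("10.0.1.21", "10.0.5.7", "icmp", "echo-reply"),
    ("10.0.1.22", "10.0.5.7", "icmp", "echo-reply"),
    ("10.0.2.3", "10.0.2.9", "tcp", None),                 # unrelated traffic
    ("10.0.3.4", "10.0.3.5", "icmp", "echo-request"),      # ordinary ping
    ("10.0.3.5", "10.0.3.4", "icmp", "echo-reply"),
]

# Assumed local range; the thread says the school network has no subnets,
# so one broadcast address covers the whole segment.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/16")


def is_broadcast(addr, network):
    """True for the network's directed broadcast or the limited broadcast."""
    a = ipaddress.ip_address(addr)
    return a == network.broadcast_address or a == ipaddress.ip_address("255.255.255.255")


def find_smurf_indicators(records, network, reply_threshold=3):
    """Scan flow records for the two halves of a Smurf pattern.

    Returns a dict with:
      broadcast_pings - (src, dst) pairs of echo requests sent to a broadcast address
      victims         - {dst: reply_count} for hosts getting >= reply_threshold echo replies
      corroborated    - victims that also appear as the (spoofed) source of a broadcast ping
    """
    broadcast_pings = []
    reply_counts = Counter()
    for src, dst, proto, icmp_type in records:
        if proto != "icmp":
            continue
        if icmp_type == "echo-request" and is_broadcast(dst, network):
            broadcast_pings.append((src, dst))
        elif icmp_type == "echo-reply":
            reply_counts[dst] += 1
    victims = {dst: n for dst, n in reply_counts.items() if n >= reply_threshold}
    # In a Smurf flood the "source" of the broadcast ping is the victim, so a host
    # that is both pinging the broadcast and drowning in replies is a strong match.
    corroborated = sorted({src for src, _ in broadcast_pings if src in victims})
    return {"broadcast_pings": broadcast_pings, "victims": victims, "corroborated": corroborated}


if __name__ == "__main__":
    report = find_smurf_indicators(SAMPLE_RECORDS, LOCAL_NET)
    for src, dst in report["broadcast_pings"]:
        print(f"echo-request to broadcast: {src} -> {dst}")
    for host, n in report["victims"].items():
        print(f"{host} received {n} echo replies")
    print("corroborated Smurf targets:", report["corroborated"])
```

The threshold is deliberately low so the constructed sample trips it; on a real segment it would be tuned to the normal ping volume. The lasting fix on the network side is the one Metgod hints at with "not configured properly": routers that do not forward directed broadcasts, and hosts that ignore echo requests sent to a broadcast address, give the reflection nothing to amplify.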

That helps a lot, thanks Metty.  I was thinking more basically than that (maybe that's where I'm going wrong) but I think you took care of my question--and then some.  What I'll probably end up doing is asking my boss if I can map the network (since I'm on the ITS staff).  I just got hired this week and they don't even have a basic map of the network!  It's crazy!  I mean, the guys all know it, but when one of them leaves...

Anyway, it wasn't a big deal, just an idea that popped into my head.
Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.

Glad to be of help.

It's funny... I was thinking you might have more luck with just asking them. And since they don't have a map and you're on the staff, even better.

Grats on the job btw... What sorts of things will you be doing (specifically)?
"My Terminal is my Soul"

benthehutt:

There are some cool tools to help map out a network. Things like hping2 can do some of the things you were asking about. Tools like languard are a bit abusive on the network, but make life easy for you if you take it slow (mapping it out in bits and pieces will not cause any flags to jump up). Also, things like ethereal or ettercap in passive mode will give you plenty of data to sift through without being detected. Or, what I think is a good idea...create your own tools using C, perl, python, and/or shell scripts. Good luck...


Wilnix
alt email address: wilnix@hackphreak.org

Thanks wilnix, I was just bouncing a theory off you guys (since you know this stuff real well).

Anyway, Metgod, in ITS I'm really just doing about everything.  We run primarily Windows servers, so they were happy I am primarily a Windows guy.  They were also excited I've got a decent knowledge of Apple stuff too.  Anyway, right now I'm basically going on service calls for physical aspects of the network (fixing data ports, cabling) which is cool cause I don't know a lot about that kinda stuff so they're helping me out.

But I also do some scripting, general programming, and am actually about to start a project in perl (which I hope will be pretty easy to pick up).  We also might be changing everything over to IP-based stuff, (Running phones, power, cable tv over cat6, etc) cause our cable provider's being a jerk-hole.

So really I just do whatever needs done right now.  It's a testing period where they just want me to stick to the general, not specific aspects of network administration.
Build a man a fire, and he'll be warm for a day. Set a man on fire, and he'll be warm for the rest of his life.

Nice. I never could do physical things such as making cables and such. Not coordinated enough (maybe some other things, but that's about all I can think of right now).

And good points Will made. I should have thought of sniffers/etc. Those are really interesting and you can learn quite a lot from them.

Another thought is to learn to code sockets (in C for example). You can learn a lot from just that.

Another interesting tool is called 'p0f'.

Now that I think of it, there are a lot of ways from the software end to learn about networking.


Anyway, good luck!
"My Terminal is my Soul"
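Wilnix's suggestion of a passive sniffer and Metgod's mention of p0f point at the same idea: an ITS staffer who is allowed to plug into the segment can build a host map from traffic that is already flowing, without sending a single probe. The following is an added example, not code from this thread or from ethereal, ettercap or p0f, that turns a batch of sniffed frame summaries into an inventory: one entry per IP with the MAC(s) seen for it, a rough OS hint from the IP TTL (the p0f-style rule of thumb that most stacks start at 64, 128 or 255), the router hop count that TTL implies, and a flag for IPs claimed by more than one MAC, which is worth a look on any network. The frame summary format and the sample frames are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of frames a passive sniffer on the segment might record.
# Each tuple: (kind, src_mac, src_ip, ip_ttl); ttl is None for ARP frames.
SAMPLE_FRAMES = [
    ("arp", "00:11:22:33:44:01", "10.0.1.20", None),
    ("ip",  "00:11:22:33:44:01", "10.0.1.20", 64),
    ("ip",  "00:11:22:33:44:02", "10.0.1.21", 128),
    ("ip",  "00:11:22:33:44:02", "10.0.1.21", 128),
    ("ip",  "00:11:22:33:44:fe", "10.0.0.1", 255),
    ("ip",  "00:11:22:33:44:03", "10.0.1.22", 126),   # arrived via two routers
    ("ip",  "00:11:22:33:44:01", "10.0.1.20", 64),
    ("arp", "00:11:22:33:44:99", "10.0.1.21", None),  # second MAC claiming .21
]

# Common initial TTL values and the stack families that usually use them.
# This is a heuristic, not an identification; treat the hint as a starting point.
INITIAL_TTLS = (64, 128, 255)
TTL_HINTS = {
    64: "unix-like (Linux/BSD/macOS)",
    128: "Windows",
    255: "network device or Solaris-style stack",
}


def guess_initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if ttl <= candidate:
            return candidate
    return None


def build_inventory(frames):
    """Aggregate sniffed frames into {ip: summary} with no active probing."""
    seen = defaultdict(lambda: {"macs": set(), "ttls": set(), "frames": 0})
    for kind, mac, ip, ttl in frames:
        entry = seen[ip]
        entry["macs"].add(mac)
        entry["frames"] += 1
        if kind == "ip" and ttl is not None:
            entry["ttls"].add(ttl)

    inventory = {}
    for ip, entry in seen.items():
        os_hint, hops = "unknown", None
        if entry["ttls"]:
            # Use the largest TTL seen: it is the closest to the sender's initial value.
            best = max(entry["ttls"])
            initial = guess_initial_ttl(best)
            if initial is not None:
                os_hint = TTL_HINTS[initial]
                hops = initial - best  # 0 means the host is on this segment
        inventory[ip] = {
            "macs": sorted(entry["macs"]),
            "frames": entry["frames"],
            "os_hint": os_hint,
            "hops": hops,
            # Two MACs for one IP: a reassigned address, a dual-homed box, or ARP games.
            "mac_conflict": len(entry["macs"]) > 1,
        }
    return inventory


if __name__ == "__main__":
    for ip, info in sorted(build_inventory(SAMPLE_FRAMES).items()):
        flag = " !! mac conflict" if info["mac_conflict"] else ""
        print(f"{ip:12} macs={info['macs']} hops={info['hops']} os={info['os_hint']}{flag}")
```

Because the frames are only observed, nothing here shows up in anyone's logs, which is the point Wilnix makes about passive tools. The hop count is the part to read carefully: a host whose best TTL is below its initial value sits behind a router, and the MAC recorded for it is then the router's interface, not the host's.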
