masakari098

Sneaky server

6 posts in this topic

I'm trying to find information on a computer that is in my normal route to the internet. I can pass virtually any kind of traffic through this server. When I try to run tracert (either the ICMP version or the UDP version) I get the first 3 hops no problem, then my packets disappear. If I try to trace a route from outside this particular network, it will work for a while, then again, my packets disappear (presumably due to the same computer dropping the packets). Is there any other way to find a computer's IP along a route other than using tracert?


If you have an idea what's in between from working through IPs, you may be able to figure it out. The real question is whether the device is on the inside of the network you are working from, as it sounds. If it is, this could be some kind of packet shaper, which will allow almost all traffic through but may block some service protocols to it. Just a guess.


You mentioned that you can pass traffic THROUGH it.... meaning that you can still use it as a router, however you are unable to actually gain any information about the device, correct? If so, then assume it is a network appliance, and use clever NMAP scans, or Nessus, to attempt to determine the operating system or platform. If it is a network appliance there should be a port open on it somewhere for management. I haven't seen many network administrators who only use console access to their routers/firewalls.


I'd love to be able to do that, but I have no idea what the IP address of this computer is.

Let me drop the tracert so you can see what I mean.

From outside the network:

1 gw.freeshell.org (192.94.73.62) 0.626 ms 0.601 ms 0.405 ms
2 sl-gw28-fw-6-1-0-TS22.sprintlink.net (160.81.88.169) 4.357 ms 4.048 ms sl-gw28-fw-6-1-0-TS12.sprintlink.net (160.81.88.133) 7.122 ms
3 sl-bb21-fw-2-0.sprintlink.net (144.232.12.165) 4.230 ms 4.180 ms 4.215 ms
4 sprint-gw.dlstx.ip.att.net (192.205.32.69) 32.868 ms 37.988 ms 37.717 ms
5 12.122.81.194 (12.122.81.194) 33.453 ms 35.893 ms 36.509 ms
6 gbr2-p20.phmaz.ip.att.net (12.122.10.82) 63.953 ms 56.439 ms 55.816 ms
7 gar2-p370.phmaz.ip.att.net (12.123.142.49) 54.986 ms 54.954 ms 55.812 ms
8 12.125.99.38 (12.125.99.38) 77.338 ms 61.281 ms 61.712 ms
9 *

From inside the network:

Tracing route to google.com [216.239.57.99]
over a maximum of 30 hops:
1 1 ms <1 ms <1 ms ucchub-gw.net.nau.edu [134.114.32.1]
2 1 ms <1 ms <1 ms 10.3.7.25
3 1 ms 1 ms 20 ms 10.3.7.58
4 * *

(The above tracert is using the regular ICMP tracert that comes with Windows XP, but Nscan's UDP tracert gives the same results.)

When I check an internet website to read my IP address, it detects the IP of my computer, not the shady border computer.

Soo....I can't detect the computer with UDP or ICMP tracert, and the packets from my computer pass through it unmangled. It is OBVIOUSLY a Layer 3+ capable device because it detects/drops my UDP/ICMP packets, and it changes the TTL of the packet because it doesn't just move on to the next computer. Any ideas?

I suppose I COULD just ask my boss what this computer is, but that would be no fun :)

Edited by masakari098

The box shows up as a * because it drops all ICMP. You would have to discover it using some sort of network management protocol, such as SNMP, CDP, or by monitoring routing protocol updates. The most time consuming way to determine the address of this host would be to ping sweep the subnet, and see what DIDN'T reply. If addresses are assigned in a logical fashion you should be able to determine its IP address. If not, then I'd port scan everything in the subnet, giving nmap the parameter -P0 so it doesn't attempt to ping first. If the device has any open ports (and it most likely does) you should be able to find it. If not, query all devices on the network using SNMP (use common community strings like public, private), or monitor CDP if you think it's a Cisco device. Also you should keep an eye out for routing updates, however you may be required to join a multicast group for OSPF, and some implementations of RIP2.

Hope that helps,

Lumi
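The two posts above hinge on what a `*` in tracert actually means: a hop that decrements TTL but stays quiet produces one `*` line and later hops still show up, whereas a box that drops every probe makes the whole rest of the route vanish, which is the pattern in the inside trace. The following simulation is an added example, not code from the thread, reproducing how tracert builds its table from TTL expiry; the three known hop addresses and the destination come from the inside trace, while `<unknown-border-device>` is a placeholder for the unidentified box and 198.51.100.1 is a constructed address.

```python
from dataclasses import dataclass

@dataclass
class Hop:
    """A layer-3 device on the path. mode is one of:
    normal - decrements TTL and sends ICMP Time Exceeded when it hits 0
    quiet  - decrements TTL but never sends Time Exceeded (a lone * line)
    filter - drops every probe outright, so nothing beyond it is ever seen"""
    addr: str
    mode: str = "normal"

def forward(path, dest, ttl):
    """Send one probe with the given TTL; return the replying address or None."""
    for hop in path:
        if hop.mode == "filter":
            return None                 # probe dies here, no reply of any kind
        ttl -= 1                        # every router on the way decrements TTL
        if ttl == 0:
            return hop.addr if hop.mode == "normal" else None
    return dest                         # TTL survived the path: destination answers

def traceroute(path, dest, max_hops=30):
    """Probe TTL 1..max_hops the way tracert does; stop once dest answers."""
    rows = []
    for ttl in range(1, max_hops + 1):
        reply = forward(path, dest, ttl)
        rows.append((ttl, reply))
        if reply == dest:
            break
    return rows

def diagnose(rows):
    """Classify the pattern of * rows and name the last hop that answered before it."""
    gap = next((i for i, (_, a) in enumerate(rows) if a is None), None)
    if gap is None:
        return "no silent hops", rows[-1][1]
    last_seen = rows[gap - 1][1] if gap else None
    if any(a is not None for _, a in rows[gap:]):
        return "silent hop, route continues past it", last_seen
    return "all probes dropped, nothing beyond is reachable", last_seen

# Constructed path modelled on the "inside the network" tracert in the thread;
# the fourth device is the unidentified box, so its address is a placeholder.
KNOWN = [Hop("134.114.32.1"), Hop("10.3.7.25"), Hop("10.3.7.58")]
DEST = "216.239.57.99"
DROPS_EVERYTHING = KNOWN + [Hop("<unknown-border-device>", "filter")]
ONLY_QUIET = KNOWN + [Hop("<unknown-border-device>", "quiet"), Hop("198.51.100.1")]

if __name__ == "__main__":
    for name, path in (("drops everything", DROPS_EVERYTHING), ("only quiet", ONLY_QUIET)):
        rows = traceroute(path, DEST, max_hops=6)
        print(name, rows, diagnose(rows))
```

Whichever pattern you see, `diagnose` hands back the last hop that did answer, which is the one piece of information the trace gives you about where the silent device sits.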
