cruisefx

Proper Way to Query / Sniff / Broadcast to Unconventional Static Network

21 posts in this topic

This is a question that has been irking me for a while, and I never had enough time to explore for myself how to answer it.

Let's say there was a library network setup where the network was unconventional (i.e. it does not use the 255.255.255.0 subnet mask, and does not utilize DHCP [every device is established statically for security purposes]). And when I say unconventional, I mean beyond guessing status. Let's say the second half of 172.17.30.0/25. The universal broadcast ping address 255.255.255.255 is disabled in most cases, so no joy there. Is there a plugin, say, in Wireshark that could properly either sniff out or somehow TCP/ARP/other ping the other established machines on that particular network, independent of your own IP address and subnet mask? Or is there a way to otherwise find out about the correct network specifications? What would be the proper route of action here?

--

Edited by cruisefx

Hmm, there are probably better options for network/machine discovery, but you can always use Kismet to have Wireshark packet filter in monitor mode.


Hmm, there are probably better options for network/machine discovery, but you can always use Kismet to have Wireshark packet filter in monitor mode.

It is one thing if it is wireless we are talking about, but what about wired?

--


You should see it in wireshark. You'll see, "Who's at [gives mac address]" and the computer will respond "[ip address] is at [mac address]".


You should see it in wireshark. You'll see, "Who's at [gives mac address]" and the computer will respond "[ip address] is at [mac address]".

I believe that this applies only when you are on the same network with the same network settings as the hosts in question. Just setting your IP address to 192.168.0.2/24 and sniffing from there wouldn't cut it.

--

Edited by cruisefx

Well, if you're on a remote network you can use Nmap to perform some recon and then deduce info from there. Nmap has quite a few features for reconnaissance.

I believe there is an ICMP datagram that can return network information.

You would have to look it up, and then find a tool that can send it.

If you can break the network down into subnets (if the network is divided into subnetworks), then you can send data to the broadcast address of that particular subnet in hope of a response, depending on what you send to the broadcast address. This would have to happen locally though to view the responses from nodes.

Edited by schippystrich

This would have to happen locally though to view the responses from nodes.

That being the whole problem to begin with.

That ICMP datagram would be type 15.

However, it states that host and even router implementations of this are obsolete? *bah*

It seems as if all of the more direct ways to come across this information have been made defunct.

The whole ideology of switches complicates this matter even more. It would be ineffective to develop a device that can read all of the data off the wire because the switch would have to associate you with an address for you to see any incoming traffic.

Edited by cruisefx

This would have to happen locally though to view the responses from nodes.

That being the whole problem to begin with.

That ICMP datagram would be type 15.

However, it states that host and even router implementations of this are obsolete? *bah*

It seems as if all of the more direct ways to come across this information have been made defunct.

The whole ideology of switches complicates this matter even more. It would be ineffective to develop a device that can read all of the data off the wire because the switch would have to associate you with an address for you to see any incoming traffic.

Yep, on the other hand you could perform ARP Poison Routing to help circumvent this.


Yep, on the other hand you could perform ARP Poison Routing to help circumvent this.

Or something like that. But I think even then you need to declare an IP address for ARP poisoning to function. I'm talking about a device that would read data off the line in a raw fashion. Something like a vampire tap.


Try using the "Capture packets in promiscuous mode" feature in Wireshark.

You could also do a dns/netbios name lookup of a known entry in the domain/workgroup you are looking for.

Edited by jabzor

Try using the "Capture packets in promiscuous mode" feature in Wireshark.

You could also do a dns/netbios name lookup of a known entry in the domain/workgroup you are looking for.

Never mind, I got off topic. My mind slipped about promisc. mode. But, this is where I need to establish a lab. I am not willing to believe that such a network's specifications can be established from sniffing in promiscuous mode. I am really talking about being able to join the network, not just receiving packets from it.


Capturing packets in promiscuous mode when wired switches are in play will only grab broadcast and multicast traffic or traffic sent to you.

Edited by schippystrich

As far as I can tell, the destination address portion of an Ethernet frame does not contain any subnetting information. I am self-admittedly confused about where subnet information is retained and processed in the scope of hosts. Apparently, SNAP has nothing to do with this. And I am unclear as to whether there is any way to query subnet mask information from a host remotely. I have to do some more research on this matter, apparently.


Capture packets in promiscuous mode when wired switches are in play will only grab broadcast and multicast traffic or traffic sent to you.

Unless you are doing ARP poisoning at the same time. I'm not a big fan of ARP poisoning, especially the dsniff implementation. Plus, it is circumventable. I have a feeling that the network admins were one step ahead of this on all of the networks I've tried. Plus, it really saturates the connection from your end.

Edited by cruisefx

Capture packets in promiscuous mode when wired switches are in play will only grab broadcast and multicast traffic or traffic sent to you.

Unless you are doing ARP poisoning at the same time. I'm not a big fan of ARP poisoning, especially the dsniff implementation. It is circumventable. I have a feeling that the network admins were one step ahead of this on all of the networks I've tried. Plus, it really saturates the connection from your end.


You don't have to do ARP poisoning to a specific host; you can also just flood the switch CAM table, turning it into a hub.

You can also put a hub directly between the switch and the router and capture all non-local traffic, or set up a port-mirror/span/rspan on the switch and forward your sniffer all of the traffic. I do this a lot at work, the span/rspan.

Edited by jabzor

You don't have to do ARP poisoning to a specific host; you can also just flood the switch CAM table, turning it into a hub.

You can also put a hub directly between the switch and the router and capture all non-local traffic, or set up a port-mirror/span/rspan on the switch and forward your sniffer all of the traffic. I do this a lot at work, the span/rspan.

Yes, but we're taking this from a "hacking" perspective and assuming that the network hardware is not properly ours to control. And we're assuming that the command line of the switch is off-limits. Good point about cam table flooding, even though this, again, can be circumvented by good administration. Interesting points.

Edited by cruisefx

You don't have to do ARP poisoning to a specific host; you can also just flood the switch CAM table, turning it into a hub.

You can also put a hub directly between the switch and the router and capture all non-local traffic, or set up a port-mirror/span/rspan on the switch and forward your sniffer all of the traffic. I do this a lot at work, the span/rspan.

Good point about cam table flooding, even though this, again, can be circumvented by good administration. Interesting points.

That's the biggest problem (Or a good thing depending on your perspective.), most any vulnerability can be taken care of by proper administration and host configuration. Of course there's always going to be 0-day stuff. But that is usually restricted to black-hats that develop the tools to exploit the flaws.


Since that block of IPs is in a private block, I'd assume this network's internet connection had NAT set up, so scanning from the outside wouldn't necessarily work.

In the situation that this is a library, there are often computers for public use set up, so what I would try is to use one of these public computers (since it already communicates on the network properly) and try to get some info from it. Start at the local PC, find its IP and subnet mask, with which you can figure out whatever kind of custom subnetting is set up, which will let you predict what other IPs would be in the subnet, and maybe help you take a look at any nearby subnets. From that PC, since you know it's working, you will have a point where you can explore other parts of the network via scanning. Or, if you want to just get on the network with a personal PC (like a laptop), you could unplug the public PC and jump on with its IP/MAC addresses. Depending how the network's set up, you might only be able to plug in at a specific spot, so there might be some guesswork involved.

Really, once you find out how the LAN is configured subnet-wise, getting on should be a matter of finding an AP/Ethernet connection.

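What a passive listener on the wired segment actually gets to see, as an added example that is not code from any post in this thread: ARP requests are broadcast, so even behind a switch a sniffer in promiscuous mode sees the "who has" / "is at" exchanges the earlier replies mention, and the sender addresses they carry bound the subnet the same way the post above derives it from a known host's IP and mask. The frames, MAC addresses and the 172.17.30.128/25 segment are constructed assumptions for this example, not a real capture.

```python
import ipaddress
import struct

ETH_ARP = 0x0806  # EtherType for ARP

def build_arp_frame(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP frame; used only to construct sample traffic for this example."""
    dst = b"\xff" * 6 if opcode == 1 else target_mac  # requests (op 1) are broadcast
    eth = dst + sender_mac + struct.pack("!H", ETH_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)  # htype, ptype, hlen, plen, op
    arp += sender_mac + ipaddress.IPv4Address(sender_ip).packed
    arp += target_mac + ipaddress.IPv4Address(target_ip).packed
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_ip, sender_mac) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return opcode, str(ipaddress.IPv4Address(frame[28:32])), frame[22:28].hex(":")

def observed_hosts(frames):
    """IP -> MAC for every ARP sender seen, in 'who has' requests and 'is at' replies alike."""
    hosts = {}
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed:
            hosts[parsed[1]] = parsed[2]
    return hosts

def smallest_covering_network(ips):
    """Tightest prefix containing every observed address: a lower bound on the real subnet."""
    nets = [ipaddress.ip_network(ip) for ip in ips]  # each address as a /32
    net = nets[0]
    while not all(n.subnet_of(net) for n in nets):
        net = net.supernet()  # widen by one bit until everything fits
    return net

# Constructed sample frames (assumption, not a capture): three hosts in an assumed
# 172.17.30.128/25 segment plus one plain IPv4 frame that is not ARP at all.
MAC_A, MAC_B, MAC_C = (bytes.fromhex("0200000000" + x) for x in ("82", "fe", "c8"))
ZERO_MAC = b"\x00" * 6
FRAMES = [
    build_arp_frame(1, MAC_A, "172.17.30.130", ZERO_MAC, "172.17.30.254"),  # who has .254?
    build_arp_frame(2, MAC_B, "172.17.30.254", MAC_A, "172.17.30.130"),     # .254 is at MAC_B
    build_arp_frame(1, MAC_C, "172.17.30.200", ZERO_MAC, "172.17.30.254"),  # who has .254?
    MAC_B + MAC_A + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 27,     # IPv4, ignored
]
```

Note that the covering prefix is only a lower bound: a site can use a wider mask than the addresses you happen to see, so the result is a starting hypothesis to confirm against a known host's configuration, not the answer.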

You certainly don't hear a whole lot about CAM flooding anymore.

I was actually going to mention this along with APR but I figured it wasn't worth it.

Since the thread was about gathering information remotely, which APR is not.

But thanks for pointing this out for everyone jabzor.

If anyone is interested the Dsniff suite includes a tool called macof which will accomplish this.


In the situation that this is a library, there are often computers for public use set up, so what I would try is to use one of these public computers (since it already communicates on the network properly) and try to get some info from it. Start at the local PC, find its IP and subnet mask, with which you can figure out whatever kind of custom subnetting is set up, which will let you predict what other IPs would be in the subnet, and maybe help you take a look at any nearby subnets. From that PC, since you know it's working, you will have a point where you can explore other parts of the network via scanning. Or, if you want to just get on the network with a personal PC (like a laptop), you could unplug the public PC and jump on with its IP/MAC addresses. Depending how the network's set up, you might only be able to plug in at a specific spot, so there might be some guesswork involved.

Really, once you find out how the LAN is configured subnet-wise, getting on should be a matter of finding an AP/Ethernet connection.

Ah, assume that the computers are locked down (which they are in a real-life configuration I can think of). I figured that this might be a preferred route in network security, setting up on an unconventional subnet. But, I wasn't completely sure.

Library 1 Hacker 0.

