Finding IP addresses

[tarantula78]

Hi all,

Quick Q.

If you have a network to attack. How would you go about it? I tend to use social engineering on companies that arent so big (auditing nothing illegal). Because if they arent big they will most likely not host their own website so I couldnt take that route. What id usually do is use some buffer overflow exploit and hope some employee opens it.

So my question is. How would you go about attacking a network and finding the IP address that will get you in. Medium and small businesses usually have one router or so directing all their traffic. Not all have wireless networks either. So how would you go about it when you dont have any physical access or wireless access?

Please dont think im asking for some sort of tutorial i just wanted to know what your preffered methods are/would be.

Thanks

Tarantula78

[phoenix910]

Sounds a bit suss, but I'm willing to share. There's a few things you can do. Think about/find out where the email server is hosted, whether it's internally or not. If it is internal, just backtrace an email or trace back to the email server, which will have an IP. If they're a smaller business, there will be no "clearance zone" as such, and if you get into the mail server (usually relatively easy), then you can hop from there to other machines. You could also trace the IP's of employees from the company - i.e, if their IP is logged in a certain website... then you can find out what IP they originate from - which (during work hours) will come from the company's router (be careful here though, because you are going through the ISP they might still consider that illegal). You could also get their IP through social engineering on MSN or equivalent - i.e. "I'm doing a survey - go to http://ip-adress.com and tell me what you see" although, make it a bit more subtle. The other alternative is if they let you pentest from an employee perspective - i.e, give you a workstation and see if you can get it. Simple - reset the BIOS password if it has one, boot from the BT CD or USB, and pentest away as you normally would. Don't do anything illegal though

-Stephen

[hhmatt]

This question seems kinda sketchy.

Assuming you've done the reconnaisance of your target company.

If I knew how... I would spoof my email address, and send it out to the employees of the company making it look legitimate with a sort of spyware program that would return the ip address when opened. If enough people open the email you could get a good idea of how the network is setup also and possibly ip addresses of the workers at home if the email is read at different locations. Theres a website that does this sort of thing but it costs money and I don't remember the exact site atm.

[tarantula78]

This question seems kinda sketchy.

Assuming you've done the reconnaisance of your target company.

If I knew how... I would spoof my email address, and send it out to the employees of the company making it look legitimate with a sort of spyware program that would return the ip address when opened. If enough people open the email you could get a good idea of how the network is setup also and possibly ip addresses of the workers at home if the email is read at different locations. Theres a website that does this sort of thing but it costs money and I don't remember the exact site atm.

You know i always thought that this would be the easiest method but not all mailservers allow it to be spoofed..

also thanks phoenix for your input but ive never thought of hacking mail servers as easy .. tbh i dont think ive ever done it before. i mean i know how to spoof emails with unsecured servers but i guess its something i should read up on. Im sure there are different attacks for different mail server softwares. Dont worry i wasnt talking bout diong anything illegal but i knew there were other methods out there i never really gave it a good think.

[phoenix910]

Well, as you are a penetration tester, it might be worth reading up on the Hacking of mail servers. For one job I did, hacking the mail server was the only way I had in - and it only took 9 minutes. You will find that in smaller businesses, a lot of the mail servers will be fairly insecure, as the admins don't bother to secure it because they either don't think of it, or they think we won't. SSH is usually the route that I take in, but obviously it's not the only one. I build possible password lists that could relate to the admin or the company to test if it is one of the SSH pass's, and if it's not, I try all my other default lists. So google search SSH hacking and Hydra. Also, once you have access to the mail server, you can easily do some form of a MiTM to get all traffic going through it, including admin emails and passwords etc, which might include valuable network info. But search up what mail server they are using, any exploits, do a port scan, search for other vulnerabilities, etc.

-Stephen

[tarantula78]

yea im looking up man in the middle now.. its kinda shameful that im hoping to go into business as an auditor and i cant remember the basics lol .. i have a crappy memory...

thing is where i am i dont think they would have their own mailserver im sure they would get a website and with the email accounts provided they would have it forwarded on to their email clients. which is when i would probably start sending them buffer overflow exploits. Infact it would even be a good time to send them the dodgy website to get their external IP. Hacking into a router wont be so bad because most companies here almost never audit their security OR know how to read logs (though its very simple) so you could use a million passwords and they would be oblivious to it.

[phoenix910]

You could just bounce an email off their email server and read the IP address through that then - however, you have to make sure that the server is owned by them, or gives you the actual internal IP as opposed to being just a web-server based email, cause that would be illegal. But to hack the router, you will need it's IP - so that's where these other techniques come in.

-Stephen

[rshift]

Read the book Network Security Assessment and it'll give you some better tips on howto penetrate a network.

If it's a smaller business and they don't have a website, then do some google queries for some more information on the site. You can easily find some email addresses of employees and maybe see if they have a usenet group setup.

If they have a router, then you have something to work with. Try some IDS invasion techniques to probe inner machines and build a map of the inner network. Fragmented packets work on some, but it's slowly becoming obsolete. As an auditor, you should gather information about the network first before you just start trying to penetrate it.

Read a bit more because it seems like you feel that you can just find an IP address, pop it into your remote overflow exploit and then root it. It's not that easy all the time.

[thorin]

Hi all,

Quick Q.

If you have a network to attack. How would you go about it? I tend to use social engineering on companies that arent so big (auditing nothing illegal).

If you're "attacking" then it's illegal, no matter how nice you want everyone to think you are.

Because if they arent big they will most likely not host their own website so I couldnt take that route. What id usually do is use some buffer overflow exploit and hope some employee opens it.

So my question is. How would you go about attacking a network and finding the IP address that will get you in. Medium and small businesses usually have one router or so directing all their traffic. Not all have wireless networks either. So how would you go about it when you dont have any physical access or wireless access?

Please dont think im asking for some sort of tutorial i just wanted to know what your preffered methods are/would be.

You should take a Security Testing course like OPST, CEH, or similar.

Basic first steps in an IT Security Testing include lots of Info Gathering/Recon (DNS lookups, ARIN lookups, search google groups/usenet, browsing their website for info on tertiary systems, etc.)

[enigmaticzidon]

I find the easiest way is to email them but with a image attached from your website. either a small invisible one or just one at the top of the email. when they read there email the image will have to be downloaded and therefore giving you the ip by checking the logs.

works 9/10 times

Enigma