Hello, I posted this in the OffSec PWB forum, but I don't think it's frequented that often hence no response. Apologies for the re-post if you've already come across this.

I've been doing some research into tcp wrappers recently, having noticed that a few services within the pwb lab are wrapped. As I understand it tcpwrappers are a method of applying an ACL to a service, based on IP address.

I've figured that I can only talk to wrapped services if i'm bouncing through another host, but is there a reliable way of determining which hosts are in the ACL? The only ideas i've had on this so far seem to require some cache poisoning, which seems more than likely to mess things up (and poisoning is not allowed in the labs anyway!).

Spoofing my source address could be an option I suppose, but that would mean responses are directed elsewhere I guess...

Can anyone share any insights into this? Even a nudge in the right direction would be appreciated.