
Thread: Finding companies IP range

  1. #1
    Just burned his ISO | Join Date: Apr 2010 | Posts: 11

    Finding companies IP range

    How can you find a company's IP range if all you have is their domain name, and their website and email are hosted (AKA, no DNS records)?

    I know if you have 1 IP, you can do an ARPNIC whois search, but if you do a DNS search and they don't have any IPs showing, what then?



    Thanks in advance

  2. #2
    Super Moderator Archangel-Amael | Join Date: Jan 2010 | Location: Somewhere | Posts: 8,012

    Re: Finding companies IP range

    Why do you need a company's IP range?

    @ all others please allow the OP a chance to respond before posting anything.
    To be successful here you should read all of the following.
    Forum Rules
    Forum FAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  3. #3
    Just burned his ISO | Join Date: Apr 2010 | Posts: 11

    Re: Finding companies IP range

    Quote Originally Posted by Archangel-Amael
    Why do you need a company's IP range?

    @ all others please allow the OP a chance to respond before posting anything.
    I actually do vulnerability assessments.
    In the past we've always asked the company to supply us with their external IPs, but the guy running the project has been learning about different methodologies and they like the idea of us doing blind assessments. I was just going through the actions with my current job and it just so happens I'm not seeing ANYTHING in their DNS records to help me. Their MX records point to their ISP and their only A record points to their ISP.

    I assure you, I'm not a 'hacker'. I'm actually embarrassed I don't know the answer.


    Thanks again.

  4. #4
    Super Moderator lupin | Join Date: Jan 2010 | Posts: 2,943

    Re: Finding companies IP range

    Quote Originally Posted by jmpebx
    I actually do vulnerability assessments.
    In the past we've always asked the company to supply us with their external IPs, but the guy running the project has been learning about different methodologies and they like the idea of us doing blind assessments. I was just going through the actions with my current job and it just so happens I'm not seeing ANYTHING in their DNS records to help me. Their MX records point to their ISP and their only A record points to their ISP.

    I assure you, I'm not a 'hacker'. I'm actually embarrassed I don't know the answer.


    Thanks again.
    Does this guy know why he likes the idea of blind assessments? Because they more closely resemble the things a "real hacker" might have to do to break into a company? That's a fallacy (or at least it's not the whole truth).

    A real hacker would not be limited in some of the same ways that someone doing a legitimate penetration test or vulnerability assessment would be. A real hacker can take as much time as they want, but a professional pentester has to complete their tasks within an allotted time. A real hacker is not limited by notions of scope, but a professional pentester has to worry about accidentally accessing systems that he does not have permission to access, especially those owned by third parties to the client. Part of your job is to educate the client about things like this, and tell them that asking for a blind test may actually result in them getting less value for money for their test, as the time you spend on mapping their network could instead be spent on more closely analysing their systems. Now it could be that they want you to spend the time on that information gathering, but you should try and ensure that they are making an informed decision in that regard - it's in both your best interests.

    Now, the approach you are taking to find out their IP addresses is more or less correct, just perhaps lacking in some depth - standard information gathering techniques still apply in this case. Check forward and reverse DNS lookups, try zone transfers, do whois searches, use various search engines to try and identify hosts used by this company. The fierce DNS scanner and dnsenum have some interesting methods of using these types of queries to discover hosts - check them out. The trick is, once you have found some hosts related to the client, call the client and ask them if these hosts are in scope for a scan and covered under your permission agreement. Yes, that's a standard thing to do in black box tests. Make sure that any third parties have also provided permission. Your permission agreement should contain the necessary legal language to allow this (consult a lawyer if required). The client should then be able to tell you whether or not you have found the hosts they are interested in. If you don't manage to find the correct hosts, they will most likely realise that this approach is not for them (or they will hire someone else to do the job).
    Last edited by lupin; 09-07-2010 at 08:03 AM.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
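
    An added example (not from this thread or from lupin) of the scope check described above: once forward and whois lookups have produced a set of hosts, sort them into hosts on netblocks registered to the client and hosts on netblocks registered to someone else (an ISP, a hosting provider), so the third-party ones can be raised with the client before anything is scanned. The DNS records, netblocks, hostnames and organisation names below are constructed for the example; in practice they would come from real dig and whois output.

```python
import ipaddress
import re

# Constructed sample of what forward lookups of the client's zone might return.
# Names and addresses are made up (RFC 5737 documentation ranges).
DNS_RECORDS = {
    "example-client.test.": [("A", "203.0.113.10")],
    "www.example-client.test.": [("A", "203.0.113.10")],
    "mail.example-client.test.": [("MX", "mx1.isp-hosting.test.")],
    "mx1.isp-hosting.test.": [("A", "198.51.100.25")],
    "vpn.example-client.test.": [("A", "192.0.2.77")],
}

# Constructed sample of RIR whois output for the netblocks containing those
# addresses. The CIDR/OrgName field names follow the ARIN layout.
WHOIS_TEXT = """
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
OrgName:        ISP Hosting Ltd

NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
OrgName:        ISP Hosting Ltd

NetRange:       192.0.2.64 - 192.0.2.95
CIDR:           192.0.2.64/27
OrgName:        Example Client Inc
"""


def parse_whois_netblocks(text):
    """Extract (network, organisation) pairs from whois-style text."""
    pairs = re.findall(r"CIDR:\s*(\S+)\s*OrgName:\s*([^\n]+)", text)
    return [(ipaddress.ip_network(cidr, strict=False), org.strip())
            for cidr, org in pairs]


def resolve_addresses(records, name):
    """Resolve a name to IPv4 addresses, following MX/CNAME targets."""
    addrs = []
    for rtype, value in records.get(name, []):
        if rtype == "A":
            addrs.append(ipaddress.ip_address(value))
        elif rtype in ("MX", "CNAME"):
            addrs.extend(resolve_addresses(records, value))
    return addrs


def classify_hosts(records, netblocks, domain, client_org):
    """For each name under the client's domain, record every resolved address,
    the organisation that registered the containing netblock, and whether that
    organisation is the client (i.e. no third-party permission is needed)."""
    report = {}
    for name in records:
        if not (name == domain or name.endswith("." + domain)):
            continue  # a helper record of another organisation, not a client host
        for addr in resolve_addresses(records, name):
            owner = next((org for net, org in netblocks if addr in net), "unknown")
            report.setdefault(name, []).append({
                "address": str(addr),
                "owner": owner,
                "client_owned": owner == client_org,
            })
    return report


def third_party_hosts(report):
    """Names whose addresses sit on netblocks not registered to the client;
    these need the third party's permission before they are in scope."""
    return sorted(name for name, entries in report.items()
                  if not all(e["client_owned"] for e in entries))


if __name__ == "__main__":
    blocks = parse_whois_netblocks(WHOIS_TEXT)
    report = classify_hosts(DNS_RECORDS, blocks,
                            "example-client.test.", "Example Client Inc")
    for name, entries in sorted(report.items()):
        for e in entries:
            print(f"{name:28} {e['address']:16} {e['owner']}")
    print("Confirm with client / third party before scanning:",
          third_party_hosts(report))
```

    Run against the constructed data, the web and mail hosts land on the hosting provider's netblocks and only the VPN host sits on the client's own allocation, which is exactly the situation the OP describes: the records exist, they just point at the ISP, so those hosts are the ISP's to authorise.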

  5. #5
    Good friend of the forums | Join Date: Jun 2008 | Posts: 425

    Re: Finding companies IP range

    This site might/might not help: Welcome to the RADb bgp

  6. #6
    Just burned his ISO | Join Date: Apr 2010 | Posts: 11

    Re: Finding companies IP range

    Quote Originally Posted by lupin
    Does this guy know why he likes the idea of blind assessments? Because they more closely resemble the things a "real hacker" might have to do to break into a company? That's a fallacy (or at least it's not the whole truth).

    A real hacker would not be limited in some of the same ways that someone doing a legitimate penetration test or vulnerability assessment would be. A real hacker can take as much time as they want, but a professional pentester has to complete their tasks within an allotted time. A real hacker is not limited by notions of scope, but a professional pentester has to worry about accidentally accessing systems that he does not have permission to access, especially those owned by third parties to the client. Part of your job is to educate the client about things like this, and tell them that asking for a blind test may actually result in them getting less value for money for their test, as the time you spend on mapping their network could instead be spent on more closely analysing their systems. Now it could be that they want you to spend the time on that information gathering, but you should try and ensure that they are making an informed decision in that regard - it's in both your best interests.
    Very nice. You put it a lot better than I did. I simply gave the issue with time, but I didn't add that the loss in time could be spent in other areas. I think that's what I need for them to get it. Yeah, I think the idea of the assessment resembling a 'real' attack vs just a vulnerability assessment is what they want. Or what they think they want, yet they still have to beat other people's bids, so there's only so much you can do in X hours.


    Quote Originally Posted by lupin
    Now, the approach you are taking to find out their IP addresses is more or less correct, just perhaps lacking in some depth - standard information gathering techniques still apply in this case. Check forward and reverse DNS lookups, try zone transfers, do whois searches, use various search engines to try and identify hosts used by this company. The fierce DNS scanner and dnsenum have some interesting methods of using these types of queries to discover hosts - check them out. The trick is, once you have found some hosts related to the client, call the client and ask them if these hosts are in scope for a scan and covered under your permission agreement. Yes, that's a standard thing to do in black box tests. Make sure that any third parties have also provided permission. Your permission agreement should contain the necessary legal language to allow this (consult a lawyer if required). The client should then be able to tell you whether or not you have found the hosts they are interested in. If you don't manage to find the correct hosts, they will most likely realise that this approach is not for them (or they will hire someone else to do the job).
    Thanks for the help. I didn't know if I was missing something obvious or not.
    I'll check out those DNS tools.
    It's funny, in all the classes they stress enumeration, and everyone rolls their eyes. I now see why they stressed it so much....

  7. #7
    Super Moderator lupin | Join Date: Jan 2010 | Posts: 2,943

    Re: Finding companies IP range

    Quote Originally Posted by jmpebx
    Thanks for the help. I didn't know if I was missing something obvious or not.
    I'll check out those DNS tools.
    It's funny, in all the classes they stress enumeration, and everyone rolls their eyes. I now see why they stressed it so much....
    Yep, it always comes back to the basics...
