IP Address Block Enumeration

SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Thu Nov 06, 2008 1:19 pm

IP Address Block Enumeration

I would like to know what tools and methods other people may use for IP address block enumeration.  I have used qtrace.pl in the past but I'm not aware of any other tools / websites that may be of use.

I find that in books, articles and websites there is often very little emphasis on clearly identifying the network boundaries of the target.

Does anyone have any suggestions?

Thanks

SynJunkie
Last edited by SynJunkie on Thu Nov 06, 2008 1:27 pm, edited 1 time in total.
----------------------------------
http://synjunkie.blogspot.com
venom77

Hero Member

Posts: 1911

Joined: Mon Dec 11, 2006 3:23 pm

Post Thu Nov 06, 2008 2:07 pm

Re: IP Address Block Enumeration

I guess I'm a bit confused on what you're looking for. Are you looking for owners of IP blocks? A simple whois command/lookup won't work?
SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Fri Nov 07, 2008 1:03 pm

Re: IP Address Block Enumeration

I find that in general a whois might give me the ISP assigned block.  But where I have found a host in a range by using something like Fierce, I want to find the size of that range assigned to the target network.
----------------------------------
http://synjunkie.blogspot.com
RoleReversal

Hero Member

Posts: 929

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Sun Nov 09, 2008 10:50 am

Re: IP Address Block Enumeration

SynJunkie,

In theory whois should provide the information you require, as BillV states. However, not all LIRs keep the whois database updated to that level despite the rules and regs stating that they should, so your mileage may vary.

As an alternative you could try pinging some potential network boundaries, often (not always) I have seen a broadcast IP create multiple ICMP replies to a single request.
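The whois discussion above (the ISP-assigned block, and whether the registry record covers the assignment at the level you need) comes down to reading the `inetnum:` / `NetRange:` line and turning it into prefixes you can compare a discovered host against. The script below is an added example and is not from this thread or from any tool mentioned in it; the whois text it parses is constructed sample data, not real registry records, and the helper names (`parse_whois_block`, `host_in_block`) are my own. It is equally useful for checking that the record your own LIR publishes actually matches the block you operate.

```python
import ipaddress
import re

# Constructed sample of RIPE-style whois output. Not real registry data.
SAMPLE_WHOIS_RIPE = """\
% This is a constructed sample, not real registry data.
inetnum:        192.0.2.64 - 192.0.2.127
netname:        EXAMPLE-NET
descr:          Example Corp customer assignment
country:        GB
status:         ASSIGNED PA
"""

# Constructed sample of ARIN-style whois output. Not real registry data.
SAMPLE_WHOIS_ARIN = """\
NetRange:       198.51.100.0 - 198.51.100.255
CIDR:           198.51.100.0/24
NetName:        EXAMPLE-ARIN
"""

# Both registries express the assignment as "first - last"; the key differs.
RANGE_RE = re.compile(
    r"^(?:inetnum|NetRange):\s*(\S+)\s*-\s*(\S+)", re.IGNORECASE | re.MULTILINE
)
NAME_RE = re.compile(r"^(?:netname|NetName):\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_whois_block(text):
    """Extract the assigned range from whois output and express it as CIDR prefixes.

    Returns None when the text carries no range line (e.g. a referral-only answer).
    """
    m = RANGE_RE.search(text)
    if not m:
        return None
    first = ipaddress.ip_address(m.group(1))
    last = ipaddress.ip_address(m.group(2))
    if last < first:
        raise ValueError(f"range is reversed: {first} - {last}")
    # A registry range need not be prefix-aligned; summarize gives the exact cover.
    cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
    name_m = NAME_RE.search(text)
    return {
        "netname": name_m.group(1) if name_m else None,
        "first": str(first),
        "last": str(last),
        "size": int(last) - int(first) + 1,
        "cidrs": cidrs,
    }


def host_in_block(ip, block):
    """True when a host (e.g. one found by a DNS brute-forcer) lies inside the parsed block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in block["cidrs"])


if __name__ == "__main__":
    for sample in (SAMPLE_WHOIS_RIPE, SAMPLE_WHOIS_ARIN):
        block = parse_whois_block(sample)
        print(block["netname"], block["first"], "-", block["last"],
              f"({block['size']} addresses)", block["cidrs"])
    print("192.0.2.100 in EXAMPLE-NET:", host_in_block("192.0.2.100", parse_whois_block(SAMPLE_WHOIS_RIPE)))
```

To use it against a live answer, feed it the text returned by the `whois` command for the address in question. When the record is a large ISP allocation rather than the customer assignment, `size` will be much bigger than the network you are interested in, which is exactly the situation RoleReversal describes.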
SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Sun Nov 09, 2008 6:29 pm

Re: IP Address Block Enumeration

Thanks RoleReversal.  That was one of my methods (nmap xxx.xxx.xxx.xxx/24 -sP) and then look for typical boundary type devices such as routers or firewalls.  Obviously this method isn't that reliable and I was hoping that there was another more reliable option for footprinting the target.

Oh well, worth a try.

Cheers.

Syn
----------------------------------
http://synjunkie.blogspot.com

jimbob

Post Mon Nov 10, 2008 9:29 am

Re: IP Address Block Enumeration

It may also be of use to enumerate any DNS hostnames you can find and see where they resolve to. This could help define the size of the network. You can start by trying reverse lookups of the IP addresses you think are in the network. Results for an unexpected domain might indicate you are beyond the network boundaries.

If you can do a zone transfer then check the addresses where the hostnames point to. Check out DNS records such as MX and NS. Using data from separate sources and queries can help build a better understanding and increase your confidence in the results.

Jimbob
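Jimbob's reverse-lookup approach, written out as a script: walk a candidate range, look up each PTR record, and group consecutive addresses by the domain they resolve into, so the point where the domain changes marks a likely boundary. This is an added example, not code from the thread; the PTR table is constructed sample data standing in for live DNS, and the helper names (`sweep`, `find_runs`, `covering_prefix`) are my own. The same sweep run against your own range shows what your published PTR records reveal about the block's extent, and where stale or missing records blur it.

```python
import ipaddress
import socket

# Constructed PTR table used in place of live reverse DNS. Not real data.
# Addresses .4 and .9-.14 deliberately have no PTR record.
CONSTRUCTED_PTR = {
    "192.0.2.1": "gw.example.net",
    "192.0.2.2": "www.example.net",
    "192.0.2.3": "mail.example.net",
    "192.0.2.5": "dev.example.net",
    "192.0.2.6": "host-6.isp-example.org",
    "192.0.2.7": "host-7.isp-example.org",
    "192.0.2.8": "host-8.isp-example.org",
}


def lookup_table(table):
    """Resolver backed by a dict, for offline runs and tests."""
    return lambda ip: table.get(ip)


def live_resolver(ip):
    """Resolver backed by the system's reverse DNS; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def registrable_domain(hostname):
    """Crude 'owning domain': the last two labels. Assumption: no public-suffix list handling."""
    if not hostname:
        return None
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def sweep(network, resolver):
    """Reverse-resolve every host address in the network, in address order."""
    net = ipaddress.ip_network(network, strict=False)
    return [(str(ip), resolver(str(ip))) for ip in net.hosts()]


def find_runs(results):
    """Group consecutive addresses by registrable domain.

    Addresses with no PTR do not open a new run; they are counted against the
    run in progress, because a gap in reverse DNS is not evidence of a boundary.
    """
    runs = []
    for ip, host in results:
        dom = registrable_domain(host)
        if dom is None:
            if runs:
                runs[-1]["last"] = ip
                runs[-1]["unresolved"] += 1
            continue
        if runs and runs[-1]["domain"] == dom:
            runs[-1]["last"] = ip
            runs[-1]["hosts"].append(host)
        else:
            runs.append({"domain": dom, "first": ip, "last": ip,
                         "hosts": [host], "unresolved": 0})
    return runs


def covering_prefix(first, last):
    """Smallest single CIDR prefix that contains both addresses: a candidate subnet for a run."""
    a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for plen in range(a.max_prefixlen, -1, -1):
        net = ipaddress.ip_network(f"{a}/{plen}", strict=False)
        if b in net:
            return str(net)


if __name__ == "__main__":
    # Swap lookup_table(CONSTRUCTED_PTR) for live_resolver to query real DNS.
    for run in find_runs(sweep("192.0.2.0/28", lookup_table(CONSTRUCTED_PTR))):
        print(f"{run['first']:<12} - {run['last']:<12} {run['domain']:<18} "
              f"hosts={len(run['hosts'])} no-PTR={run['unresolved']} "
              f"candidate={covering_prefix(run['first'], run['last'])}")
```

With the constructed data the run for example.net stops at 192.0.2.5 and isp-example.org starts at .6, which `covering_prefix` turns into a candidate /29 for the first block. As Jimbob says, treat this as one signal to combine with whois, zone data and the MX/NS records rather than as a definitive answer, since the candidate prefix is only the tightest prefix that fits the names seen.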

SynJunkie

Jr. Member
Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Mon Nov 10, 2008 11:52 am

Re: IP Address Block Enumeration

Thanks Jimbob.  Again, these are methods I already use.  Maybe I was looking for a tool that does the same as SensePost's qtrace.pl but it doesn't exist.

Thanks for the reply though.
----------------------------------
http://synjunkie.blogspot.com

LSOChris

Post Mon Nov 10, 2008 8:25 pm

Re: IP Address Block Enumeration

a combination of maltego and fierce should do the trick for you
slimjim100

EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Mon Nov 10, 2008 10:36 pm

Re: IP Address Block Enumeration

Another thing I do because I am a router guy is to ping and traceroute the range you suspect. With ISPs sometimes using their own host names, you can find smaller subnet ranges with ping times. Hosts normally have very different reply times than routers and true network devices. So the wire address and the network broadcast of a smaller network inside a class C IP network can sometimes be identified by a similar ping time. Also traceroute will give you host names. I think it was already stated, but reverse DNS also can help ID a smaller subnet range.

my 2 cents :)

Brian
aka Slimjim100
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
SynJunkie

Jr. Member

Posts: 71

Joined: Thu Apr 17, 2008 2:41 pm

Location: UK

Post Thu Nov 13, 2008 6:34 pm

Re: IP Address Block Enumeration

The reverse DNS I was well aware of, but the traceroute and ping method is pretty interesting.  I had thought that traceroute might be useful for certain types of mapping or helping to ID honeynets, but your method certainly sounds useful.

Thanks. :)
----------------------------------
http://synjunkie.blogspot.com