
Some network reconnaissance questions about determining DMZ network structure?

manoj9372
Jr. Member
Posts: 72
Joined: Mon Oct 05, 2009 8:54 am
Post Fri Sep 17, 2010 6:30 am

Some network reconnaissance questions about determining DMZ network structure?

I have the IP range of my target network.

Also I got a scenario like this:

Before my traffic enters the target web server, it passes through 4 firewalls,

like this: 208.xxx.xxx.xxx ---> 208.xxx.xxx.xxx ---> 208.xxx.xxx.xxx ---> 208.xxx.xxx.xxx ---> target web server

When I tracerouted all the IPs in the IP range, the traffic passed through at least 3 or 4 firewalls (Cisco ones) and then reached my target.

But to my surprise, when I tracerouted the DNS server, it passed through different firewall IPs than the firewall IPs of the web server,

like this: 185.xxx.xxx.xxx ---> 185.xxx.xxx.xxx ---> 185.xxx.xxx.xxx ---> target DNS server

I want to know what sort of network architecture they are using.

How can I determine the number of DMZs they have?

Will they have a separate DMZ for running database servers? If yes, how do I detect it?

Is it possible to get the kernel version of the Linux server they are using?
Also, I already nmapped it, and it says the kernel version is 2.4-2.6. I need to know the exact kernel version; what should I do?

Also I have seen some SMTP and POP3 services on the Cisco firewalls/routers.
This looks strange to me; why would a router/firewall be running SMTP/POP3 services?

I want to fingerprint the web application firewall being used on the target. How can I do it?

I know these are too many questions to ask, but I don't have many other options, so I decided to ask here. Even if you answer just one of the above questions, it will be helpful for me...

Hope I will get some help...
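As an added example (not code from the original post), here is a small Python script that turns traceroute output like the runs described above into something you can compare across targets. It parses each run, drops the destination, and groups targets by the chain of upstream hops they share, so a web server and a mail server that sit behind the same filtering hops land in one group and a DNS server behind a different chain lands in another. A hop that never answers is kept as "*" so that a firewall that drops TTL-expired probes still lines up across runs. The traces, host names and addresses are constructed (RFC 5737 documentation prefixes) and are not data from any real target.

```python
"""Group traceroute targets by the upstream path they share.

Added example. SAMPLE_TRACES is constructed to mirror the situation in
the post (two hosts behind one chain of hops, DNS behind another); it is
not captured from a real network. Hop lines follow the Linux traceroute
format, with or without -n (the parser only needs the first IPv4 address
on the line).
"""
import re
from collections import defaultdict

SAMPLE_TRACES = {
    "www": """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.412 ms  0.398 ms  0.380 ms
 2  198.51.100.9 (198.51.100.9)  4.120 ms  4.101 ms  4.090 ms
 3  203.0.113.1 (203.0.113.1)  9.310 ms  9.280 ms  9.250 ms
 4  203.0.113.2 (203.0.113.2)  9.900 ms  9.880 ms  9.860 ms
 5  * * *
 6  203.0.113.10 (203.0.113.10)  11.200 ms  11.150 ms  11.100 ms
""",
    "mail": """\
traceroute to 203.0.113.25 (203.0.113.25), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.402 ms  0.390 ms  0.377 ms
 2  198.51.100.9 (198.51.100.9)  4.050 ms  4.030 ms  4.010 ms
 3  203.0.113.1 (203.0.113.1)  9.100 ms  9.090 ms  9.070 ms
 4  203.0.113.2 (203.0.113.2)  9.700 ms  9.690 ms  9.650 ms
 5  * * *
 6  203.0.113.25 (203.0.113.25)  11.000 ms  10.950 ms  10.900 ms
""",
    "dns": """\
traceroute to 203.0.113.70 (203.0.113.70), 30 hops max, 60 byte packets
 1  192.0.2.1 (192.0.2.1)  0.420 ms  0.401 ms  0.389 ms
 2  198.51.100.9 (198.51.100.9)  4.200 ms  4.180 ms  4.160 ms
 3  203.0.113.65 (203.0.113.65)  9.500 ms  9.480 ms  9.450 ms
 4  203.0.113.66 (203.0.113.66)  10.100 ms  10.080 ms  10.050 ms
 5  203.0.113.70 (203.0.113.70)  11.300 ms  11.280 ms  11.250 ms
""",
}

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # " 3  <rest of line>"
ADDR = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")      # first IPv4 address on the line


def parse_traceroute(text):
    """One IP string per hop, or None for a hop that only printed '* * *'."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:                      # header line, not a hop
            continue
        addr = ADDR.search(m.group(2))
        hops.append(addr.group(1) if addr else None)
    return hops


def upstream_path(hops):
    """Intermediate hops as a tuple; a silent hop becomes '*' so that two
    targets behind the same non-answering device still line up."""
    return tuple(h or "*" for h in hops[:-1])


def group_by_path(traces):
    """Map each distinct upstream path to the targets reached through it."""
    groups = defaultdict(list)
    for name, text in traces.items():
        groups[upstream_path(parse_traceroute(text))].append(name)
    return dict(groups)


def shared_prefix(paths):
    """Hops every path starts with: the perimeter all targets sit behind."""
    prefix = []
    for column in zip(*paths):
        if len(set(column)) == 1 and column[0] != "*":
            prefix.append(column[0])
        else:
            break
    return tuple(prefix)


def report(traces):
    """Human-readable summary: common perimeter, then per-group inner path."""
    groups = group_by_path(traces)
    common = shared_prefix(list(groups))
    lines = [f"hops every target crosses: {' -> '.join(common) or 'none'}"]
    for path, names in groups.items():
        inner = path[len(common):]
        silent = [i + 1 for i, h in enumerate(path) if h == "*"]
        note = f" (silent hop at {silent})" if silent else ""
        lines.append(f"{', '.join(names)}: then {' -> '.join(inner)}{note}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_TRACES)))
```

Two hosts in the same group share the same chain of filtering devices; a silent hop right before the destination is the usual sign of a stateful firewall or ACL that blocks ICMP time-exceeded, not by itself proof of a separate DMZ.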

MaXe
Hero Member
Posts: 671
Joined: Tue Aug 17, 2010 9:49 am
Post Fri Sep 17, 2010 8:15 am

Re: Some network reconnaissance questions about determining DMZ network structure?

How much penetration testing have you done, to be honest? And how much do you know about ethical hacking?

I don't ask this to be rude, but because I am curious, so I can give you appropriate answers based on what your answers are.
I'm an InterN0T'er

manoj9372
Jr. Member
Posts: 72
Joined: Mon Oct 05, 2009 8:54 am
Post Fri Sep 17, 2010 8:47 am

Re: Some network reconnaissance questions about determining DMZ network structure?

  Code:
How much penetration testing have you done, to be honest? And how much do you know about ethical hacking?

I just started to learn penetration testing, and I derived an important principle (my own one): I just don't want to be a tool-based guy. While I am learning a particular thing, I read and understand what the tool is doing while we are using it for pentesting. I have also understood the laws, the legal issues and the qualities of a pen tester: as a pen tester we must satisfy the client, that should be our first priority, we should do the penetration testing in a structured way, and we should not trust anything or anyone during the penetration testing process. That is the key.
And regarding ethical hacking, the answer is simple according to me: "I am authorized to do any hacking, maybe white hat or black hat stuff, according to the situation before me."

  Code:
I don't ask this to be rude, but because I am curious, so I can give you appropriate answers based on what your answers are.

Yes, this is not rude; I can understand what you are trying to say.
I hope the above information is enough for you to understand my level (maybe noobish).
And I am in the network reconnaissance stage, so I am looking for some answers to my questions. Hope you will help me...

MaXe
Hero Member
Posts: 671
Joined: Tue Aug 17, 2010 9:49 am
Post Fri Sep 17, 2010 9:10 am

Re: Some network reconnaissance questions about determining DMZ network structure?

Here are a few ideas of mine ;)

manoj9372 wrote: I want to know what sort of network architecture they are using?

-- Social engineering, including spoofed e-mails, may help you.
Also, check if they've outsourced their website to a 3rd-party hoster. If yes, then you need to know how that hoster functions, etc. etc.

How can I determine the number of DMZs they have?

-- By hacking the router. Apart from the router it's virtually impossible, except if it's a misconfigured (and probably older version of a) Cisco router, where you can in some cases read the configuration directly via SNMP.

Will they have a separate DMZ for running database servers? If yes, how do I detect it?

-- It depends on how they configured their network. Some websites use a local socket to connect to a database hosted locally, while other sites use a database hosted externally on another server or perhaps a virtual machine. The easiest way to find out where the database is, is to hack the website and read the config.php file, if you can't find any hosts with port 3306 (MySQL) open in their network range. You should only look for MySQL if the site is running PHP, since this is the most common setup.

Is it possible to get the kernel version of the Linux server they are using?
Also, I already nmapped it, and it says the kernel version is 2.4-2.6. I need to know the exact kernel version; what should I do?

-- Again, by hacking the website you can in some scenarios run commands directly on the server, e.g. via LFI, RFI, RCE and in some cases SQLi. On Linux a simple "uname -a" will tell you what you need, but you need to find a way to get remote code execution, which can also be done with social engineering and bruteforcing (FTP, SSH, the website and perhaps their e-mail too).

Also I have seen some SMTP and POP3 services on the Cisco firewalls/routers.
This looks strange to me; why would a router/firewall be running SMTP/POP3 services?

-- Probably "port-forwarded" services. (They typically use the same IP as the router.)

I want to fingerprint the web application firewall being used on the target. How can I do it?

-- Not exactly sure; are you certain there is one? In many cases there isn't, though I have seen many companies use IDSs and IPSs, where the latter is kind of the same as a WAF. Input/output checking is one way to check this in some cases, though the problem is that it could also be the actual web application doing this.

I hope it helped a little ;D

Update:
It's nice to see you're doing a good amount of recon, but I believe you're focusing more on the setup than on the actual targets.

The reason I do recon is to find services and machines to exploit, not to learn how their network is configured. I can always check that out later. My first priority is to gain entry and remote code execution ;)
I'm an InterN0T'er
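MaXe's "input/output checking" suggestion, as an added Python example (not code from the post): fetch the same URL twice, once plain and once with a harmless-looking attack pattern in a parameter, and diff the two responses for cookies that name a product, a status code that flips to a block code, block-page wording, and a Server header that changes (a sign that a different box answered). The function works on already-captured responses so it runs offline; the benign response and the two probe responses below are constructed, and the cookie table is a small assumed subset of what public WAF-fingerprinting tools carry. It also keeps MaXe's caveat: a changed status code on its own is reported as "could be the application itself", because input validation in the app produces the same symptom.

```python
"""Heuristic WAF / filtering-proxy detection from a benign vs. probe response pair.

Added example. Responses are plain dicts: {"status": int,
"headers": [(name, value), ...], "body": str}; build them from whatever
HTTP client you use (keep the header list, Set-Cookie may repeat).
WAF_COOKIES is an assumed, illustrative subset of known product cookies.
"""
import re

WAF_COOKIES = {
    "BIGipServer": "F5 BIG-IP (persistence cookie: proves an LB, not the WAF module)",
    "ns_af": "Citrix NetScaler AppFirewall",
    "citrix_ns_id": "Citrix NetScaler",
    "incap_ses": "Imperva Incapsula",
    "visid_incap": "Imperva Incapsula",
    "barra_counter_session": "Barracuda WAF",
    "__cfduid": "Cloudflare",
}
BLOCK_STATUS = {403, 406, 419, 429, 501}      # codes block pages commonly use
BLOCK_TEXT = re.compile(
    r"request (?:was |has been )?blocked|security (?:policy|rule)|"
    r"web application firewall|support id", re.I)

# Constructed sample responses (not captured from any real site).
BENIGN = {"status": 200,
          "headers": [("Server", "Apache"), ("Set-Cookie", "PHPSESSID=abc123; path=/")],
          "body": "<html>Welcome</html>"}
PROBE_WAF = {"status": 403,
             "headers": [("Server", "Apache"),
                         ("Set-Cookie", "PHPSESSID=abc123; path=/"),
                         ("Set-Cookie", "ns_af=Rj4Q2x; path=/")],
             "body": "<html>Your request was blocked by the security policy. Support ID: 123</html>"}
PROBE_APP = {"status": 403,
             "headers": [("Server", "Apache"), ("Set-Cookie", "PHPSESSID=abc123; path=/")],
             "body": "<html>Invalid parameter id</html>"}


def _cookie_names(headers):
    """Cookie names from every Set-Cookie header in the list."""
    return [v.split("=", 1)[0].strip()
            for name, v in headers if name.lower() == "set-cookie"]


def _header(headers, wanted):
    """First value of a header, case-insensitive on the name."""
    for name, v in headers:
        if name.lower() == wanted:
            return v
    return None


def waf_signals(benign, probe):
    """List of (kind, evidence) pairs found by diffing the two responses."""
    signals, seen = [], set()
    for name in _cookie_names(benign["headers"]) + _cookie_names(probe["headers"]):
        for prefix, product in WAF_COOKIES.items():
            if name.startswith(prefix) and name not in seen:
                seen.add(name)
                signals.append(("cookie", f"{name} -> {product}"))
    if benign["status"] == 200 and probe["status"] in BLOCK_STATUS:
        signals.append(("status", f"{benign['status']} -> {probe['status']} on probe"))
    m = BLOCK_TEXT.search(probe["body"])
    if m:
        signals.append(("body", m.group(0)))
    bs, ps = _header(benign["headers"], "server"), _header(probe["headers"], "server")
    if bs != ps:
        signals.append(("server", f"{bs!r} vs {ps!r}"))
    return signals


def verdict(signals):
    """Turn the signal list into the three answers that matter in recon."""
    kinds = {k for k, _ in signals}
    if "cookie" in kinds or "server" in kinds or {"status", "body"} <= kinds:
        return "filtering device in front of the app"
    if kinds:
        return "request filtered, but could be the application itself"
    return "no evidence of a WAF"


if __name__ == "__main__":
    for label, probe in (("waf", PROBE_WAF), ("app", PROBE_APP)):
        s = waf_signals(BENIGN, probe)
        print(label, s, "=>", verdict(s))
```

Use a probe that looks like an attack but cannot do harm (a quoted string in a parameter that the page does not use, a bogus "../" in a query value); the point is to trigger the filter, not to exploit anything, and a cookie name alone tells you which product sits in the path before you send a single payload.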

manoj9372
Jr. Member
Posts: 72
Joined: Mon Oct 05, 2009 8:54 am
Post Fri Sep 17, 2010 11:13 am

Re: Some network reconnaissance questions about determining DMZ network structure?

  Code:
I want to know what sort of network architecture they are using?

-- Social engineering, including spoofed e-mails, may help you.
Also, check if they've outsourced their website to a 3rd-party hoster. If yes, then you need to know how that hoster functions, etc. etc.

Can you tell me how spoofed e-mails will help?
What sort of information can we get from spoofed e-mails?
And my target is not hosted on 3rd-party hosting;
they have their own stuff.

  Code:
How can I determine the number of DMZs they have?

-- By hacking the router. Apart from the router it's virtually impossible, except if it's a misconfigured (and probably older version of a) Cisco router, where you can in some cases read the configuration directly via SNMP.

Hacking routers? I am in the enumeration phase; I haven't hacked the routers. Without hacking those routers, can't we guess the number of DMZs present?
Can't we get that information based on any error-based methods?


  Code:
Will they have a separate DMZ for running database servers? If yes, how do I detect it?

-- It depends on how they configured their network. Some websites use a local socket to connect to a database hosted locally, while other sites use a database hosted externally on another server or perhaps a virtual machine. The easiest way to find out where the database is, is to hack the website and read the config.php file, if you can't find any hosts with port 3306 (MySQL) open in their network range. You should only look for MySQL if the site is running PHP, since this is the most common setup.

What can I do if it is a corporate target, or a target which is not a web server?


  Code:
Is it possible to get the kernel version of the Linux server they are using?
Also, I already nmapped it, and it says the kernel version is 2.4-2.6. I need to know the exact kernel version; what should I do?

-- Again, by hacking the website you can in some scenarios run commands directly on the server, e.g. via LFI, RFI, RCE and in some cases SQLi. On Linux a simple "uname -a" will tell you what you need, but you need to find a way to get remote code execution, which can also be done with social engineering and bruteforcing (FTP, SSH, the website and perhaps their e-mail too).

The same question arises in my mind: what do I do if it is a non-web server?
And are there any ways to identify a kernel based on its behaviour?
Like differences in its responses and errors to different stuff like ping, errors or any other things?

Are there any documents or papers out there regarding the behaviour of each kernel?


  Code:
Also I have seen some SMTP and POP3 services on the Cisco firewalls/routers.
This looks strange to me; why would a router/firewall be running SMTP/POP3 services?

-- Probably "port-forwarded" services. (They typically use the same IP as the router.)

No, they are not NAT'd.
And I want to make sure of one thing.

If a firewall with an IP of 208.xxx.xxx.xxx acts as a firewall for the following 4 web servers with IPs 208.1xx.xxx.xxx, 208.2xx.xxx.xxx, 208.3xx.xxx.xxx,
208.4xx.xxx.xxx, and they have SMTP enabled on all of them, and like you said they have enabled port forwarding on the router/firewall,

then why is it showing as an open port? (If I am being noobish, I am sorry.)

And can all 4 servers use the same port on the firewall?
Because it is not NAT'd, will using it like this cause any issues for them?



  Code:
I want to fingerprint the web application firewall being used on the target. How can I do it?

-- Not exactly sure; are you certain there is one? In many cases there isn't, though I have seen many companies use IDSs and IPSs, where the latter is kind of the same as a WAF. Input/output checking is one way to check this in some cases, though the problem is that it could also be the actual web application doing this.

Yes, there is such a thing; I had read somewhere that it can be detected
based on the cookies, its special behaviour in blocking certain things, and the like. As an expert, I hope you know; and also, if possible, can you link me to some nice articles related to those? I also saw, at DEFCON 2008, one guy doing a presentation on this.

And what about the traffic passing through 4 firewalls, sir?
And why do they have separate firewalls for filtering DNS traffic and web traffic?

Any guesses, sir?

I hope I can get some more useful advice from you....

Hope you will...
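On the "identify a kernel based on its behaviour" question above: that is what nmap -O does actively, and what passive tools do by watching a host's own packets. Here is an added Python example (not from the thread) that reads a SYN-ACK out of tcpdump -v output and derives the initial TTL, the hop distance and, from a tiny signature table, an OS family. The two records and the signature table are constructed and assumed for illustration only; real databases hold thousands of entries and also look at TCP options. Note what the table deliberately shows: a stock Linux 2.4 and 2.6 stack answer alike on these fields, which is exactly the resolution limit behind nmap's "2.4-2.6".

```python
"""Passive OS guess from a captured SYN-ACK: TTL, DF bit and window size.

Added example. SIGNATURES is an assumed illustrative subset in the style
of p0f/nmap databases, not a copy of either. The tcpdump -v records are
constructed (RFC 5737 addresses), not captures from any real host.
"""
import re

# (initial TTL, SYN-ACK window, DF set, label): assumed illustrative values
SIGNATURES = [
    (64, 5840, True, "Linux 2.4 or 2.6 (stock stack)"),
    (64, 65535, True, "FreeBSD / Mac OS X"),
    (128, 65535, True, "Windows XP / Server 2003"),
    (128, 8192, True, "Windows Vista / 7 / Server 2008"),
    (255, 4128, False, "Cisco IOS"),
]

LINUX_SYNACK = """\
12:00:01.000001 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.10.80 > 192.0.2.5.40000: Flags [S.], cksum 0x1234 (correct), seq 1000, ack 1, win 5840, options [mss 1460,sackOK,TS val 1 ecr 1,nop,wscale 7], length 0
"""
CISCO_SYNACK = """\
12:00:02.000001 IP (tos 0x0, ttl 245, id 1, offset 0, flags [none], proto TCP (6), length 44)
    203.0.113.1.23 > 192.0.2.5.40001: Flags [S.], cksum 0x5678 (correct), seq 2000, ack 1, win 4128, options [mss 536], length 0
"""
PLAIN_SYN = """\
12:00:03.000001 IP (tos 0x0, ttl 64, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.5.40002 > 203.0.113.10.80: Flags [S], cksum 0x9abc (correct), seq 1, win 29200, options [mss 1460], length 0
"""

TTL_RE = re.compile(r"\bttl (\d+)")                       # IP header line
IPFLAGS_RE = re.compile(r"\bflags \[([^\]]*)\]")          # lowercase: IP flags, not TCP
SYNACK_WIN_RE = re.compile(r"Flags \[S\.\].*?\bwin (\d+)")  # TCP line, SYN-ACK only


def initial_ttl(observed):
    """Stacks start at 64, 128 or 255; the first value >= observed is the guess."""
    for start in (64, 128, 255):
        if observed <= start:
            return start
    raise ValueError("IPv4 TTL cannot exceed 255")


def parse_synack(record):
    """(ttl, df, window) from one tcpdump -v record, or None if not a SYN-ACK."""
    ttl = TTL_RE.search(record)
    flags = IPFLAGS_RE.search(record)
    win = SYNACK_WIN_RE.search(record)
    if not (ttl and flags and win):
        return None
    return int(ttl.group(1)), "DF" in flags.group(1), int(win.group(1))


def fingerprint(record):
    """Guess initial TTL, hop distance and OS family; None for non-SYN-ACK input."""
    parsed = parse_synack(record)
    if parsed is None:
        return None
    ttl, df, win = parsed
    start = initial_ttl(ttl)
    labels = [lab for t, w, d, lab in SIGNATURES if (t, w, d) == (start, win, df)]
    return {
        "initial_ttl": start,
        "hops_away": start - ttl,
        "window": win,
        "df": df,
        "candidates": labels or ["no match in table"],
    }


if __name__ == "__main__":
    for name, rec in (("linux", LINUX_SYNACK), ("cisco", CISCO_SYNACK), ("syn", PLAIN_SYN)):
        print(name, fingerprint(rec))
```

The hop distance is the same number the traceroutes gave, so a SYN-ACK whose distance is shorter than the distance to the web server is the answer coming from a device in front of it (a proxy, load balancer or the firewall itself), which is one more way to tell a port-forwarded service from one the router really runs.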
