I want to know what sort of network architecture they are using?
-- Social Engineering including spoofed e-mails may help you.
Also, check if they've outsourced their website to a 3rd party hoster. If yes then you need to know how that hoster functions etc. etc.
Can u tell me how spoofed e-mails will help?
What sort of information can we get from the spoofed e-mails?
And my target is not hosted on 3rd party hosting...
They have their own stuff..
How can I determine the number of DMZs they have?
-- By hacking the router. From the router it's virtually impossible except if it's a misconfigured (and probably older version of a) Cisco router where you can in some cases read the configuration directly via SNMP.
Hacking routers? I am in the enumeration phase, I haven't hacked routers. Without hacking those routers, can't we guess the number of DMZs?
Can't we get that information based on any error methods?
Will they have a separate DMZ for running database servers? If yes, how to detect it?
-- Depends on how they configured their network. Some websites use a local socket to connect to a database hosted locally, while other sites use a database hosted externally on another server or perhaps a virtual machine. The easiest way to find out where the database is, is to hack the website and read the config.php file if you can't find any hosts with port 3306 (MySQL) open in their network range. You should only look for MySQL if the site is running PHP, since this is the most common setup.
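From the defender's side, the point in this reply is that a database port reachable from the Internet is a misconfiguration whether the database sits on the web server or on a separate host. The following Python script is an added example (not from this thread) that parses nmap's grepable (-oG) output from a scan of your own address range and flags hosts exposing database or SNMP ports; the scan lines, the 203.0.113.0/24 addresses and the port list beyond 3306 are constructed sample data and assumptions:

```python
"""Flag Internet-exposed database and management ports in an nmap
grepable (-oG) scan of your own address range.

Added example, not code from the thread; the scan output below is
constructed sample data, not a real scan."""
import re
from typing import Dict, List, Set, Tuple

# Ports that should not be reachable from the public Internet.
# 3306 (MySQL) is the port the thread mentions; the others are an
# assumption about other common database and management services.
SENSITIVE_PORTS = {
    3306: "mysql",
    5432: "postgresql",
    1433: "mssql",
    161: "snmp",
}

# Constructed sample of nmap -oG output (tab-separated fields, one
# "Ports:" entry per host: port/state/proto/owner/service/rpc/version/).
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample output)\n"
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, "
    "3306/open/tcp//mysql///\tIgnored State: filtered (997)\n"
    "Host: 203.0.113.11 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///"
    "\tIgnored State: closed (998)\n"
    "Host: 203.0.113.12 ()\tPorts: 3306/open/tcp//mysql///, 161/open/udp//snmp///"
    "\tIgnored State: filtered (998)\n"
)

# port / state / protocol / owner (empty) / service
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)//([^/]*)/")


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Return {host: set of open port numbers} from nmap -oG output."""
    hosts: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blanks
        fields = line.split("\t")
        host = fields[0].split()[1]
        open_ports = hosts.setdefault(host, set())
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for port, state, _proto, _service in PORT_RE.findall(field):
                if state == "open":
                    open_ports.add(int(port))
    return hosts


def exposed_services(hosts: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """List (host, port, service) for every sensitive port found open."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port in sorted(ports):
            if port in SENSITIVE_PORTS:
                findings.append((host, port, SENSITIVE_PORTS[port]))
    return findings


def classify_database_hosts(hosts: Dict[str, Set[int]]) -> Dict[str, str]:
    """Tell a web server with a co-located MySQL apart from a dedicated
    database host, as the two layouts described in the thread."""
    notes = {}
    for host, ports in hosts.items():
        if 3306 in ports:
            if ports & {80, 443}:
                notes[host] = "web server with locally hosted database exposed"
            else:
                notes[host] = "dedicated database host exposed"
    return notes


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_SCAN)
    for host, port, name in exposed_services(scan):
        print(f"{host}:{port} ({name}) reachable from scanner")
    for host, note in classify_database_hosts(scan).items():
        print(f"{host}: {note}")
```

Run nmap against your own range with -oG, feed the file to parse_grepable, and anything reported by exposed_services is a firewall rule to add; a 3306 listener on a web host is also a sign the application should be talking to the database over a local socket or a loopback address instead.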
What can I do if it is a corporate target, or a target which is not a web server?
Is it possible to get the kernel version of the Linux server they are using?
Also, I already nmapped it; it is saying the kernel version is from the 2.4-2.6 range. I need to know the exact version of the kernel, what should I do?
-- Again, by hacking the website you can in some scenarios run commands directly on the server, e.g. via LFI, RFI, RCE and in some cases SQLi. On Linux a simple "uname -a" will tell you what you need, but you need to find a way to get remote code execution, which can also be done with Social Engineering and bruteforcing too. (FTP, SSH, website and perhaps their e-mails too.)
The same question arises in my mind: what to do if it is a non-web server?
And are there any ways to identify a kernel based on its behaviour?
Like its differences in responses and errors to different stuff like ping, errors or any other things?
Are there any documents or papers out there regarding the behaviour of each kernel?
Also I have seen some SMTP and POP3 services on the Cisco firewalls/routers.
This looks strange to me, why is a router/firewall running SMTP/POP3 services?
-- Probably "port forwarded" services. (They typically use the same IP as the router.)
NO, they are not NAT'd.
And I want to make sure of one thing.
If a firewall with an IP of 208.xxx.xxx.xxx acts as a firewall for the following 4 web servers with IPs 208.1xx.xxx.xxx, 208.2xx.xxx.xxx, 208.3xx.xxx.xxx,
208.4xx.xxx.xxx, and they have SMTP enabled on all of them, and like you said they have enabled port forwarding on the router/firewall,
but why is it acting as an open port? (If I am noobish I am sorry.)
And can all the 4 servers use the same port on the firewall?
Because it is not NAT'd, so will using it like this cause any issues for them?
I want to fingerprint the web application firewall being used on the target, how can I do it?
-- Not exactly sure, are you certain there is one? In many cases there isn't though I have seen many companies use IDS's and IPS's where the last is kinda the same as a WAF. Input / Output checking is one way to check this in some cases though the problem is that it could also be the actual web application doing this.
Yes, there is such a one, I had read something that it can be detected
based on the cookies, its special behaviour in blocking certain things, like that. As an expert I hope u know, and also if possible can u link me to some nice articles related to those? And also I have seen at DEF CON 2008 one guy doing a presentation on this..
And what about the traffic passing through 4 firewalls, sir?
And why do they have separate firewalls for filtering DNS traffic and web traffic?
Any guesses, sir?
I hope I can get some more useful advice from you....
Hope u will...