.

Host Discovery Help

<<

sgtsteamy

Newbie
Newbie

Posts: 5

Joined: Thu Jun 16, 2011 10:21 am

Post Thu Jun 16, 2011 10:37 am

Host Discovery Help

Hello,

I typically won't post these types of topics unless I'm really desperate, which is the case. I have done much research by myself but still need some assistance and the clock is ticking :/

I am a whitehat that was employed by an organization [sorry I probably shouldn't say by whom] that hired me for my mitm, arp posioning, and packet injection skills. Quite honestly I'm not near as experienced as the majority of the users on here but they seemed to think I could do the job.

The only problem is they seem to have me doing everything outside of my expertise and have me scanning the ol WAN for external host discovery.

Only problem is that the firewall seems pretty resilient [or I'm just pathetic] and I am not getting any hosts returned on my external scans.... At all. One range I scanned let's say just for example 192.168.0.0/24 [obviously just a local example, not the real range I'm scanning]. And I get 30 some on hosts on the internal scan. Okay great. I hop outside of the network and start doing external scans. Nothing. I can't get ANYTHING!

I'll be honest. I'm no nmap guru. I've read through the "Nmap Network Scanning" book by Gordon Lyon and used a few of his suggested methods and still, nothing.

My first attempts I tried mixing various types of SYN an ACK probes and still can't seem to achieve any king of success.

An example of one of my attempts:
-PE -PA -PS21-25,80,113,31339 -PA80,113,443,10042 -g 53

I'm not asking anyone to do my homework for me. Maybe just point me in the right direction. Again I hate to ask for any help but I have to report on SOMETHING. Haha thanks in advance for any advice.

Oh and I wish I could disclose more information on the network but don't think that would be a good idea.
<<

Ignatius

Jr. Member
Jr. Member

Posts: 91

Joined: Sun Mar 22, 2009 9:51 am

Post Thu Jun 16, 2011 11:24 am

Re: Host Discovery Help

I'm far from an expert myself, but a few thoughts came into my head:

Why did they engage you if they knew the level of your skills and they wanted more than you could offer?

Why did you accept the engagement if the written agreement (you do have one, don't you?) indicated that you would be expected to undertake work that you knew was beyond you?

If they have changed the goal post, I would be inclined to reiterate that you do not have the appropriate skills, then point them in the direction of someone, or a company, that would fulfil their requirements.
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jun 16, 2011 11:31 am

Re: Host Discovery Help

Did they give you the block of external IP's to test or is this a black box scenario?

If this is the block they gave you, you might want to slow down your nmap scans. It's possible the FW knows you're slamming it with nmap scans and is just dropping your traffic. It's also possible they spotted you and are dropping all traffic from your IP.

I would try the -t (i think) flag in nmap to change the interval so that it slows your scans WAY down. I would probably also try from a different server with a different public IP just in case they blocked your IP as a matter of Incident Response.

-C
<<

sgtsteamy

Newbie
Newbie

Posts: 5

Joined: Thu Jun 16, 2011 10:21 am

Post Thu Jun 16, 2011 11:38 am

Re: Host Discovery Help

Ignatius wrote:I'm far from an expert myself, but a few thoughts came into my head:

Why did they engage you if they knew the level of your skills and they wanted more than you could offer?

Why did you accept the engagement if the written agreement (you do have one, don't you?) indicated that you would be expected to undertake work that you knew was beyond you?

If they have changed the goal post, I would be inclined to reiterate that you do not have the appropriate skills, then point them in the direction of someone, or a company, that would fulfil their requirements.



I'm very young [21] and so are the 3 other guys on my team [later 20s]. They wanted a group of "outsiders" who were young and willing to learn and knew a few things about the "hacker culture." The job pays extremely well and they said I could work from home so why not? There was no specifics listed in the signed agreement on what they'd be having me do. Only just a few documents to protect me from any legal actions and that type of thing. I've never felt like I had the skills to do my job properly but i just go in and do my best :/

cd1zz wrote:Did they give you the block of external IP's to test or is this a black box scenario?

If this is the block they gave you, you might want to slow down your nmap scans. It's possible the FW knows you're slamming it with nmap scans and is just dropping your traffic. It's also possible they spotted you and are dropping all traffic from your IP.

I would try the -t (i think) flag in nmap to change the interval so that it slows your scans WAY down. I would probably also try from a different server with a different public IP just in case they blocked your IP as a matter of Incident Response.

-C


The list of subnets is astounding. The network is huge. But yes I have a list. I think they want me to black box it but at this point I'm just looking for some success so I know my scans are at least catching something. I ought to go sit down at a starbucks and run a few very slow scans. Would you suggest I run the same one I was before just with the "-t?"

So something like

-PE -PA -T2 -PS21-25,80,113,31339 -PA80,113,443,10042 -g 53

?
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jun 16, 2011 11:44 am

Re: Host Discovery Help

Sounds like you need to do a bit of recon before you hit such a wide range of IPs. For example, ping their webserver. Does that IP fall into one of the blocks they gave you?

If so, scan that so you can be sure you're getting some results back.

Recon and info gathering is a critical first step.
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jun 16, 2011 11:47 am

Re: Host Discovery Help

Another thought I had - you might want to look into unicornscan instead of nmap.
<<

sgtsteamy

Newbie
Newbie

Posts: 5

Joined: Thu Jun 16, 2011 10:21 am

Post Thu Jun 16, 2011 11:59 am

Re: Host Discovery Help

cd1zz wrote:Sounds like you need to do a bit of recon before you hit such a wide range of IPs. For example, ping their webserver. Does that IP fall into one of the blocks they gave you?

If so, scan that so you can be sure you're getting some results back.

Recon and info gathering is a critical first step.


When I "whois" their domain I get the NetRange that includes all the IP ranges and address they have handed me. So they're all there. But it's really, really, really big XD

cd1zz wrote:Another thought I had - you might want to look into unicornscan instead of nmap.


Done. I'm trying to install now. At first I thought you were messing with me... Like when you hand your little brother the controller when it's not plugged in... Just to keep him busy. Bahaha I feel like such a noob.
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Jun 19, 2011 9:37 pm

Re: Host Discovery Help

I agree with the recon most decent firewalls will immediately drop your scan packets so you need to get a bit smarter than the FWs.  Recon some targets, web servers, email servers, any type of forward facing system will do.  There is no sense to scan an entire range of the most obvious targets have an opening. 

Then again if they have a very large range of public IPs, then that might mean they are one-to-one NATting the internal systems and perhaps some workstations might be present.  Doubtful, but hey you never know.

So did they engage you to do a pen test??  There are no terms for this engagement?  In the future when you get some experience under your belt, do yourself a favor and get a more specific list of deliverables.  No sense doing additional work if it is out of scope.  And you want to make sure you are cleared for compromising a system and that it is in writing so you don't get burned. 

Also who hired you to do the work?  Was it someone that has the proper authorization?  Typically the person setting up the engagement needs the written authorization from the owner/President/CEO of the company to engage in such activities.  That way all are aware that this is going on.  Don't want to get wrapped up in some internal power struggle only to find out you are the scape goat.

Good luck!!
Certs: GCWN
(@)Dewser

Return to Other

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software