Introduction
Occasionally clients require that all network and system discovery is done completely blind during internal pentests (meaning no IP addresses are provided). I know that a lot of people have been exposed to ping and port scan discovery techniques, but on large networks those methods alone can be pretty time consuming. So in this blog I thought I would provide some time saving options that can be used in conjunction with the traditional methods. This blog should be interesting to network administrators, security professionals, and anyone else who wants to learn a few more ways to blindly discover live subnets and systems. I realize that there are many methods that can be used to discover active networks and systems, but I won't be able to cover all of them here. I'm actually perfectly sure that I don't know them all anyway. Regardless, what I will cover are the 10 common discovery techniques listed below. They should build on each other in a way that hopefully starts to make sense as you walk through the process.
- DHCP Information
- Sniffing Network Traffic
- ARP Broadcasting
- Net View
- DNS Zone Transfer
- DNS Lookups
- Domain Computer Accounts
- Trace Route
- Ping Scan Known Subnets
- Port Scans Known Subnets
Before We Start
I recommend maintaining two lists as you walk through the discovery methods below – one for live subnets and one for live systems. Ideally the live systems list should include the IP address and the host name for each live system. You may have to do a little parsing of the hosts to get a full list of the subnets, but it shouldn't be too hard to script. When you finally get to the trace route and scanning techniques you'll be able to leverage the lists as targets for further discovery.
Blind Discovery
Okey dokey, here we go…
DHCP Information
If DHCP is configured, it can provide a few pieces of information that are helpful when mapping the network. DHCP information can be viewed with IPCONFIG in Windows. You should be able to glean the following information.
- IP address: The DHCP IP address will give you at least one active subnet that can be used later to identify live systems and services via different scanning techniques.
- Gateway IP address: The gateway IP address on your subnet is most likely addressed the same way on all of the subnets across the environment. Combined with some basic ping scans this can be very useful for quickly enumerating live networks. For example, if your gateway is 192.168.72.3, then you may be able to identify other subnets by pinging 192.168.71.3, 192.168.70.3, etc.
- DNS server IP address: Similar to the gateway IP addresses, the DNS server IP addresses are commonly addressed the same way across all subnets.
- Domain name: The domain is important, because it will help us quickly leverage DNS records and Active Directory computer accounts in later steps. If you're interested in more ways to enumerate active domains I've provided 5 methods in a previous blog called Introduction to Windows Dictionary Attacks.
Sniffing Network Traffic
Sniffing is a great passive method for mapping networks and systems. Typically, you'll see a lot of broadcast traffic such as DNS, NBNS, BROWSER, and Cisco protocols that reveal hostnames, active subnets, VLANs, and domain names. Also, sniffing can be a handy way to find a valid IP address if DHCP is not configured on the network. Usually after watching traffic patterns for a little bit you can determine a gateway and a subnet. Then, after a little trial and error, you should be able to assign yourself a static IP address that will allow you to conduct more active network mapping. Of course there are quite a few sniffing tools that can be used, but on Windows I like Wireshark, Network Miner, and Cain. Also, TCPDump and Tshark can be handy for scripting on both Windows and Linux. Regardless of the OS or tool you choose, make sure to sniff in promiscuous mode to help ensure that you don't miss any network traffic. Below are basic examples for starting Tshark and TCPDump and writing the output to a file.
- tcpdump -i eth1 -nnvvXS -w outputfile
- tshark -i 1 -VV -w outputfile
ARP Broadcasting
Since we are on the general topic of broadcast traffic I think it makes sense to touch on ARP broadcasting briefly. Basically, sending out ARP requests for each IP address on a subnet and sniffing the responses is a quick way to determine live hosts. I like using Cain for this, but I'm sure there are other great tools out there as well. If you have one that you really like let me know and I'll update this blog.
Net View
Net view is a native Windows command that can be used to quickly enumerate other Windows systems within your broadcast domain. Below are a few variations of the command.
- net view
- net view /ALL /Domain:demo.com
Note: Don't forget to ping the hostnames for IP addresses and subnets. Also, keep in mind that sometimes you will need to ping the systems using their fully qualified domain names if you're not on a domain system.
DNS Zone Transfer
A DNS zone transfer essentially allows a client system to obtain a copy of the DNS database for the target domain. For the sake of clarity, that means all of the IP address and DNS name mappings. Below are a few examples of zone transfer commands.
- dig axfr Domain.com
- dig @serverip axfr Domain.com
Note: Don't forget to add the results to your system and network lists.
DNS SRV Queries
Even if you are not able to get a zone transfer to work there are often other DNS lookup options available. You should look up all of the standard DNS records for completeness, but for quick results I like targeting SRV records. One example for quickly automating SRV record lookups has been listed below. Note: The 'services.txt' file is just a list of service names pulled from the C:\Windows\System32\drivers\etc\services file in Windows.
- for /f "tokens=*" %i in ('type services.txt') do nslookup -type=SRV _%i._tcp.domain.com | grep -v "Server:" | grep -v "Address:" | grep -v "^$" >> servers.txt
Domain Computer Accounts
Every computer attached to a Windows domain has a computer account that is registered with Active Directory. Each of those Active Directory computer accounts is named after the computer name and appended with a '$'. So for example, if the computer name is 'Workstation01', then the associated computer account would be named 'Workstation01$'. Thanks to this convenient naming convention we can get a list of systems and subnets associated with the domain. There are a number of ways to accomplish this goal, but I'm only going to provide one, because it's usually the most successful.
- Grab the list of domain controllers from the last step for each domain, where <domain> is the target domain.
  - nslookup -type=SRV _ldap._tcp.<domain>
- Create a null session to each domain controller, where <dc_ip> is the domain controller's IP address.
  - net use \\<dc_ip>\ipc$ "" /user:""
- Enumerate all domain user accounts.
  - ruby c:\metasploit\msf3\msfcli auxiliary/scanner/smb/smb_lookupsid SMBDomain=. MaxRID=10000 RHOSTS=<dc_ip> E > domain_users.txt
- Parse for users with a '$' at the end of their name; most if not all will be computer accounts.
  - grep -i "user=" domain_users.txt | gawk -F " " "{print $3}" | gawk -F "USER=" "{print $2}" | grep "\$$" | gawk -F "$" "{print $1}" | sort | uniq 2>nul 1> domain_users_clean.txt
- Ping the systems using fully qualified domain names to get IP addresses, where domainname.com is the target domain.
  - for /F "tokens=*" %i in ('type domain_users_clean.txt') do ping %i.domainname.com
- Once again be sure to parse out the subnets for the upcoming steps.
Traceroute
The next objective is to identify live networks that exist between you and the subnets you've identified so far. To do that we'll use traceroute. Traceroute is a diagnostic tool that can provide route information using ICMP. In Linux the tool is called traceroute; in Windows it's called tracert. I recommend simply tracerouting to the gateway or DNS server for each network instead of tracerouting every system. Either way, make sure to add the newly identified networks to the list of subnets you've been collecting. Below is another quick and dirty script example. Note: This can take a while, especially if you have a long list of networks to trace. I typically limit the number of hops to 10 for most networks to save some time.
- for /F "tokens=*" %i in ('type gateways.txt') do tracert -h 10 %i | grep -v "out" | gawk -F " " "{print $8}" | sort
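The live-systems and live-subnets lists recommended in the Before We Start section can be kept by script rather than by hand. The following Python is an added example, not code from the original post: it reads Windows ping output (from the hostname-pinging step in the computer-accounts section) and tracert hop lines (from the script above) into one map of systems and a sorted set of subnets. The sample output is constructed, and the /24 prefix used to derive subnets is an assumption to adjust to the environment's real masks.

```python
import ipaddress
import re
import sys

# Constructed sample output in the style of Windows ping and tracert replies;
# the hostnames and addresses are made up for this example.
SAMPLE_OUTPUT = """
Pinging WORKSTATION01.demo.com [192.168.72.15] with 32 bytes of data:
Reply from 192.168.72.15: bytes=32 time<1ms TTL=128
Ping request could not find host OLDHOST01.demo.com. Please check the name and try again.
Pinging FILESRV02.demo.com [10.10.5.20] with 32 bytes of data:
Request timed out.
  1    <1 ms    <1 ms    <1 ms  192.168.72.3
  2     2 ms     1 ms     1 ms  10.0.0.1
  3     *        *        *     Request timed out.
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
PING_RE = re.compile(r"Pinging (\S+) \[" + IPV4 + r"\]")     # name resolved to IP
REPLY_RE = re.compile(r"Reply from " + IPV4)                 # host answered the ping
HOP_RE = re.compile(r"^\s*\d+\s+(?:<?\d+ ms\s+){3}" + IPV4)  # tracert hop that answered


def build_lists(text, prefix=24):
    """Return (systems, subnets).

    systems maps each IP seen to (hostname or None, replied_to_ping);
    subnets is the sorted list of /prefix networks those IPs fall in.
    The /24 default is an assumption; use the real masks where known.
    """
    systems = {}
    for line in text.splitlines():
        if m := PING_RE.search(line):
            host, ip = m.groups()
            systems[ip] = (host, systems.get(ip, (None, False))[1])
        elif m := REPLY_RE.search(line):
            ip = m.group(1)
            systems[ip] = (systems.get(ip, (None, False))[0], True)
        elif m := HOP_RE.match(line):
            systems.setdefault(m.group(1), (None, False))  # hop seen, no hostname
    subnets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in systems}
    return systems, sorted(subnets)


if __name__ == "__main__":
    # Pipe saved ping/tracert output on stdin, or run without input to use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    systems, subnets = build_lists(data)
    for ip, (host, replied) in sorted(systems.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:15} {host or '-':30} {'up' if replied else '?'}")
    print("subnets:", ", ".join(map(str, subnets)))
```

A host that resolved but timed out (FILESRV02 in the sample) still contributes its subnet to the list, which matches the post's point that the ping step is about collecting addresses; liveness is confirmed by the scans that follow.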
Ping Scan Known Subnets
Now that we have a larger list of networks we can start enumerating some systems. Feel free to dust off nmap for some ping scanning.
- nmap -sP -iL networks.txt -oA livesystems_icmp
Port Scans Known Subnets
In some cases, live systems are configured to ignore ICMP requests. For that reason it's important to also perform some basic discovery scans. Targeting a handful of common services will usually do the trick. Below is a quick nmap example.
- nmap -sS -Pn -p21,22,23,25,80,110,443,513,3389,6000 -iL networks.txt -oA livesystems_disco
Conclusion
Now you should have a nice group of targets for your penetration test. Alone, each technique can be handy, but together they are much more effective. Hopefully this blog helped someone do something. Have fun and don't forget to Hack Responsibly!
References
- http://nmap.org/
- http://www.metasploit.com/
- http://linux.about.com/od/commands/l/blcmdl1_dig.htm
- http://en.wikipedia.org/wiki/Traceroute
- http://unxutils.sourceforge.net/
- http://www.oxid.it/cain.html