getting information (Router)
Posted on 11-09-08 03:50
How would one successfully gather information about a computer behind a router? Would I need to telnet in, but then I am guessing I would have to be local. So could I spoof the MAC and telnet into the router? The IP I captured doesn't seem to ping and the server is behind a router. So I am guessing it is the IP given by the router. What would the next step virtually be?


RE: getting information (Router)
Posted on 11-09-08 04:17
Fingerprint the router. Scan the router incrementally over a period of time. Attempt to pass the router through firewalking (extra TTL on your packets... hping is good for this). Think of the router as a doorway to the internal network's services, not as a barrier.


RE: getting information (Router)
Posted on 11-09-08 04:22
All right, thanks for the tips so far. I am taking a look into these. I have heard of fingerprinting but I have never really researched it. I am going to google info on it. Thanks.

Hping2 is a nice tool. It won't return any ports; however, I got a MAC address from it. Not that I am going to need it.
Is fingerprinting classified as win fingerprint, finger.. etc.? Most search results are about fingerprinting thumb scanning and such.




Edited by on 11-09-08 04:38
RE: getting information (Router)
Posted on 11-09-08 05:06
Zephyr_Pure wrote:
...Attempt to pass the router through firewalking...


I had never heard of the term firewalking, so I just read the white paper on it. I understand the concepts.. but how do you expect to apply it in this scenario? For firewalking you need to have an IP of a host that is behind the router/firewall... typically routers connected to the internet would assign local IP addresses to all the computers they are routing... I don't see how it would work in this case. Computers behind a router that directly connects to the internet wouldn't normally have external IP addresses.
RE: getting information (Router)
Posted on 11-09-08 11:49
You can tell what gets through/what gets blocked by the number of hops a ping returns. You can then build up a 'map' of the firewall rules. I'm surprised nobody has written a nice GUI tool that does this already.


RE: getting information (Router)
Posted on 11-09-08 13:18
chronicburst wrote:
Hping2 is a nice tool. It won't return any ports; however, I got a MAC address from it. Not that I am going to need it.
Is fingerprinting classified as win fingerprint, finger.. etc.? Most search results are about fingerprinting thumb scanning and such.


Yes, it is a nice tool... it's not intended to be a port scanner, but can barely be used as an adequate one (see here: http://www.hping.. . .nload.html). It is a more precise ping tool, which you can use to extend the TTL of a packet in an attempt to catch the router slipping (so to speak). Not a guaranteed idea, but worth a shot.

Fingerprinting is determining the OS present on a piece of hardware; this works for both computers and routers, as well as WAPs possibly. Nmap / Amap both do fingerprinting by reading the banner of running services and also by alternative analysis of the target, I believe; Google up "Nmap OS fingerprinting", and you'll get a good bit on how they do theirs.

Chinchilla3k wrote:
I had never heard of the term firewalking, so I just read the white paper on it. I understand the concepts.. but how do you expect to apply it in this scenario? For firewalking you need to have an IP of a host that is behind the router/firewall... typically routers connected to the internet would assign local IP addresses to all the computers they are routing... I don't see how it would work in this case. Computers behind a router that directly connects to the internet wouldn't normally have external IP addresses.


You use extended TTL packets to attempt to enumerate internal hosts (which has less chance of success in NAT situations), and a port scan to attempt to enumerate open ports. By the open ports, you have an idea of what services are potentially running on the internal network and being served to the outside world.

Firewalking, in its simplest definition, is simply the act of bypassing a border network device by using a non-conventional ICMP packet. There's no need for an internal IP... most of the time, you're using it to see if you can get exactly that (or more).

Here's a whitepaper on the topic (probably the same one you read), but it doesn't explain the concepts from a modern approach:

http://www.packet. . .-final.pdf

I will attempt to find a more up-to-date explanation of firewalking for reference.


RE: getting information (Router)
Posted on 12-09-08 02:05
Zephyr_Pure wrote:
Stuff


Yep, that's the one I read. I was under the assumption that most modern routers use NAT so the network can use internal IPs.. of course there is the chance that NAT isn't being used at all... in which case firewalking would be very useful.

With NAT I would imagine that the best you can do is confirm that it is a router and there is a host behind the router (not actually enumerate the hosts behind the router.. well, maybe how many hops it takes to get to the host running the service in the internal network).. Depending on the router.. when a TTL ends at its point it will either choose to ignore it or pass it on to the host.. when the host gets it and the TTL ends it will send an ICMP reply back.. but it won't reply with its own internal IP address 'cause the NAT will change the source address to the external one it owns. I'm not entirely sure but I'll probably test it later.

Also, firewalking is not about sending non-conventional ICMP packets.. it's about sending any packet that uses an IP header (UDP, TCP, w/e) and modifying the TTL in the IP header to see how many times the packet hops. When the TTL ends it will send a legitimate ICMP back regardless of whichever protocol was used to send the packet.

edit: I realize now that you didn't say 'sending a non-conventional icmp packet'. Regardless, I provide my explanation for clarity.

Edited by on 12-09-08 02:09
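The TTL-walking described in the posts above, seen from the border device's side: an added detection example, not code from the thread or from hping. The log line format, the sample probes and the 16-hop "small TTL" threshold are constructed assumptions; a real deployment would read its own firewall or netflow records.

```python
import re
from collections import defaultdict

# Constructed sample border-device log (not from the thread); one probe per line:
# "<epoch> <src> <dst> <proto/port> ttl=<TTL as seen on arrival>"
SAMPLE_LOG = """\
1220000000.10 203.0.113.5 198.51.100.20 TCP/80 ttl=1
1220000000.35 203.0.113.5 198.51.100.20 TCP/80 ttl=2
1220000000.60 203.0.113.5 198.51.100.20 TCP/80 ttl=3
1220000000.85 203.0.113.5 198.51.100.20 UDP/53 ttl=4
1220000001.10 203.0.113.5 198.51.100.20 TCP/80 ttl=5
1220000002.00 203.0.113.9 198.51.100.20 TCP/443 ttl=54
1220000003.00 203.0.113.9 198.51.100.20 TCP/443 ttl=54
1220000004.00 203.0.113.7 198.51.100.20 ICMP/8 ttl=3
"""

LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+) ttl=(?P<ttl>\d+)$")

def parse_log(text):
    """Parse log lines into (ts, src, dst, proto, ttl) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((float(m["ts"]), m["src"], m["dst"], m["proto"], int(m["ttl"])))
    return events

def find_ttl_sweeps(events, min_probes=4, max_ttl=16, window=5.0):
    """Flag (src, dst, ttls) where one source sent a run of small, strictly increasing
    TTLs to one destination within `window` seconds, whatever the protocol (TCP/UDP/ICMP)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _proto, ttl in events:
        if ttl <= max_ttl:             # assumed: normal traffic arrives with far higher TTLs
            by_pair[(src, dst)].append((ts, ttl))
    hits = []
    for (src, dst), probes in by_pair.items():
        probes.sort()                  # chronological order
        run = [probes[0]]
        for prev, cur in zip(probes, probes[1:]):
            if cur[1] == prev[1] + 1 and cur[0] - run[0][0] <= window:
                run.append(cur)
            else:
                run = [cur]            # sequence broken: start a new candidate run
            if len(run) >= min_probes:
                hits.append((src, dst, [ttl for _, ttl in run]))
                break
    return hits
```

`find_ttl_sweeps(parse_log(SAMPLE_LOG))` flags only the 203.0.113.5 source; the single low-TTL ICMP probe from 203.0.113.7 and the ordinary TTL-54 traffic are left alone.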
RE: getting information (Router)
Posted on 12-09-08 03:44
Chinchilla3k wrote:
Repeat

Yeah, by "non-conventional", I meant that an ICMP packet of a type not normally used in pinging (echo request) is used to evade routers that typically drop ping attempts.

The rest of the things that you said were quite intelligent and, for the contradiction concerning "non-conventional"... we ended up saying the same thing. We just argued different points.

Still, your responses give me some hope that people are still capable of being knowledgeable and deliberate on this site. Thank you.