Re: Multiple IP on the same server how to identify

From: Andrew A. Vladimirov (mlistsarhont.com)
Date: Thu Jun 10 2004 - 19:34:56 CDT


Yonatan Bokovza wrote:
>>-----Original Message-----
>>From: NetExpress [mailto:NetExpressinfogroup.it]
>>Sent: Thursday, June 10, 2004 13:13
>>To: pen-testsecurityfocus.org
>>Subject: Multiple IP on the same server how to identify
>>
>>
>>Hi, the problem is, if I am doing a penetration test from the Internet to
>>many servers, probably there should be some IPs on the same server or
>>network adapter, like a load balancer.
>>In a report, and to avoid false positives, it would be useful to identify
>>which IPs are on the same server, but how?
>>If I were in the internal network I am testing, I would use arp to find
>>the MAC address of each IP and the problem would be solved, but from the
>>Internet I cannot use arp.
>>
>>From the Internet I could use the banner, but this is not certain: I could
>>have more than one application server on the same server, with n IPs on
>>application server A and m IPs on application server B, so getting the
>>banner would not be the right choice, especially with a proxy.
>>
>>Any idea?
>
>
> You could use the TCP Timestamp option to see the uptime of both
> servers. If it is similar enough, there is a good chance it is the same
> server. (unless the loadbalancer changes the Timestamp...)
> See section 3.2 here:
> http://www.faqs.org/rfcs/rfc1323.html
>
> Regards,
> Yonatan Bokovza
> IT Security Consultant
> Xpert Systems

Yep, TCP timestamps, TCP sequence numbers and IP IDs. Plus, of course,
OS fingerprinting and banner grabbing. ISNprober, hping2, nmap and both
xprobes will do the job.

Cheers,
Andrew
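
The TCP timestamp comparison suggested in this thread, worked through as an added example (not code from either poster). It assumes TSval samples have already been read from a packet capture; the addresses, sample values and function names are constructed for illustration.

```python
from statistics import mean

# Constructed samples per IP: (capture time in seconds, TSval from the TCP option).
SAMPLES = {
    "192.0.2.10": [(0.0, 4294966296), (1.0, 0), (2.0, 1000)],   # counter wraps
    "192.0.2.11": [(0.5, 4294966796), (1.5, 500), (2.5, 1500)],  # same clock as .10
    "192.0.2.20": [(0.0, 360000), (1.0, 360100), (2.0, 360200)],  # 100 Hz clock
}

def unwrap(samples):
    """Undo 32-bit wraparound so TSval grows monotonically with time."""
    out, base, prev = [], 0, None
    for t, v in sorted(samples):
        if prev is not None and v < prev:
            base += 2 ** 32
        out.append((t, v + base))
        prev = v
    return out

def clock_fit(samples):
    """Least-squares fit TSval = hz * t + offset.

    Returns (boot, hz): boot is the capture-clock time at which the counter
    read zero, hz is the tick rate of the remote timestamp clock.
    """
    pts = unwrap(samples)
    tm, vm = mean(t for t, _ in pts), mean(v for _, v in pts)
    hz = sum((t - tm) * (v - vm) for t, v in pts) / sum((t - tm) ** 2 for t, _ in pts)
    offset = vm - hz * tm
    return -offset / hz, hz

def group_by_host(samples_by_ip, tol_s=1.0, tol_rate=0.01):
    """Group IPs whose timestamp clocks share a tick rate and a zero point."""
    est = sorted((*clock_fit(s), ip) for ip, s in samples_by_ip.items())
    groups = []
    for boot, hz, ip in est:
        last = groups[-1][-1] if groups else None
        if last and abs(boot - last[0]) <= tol_s and abs(hz - last[1]) <= tol_rate * last[1]:
            groups[-1].append((boot, hz, ip))
        else:
            groups.append([(boot, hz, ip)])
    return [sorted(m[2] for m in g) for g in groups]

if __name__ == "__main__":
    for group in group_by_host(SAMPLES):
        print("same timestamp clock:", ", ".join(group))
```

A shared clock is evidence, not proof: as noted in the thread, a load balancer may rewrite the option, and stacks that randomize the timestamp offset per connection (as current Linux kernels do by default) will not line up this way.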