Re: Multiple IP on the same server how to identify

From: Andrew A. Vladimirov (mlistsarhont.com)
Date: Thu Jun 10 2004 - 19:34:56 CDT

Yonatan Bokovza wrote:
>>-----Original Message-----
>>From: NetExpress [mailto:NetExpressinfogroup.it]
>>Sent: Thursday, June 10, 2004 13:13
>>To: pen-testsecurityfocus.org
>>Subject: Multiple IP on the same server how to identify
>>Hi, the problem is, if I am doing a penetration test from the Internet to
>>many servers, probably there should be some IPs on the same server or
>>network adapter, like a load balancer.
>>In a report, and to avoid false positives, it should be useful to identify
>>which IPs are on the same server, but how?
>>If I were in the internal network I am testing I would use arp to find
>>the MAC address of each IP and I would have solved it, but from the
>>Internet I cannot use arp.
>>From the Internet I could use the banner, but this is not sure: I could
>>have more than one application server on the same server, with n-IP on
>>application server A and m-IP on application server B, so getting the
>>banner should not be the right choice, especially with a proxy.
>>Any idea?
> You could use the TCP Timestamp option to see the uptime of both
> servers. If it is similar enough, there is a good chance it is the same
> server. (unless the loadbalancer changes the Timestamp...)
> See section 3.2 here:
> http://www.faqs.org/rfcs/rfc1323.html
> Regards,
> Yonatan Bokovza
> IT Security Consultant
> Xpert Systems

Yep, TCP timestamps, TCP sequence numbers and IP IDs. Plus, of course,
OS fingerprinting and banner grabbing. ISNprober, hping2, nmap and both
xprobes will do the job.
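
The TCP timestamp comparison suggested in this thread, worked through as an added example (not code from either poster or from any of the tools named): fit each address's TSval samples against capture time to recover the tick rate and the instant the counter would have read zero, then group addresses whose fits agree. The sample data, the documentation-range addresses, the function names and the tolerances are all constructed assumptions.

```python
from statistics import mean

# Constructed samples: (capture time in seconds, TSval seen from that address).
SAMPLES = {
    "192.0.2.10": [(0, 50000000), (10, 50001000), (20, 50002000), (30, 50003000)],
    "192.0.2.11": [(1, 50000100), (11, 50001100), (21, 50002100), (31, 50003100)],
    "192.0.2.20": [(2, 86402000), (12, 86412000), (22, 86422000), (32, 86432000)],
}

def fit_clock(samples):
    """Least-squares line through (time, TSval) points.

    Returns (hz, zero_time): the timestamp clock's tick rate and the
    capture-clock instant at which TSval extrapolates to 0 (roughly boot
    time on stacks that start the counter at zero)."""
    t_bar = mean(t for t, _ in samples)
    v_bar = mean(v for _, v in samples)
    den = sum((t - t_bar) ** 2 for t, _ in samples)
    hz = sum((t - t_bar) * (v - v_bar) for t, v in samples) / den
    return hz, t_bar - v_bar / hz

def group_by_host(observations, tolerance=1.0, hz_slack=0.01):
    """Group addresses whose timestamp clocks look like one clock.

    Two addresses are grouped when their zero points differ by at most
    `tolerance` seconds and their tick rates by at most `hz_slack`
    (fractional). Both thresholds are assumptions to tune per engagement."""
    fits = {ip: fit_clock(s) for ip, s in observations.items()}
    groups = []
    for ip in sorted(fits, key=lambda a: fits[a][1]):
        hz, zero = fits[ip]
        if groups:
            ref_hz, ref_zero = fits[groups[-1][0]]
            same_rate = abs(hz - ref_hz) <= hz_slack * ref_hz
            if same_rate and abs(zero - ref_zero) <= tolerance:
                groups[-1].append(ip)
                continue
        groups.append([ip])
    return groups

if __name__ == "__main__":
    for group in group_by_host(SAMPLES):
        hz, zero = fit_clock(SAMPLES[group[0]])
        print(f"{group}: {hz:.0f} Hz, counter zero {-zero:.0f}s before capture start")
```

A match is evidence for the report, not proof: a load balancer that rewrites the option (as the quoted reply warns) or a stack that randomizes the timestamp offset per connection breaks the comparison, so it should be confirmed with the other signals listed above.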