Interpreting Network Results

Interpreting Network Results

Introduction
For the purposes of course structure Active Information Gathering and
Target Mapping have been separated. It should be noted, however, that
in practice the process of scanning and mapping is iterative. As such,
this module will re-visit some of the techniques discussed previously
while applying them to the results we have gathered thus far.
Live Hosts
Our various ping package results should have given us information
regarding live hosts visible on the target network. These results will
often be incomplete due to filtering of ICMP, as discussed. We must
therefore combine the results of our standard ping probes with those of
our port probes for specific services.
It may be that seemingly new hosts detected through a service probe
are in fact NAT addresses projected by the Firewall to obscure the true
identity of the public servers; this should become apparent in the host
scanning phase of the assessment.
Traceroute
We have already mentioned that traceroute results may reveal
information about upstream devices, at least their IP’s and possibly
revealing names.



Traceroute results

glyng@anon [~] $ traceroute x.82.84.33
traceroute to x.82.84.33 (x.82.84.33), 64 hops max, 40 byte packets
1 cohost-gw.liberator.anon.dom.uk (x.13.212.254) 1.373 ms 1.123 ms 1.280 ms
2 x.13.y.21 (x.13.y.21) 3.680 ms 3.506 ms 4.583 ms
3 borggw-enterprise.anon.dom.uk (x.13.y.17) 127.189 ms 257.404 ms 208.484 ms
4 anondom-peering-gw.network.dom (y.93.144.89) 471.68 ms 376.875 ms 228.286 ms
5 fe5-0.linx1.nacamar.dom.uk (y.162.231.225) 2.961 ms 3.852 ms 2.974 ms
6 fe0-0.lon0.nacamar.dom.uk (y.162.231.234) 3.979 ms 3.243 ms 4.370 ms
7 x.172.154.5 (x.172.154.5) 11.454 ms 4.221 ms 3.333 ms
8 gw.linx.ja.dom (y.66.224.15) 5.392 ms 3.348 ms 3.199 ms
9 london-gw.ja.dom (z.86.1.14) 155.39 ms 156.912 ms 6.890 ms
10 atmr-ulcc.lmn.dom.uk (z.97.255.66) 7.327 ms 8.427 ms 10.88 ms
11 middlesex.lmn.dom.uk (y.83.101.210) 9.x ms 11.737 ms 11.680 ms
12 z.94.242.2 (z.94.242.2) 10.371 ms 9.911 ms 10.754 ms
13 z.94.80.2 (z.94.80.2) 14.586 ms * 16.1 ms
14 z.94.81.1 (z.94.81.1) 14.664 ms 16.816 ms 19.552 ms
15 * * *
16 z.94.81.1 (z.94.81.1) 46.86 ms 15.872 ms *
17 * * *





Our first four hops (co-host to annonet-peering-gw) are the packet’s exit
from our service provider. The packet then proceeds across various
back bone routers (fe5-0.linx1 to london-gw) before reaching the target
ISP’s network.
Although the traceroute then proceeds to time out, we can assume that
the z.94.81.1 hop is possibly the last before our target (perhaps the near
end of a serial/ISDN link to the router, or a local router before the
Firewall).
We would therefore include both the z.94.81.1 and y.83.101.210 in our
study, as vulnerabilities in these routers could allow us to source route
packets in an attack, or redirect traffic intended for the site to an
alternative destination (for example a competitor, hoax site or simply a
void).