getting information (Router)

How would one successfully gather information of a computer behind a router. Would I need to telnet in but then I am guessing I would have to be local. So could I spoof the mac and telnet into router. The IP I captured doesnt seem to ping and the server is behind a router. So I am guessing it is the IP given by the router. What would the next step virtually be.

Fingerprint the router. Scan the router incrementally over a period of time. Attempt to pass the router through firewalking (extra TTL on your packets… hping is good for this). Think of the router as a doorway to the internal network's services, not as a barrier.

All right, thats for the tips so far. I am taking a look into these. I have heard of fingerprinting but I have never really researched of it. I am going to google info on it. Thanks.

Hping2 is a nice tool. It wont return any ports however I got a mac address from it. Not that I am going to need it. Is fingerprinting classified as win fingerprint, finger.. etc. Most search results are about fingerprinting thumb scanning and such.

Zephyr_Pure wrote: …Attempt to pass the router through firewalking…

I never heard of the term firewalking, so I just read the white paper on it. I understand the concepts.. but how do you expect to apply it in this scenario? For firewalking you need to have an IP of a host that is behind the router/firewall… typically routers connected to the internet would assign local ip addresses to all the computers it is routing… I don't see how it would work in this case. Computers behind a router that directly connects to the internet wouldn't normally have external IP addresses.

You can tell what gets through/what gets blocked by the number of hops a ping returns. You can then build up a 'map' of the firewall rules. Im surprised nobody has written a nice GUI tool that does this already.

chronicburst wrote: Hping2 is a nice tool. It wont return any ports however I got a mac address from it. Not that I am going to need it. Is fingerprinting classified as win fingerprint, finger.. etc. Most search results are about fingerprinting thumb scanning and such.

Yes, it is a nice tool… it's not intended to be a port scanner, but can barely be used as an adequate one (see here: http://www.hping.org/download.html). It is a more precise ping tool, which you can use to extend the TTL of a packet in an attempt to catch the router slipping (so to speak). Not a guaranteed idea, but worth a shot.

Fingerprinting is determining the OS present on a piece of hardware; this works for both computers and routers, as well as WAPs possibly. Nmap / Amap both do fingerprinting by reading the banner of running services and also by alternative analysis of the target, I believe; Google up "Nmap OS fingerprinting", and you'll get a good bit on how they do theirs.

Chinchilla3k wrote: I never heard of the term firewalking, so I just read the white paper on it. I understand the concepts.. but how do you expect to apply it in this scenario? For firewalking you need to have an IP of a host that is behind the router/firewall… typically routers connected to the internet would assign local ip addresses to all the computers it is routing… I don't see how it would work in this case. Computers behind a router that directly connects to the internet wouldn't normally have external IP addresses.

You use extended TTL packets to attempt to enumerate internal hosts (which has less chance of success in NAT situations), and a port scan to attempt to enumerate open ports. By the open ports, you have an idea of what services are potentially running on the internal network and being served to the outside world.

Firewalking, in its simplest definition, is simply the act of bypassing a border network device by using a non-conventional ICMP packet. There's no need for an internal IP… most of the time, you're using it to see if you can get exactly that (or more).

Here's a whitepaper on the topic (probably the same one you read), but it doesn't explain the concepts from a modern approach:

http://www.packetfactory.net/firewalk/firewalk-final.pdf

I will attempt to find a more up-to-date explanation of firewalking for reference.

Zephyr_Pure wrote: Stuff

Yep, that's the one I read. I was under the assumption that most modern routers use NAT so the network can use internal IPs.. of course there is the chance that NAT isn't being used at all… in which case firewalking would be very useful.

With NAT I would imagine that the best you can do is confirm that it is a router and there is a host behind the router (not actually enumerate the hosts behind the router.. well maybe how many hops it take to get to the host running the service in the internal network).. Depending on the router.. when a TTL ends at it's point it will either choose to ignore it or pass it on to the host.. when the host gets it and the TTL end it will send an ICMP reply back.. but it won't reply with it's own internal IP address cause the NAT will change the source address to the external one it owns. I'm not entirely sure but I'll probably test it later.

Also, firewalking is not about sending non-conventional ICMP packet.. it's about sending any packet that uses an IP header (UDP, TCP, w/e) and modifying the TTL in the IP header to see how many time the packet hops. When the TTL ends it will send a legitimate ICMP back regardless of whichever protocol was used to send the packet.

edit: I realize now that you didn't say 'sending a non-conventional icmp packet'. Regardless, I provide my explanation for clarity.

Chinchilla3k wrote: Repeat Yeah, by "non-conventional", I meant that a ICMP packet of a type not normally used in pinging (echo request) is used to evade routers that typically drop ping attempts.

The rest of the things that you said were quite intelligent and, for the contradiction concerning "non-conventional"… we ended up saying the same thing. We just argued different points.

Still, your responses give me some hope that people are still capable of being knowledge and deliberate on this site. Thank you.