3

I would like to scan my DMZ for hosts that are bridged between subnets and have routing enabled. Since I have everything from VMware servers to load balancers on the DMZ, I'm unsure if every host is configured correctly.

What IP, ICMP, or SNMP (etc) tricks can I use to poll the hosts and determine if the host is acting as a router?

I'm assuming this test would presume I know the target IP, but in a large network with many subnets, I'd have to test many different combinations of networks and see if I get success. Here is one example (ping):

  1. For each IP in the DMZ, arp for the host MAC
  2. Send an ICMP reply message to that host directed at an online host on each subnet

I think that there is a more optimal way to get the information, namely from within ICMP/IP itself, but I'm not sure what low level bits to look for.

I would also be interested if it's possible to determine the "router" status without knowing the subnets that the host may be connected to. This would be useful to know when improving our security posture.

makerofthings7

1 Answer

2

Look for Ethernet hardware addresses that are sourcing packets with different TTLs. For a pure end host, all packets that originate from that host's MAC address should have the same TTL.

David Schwartz
  • Nice trick. How would you scan and report on this? – makerofthings7 Oct 21 '12 at 03:52
  • This is just like any administration task. Everyone has their own way. Personally, I'd hack something together with `tcpdump` and `cut`/`sort`. But if you're the `perl` type or `sed`/`awk` type, that works too. – David Schwartz Oct 21 '12 at 04:00
  • @DavidSchwartz You just captured why I prefer Linux to Windows (for servers) in the most beautiful nutshell possible... – Soviero Oct 21 '12 at 04:49
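The answer's TTL check, and the "hack something together" reporting step asked about in the comments, as an added example that is not part of the original post or the commenters' own tooling. It parses raw Ethernet II + IPv4 frames and reports every source MAC that has put more than one distinct TTL on the wire; a pure end host emits its OS default (64, 128 or 255), while a host forwarding traffic also emits other hosts' TTLs decremented by one. The frames, MAC addresses and IP addresses are constructed inline for the demo; on a real network you would feed it frames from a capture instead.

```python
"""
Flag Ethernet source MACs that emit IPv4 packets with more than one TTL.

Added example, not code from the original post. The frames, MACs and IPs
below are constructed for the demo; replace SAMPLE_FRAMES with frames read
from a capture (e.g. a pcap written by tcpdump) to run it for real.
"""
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl, proto=1):
    """Build a minimal Ethernet II + IPv4 header (no payload), demo input only."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    ver_ihl = (4 << 4) | 5                      # IPv4, 20-byte header
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20, 0, 0, ttl, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


def parse_frame(frame):
    """Return (src_mac, src_ip, ttl) for an IPv4 frame, None for anything else."""
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                             # ARP, IPv6, etc. carry no IPv4 TTL
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ttl = ip[8]                                 # TTL is byte 8 of the IPv4 header
    src_ip = ".".join(str(b) for b in ip[12:16])
    return src_mac, src_ip, ttl


def ttls_by_mac(frames):
    """Map each source MAC to {ttl: {source IPs seen with that ttl}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, ip, ttl = parsed
        seen[mac][ttl].add(ip)
    return seen


def find_forwarders(frames):
    """Return {mac: sorted TTLs} for every MAC that sourced more than one TTL value."""
    return {mac: sorted(ttls)
            for mac, ttls in ttls_by_mac(frames).items() if len(ttls) > 1}


# Constructed sample capture (assumed addresses, not from any real network):
# 00:01 is a Linux end host (TTL 64), 00:02 a Windows end host (TTL 128),
# 00:03 has an IP of its own (TTL 64) but also forwards packets from 10.0.2.0/24,
# which leave its NIC with the originators' TTLs decremented once (63, 127).
SAMPLE_FRAMES = [
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03", "10.0.1.10", "198.51.100.7", 64),
    build_frame("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "10.0.1.10", "10.0.1.11", 64),
    build_frame("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "10.0.1.11", "10.0.1.10", 128),
    build_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:01", "10.0.1.1", "10.0.1.10", 64),
    build_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:01", "10.0.2.5", "10.0.1.10", 63),
    build_frame("aa:bb:cc:00:00:03", "aa:bb:cc:00:00:02", "10.0.2.9", "10.0.1.11", 127),
    # An ARP frame: not IPv4, so it is skipped rather than miscounted.
    bytes.fromhex("ffffffffffff" "aabbcc000001") + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
]

if __name__ == "__main__":
    for mac, ttls in ttls_by_mac(SAMPLE_FRAMES).items():
        for ttl, ips in sorted(ttls.items()):
            print(f"{mac}  ttl={ttl:<3} src={', '.join(sorted(ips))}")
    print("forwarding candidates:", find_forwarders(SAMPLE_FRAMES))
```

`ttls_by_mac` keeps the source IPs per TTL on purpose: a MAC that emits a foreign source address is a stronger signal than the TTL spread alone, and the combination lets you separate a real forwarder from legitimate single-host noise such as traceroute probes or multicast and routing-protocol packets that are sent with TTL 1 or 255 by design. The source MAC is only the last hop's, so run the capture on each DMZ segment you care about, and treat the output as a candidate list to confirm against the host's own routing configuration.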