Home > Articles

This chapter is from the book

This chapter is from the book

Certified Ethical Hacker (CEH) Version 10 Cert Guide, 3rd EditionCertified Ethical Hacker (CEH) Version 10 Cert Guide, 3rd Edition

Learn More Buy

This chapter is from the book

This chapter is from the book

Certified Ethical Hacker (CEH) Version 10 Cert Guide, 3rd EditionCertified Ethical Hacker (CEH) Version 10 Cert Guide, 3rd Edition

Learn More Buy

Determining the Network Range

Now that the pen test team has been able to locate names, phone numbers, addresses, some server names, and IP addresses, it’s important to find out what IP addresses are available for scanning and further enumeration. If you take the IP address of a web server discovered earlier and enter it into the Whois lookup at https://www.arin.net, you can determine the network’s range. For example, 192.17.170.17 was entered into the ARIN Whois, and the following information was received:

OrgName:                     target network
OrgID:                       Target-2
Address:                     1313 Mockingbird Road
City:                        Anytown
StateProv:                   Tx
PostalCode:                  72341
Country:                     US
ReferralServer:              rwhois://rwhois.exodus.net:4321/
NetRange:                    192.17.12.0 - 192.17.12.255
CIDR:                        192.17.0.0/24
NetName:                     SAVVIS
NetHandle                    NET-192-17-12-0-1
Parent:                      NET-192-0-0-0-0

This means that the target network has 254 total addresses. The attacker can now focus his efforts on the range from 192.17.12.1 to 192.17.12.254/24. If these results don’t prove satisfactory, the attacker can use traceroute for additional mapping.

SUBNETTING’S ROLE IN MAPPING NETWORKS

Some of the items you may see on the exam but are not included in any of the official courseware include subnetting. Subnetting also allows the creation of many logical networks that exist within a single Class A, B, or C network. Subnetting is important in that it helps pen testers identify what systems are part of which specific network.

To subnet a network, you must extend the natural mask with some of the bits from the host ID portion of the address. For example, if you had a Class C network of 192.168.5.0, which has a natural mask of 255.255.255.0, you can create subnets in this manner:

192.168.5.0 -11001100.10101000.00000101.00000000
255.255.255.224 - 11111111.11111111.11111111.11100000
------------------------------------------------|subnet|----

By extending the mask from 255.255.255.0 to 255.255.255.224, you have taken 3 bits from the original host portion of the address and used them to make subnets. By bor-rowing 3 bits, it is possible to create eight subnets. The remaining 5 bits can provide for up to 32 host addresses, 30 of which can actually be assigned to a device because host addresses with all zeros and all ones are not assigned to specific devices. Here is a breakdown of the subnets and their address ranges:

Subnet

Host Range

192.168.5.0 255.255.255.224

host address range 1 to 30

192.168.5.32 255.255.255.224

host address range 33 to 62

192.168.5.64 255.255.255.224

host address range 65 to 94

192.168.5.96 255.255.255.224

host address range 97 to 126

192.168.5.128 255.255.255.224

host address range 129 to 158

192.168.5.160 255.255.255.224

host address range 161 to 190

192.168.5.192 255.255.255.224

host address range 193 to 222

192.168.5.224 255.255.255.224

host address range 225 to 254

The more host bits you use for a subnet mask, the more subnets you have avail-able. However, the more subnets that are available, the fewer host addresses that are available per subnet.

Traceroute

It’s advisable to check out more than one version of traceroute if you don’t get the required results. Some techniques can also be used to try to slip traceroute past a firewall or filtering device. When UDP and ICMP are not allowed on the remote gateway, you can use TCPtraceroute. Another unique technique was developed by Michael Schiffman, who created a patch called traceroute.diff that allows you to specify the port that traceroute will use. With this handy tool, you could easily direct traceroute to use UDP port 53. Because that port is used for DNS queries, there’s a good chance that it could be used to slip past the firewall. If you’re looking for a graphical user interface (GUI) program to perform traceroute with, several are available, as described here:

  • LoriotPro: LoriotPro (see Figure 3-7) is a professional and scalable SNMP manager and network monitoring solution that enables availability and performance control of your networks, systems, and smart infrastructures. The graphical display shows you the route between you and the remote site, including all intermediate nodes and their registrant information.

FIGURE 3-7

Figure 3-7 LoriotPro

  • Trout: Trout is another visual traceroute and Whois program. What’s great about this program is its speed. Unlike traditional traceroute programs, Trout performs parallel pinging. By sending packets with more than one TTL at a time, it can quickly determine the path to a targeted device.

  • VisualRoute: VisualRoute is another graphical traceroute for Windows. VisualRoute not only shows a graphical world map that displays the path packets are taking, but also lists information for each hop, including IP address, node name, and geographic location. This tool is commercial and must be purchased.

TIP

Traceroute and ping are useful tools for identifying active systems, mapping their location, and learning more about their location. Just keep in mind that these tools are limited by what they can see; if these services are blocked by a firewall, you may get no useful data returned.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.