Quickest way to search for routers in a local network
Let's say I'm performing a discovery and mapping task in a local network for a new customer, and they have no maps nor can provide any details of their own infrastructure.
Of course I'll use configurations from their routers, switches, servers, etc to reverse what has been done for years by the lazy-sysadmin-who-had-no-time-to-write-anything-about-what-he-did-at-work.
I want to scan their local network(s) for alive hosts too, and I would do this with nmap, relying on replies to both ICMP and TCP SYN packets. Once I get a list of alive hosts based on this, I'd like to perform some checks on each one. One of these checks would be to prove or exclude whether the alive host is actually a router. Please note that a device in such a case could be a router to another network, not necessarily a router to The Public Network.
If I was sure it is routing to the public network, I would script something to add a route for a known good public IP through the host being tested, and then try to send the packet through this route.
But this would fail in at least two cases:
- If it is forwarding packets to a non-public network.
- If it is forwarding packets to the Internet, but the output is somehow filtered and my testing packet could thus be filtered in its route to or back from the Internet host.
In such a situation, what would be the best way to scan for routers using Linux?
Please avoid answers based on:
- Scanning for common router management interfaces, such as web panels, ssh ports, port banners, etc.; this would fail to find any PC/server configured (or hacked) for routing packets, and would fail if ACLs have been configured to access the router's management interfaces.
- Walking around the customer's and seeking Ethernet cables is not an option, as most of the areas have access restricted or forbidden due to the type of work they do.
- Relying on what is configured on the customer's routers, servers, PCs, as this might fail to intercept anything that was added by someone malicious, or anything put there with the intention to be hidden from the users.
Edit #1 after @Sato's comment:
Please don't focus on the physical access to the network. The customer said that the previous sysadmin has had the ability to walk all around their sites, alone, for hours, and the contract states that I should be granted the same access level as his in order to accomplish my tasks. But in this phase of the analysis I still can't, and so please imagine this as a challenge to gather all possible information before getting physically there. I think I already know almost any information I can remotely gather from an IP network. With this question I was just wondering if there is a quick way to find if an IP device has routing enabled.
linux networking security
edited Oct 2 '17 at 6:53
asked Oct 2 '17 at 3:43
Marco
Your best bet is probably to get them to draw a scheme of their physical infrastructure. But if they don't allow you to wander around to look at cables and still didn't keep basic docs you should probably consider cutting your losses and give up on this job. That's an epic failure of their management, not of their former sysadmins.
– Satō Katsura
Oct 2 '17 at 4:15
I agree. I've agreed to take this job after establishing an hourly fee with the customer. ;)
– Marco
Oct 2 '17 at 4:18