Using BackTrack 4: Information Gathering: Route: netmask

netmask

Opening Instructions:

Usage: netmask spec [spec ...]
  -h, --help                    Print a summary of the options
  -v, --version                 Print the version number
  -d, --debug                   Print status/progress information
  -s, --standard                Output address/netmask pairs
  -c, --cidr                    Output CIDR format address lists
  -i, --cisco                   Output Cisco style address lists
  -r, --range                   Output ip address ranges
  -x, --hex                     Output address/netmask pairs in hex
  -o, --octal                   Output address/netmask pairs in octal
  -b, --binary                  Output address/netmask pairs in binary
  -n, --nodns                   Disable DNS lookups for addresses
Definitions:
  a spec can be any of:
    address
    address:address
    address:+address
    address/mask
  an address can be any of:
    N           decimal number
    0N          octal number
    0xN         hex number
    N.N.N.N     dotted quad
    hostname    dns domain name
  a mask is the number of bits set to one from the left


Purpose:

netmask is an address/netmask generation utility, not a probe. It takes one or more specs (a single address, an address:address range, an address plus an offset, or an address with a prefix length) and prints the result as address/netmask pairs, CIDR blocks, Cisco-style address lists or plain address ranges, in decimal, hex, octal or binary. It sends nothing to the target host; the only traffic it can generate is the DNS lookup needed to resolve a hostname spec, and -n turns that off.

This is not insignificant: knowing the subnet mask of an internal network is critical to communicating with, and enumerating, the hosts within that net, and netmask turns a mask you have learned (from a DHCP lease, a routing table, a configuration file) into the exact range of addresses it covers.

Clever devils will use non-standard subnet masks to obfuscate their networks. If my target's internal address is 192.168.2.14 and its netmask is /23, how long am I going to struggle to penetrate the target if I assume the default /24? Not very long, if I get smart fast: netmask -r 192.168.2.14/23 prints 192.168.2.0-192.168.3.255, which tells me the network also spans a third octet that a /24 sweep would never have touched.

One interesting note about subnet masks: everyone assumes the specification requires a contiguous run of ones. The original subnetting standard, RFC 950, did not require that; it only recommended it, and later standards and practically every IP stack since have assumed contiguous masks (a prefix length such as /23 can express nothing else). Still, consider the consequences of a single zero in the middle of the ones: a discontiguous address space. With a mask of 255.255.239.0, for example, 192.168.0.14 and 192.168.16.24 fall in the same subnet while 192.168.1.1 does not, so some hosts might have addresses like 192.168.0.14 while others have addresses like 192.168.16.24. You would have an awfully hard time finding one or the other group of hosts with a conventional sweep.

I am not making this up; it was pointed out to me by a Top Secret network administrator. However, I cannot confirm actual networks using this method of obfuscation. Will this utility detect such a subnet mask? No: netmask does not probe hosts at all, and its address/mask spec takes the mask as a count of leading one bits, which cannot even express a discontiguous mask. You would have to learn the mask from the host's own configuration and check it by hand.
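The spec grammar from the usage text above, re-implemented in Python as an added example (this is not the netmask tool's own code and not part of the original page). It parses the four spec forms and the four address notations, produces the range and CIDR output that netmask -r and -c print, and adds a check the tool does not offer: whether a dotted-quad mask is contiguous, plus whether two hosts share a network number under an arbitrary mask. The mask 255.255.239.0 is a value I constructed to make the page's two addresses, 192.168.0.14 and 192.168.16.24, land in one subnet. Hostname specs are deliberately rejected so the script runs without DNS, and treating a reversed address:address range as an error is my assumption, not documented behaviour of netmask.

```python
"""Added example: the netmask spec grammar from the usage text, in pure Python.

Not the netmask tool's own code.  Hostname specs are rejected on purpose so the
script needs no DNS (the tool itself would resolve them unless -n is given).
"""
import ipaddress
import re
import sys

ALL_ONES = 0xFFFFFFFF


def parse_address(tok: str) -> int:
    """address := N (decimal) | 0N (octal) | 0xN (hex) | N.N.N.N (dotted quad)."""
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", tok):
        return int(ipaddress.IPv4Address(tok))          # validates each octet
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", tok):
        value = int(tok, 16)
    elif re.fullmatch(r"0[0-7]+", tok):
        value = int(tok, 8)
    elif re.fullmatch(r"\d+", tok):
        value = int(tok, 10)
    else:
        raise ValueError(f"unsupported address {tok!r} (hostnames are not resolved here)")
    if not 0 <= value <= ALL_ONES:
        raise ValueError(f"{tok!r} does not fit in 32 bits")
    return value


def parse_spec(spec: str) -> tuple[int, int]:
    """spec := address | address:address | address:+address | address/mask.

    Returns the inclusive (first, last) address pair the spec covers.
    """
    if "/" in spec:
        addr, mask = spec.split("/", 1)
        bits = int(mask)                      # "number of bits set to one from the left"
        if not 0 <= bits <= 32:
            raise ValueError(f"prefix length {bits} out of range")
        netmask = (ALL_ONES << (32 - bits)) & ALL_ONES
        first = parse_address(addr) & netmask
        return first, first | (~netmask & ALL_ONES)
    if ":+" in spec:                          # address plus an offset
        addr, offset = spec.split(":+", 1)
        first = parse_address(addr)
        last = first + parse_address(offset)
        if last > ALL_ONES:
            raise ValueError(f"{spec!r} runs past 255.255.255.255")
        return first, last
    if ":" in spec:                           # explicit first:last
        first, last = (parse_address(t) for t in spec.split(":", 1))
        if last < first:
            # Assumption: a reversed range is an error; netmask's behaviour is not documented here.
            raise ValueError(f"{spec!r}: end precedes start")
        return first, last
    single = parse_address(spec)
    return single, single


def to_range(first: int, last: int) -> str:
    """Equivalent of netmask -r."""
    return f"{ipaddress.IPv4Address(first)}-{ipaddress.IPv4Address(last)}"


def to_cidr(first: int, last: int) -> list[str]:
    """Equivalent of netmask -c: the minimal list of CIDR blocks covering the range."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(b) for b in blocks]


def mask_is_contiguous(dotted_mask: str) -> bool:
    """True when the mask is a run of ones then zeros, the only shape a /N prefix can express."""
    host_bits = ~int(ipaddress.IPv4Address(dotted_mask)) & ALL_ONES
    return host_bits & (host_bits + 1) == 0   # 2**k - 1 has no set bit above the run


def same_subnet(dotted_mask: str, a: str, b: str) -> bool:
    """Whether two hosts share a network number under an arbitrary (even discontiguous) mask."""
    m = int(ipaddress.IPv4Address(dotted_mask))
    return (parse_address(a) & m) == (parse_address(b) & m)


if __name__ == "__main__":
    for spec in sys.argv[1:] or ["192.168.2.14/23"]:
        first, last = parse_spec(spec)
        print(f"{spec:>24}  range {to_range(first, last)}  cidr {' '.join(to_cidr(first, last))}")
    # Constructed discontiguous mask: 255.255.239.0 clears bit 4 of the third octet, so
    # 192.168.0.14 and 192.168.16.24 share a network number even though a /24 sweep of
    # 192.168.0.0 would never reach the second host.
    print(mask_is_contiguous("255.255.239.0"),
          same_subnet("255.255.239.0", "192.168.0.14", "192.168.16.24"))
```

Run it with no arguments for the /23 case from the text, or pass any number of specs in the tool's own syntax. The contiguity test works because the host part of a contiguous mask is 2^k - 1, whose bits are a single run from the right; any stray zero in the ones leaves a set bit above that run.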

Stage:

Information Gathering

Tutorial:

http://www.question-defense.com/2010/06/02/backtrack-4-information-gathering-route-netmask-an-address-netmask-generation-utility