Just recently, I was tasked with acquiring an image out of some servers and computers.
A simple task really: an interview with the IT guy, and he pointed me to all of the servers, and a NAS too.
The NAS was placed in a secluded and closed space, different from the server. Long story short, I got all I needed.
That got me thinking: had the IT guy not pointed me to the NAS, I would've missed that NAS.
First I thought a simple scan with nmap would do the trick; it'll find all alive hosts, then no NAS nor server would be overlooked.
But then I realized there are probably a lot of subnets. And without knowing those subnets, it'll be impossible to scan them. My point is: if the IT guy doesn't cooperate (unlike in my paragraph before), and the NAS is in a different subnet than the server,
how do I know all alive hosts in all those different subnets?
Then I thought I'll just do tracert from one of the users, then try scanning each hop.
But it is possible that the NAS is placed somewhere not included in my hops.
That led me to the question:
Is there any method of doing a scan of all the network, all of the subnets?
I really appreciate all the answers, and thank you in advance.
PS. Or just point me in the right direction; I'm ready to learn.
PPS. I've tried nmap and The Dude; both can just acknowledge their own subnets. It's impossible to scan another subnet if I don't know the address.
Is there any method of doing a scan of all the network, all of the subnets?
Not really. In any network, there could easily be firewalls or other network-separating devices that simply won't let you through unless you come from the right IP address, or if you can show the right credentials. In highly security-conscious networks, the switch might not let your traffic through unless you have the right credentials.
Someone who has a lot of time may be able to do something clever with firewalking or the more abstruse scanning methods. But that kind of job is usually left to security testers.
And even if you do find a NAS … will you be able to identify it? Or will nmap just say something about embedded Linux? Or perhaps identify the OEM platform, and completely miss the brand name that is on the front and that everyone uses in daily business?
And it might not be a NAS … what if it's ATA-over-Ethernet or some other SAN technology? Will you find it?
You will also probably have to explain and perhaps even defend your collection methodology at some point or another. As long as you have a good explanation of why you decided not to ask the local experts to ensure you really collected everything, you'll probably be fine.
That got me thinking: had the IT guy not pointed me to the NAS, I would've missed that NAS.
And even if you do find a NAS … will you be able to identify it?
I think it might also be an issue to physically identify the device even if it did appear "obviously" in network scans. As you pointed out, it was essentially hidden, and just having an IP address doesn't map it to a physical location. Sure, you could ask about the device, but then it's still up to the IT admin to reveal it to you.
Greetings, again, and sorry for the disappearance. -)
@jtingkir Actually, while making sure you have the cooperation of the "IT guy" (admin, network engineer etc.) SHOULD always be one of your primary endeavours, it should not be taken for granted, as such.
I have so far found that their cooperation largely revolved around how deep into trouble they will get for revealing/not revealing information.
In cases where the legal system is not directly involved, the IT person will act in the best interest of their company/organisation and may or may not be allowed to disclose information that "they" (the IT person or their company/organisation) feel is necessary, no matter what you yourself may feel.
In cases where the legal system is directly involved (eg. when you are acting as an expert witness for the court), and the case is a high-profile one or involves seriously illegal material, the game changes because of the pressure your "official" presence puts them under.
However, if a case is low-profile or doesn't include nasty stuff, they feel a bit more confident.
As a general rule, prepare a number of possible initial questions you want to ask them, be nice and polite, and try to put them at ease regarding your role in the investigation (don't appear to be threatening). However, keep track of what they say, how they say it and how they look when they are saying it. In some cases, they may try to mislead you if they either feel like they will "take the blame for it" or if they are "in it up to their necks as well".
Also, while some people may disagree on this, I have found it never really hurts to keep a Backtrack/Kali CD/DVD/USB-drive in your case and combine some penetration-testing methodologies with your standard DF acquisition ones. It may not give you much in the way of concrete information (or the actual product, although it can get pretty darn close to doing so, if you keep your toolkit current), but it CAN give you a pointer as to why your "spider-sense is tingling".
For example, in a case I've had, I was assured by the IT admin that there were no WiFi networks in the building, despite noticing a "Free WiFi" sign discreetly posted at the entrance to the building I was walking into. Whipped out my on-site laptop, loaded my BackTrack CD, ran airmon-ng and airodump-ng, and there they were (all 6 of them (2 free, 4 internal)). A brief war-walk running kismet later, and there were the APs too!!! -)
Mind you, as athulin correctly pointed out, you may be asked/questioned about this later, so keep a VERY good record of everything you do in your contemporaneous notes, and be prepared to be grilled about any such actions and their impact.