[liam1_y2k]

Hi,

I have recently finished a course in Ethical hacking, and I have my first pen test. The task is to join my machine to the lan and basically find out as much information as I can.

I have ran a local subnet scan, found a few vulnerabilities and managed to retrieve some password....happy with that.

One thing I am struggling with is trying to identify what additional subnets are possible associated wth the company.

I am on a 10.1.1.0 subnet and I know there are additional subnets (for each office).......but how do I find them? I have looked for tools that can enumerate that information but I havent been able to produce anything other than data for the lan I am already on. I used a trial of LanGuard thinking that may find them but I havent had any joy.

Any information on this would be a tremendous.

Many thanks,
Liam

[Syperus]

Nmap my friend. This is a phenomenal scanning tool that has so many awesome features. I highly recommend checking it out. I'm surprised you haven't heard about this if you went through an Ethical Hacking pen test course. Since your scanning within a LAN you can do an ARP scan. Check out this guide: http://nmap.org/book/man-host-discovery.html. Hope this helps.