I wrote this because I couldn’t find anything that could work out a remote subnet mask, which is useful during the discovery phase of a penetration test. I noticed that sometimes people were missing some of the IP addresses on a router/firewall when port scanning a host.
As you can see in the diagram above, if somebody were to do a blind penetration test and run a port scan against the website’s IP (18.104.22.168) after discovering the website, they would only come across 2 open ports. If they were to run maskfind against the website’s IP after discovering the website, they would discover that the firewall actually has a /29 block assigned, and after port scanning all of the IPs they would be able to discover 4 open ports.
Works out if a remote host interface has additional IPs assigned to it.
Run maskfind against a host before port scanning to ensure you scan everything.
This will give accurate results provided ICMP is enabled on the second-to-last hop. The host must be at least two hops away.
Usage: maskfind.py [-h]elp [-v]erbose destination
Download latest version: Jmaskfind.py (2.9 kB)
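The reasoning behind the /29 result above, as an added example (not maskfind's own code, whose method this page does not describe). It assumes that addresses assigned to the same device are reached through the same second-to-last hop, and it works offline on constructed observations using documentation addresses; `infer_block` and `SAMPLE_HOPS` are hypothetical names.

```python
import ipaddress

# Constructed sample: which router answered at the second-to-last hop for each
# neighbouring address. 203.0.113.8-15 sit behind one router, the rest behind another.
SAMPLE_HOPS = {
    f"203.0.113.{i}": ("198.51.100.1" if 8 <= i <= 15 else "198.51.100.9")
    for i in range(32)
}


def infer_block(target, hops, shortest_prefix=24):
    """Return the largest aligned block around `target` in which every address
    shares the target's second-to-last hop.

    Returns None when the target's own second-to-last hop is unknown, which is
    the case the page warns about (ICMP not enabled on that hop).
    """
    ref_hop = hops.get(target)
    if ref_hop is None:
        return None
    best = ipaddress.ip_network(f"{target}/32")
    # Widen the block one bit at a time and stop at the first block that
    # contains an address with a different (or missing) second-to-last hop.
    for prefix in range(31, shortest_prefix - 1, -1):
        candidate = ipaddress.ip_network(f"{target}/{prefix}", strict=False)
        if all(hops.get(str(addr)) == ref_hop for addr in candidate):
            best = candidate
        else:
            break
    return best


def scan_scope(block):
    """List every address in the inferred block so none is left out of scope."""
    return [str(addr) for addr in block]


if __name__ == "__main__":
    block = infer_block("203.0.113.10", SAMPLE_HOPS)
    print("inferred block:", block)
    print("addresses to include:", ", ".join(scan_scope(block)))
```

A missing observation inside a candidate block stops the widening, so the result errs on the small side rather than claiming addresses that were never confirmed.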