I would like to scan my DMZ for hosts that are bridged between subnets and have routing enabled. Since I have everything from VMware servers to load balancers on the DMZ, I'm unsure if every host is configured correctly.
What IP, ICMP, or SNMP (etc.) tricks can I use to poll the hosts and determine if the host is acting as a router?
I'm assuming this test would presume I know the target IP, but in a large network with many subnets, I'd have to test many different combinations of networks and see if I get success. Here is one example (ping):
For each IP in the DMZ, arp for the host MAC
Send an ICMP reply message to that host directed at an online host on each subnet
I think that there is a more optimal way to get the information, namely from within ICMP/IP itself, but I'm not sure what low-level bits to look for.
I would also be interested if it's possible to determine the "router" status without knowing the subnets that the host may be connected to. This would be useful to know when improving our security posture.
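
The ping procedure described in the question, as an added example that is not part of the original post: it builds the probe frames offline (sending them needs a raw socket and is left out), uses an ICMP echo request as the probe, and treats a matching echo reply from the far host as evidence that the candidate forwarded the packet. The function names, the `0x4242` identifier and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import struct

# Constructed sample data (documentation ranges, locally administered MACs).
ARP_TABLE = {"192.0.2.10": "02:00:00:00:00:10", "192.0.2.11": "02:00:00:00:00:11"}
FAR_HOSTS = ["198.51.100.5", "203.0.113.5"]  # one known-online host per other subnet

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_probe(src_mac, candidate_mac, src_ip, far_ip, ident=0x4242, seq=1):
    """Frame whose L2 destination is the candidate but whose L3 destination
    is a host on another subnet; only a forwarding host passes it on."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + b"fwd-audit"  # echo request
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), ident, 0, 64, 1, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(far_ip).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    eth = (bytes.fromhex(candidate_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return eth + ip + icmp

def plan_probes(arp_table, far_hosts):
    """One (candidate_ip, candidate_mac, far_ip) tuple per DMZ host and far subnet."""
    return [(ip, mac, far) for ip, mac in sorted(arp_table.items()) for far in far_hosts]

def forwards(reply_frame, far_ip, ident=0x4242):
    """True if the frame is an ICMP echo reply from far_ip carrying our ident."""
    if len(reply_frame) < 14 + 20 + 8 or reply_frame[12:14] != b"\x08\x00":
        return False
    ip = reply_frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if len(ip) < ihl + 8 or ip[9] != 1:
        return False
    if ip[12:16] != ipaddress.IPv4Address(far_ip).packed:
        return False
    icmp_type, _, _, reply_ident, _ = struct.unpack("!BBHHH", ip[ihl:ihl + 8])
    return icmp_type == 0 and reply_ident == ident
```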