RE: Traceroute

From: Omar Herrera (oherrera_at_prodigy.net.mx)
Date: 02/25/05

    Date: Thu, 24 Feb 2005 19:42:29 -0600
    To: pen-test@securityfocus.com
    
    

    Hi, Chris

    > -----Original Message-----
    > From: Chris [mailto:uid0@free.fr]
    > I've just got a little question which isn't really linked to
    > pen-testing: do you know any alternative to the normal UDP/TCP/ICMP
    > traceroute to trace the route of a packet? I'm already aware of the IP
    > Record Route option, but is there any other hack that you guys would be
    > aware of?

    Plain IP packets, and actually anything that travels over IP or with an IP
    header (and of course over UDP/TCP), like OSPF, RIP or BGP. Tracerouting is
    done by sending a sequence of packets where the Time to Live Field (TTL) is
    incremented. You most probably know the rest of the story (TTL is
    decremented at each hop and elicits an ICMP time exceeded when reaching 0
    ...).

    Using other protocols, even if they run over TCP/UDP, might yield successful
    results even if other types of TCP/UDP traffic are discarded. Plain IP packets
    are usually blocked by firewalls but are still worth trying (you can add
    garbage after the IP header and play with the protocol field in the IP
    header to confuse some filters).

    The best defense against tracerouting is an egress filter for the ICMP time
    exceeded packets because this breaks the protocol response (ingress filters
    for ICMP and UDP packets used by standard traceroute tools are easily
    evaded by using other protocols). If this egress filter is in place you
    won't be able to traceroute... that is, unless your chosen protocol is able
    to elicit some other kind of response from the middle hops and/or the target
    :-) and reach them.

    If you can't find a specific traceroute tool for some protocol you could
    easily script it with Perl and some net modules, with C and libnet and
    libpcap or with packet building tools like hping, packit or nemesis.

    This link might be helpful: http://www.networksorcery.com/enp/default0701.htm

    Cheers,

    Omar Herrera
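
Since the message notes that TTL-stepped probing works over any IP protocol, a detection rule keyed on ICMP or UDP alone will miss it. The following is an added example, not part of the original message: it parses raw IPv4 headers seen at a sensor and flags any source/destination pair showing a run of consecutive low TTL values, whatever the protocol number. The function names, the thresholds (`max_ttl=32`, `min_run=4`) and the sample traffic are assumptions made for illustration.

```python
import socket
import struct
from collections import defaultdict

def parse_ipv4(header):
    """Return (src, dst, protocol, ttl) from the first 20 bytes of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20]),
            header[9], header[8])

def find_ttl_sweeps(headers, max_ttl=32, min_run=4):
    """Flag (src, dst) pairs that show a run of min_run or more consecutive
    low TTL values. The IP protocol number is recorded but never filtered on."""
    seen = defaultdict(lambda: (set(), set()))
    for raw in headers:
        try:
            src, dst, proto, ttl = parse_ipv4(raw)
        except ValueError:
            continue  # non-IPv4 or truncated capture record
        if 1 <= ttl <= max_ttl:
            seen[(src, dst)][0].add(ttl)
            seen[(src, dst)][1].add(proto)
    alerts = {}
    for flow, (ttls, protos) in seen.items():
        run = best = 0
        for t in range(1, max_ttl + 1):
            run = run + 1 if t in ttls else 0
            best = max(best, run)
        if best >= min_run:
            alerts[flow] = {"run": best, "protocols": sorted(protos)}
    return alerts

def sample_header(src, dst, proto, ttl):
    """Constructed test header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

# Constructed sample traffic, documentation address ranges only.
SAMPLE = (
    [sample_header("203.0.113.7", "192.0.2.10", 89, t) for t in (1, 2, 3)]
    + [sample_header("203.0.113.7", "192.0.2.10", 17, t) for t in (4, 5, 6)]
    + [sample_header("198.51.100.20", "192.0.2.10", 6, 52) for _ in range(5)]
    + [sample_header("198.51.100.99", "192.0.2.10", 1, 3), b"\x60" + b"\x00" * 39]
)

if __name__ == "__main__":
    print(find_ttl_sweeps(SAMPLE))
```

The sweep is flagged even though it switches between protocol 89 (OSPF) and 17 (UDP) partway through, while ordinary TCP traffic with a TTL of 52 and a single stray low-TTL ICMP packet are not.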

