Backtrack 4: Information Gathering: Route: 0trace – Traceroute Firewall Bypass Tool
This is the first in a series of Backtrack 4 articles I will be writing about the tools available within Backtrack 4. I am fairly new to Backtrack, so please comment, teach me, ask questions, or whatever you prefer in the comments section below. I am going to try to go down the list of every single Backtrack 4 tool and write a complete description, including instructions on how to use each one. This first article is on 0trace (0trace.sh), which allows you to perform a traceroute from within an established TCP connection such as HTTP, as demonstrated below.
Ever attempted to traceroute to a server such as cnn.com because you wanted to understand the entire path to some form of network device? Well, 0trace allows you to get past pretty much any stateful packet inspection firewall that blocks such requests today. It does this by setting up a listener, waiting for you to establish some form of approved connection to that device such as HTTP, and then performing a traceroute within the already "approved" and "established" TCP connection. Because the probes carry the same addresses, ports and sequence numbers as the live session, a firewall that tracks connection state passes them like any other packet of that session, and the routers behind it answer them just as they would an ordinary traceroute. Below I demonstrate what you would normally see from a network device using ping and traceroute, followed by how you can find out more using the 0trace command.
Obtain Network Route/Path Information About Target:
First we ping a domain name such as cnn.com to obtain the IP address of the target, in this case a web server we would otherwise reach by opening the site in a browser. If you already have the IP address of the target, simply skip to the traceroute command.
Ping Target Network Device To Obtain IP Address:
root@bt:~/# ping cnn.com
PING cnn.com (188.8.131.52) 56(84) bytes of data.

--- cnn.com ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
root@bt:~/#
As you can see, the IP address of the web server is 184.108.40.206, so with this information we will issue the traceroute command in an attempt to obtain the entire path from our location (the client PC) to the CNN.com web site.
Traceroute Target IP Address To Obtain Route From Client To Target:
root@bt:~/posts/2010-May# traceroute 220.127.116.11
traceroute to 18.104.22.168 (22.214.171.124), 30 hops max, 40 byte packets
 1  router (192.168.1.1)  2.154 ms  2.587 ms  3.111 ms
 2  74-133-211-1.dhcp.insight.com (126.96.36.199)  24.118 ms  25.002 ms  25.155 ms
 3  74-133-33-29.dhcp.insight.com (188.8.131.52)  25.571 ms  25.920 ms  26.459 ms
 4  184.108.40.206 (220.127.116.11)  34.265 ms  34.599 ms  40.150 ms
 5  xe-8-1-0.edge4.Atlanta2.Level3.net (18.104.22.168)  65.191 ms  66.506 ms  66.840 ms
 6  ae-21-52.car1.Atlanta1.Level3.net (22.214.171.124)  67.296 ms  ae-11-51.car1.Atlanta1.Level3.net (126.96.36.199)  20.669 ms  19.962 ms
 7  * * *
 8  * * *
....
29  * * *
30  * * *
In the above traceroute I saved you from having to view the entire 24 lines of failed hops, indicated by the "* * *", but as you can see, six hops into the traceroute things go dark and we are not able to verify the entire route to the web server. This is where 0trace comes in, by easily allowing you to obtain the entire route to the device. Below are the details of how you could, for instance, obtain the entire route to the CNN.com web server your client PC would be visiting. Keep in mind that this could be used in many different scenarios, not only for web servers but also for other network devices that accept various forms of established TCP connections from client PCs.
The 0trace application is run using 0trace.sh, located in the /usr/local/bin directory. In the below example you would need to change "wlan0" to whatever network interface on the client PC you want to listen on, and then change the IP address to that of the network device you are attempting to gain full network route information for. Again, in the example we are using one of the CNN.com web servers.
Configure Listener On Client PC Using 0trace:
root@bt:~# /usr/local/sbin/0trace.sh wlan0 188.8.131.52
0trace v0.01 PoC by <firstname.lastname@example.org>
[+] Waiting for traffic from target on wlan0...
So in the example above we are now listening on wlan0 (the wireless network interface) for an established TCP connection from 184.108.40.206 (the CNN.com web server). After activating the listener you should work towards establishing the needed TCP connection in another shell window, doing something similar to the below depending on what kind of network device you are attempting to gain the entire route for. In the example below we use telnet to open a connection to port 80 of the target IP address and then enter a command on the established connection that generates some target/client traffic, so we can accomplish our goal of obtaining the entire route.
Create Established TCP Connection To Target Device:
root@bt:~/# telnet 220.127.116.11 80
Trying 18.104.22.168...
Connected to 22.214.171.124.
Escape character is '^]'.
GET / HTTP / 1.0

telnet> quit
Connection closed.
root@bt:~/#
As you see above, we first connected to port 80 via telnet, then typed 'GET / HTTP / 1.0' and hit enter twice a couple of seconds apart. This should generate enough traffic to obtain the complete route information we wanted, which is seen in the below example of our other shell window that is running the 0trace listener.
0trace Displaying Entire Route Info From Client To Target Device:
root@bt:~# /usr/local/sbin/0trace.sh wlan0 126.96.36.199
0trace v0.01 PoC by <email@example.com>
[+] Waiting for traffic from target on wlan0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.1.99:39544 -> 188.8.131.52:80 (2048829642/3092775968).
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
1 192.168.1.1
2 184.108.40.206
3 220.127.116.11
4 18.104.22.168
5 22.214.171.124
6 126.96.36.199
7 188.8.131.52

Target reached.
root@bt:~#
Here is a quick explanation of the above shell output from 0trace. As displayed in one of the earlier shell outputs, 0trace first sets up a listener waiting for an established TCP connection from the IP address of the target device. Once a TCP connection such as the telnet to port 80 of the target is up and some traffic is generated, 0trace notes "Traffic acquired". It doesn't take a lot of time, but the TCP connection must be established for at least a couple of seconds, and then 0trace will note the target is acquired; this is where the magic happens. 0trace sends its probes and provides the entire route from client to target IP address. If 0trace is successful in locating the entire route to the network device then "Target reached" will be displayed, but if it is not then it will instead note "Probe rejected by target". If you get "Probe rejected by target" then you do not have a guarantee of the entire route to the target device, even though numerous network hops may have been obtained.
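To make concrete what the listener and the probes are doing, here is an added Python example (written for this article, not the 0trace code itself) that builds an in-session probe for each hop and parses the ICMP Time Exceeded reply a router sends back. It reuses the flow values 0trace printed above (192.168.1.99:39544 -> 188.8.131.52:80, seq/ack 2048829642/3092775968), stores the hop number in the IP ID field (this example's own choice, not necessarily how 0trace matches replies), and constructs the router reply inline so it runs offline without raw sockets.

```python
import struct
from ipaddress import ip_address
# Flow state exactly as 0trace printed it above (values copied from the page's output):
# 192.168.1.99:39544 -> 188.8.131.52:80 with seq/ack 2048829642/3092775968.
SRC, SPORT, DST, DPORT = "192.168.1.99", 39544, "188.8.131.52", 80
SEQ, ACK = 2048829642, 3092775968

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, ttl: int, ip_id: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (DF set) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ip_id, 0x4000, ttl, proto, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def build_probe(ttl: int) -> bytes:
    """Probe for hop `ttl`: an ACK-only segment carrying the session's own 4-tuple and
    current seq/ack, so a stateful firewall matches it to the established flow. The hop
    number is also placed in the IP ID so a reply can be matched to its probe (this
    example's choice, not necessarily 0trace's)."""
    tcp = struct.pack("!HHIIBBHHH", SPORT, DPORT, SEQ, ACK, 5 << 4, 0x10, 65535, 0, 0)
    pseudo = ip_address(SRC).packed + ip_address(DST).packed + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    return ipv4_header(SRC, DST, 6, ttl, ttl, len(tcp)) + tcp

def make_time_exceeded(router: str, probe: bytes) -> bytes:
    """Constructed router reply for offline testing: ICMP type 11/code 0 quoting the
    probe's IP header plus the first 8 bytes of TCP, as RFC 792 specifies."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(router, SRC, 1, 64, 0, len(icmp)) + icmp

def parse_time_exceeded(pkt: bytes):
    """Return (router_ip, hop) if `pkt` is a Time Exceeded quoting one of our probes,
    else None. The hop number is read back from the quoted header's IP ID."""
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if pkt[9] != 1 or icmp[0] != 11:
        return None
    inner = icmp[8:]
    off = (inner[0] & 0x0F) * 4
    if inner[9] != 6 or ip_address(inner[16:20]) != ip_address(DST) or \
            struct.unpack("!HH", inner[off:off + 4]) != (SPORT, DPORT):
        return None
    return str(ip_address(pkt[12:16])), struct.unpack("!H", inner[4:6])[0]
```

The takeaway for a defender is that each probe matches an entry already in the firewall's state table, so filtering ICMP and UDP traceroute alone does not stop this; what remains observable is a burst of ICMP Time Exceeded messages from routers along the path, each quoting a segment of an established TCP session.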
That's really it. 0trace is a simple yet very effective tool for obtaining route information about network devices protected by stateful firewalls and similar devices. I believe the tool was written by Michal Zalewski in 2007, so many thanks to him for a slick tool.