Backtrack 4: Information Gathering: Route: Tcptraceroute

The next tool up for review in the information gathering section is tcptraceroute. tcptraceroute is a traceroute implementation using TCP packets. The more traditional traceroute sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination. The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
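
To make the mechanism in that paragraph concrete, here is an added Python illustration (it is not tcptraceroute's code and it sends nothing on the wire): it builds the IPv4/TCP SYN probe that a hop-N query consists of, then decodes the ICMP time-exceeded message a router answers with, which quotes the probe's IP header plus its first eight TCP bytes. That quote is also what the tool's --dnat option inspects, since a NAT device that forgets to un-translate it leaks the internal address the probe was forwarded to. The addresses and ports are sample values modelled on the captures on this page, the leaked 10.6.35.86 is taken from them, and `build_syn_probe`, `time_exceeded`, `match_reply` and the other function names are mine.

```python
import socket
import struct

IPPROTO_TCP = 6
ICMP_TIME_EXCEEDED = 11  # ICMP type a router sends when a packet's TTL reaches zero


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum shared by IPv4, TCP and ICMP.
    Over a message whose checksum field is already filled in it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn_probe(src: str, dst: str, sport: int, dport: int, ttl: int) -> bytes:
    """IPv4 datagram carrying a TCP segment with only SYN set.  `ttl` is the
    hop being probed: the ttl-th router decrements it to zero, drops the
    packet and answers with ICMP time exceeded (sample values, constructed)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    # ports, seq 0, ack 0, data offset 5 words, flags 0x02 = SYN, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # version 4 / IHL 5, tos, total length, id, flags+frag, ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, ttl,
                     IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_ip_tcp_head(pkt: bytes) -> dict:
    """Fields of an IPv4 header plus the TCP ports that follow it.  Works on
    a full probe and on the 28-byte quote carried inside an ICMP message."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"ttl": pkt[8], "proto": pkt[9],
            "src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "sport": sport, "dport": dport,
            "ip_csum_ok": checksum(pkt[:ihl]) == 0}


def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum of a complete IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    seg = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return checksum(pseudo + seg) == 0


def time_exceeded(probe: bytes, quoted_dst: str = None) -> bytes:
    """ICMP time-exceeded message as a router builds it: type 11, code 0,
    checksum, 4 unused bytes, then the offending IP header + 8 bytes.
    A DNAT box that forgets to restore the original destination in that
    quote leaks its internal target; `quoted_dst` simulates that bug."""
    quoted = bytearray(probe[:28])
    if quoted_dst is not None:
        quoted[16:20] = socket.inet_aton(quoted_dst)
        quoted[10:12] = b"\x00\x00"
        quoted[10:12] = struct.pack("!H", checksum(bytes(quoted[:20])))
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + bytes(quoted)
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]


def match_reply(probe: bytes, icmp: bytes):
    """Tie an ICMP reply back to the probe that triggered it using the quoted
    TCP ports, and report a DNAT if the quoted destination differs from the
    one we sent to.  Returns None for replies that are not ours."""
    if len(icmp) < 36 or icmp[0] != ICMP_TIME_EXCEEDED or checksum(icmp) != 0:
        return None
    sent, quoted = parse_ip_tcp_head(probe), parse_ip_tcp_head(icmp[8:])
    if (quoted["sport"], quoted["dport"]) != (sent["sport"], sent["dport"]):
        return None
    if quoted["proto"] != IPPROTO_TCP or not quoted["ip_csum_ok"]:
        return None
    dnat = quoted["dst"] if quoted["dst"] != sent["dst"] else None
    return {"ttl": sent["ttl"], "dnat_to": dnat}
```

The quoted ports are what tie a reply to the probe that caused it, which is why the tool prints the source port it picked (and why the --track-port option seen in the captures below varies it); a reply whose quote does not match is discarded rather than trusted, and a quote whose destination differs from the one we sent to is exactly the "Detected DNAT to" case.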

Let's take a look at the options available:

```bash
root@666:~# tcptraceroute -h

tcptraceroute 1.5beta7
Copyright (c) 2001-2006 Michael C. Toren <mct@toren.net>
Updates are available from http://michael.toren.net/code/tcptraceroute/

Usage: tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
       [-l <packet length>] [-q <number of queries>] [-t <tos>]
       [-m <max ttl>] [-pP] <source port>] [-s <source address>]
       [-w <wait time>] <host> [destination port] [packet length]
```

I don't usually say this about a tool, but I think this one is pretty dated. It hasn't been updated since 2006. I was not able to get it to work in any of the examples shown below. I am actually going to flag this tool for removal in Backtrack.

For the following examples I simply took them from the examples.txt file which comes with the tool.

A classic firewalled webserver using plain old traceroute:

```bash
[mct@quint ~]$ traceroute -w2 -q1 -f 5 pages.ebay.com
traceroute to pages.ebay.com (216.32.120.133), 30 hops max, 38 byte packets
 5  core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130)  10.390 ms
 6  core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101)  14.310 ms
 7  core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28)  9.935 ms
 8  250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25)  14.727 ms
 9  0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118)  18.766 ms
10  0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86)  22.659 ms
11  0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97)  15.002 ms
12  121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178)  120.593 ms
13  297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5)  123.571 ms
14  191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245)  130.606 ms
15  *
16  *
17  *
```

The same webserver using tcptraceroute:

```bash
[mct@quint ~]$ tcptraceroute -f 5 pages.ebay.com
Selected device eth0, address 207.8.132.210, port 1056 for outgoing packets
Tracing the path to pages.ebay.com (216.32.120.133) on TCP port 80 (www), 30 hops max
 5  core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130)  10.849 ms
 6  core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101)  105.601 ms
 7  core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28)  19.929 ms
 8  250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25)  16.123 ms
 9  0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118)  14.717 ms
10  0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86)  22.183 ms
11  0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97)  18.194 ms
12  121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178)  101.491 ms
13  297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5)  110.817 ms
14  191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245)  113.841 ms
15  ebay-oc12-gw.customer.alter.net (157.130.209.10)  121.632 ms
16  10.128.1.42 (10.128.1.42)  109.132 ms
17  pages.ebay.com (216.32.120.133) [open]  115.378 ms
```

If you are interested in some more examples here is the examples.txt that comes with the tool:

```bash
root@666:~/tcptraceroute-1.5beta7# cat examples.txt
A few real world examples of using tcptraceroute to trace through
firewalls that traceroute(8) has trouble with.  These are all sites
that pass TCP SYN packets on to hosts sitting on the clean side of the
firewall, and which don't filter ICMP time exceeded messages leaving
their network.  All examples listed below were captured on July 1st.

-- Michael C. Toren <mct@toren.net>  Sun,  1 Jul 2001 21:25:26 -0400

pages.ebay.com, a classic firewalled webserver:

   [mct@quint ~]$ traceroute -w2 -q1 -f 5 pages.ebay.com
   traceroute to pages.ebay.com (216.32.120.133), 30 hops max, 38 byte packets
    5  core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130)  10.390 ms
    6  core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101)  14.310 ms
    7  core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28)  9.935 ms
    8  250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25)  14.727 ms
    9  0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118)  18.766 ms
   10  0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86)  22.659 ms
   11  0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97)  15.002 ms
   12  121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178)  120.593 ms
   13  297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5)  123.571 ms
   14  191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245)  130.606 ms
   15  *
   16  *
   17  *

   [mct@quint ~]$ tcptraceroute -f 5 pages.ebay.com
   Selected device eth0, address 207.8.132.210, port 1056 for outgoing packets
   Tracing the path to pages.ebay.com (216.32.120.133) on TCP port 80 (www), 30 hops max
    5  core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130)  10.849 ms
    6  core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101)  105.601 ms
    7  core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28)  19.929 ms
    8  250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25)  16.123 ms
    9  0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118)  14.717 ms
   10  0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86)  22.183 ms
   11  0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97)  18.194 ms
   12  121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178)  101.491 ms
   13  297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5)  110.817 ms
   14  191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245)  113.841 ms
   15  ebay-oc12-gw.customer.alter.net (157.130.209.10)  121.632 ms
   16  10.128.1.42 (10.128.1.42)  109.132 ms
   17  pages.ebay.com (216.32.120.133) [open]  115.378 ms

www.microsoft.com, another classic firewalled webserver:

   [mct@quint ~]$ traceroute -w2 -q1 -f 5 www.microsoft.com
   traceroute: Warning: www.microsoft.com has multiple addresses; using 207.46.197.100
   traceroute to www.microsoft.akadns.net (207.46.197.100), 30 hops max, 38 byte packets
    5  baltimore.balt-core.h0-0-45M.netaxs.net (207.106.2.18)  17.560 ms
    6  blt-dc.dc-core.h5-0-45M.netaxs.net (207.106.2.2)  27.769 ms
    7  core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28)  28.802 ms
    8  250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25)  27.934 ms
    9  0.so-3-1-0.XL2.DCA6.ALTER.NET (152.63.38.122)  24.210 ms
   10  0.so-0-0-0.XR2.DCA6.ALTER.NET (152.63.35.117)  35.693 ms
   11  0.so-4-0-0.TR2.DCA6.ALTER.NET (152.63.11.93)  22.170 ms
   12  121.at-1-1-0.TR2.SEA1.ALTER.NET (146.188.140.78)  94.099 ms
   13  0.so-1-0-0.XL2.SEA1.ALTER.NET (152.63.106.237)  101.325 ms
   14  POS7-0.GW4.SEA1.ALTER.NET (146.188.201.53)  91.887 ms
   15  microsoftoc48-gw.customer.alter.net (157.130.184.26)  89.536 ms
   16  *
   17  *
   18  *

   [mct@quint ~]$ tcptraceroute -f 5 207.46.197.100
   Selected device eth0, address 207.8.132.210, port 1058 for outgoing packets
   Tracing the path to 207.46.197.100 on TCP port 80 (www), 30 hops max
    5  baltimore.balt-core.h0-0-45M.netaxs.net (207.106.2.18)  9.430 ms
    6  blt-dc.dc-core.h5-0-45M.netaxs.net (207.106.2.2)  17.514 ms
    7  core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28)  23.256 ms
    8  250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25)  30.819 ms
    9  0.so-3-1-0.XL2.DCA6.ALTER.NET (152.63.38.122)  26.605 ms
   10  0.so-0-0-0.XR2.DCA6.ALTER.NET (152.63.35.117)  38.700 ms
   11  0.so-4-0-0.TR2.DCA6.ALTER.NET (152.63.11.93)  31.402 ms
   12  121.at-1-1-0.TR2.SEA1.ALTER.NET (146.188.140.78)  93.992 ms
   13  0.so-1-0-0.XL2.SEA1.ALTER.NET (152.63.106.237)  105.176 ms
   14  POS7-0.GW4.SEA1.ALTER.NET (146.188.201.53)  86.524 ms
   15  microsoftoc48-gw.customer.alter.net (157.130.184.26)  85.916 ms
   16  207.46.129.51 (207.46.129.51)  84.920 ms
   17  microsoft.com (207.46.197.100) [open]  85.344 ms

odc-t.ankara.af.mil, a firewalled mail server:

   [mct@quint ~]$ traceroute -w2 -q1 -f 5 odc-t.ankara.af.mil
   traceroute to odc-t.ankara.af.mil (207.133.163.7), 30 hops max, 38 byte packets
    5  nyc-l3.nyc-core.h3-0-45M.netaxs.net (207.106.127.18)  7.277 ms
    6  nyc-pos-l.netaxs.net (207.106.3.133)  11.803 ms
    7  mae-east.dc-core.netaxs.net (207.106.31.29)  18.922 ms
    8  netaxs-core3.iad.above.net (209.249.119.233)  19.200 ms
    9  core1-core3-oc48.iad1.above.net (209.249.203.34)  11.942 ms
   10  sjc2-iad1-oc48.sjc2.above.net (216.200.127.26)  80.741 ms
   11  core5-sjc2-oc48-2.sjc1.above.net (208.184.102.205)  80.829 ms
   12  core2-sjc1-oc3.sjc6.above.net (207.126.96.106)  81.621 ms
   13  fix-west-pilot-fddi2.disa.mil (198.32.136.88)  93.961 ms
   14  137.209.200.207 (137.209.200.207)  99.437 ms
   15  206.38.100.2 (206.38.100.2)  258.541 ms
   16  140.35.16.18 (140.35.16.18)  373.297 ms
   17  198.26.165.18 (198.26.165.18)  373.686 ms
   18  *
   19  *
   20  *
   21  *

   [mct@quint ~]$ tcptraceroute -f 5 odc-t.ankara.af.mil smtp
   Selected device eth0, address 207.8.132.210, port 1150 for outgoing packets
   Tracing the path to odc-t.ankara.af.mil (207.133.163.7) on TCP port 25 (smtp), 30 hops max
    5  nyc-l3.nyc-core.h3-0-45M.netaxs.net (207.106.127.18)  9.456 ms
    6  nyc-pos-l.netaxs.net (207.106.3.133)  11.762 ms
    7  mae-east.dc-core.netaxs.net (207.106.31.29)  11.958 ms
    8  netaxs-core3.iad.above.net (209.249.119.233)  11.791 ms
    9  core1-core3-oc48.iad1.above.net (209.249.203.34)  12.510 ms
   10  sjc2-iad1-oc48.sjc2.above.net (216.200.127.26)  80.335 ms
   11  core5-sjc2-oc48-2.sjc1.above.net (208.184.102.205)  81.364 ms
   12  core2-sjc1-oc3.sjc6.above.net (207.126.96.106)  83.107 ms
   13  fix-west-pilot-fddi2.disa.mil (198.32.136.88)  76.092 ms
   14  137.209.200.207 (137.209.200.207)  99.776 ms
   15  206.38.100.2 (206.38.100.2)  252.840 ms
   16  140.35.16.18 (140.35.16.18)  370.720 ms
   17  198.26.165.18 (198.26.165.18)  485.771 ms
   18  odctfw.ankara.af.mil (207.133.163.161)  443.782 ms
   19  odc-t.ankara.af.mil (207.133.163.7) [open]  745.611 ms

tcptraceroute-1.3beta1 added support for controlling the SYN and ACK
flags used in outgoing probe packets through the -S and -A command line
arguments.  By utilizing probe packets with the ACK bit set, it is
possible to traceroute to hosts located behind stateless firewalls that
block all inbound TCP connections, but permit those hosts to establish
outbound connections.  Below are two examples of such behavior,
recorded on August 15th, 2001.

-- Michael C. Toren <mct@toren.net>  Sun, 29 Jun 2003 17:18:41 -0400

Tracing to a host protected by a Linux 2.2 ipchains firewall:

   [mct@quint ~]$ tcptraceroute -f7 -q1 argo.starforce.com
   Selected device eth0, address 207.8.132.210, port 3738 for outgoing packets
   Tracing the path to argo.starforce.com (216.158.56.82) on TCP port 80 (www), 30 hops max
    7  voicenet-gw.core-1-hssi-6-0-0-50.oldcity.dca.net (207.103.28.30)  69.252 ms
    8  node-150-eth3-0-local.oldcity.dca.net (207.245.82.150)  16.216 ms
    9  *
   10  *
   11  *

   [mct@quint ~]$ tcptraceroute -f7 -q1 -A argo.starforce.com
   Selected device eth0, address 207.8.132.210, port 3747 for outgoing packets
   Tracing the path to argo.starforce.com (216.158.56.82) on TCP port 80 (www), 30 hops max
    7  voicenet-gw.core-1-hssi-6-0-0-50.oldcity.dca.net (207.103.28.30)  11.030 ms
    8  node-150-eth3-0-local.oldcity.dca.net (207.245.82.150)  24.488 ms
    9  argo.starforce.com (216.158.56.82) [closed]  1514.142 ms

Tracing to falkland, a host behind jumpgate, a Cisco router with the
following access-list:

   access-list 100 permit tcp any any established
   access-list 100 deny   ip any any

   [mct@quint ~]$ tcptraceroute -q1 falkland
   Selected device eth0, address 207.8.132.210, port 3771 for outgoing packets
   Tracing the path to falkland (207.106.130.86) on TCP port 80 (www), 30 hops max
    1  jumpgate.netisland.net (207.106.130.81) 2.111 ms
    2  *
    3  *
    4  *

   [mct@quint ~]$ tcptraceroute -q1 -A falkland
   Selected device eth0, address 207.8.132.210, port 3773 for outgoing packets
   Tracing the path to falkland (207.106.130.86) on TCP port 80 (www), 30 hops max
    1  jumpgate.netisland.net (207.106.130.81) 2.044 ms
    2  falkland.netisland.net (207.106.130.86) [closed]  4.635 ms

Another example of tracing to a host protected by a stateless firewall, which
permits hosts behind it to make outbound TCP connections:

   [mct@ellesmere ~]$ tcptraceroute -q1 -f9 uunet1.fe.weather.com
   Selected device eth0, address 209.163.107.174, port 35833 for outgoing packets
   Tracing the path to uunet1.fe.weather.com (63.111.66.2) on TCP port 80 (www), 30 hops max
    9  0.so-3-1-0.XL2.ATL5.ALTER.NET (152.63.0.238)  32.925 ms
   10  0.so-7-0-0.XR2.ATL5.ALTER.NET (152.63.85.194)  32.765 ms
   11  110.at-5-1-0.WR1.ATL5.ALTER.NET (152.63.3.58)  32.941 ms
   12  pos6-0.ur1.atl7.web.wcom.net (157.130.216.50)  32.781 ms
   13  198.5.128.134  32.802 ms
   14  *
   15  *
   16  *

   [mct@ellesmere ~]$ tcptraceroute -q1 -f9 -A uunet1.fe.weather.com
   Selected device eth0, address 209.163.107.174, port 35834 for outgoing packets
   Tracing the path to uunet1.fe.weather.com (63.111.66.2) on TCP port 80 (www), 30 hops max
    9  0.so-3-1-0.XL2.ATL5.ALTER.NET (152.63.0.238)  32.704 ms
   10  0.so-7-0-0.XR2.ATL5.ALTER.NET (152.63.85.194)  32.665 ms
   11  110.at-5-1-0.WR1.ATL5.ALTER.NET (152.63.3.58)  32.996 ms
   12  pos6-0.ur1.atl7.web.wcom.net (157.130.216.50)  32.779 ms
   13  198.5.128.134  33.122 ms
   14  uunet1.fe.weather.com (63.111.66.2) [closed]  33.399 ms

tcptraceroute-1.5beta6 added the --dnat detection support, to detect
DNAT devices which do not correctly rewrite the IP address of the IP
packets quoted in ICMP time-exceeded messages tcptraceroute solicits,
revealing the destination IP address an outbound probe packet was NATed
to.  Below are examples of using --dnat to determine the IP address our
probe packets are being NATed to, recorded on March 28th, 2006.

-- Michael C. Toren <mct@toren.net>  Tue, 28 Mar 2006 23:40:54 -0500

   [mct@ellesmere ~]$ tcptraceroute -q1 -f5 --track-port --dnat pages.ebay.com
   Selected device eth0, address 209.163.107.174 for outgoing packets
   Tracing the path to pages.ebay.com (66.135.192.87) on TCP port 80 (www), 30 hops max
    5  equinix-chaz.coretel.net (209.163.107.121)  5.288 ms
    6  gsr12012.ash.he.net (206.223.137.132)  5.610 ms
    7  pos3-3.gsr12416.pao.he.net (216.218.254.205)  88.611 ms
    8  pao1-br01.net.ebay.com (198.32.176.56)  88.637 ms
    9  10.6.1.133  90.605 ms
   10  ge2-7-snv1-xr01.net.ebay.com (66.135.207.54)  91.667 ms
   11  10.6.1.74  92.471 ms
         Detected DNAT to 10.6.35.86
   12  10.6.105.8  91.187 ms
   13  pages.ebay.com (66.135.192.87) [open]  91.908 ms

   [mct@ellesmere ~]$ tcptraceroute -q1 -f8 --dnat magicpipe.no-ip.com 22
   Selected device eth0, address 209.163.107.174, port 40857 for outgoing packets
   Tracing the path to magicpipe.no-ip.com (69.142.94.59) on TCP port 22 (ssh), 30 hops max
    8  tbr2-cl15.n54ny.ip.att.net (12.122.10.53)  12.965 ms
    9  gar7-p390.n54ny.ip.att.net (12.123.3.85)  79.347 ms
   10  12.118.102.22  12.430 ms
   11  te-8-1-ar01.plainfield.nj.panjde.comcast.net (68.86.211.1)  12.425 ms
   12  po80-ar01.audubon.nj.panjde.comcast.net (68.86.208.2)  14.968 ms
   13  po10-ar01.wallingford.pa.panjde.comcast.net (68.86.208.26)  16.521 ms
   14  po90-ur02.wallingford.pa.panjde.comcast.net (68.86.208.189)  16.356 ms
   15  *
         Detected DNAT to 192.168.1.100
   16  c-69-142-94-59.hsd1.pa.comcast.net (69.142.94.59)  24.674 ms
   17  c-69-142-94-59.hsd1.pa.comcast.net (69.142.94.59) [open]  25.230 ms

       (The timeout on the 15th hop is normal behavior on Comcast's
         network, and is unrelated to tcptraceroute.)
```
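
The captures above all share one line format, and the things one reads off them by eye (where the plain trace goes dark, whether tcptraceroute reached the host, what the [open]/[closed] tag and the "Detected DNAT to" lines say) are easy to extract mechanically. The Python below is an added example, not part of tcptraceroute or of its examples.txt: a small parser for that output, a summary per trace, and a comparison of a plain trace against a TCP trace to the same host. The sample inputs are trimmed excerpts of the pages.ebay.com and magicpipe.no-ip.com captures above; `parse_trace`, `summarize` and `newly_revealed` are names of my own.

```python
import re

# One hop line: "13  name (ip)  123.571 ms", "13  198.5.128.134  32.802 ms",
# "17  pages.ebay.com (216.32.120.133) [open]  115.378 ms", or "15  *".
HOP_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?:(?P<star>\*)\s*$|"
    r"(?P<name>\S+)(?:\s+\((?P<ip>[\d.]+)\))?"
    r"(?:\s+\[(?P<state>open|closed)\])?\s+(?P<rtt>[\d.]+) ms)")
DNAT_RE = re.compile(r"Detected DNAT to (?P<ip>[\d.]+)")
TARGET_RE = re.compile(
    r"(?:Tracing the path to|traceroute to)\s+(?P<host>\S+)(?:\s+\((?P<ip>[\d.]+)\))?")


def parse_trace(text: str) -> dict:
    """Parse traceroute/tcptraceroute output into target, hops and DNAT notes."""
    trace = {"target": None, "target_ip": None, "hops": [], "dnat": []}
    for line in text.splitlines():
        m = TARGET_RE.search(line)
        if m and trace["target"] is None:
            trace["target"] = m.group("host")
            trace["target_ip"] = m.group("ip") or m.group("host")
            continue
        m = DNAT_RE.search(line)
        if m:  # printed right after the hop whose reply carried the leaked address
            last = trace["hops"][-1]["hop"] if trace["hops"] else 0
            trace["dnat"].append((last, m.group("ip")))
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = {"hop": int(m.group("hop")), "ip": None, "name": None,
               "rtt_ms": None, "state": None}
        if not m.group("star"):
            hop.update(name=m.group("name"), ip=m.group("ip") or m.group("name"),
                       rtt_ms=float(m.group("rtt")), state=m.group("state"))
        trace["hops"].append(hop)
    return trace


def summarize(trace: dict) -> dict:
    """Did the trace reach its target, what did the port say, and if not,
    at which hop did the replies stop?"""
    answered = [h for h in trace["hops"] if h["ip"]]
    last = answered[-1] if answered else None
    reached = bool(last and (last["state"] or last["ip"] == trace["target_ip"]))
    dark = [h["hop"] for h in trace["hops"]
            if h["ip"] is None and (last is None or h["hop"] > last["hop"])]
    return {"target": trace["target_ip"], "reached": reached,
            "port_state": last["state"] if reached else None,
            "last_responding_hop": last["hop"] if last else None,
            "dark_from_hop": None if reached else (dark[0] if dark else None),
            "dnat": trace["dnat"]}


def newly_revealed(plain: dict, tcp: dict) -> list:
    """Hops the TCP trace heard from that the plain trace lost to filtering."""
    seen = {h["ip"] for h in plain["hops"] if h["ip"]}
    return [(h["hop"], h["ip"]) for h in tcp["hops"] if h["ip"] and h["ip"] not in seen]


# Trimmed excerpts of the captures on this page (constructed sample input).
PLAIN_TRACE = """\
[mct@quint ~]$ traceroute -w2 -q1 -f 5 pages.ebay.com
traceroute to pages.ebay.com (216.32.120.133), 30 hops max, 38 byte packets
13  297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5)  123.571 ms
14  191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245)  130.606 ms
15  *
16  *
17  *
"""
TCP_TRACE = """\
[mct@quint ~]$ tcptraceroute -f 5 pages.ebay.com
Selected device eth0, address 207.8.132.210, port 1056 for outgoing packets
Tracing the path to pages.ebay.com (216.32.120.133) on TCP port 80 (www), 30 hops max
13  297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5)  110.817 ms
14  191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245)  113.841 ms
15  ebay-oc12-gw.customer.alter.net (157.130.209.10)  121.632 ms
16  10.128.1.42 (10.128.1.42)  109.132 ms
17  pages.ebay.com (216.32.120.133) [open]  115.378 ms
"""
DNAT_TRACE = """\
Tracing the path to magicpipe.no-ip.com (69.142.94.59) on TCP port 22 (ssh), 30 hops max
14  po90-ur02.wallingford.pa.panjde.comcast.net (68.86.208.189)  16.356 ms
15  *
      Detected DNAT to 192.168.1.100
16  c-69-142-94-59.hsd1.pa.comcast.net (69.142.94.59)  24.674 ms
17  c-69-142-94-59.hsd1.pa.comcast.net (69.142.94.59) [open]  25.230 ms
"""

if __name__ == "__main__":
    plain, tcp = parse_trace(PLAIN_TRACE), parse_trace(TCP_TRACE)
    for t in (plain, tcp, parse_trace(DNAT_TRACE)):
        print(summarize(t))
    print("revealed by SYN probes:", newly_revealed(plain, tcp))
```

Run as a script it prints the three summaries and the comparison, which for the ebay pair is the three hops behind the firewall that only the SYN probes elicited. One caveat the captures themselves illustrate: a `*` is not always filtering (see the Comcast note at the end of examples.txt), so treat `dark_from_hop` as the place to start looking, not as proof of a firewall.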
