Previously I wrote a brief article on 0trace in Backtrack 4, which can be located here; however, while writing an updated article for Backtrack 5 I noticed that 0trace was no longer working. Every time I attempted to run a trace through a firewall the results came back empty and displayed “Probe rejected by target.” At first I thought companies might really have tightened down their firewalls, but that didn’t make sense given how 0trace works: it uses a standard port such as port 80, which the firewall has to let through because the server’s function is to serve web pages. Below I describe the error in more detail and how you can resolve it.
0trace.sh Blank Results In Backtrack 5: Probe Rejected By Target
root@bt:/pentest/enumeration/0trace# sh 0trace.sh eth0 question-defense.com
0trace v0.01 PoC by <email@example.com>
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.1.233:51658 -> 184.108.40.206:80 (2571986892/2363806309).
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
Probe rejected by target.
root@bt:
After reviewing the code I realized the issue was simply that Backtrack had recently changed the path of tcpdump. The shell script 0trace.sh looks for /usr/sbin/tcpdump, but tcpdump is now located at /usr/local/sbin/tcpdump. To resolve this you can create a symlink at the old location that points to the new location, as shown below.
TCPDUMP Directory Changed In Backtrack 5:
root@bt:/pentest/enumeration/0trace# which tcpdump
/usr/local/sbin/tcpdump
root@bt:/pentest/enumeration/0trace#
root@bt:/pentest/enumeration/0trace# ln -s /usr/local/sbin/tcpdump /usr/sbin/tcpdump
root@bt:/pentest/enumeration/0trace#
If you are uncomfortable adding a symlink you could instead modify 0trace.sh on lines 45 and 83, changing the path to tcpdump from /usr/sbin/tcpdump to /usr/local/sbin/tcpdump. I would advise the symlink, though, because other scripts likely also look for tcpdump in /usr/sbin instead of /usr/local/sbin. Once you have made the change you can verify that things are working properly by issuing the 0trace.sh command as shown below.
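The two fixes described above, as an added example that is not part of the original post or of 0trace itself: one function creates the compatibility symlink at the path the script hard-codes, the other rewrites that path inside a script (the way editing 0trace.sh lines 45 and 83 would). The function names and the parameterized paths are my own so the script can be tried in a scratch directory before touching /usr/sbin.

```shell
#!/bin/sh
# Added example, not part of the original post or of 0trace itself.
# Two ways to satisfy a script that hard-codes /usr/sbin/tcpdump when the
# binary really lives in /usr/local/sbin/tcpdump: a compatibility symlink at
# the old path, or rewriting the path inside the script. Paths are parameters
# so the functions can be exercised in a scratch directory first.

# ensure_compat_link OLD_PATH
#   Locate the binary named by OLD_PATH's basename on the current PATH and,
#   if OLD_PATH does not exist yet, create it as a symlink to the real binary.
#   Prints the path the link resolves to. Returns 1 if the binary is not found.
ensure_compat_link() {
    old=$1
    name=$(basename "$old")
    real=$(command -v "$name") || { echo "$name: not found in PATH" >&2; return 1; }
    if [ -e "$old" ]; then
        echo "$old exists, nothing to do" >&2
        echo "$old"
        return 0
    fi
    ln -s "$real" "$old" || return 1
    echo "$real"
}

# patch_script_path SCRIPT OLD_PATH NEW_PATH
#   The alternative the post describes: replace every OLD_PATH in SCRIPT with
#   NEW_PATH (in 0trace.sh those are the tcpdump invocations), keeping
#   SCRIPT.orig as a backup. Prints how many lines now contain NEW_PATH.
patch_script_path() {
    script=$1 oldp=$2 newp=$3
    cp "$script" "$script.orig" || return 1
    # '#' as the sed delimiter because the paths themselves contain '/'
    sed "s#$oldp#$newp#g" "$script.orig" > "$script" || return 1
    grep -c "$newp" "$script"
}

# On a Backtrack 5 box the one-line fix from the post is (as root):
#   ensure_compat_link /usr/sbin/tcpdump
# or, to edit the script instead of linking:
#   patch_script_path /pentest/enumeration/0trace/0trace.sh /usr/sbin/tcpdump /usr/local/sbin/tcpdump
if [ "$#" -ge 1 ]; then
    ensure_compat_link "$1"
fi
```

Run it as `sh fix-tcpdump-path.sh /usr/sbin/tcpdump` (as root) to apply the symlink; the second call is a no-op because the function refuses to overwrite a path that already exists, which is what you want when the distribution later ships its own /usr/sbin/tcpdump again.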
Test 0trace.sh After Adding tcpdump Symlink:
root@bt:/pentest/enumeration/0trace# sh 0trace.sh eth0 question-defense.com 80
0trace v0.01 PoC by <firstname.lastname@example.org>
[+] Waiting for traffic from target on eth0...
After the command above is issued you must open another terminal or another SSH connection and send some traffic to the target on the specified port so 0trace can sniff it. Typically I open another tab and issue a command like the example below.
Send Port 80 Traffic To 0trace Target Host:
root@bt:~# telnet question-defense.com 80
Trying 220.127.116.11...
Connected to question-defense.com.
Escape character is '^]'.
werwerwer werwer'
root@bt:~#
If you telnet to port 80 on a web server the connection will likely just sit there, sending nothing back to your terminal, until you actually type something. Once you do, the connection may close immediately or you may get a bunch of data back from the website before it closes. Regardless of how the web server reacts, by then 0trace has begun tracing the packets back to their originator or has already finished. Below is what happens in the example command above, where 0trace was “waiting for traffic from target on eth0”.
0trace Target Acquired, Setting Up Sniffer, Sending Probes, Target Reached:
root@bt:/pentest/enumeration/0trace# sh 0trace.sh eth0 question-defense.com 80
0trace v0.01 PoC by <email@example.com>
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.1.233:51660 -> 18.104.22.168:80 (3043683833/3388330347).
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
1 192.168.1.1
2 22.214.171.124
3 126.96.36.199
4 188.8.131.52
5 184.108.40.206
6 220.127.116.11
7 18.104.22.168
8 22.214.171.124
9 126.96.36.199
10 188.8.131.52
11 184.108.40.206
12 220.127.116.11
Target reached.
root@bt:/pentest/enumeration/0trace#
In this example I used question-defense.com, which does reply to ICMP requests, purely to show that the results are accurate: if you run a traceroute to question-defense.com you will get exactly the same hops shown in the 0trace output above. I will be writing an article in the near future with more details on 0trace, including an example of 0trace returning results for a web server sitting behind a firewall.
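Since the whole difference between the broken and the fixed run above is one verdict line, here is an added example (my own, not part of the original post or of 0trace) that reduces a 0trace.sh transcript to a single "STATUS HOPS DEST" line, so a wrapper script can tell a "Probe rejected by target." result from a completed trace without eyeballing the output. The function name and the output format are my own; the embedded sample is constructed from the shape of the transcripts shown in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of 0trace.
# Summarizes a 0trace.sh transcript as "STATUS HOPS DEST":
#   STATUS is rejected, reached, or incomplete (no verdict line seen),
#   HOPS is the number of "N a.b.c.d" hop lines under TRACE RESULTS,
#   DEST is the dst:port from the "Target acquired" line, or "-" if absent.
summarize_0trace() {
    awk '
        /Target acquired:/          { dest = $6 }            # "[+] Target acquired: src:port -> dst:port (...)"
        /Probe rejected by target/  { status = "rejected" }
        /Target reached/            { status = "reached" }
        /^[0-9]+ [0-9]+\.[0-9.]+$/  { hops++ }               # one hop per "N a.b.c.d" line
        END {
            if (status == "") status = "incomplete"
            if (dest == "") dest = "-"
            printf "%s %d %s\n", status, hops + 0, dest
        }
    '
}

# Constructed sample transcript (same shape as the failing run in the post).
SAMPLE_REJECTED='0trace v0.01 PoC by <email@example.com>
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.1.233:51658 -> 184.108.40.206:80 (2571986892/2363806309).
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
Probe rejected by target.'

# Real usage:  sh 0trace.sh eth0 question-defense.com 80 | summarize_0trace
printf '%s\n' "$SAMPLE_REJECTED" | summarize_0trace    # prints "rejected 0 184.108.40.206:80"
```

A "rejected 0 ..." line right after the tcpdump path fix is the signal that something other than the path is wrong (for instance no traffic was sent on the port in the second terminal), whereas "incomplete" means 0trace never reached a verdict at all, typically because it is still waiting for the connection to sniff.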