The next tool up for review in the information gathering section is tcptraceroute. tcptraceroute is a traceroute implementation using TCP packets. The more traditional traceroute sends out either UDP or ICMP ECHO packets with a TTL of one, and increments the TTL until the destination has been reached. By printing the gateways that generate ICMP time exceeded messages along the way, it is able to determine the path packets are taking to reach the destination. The problem is that with the widespread use of firewalls on the modern Internet, many of the packets that traceroute sends out end up being filtered, making it impossible to completely trace the path to the destination. However, in many cases, these firewalls will permit inbound TCP packets to specific ports that hosts sitting behind the firewall are listening for connections on. By sending out TCP SYN packets instead of UDP or ICMP ECHO packets, tcptraceroute is able to bypass the most common firewall filters.
Lets take a look at the options availbale:
- root@666:~# tcptraceroute -h
- tcptraceroute 1.5beta7
- Copyright (c) 2001-2006 Michael C. Toren <mct@toren.net>
- Updates are available from http://michael.toren.net/code/tcptraceroute/
- Usage: tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
- [-l <packet length>] [-q <number of queries>] [-t <tos>]
- [-m <max ttl>] [-pP] <source port>] [-s <source address>]
- [-w <wait time>] <host> [destination port] [packet length]
I dont usually say this about a tool but I think this one is pretty dated. It hasn’t been updated since 2006. I was not able to get it to work in any of the examples shown below. I am actually going to flag this tool from removal in Backtrack.
For the following example I simply took these from the example.txt file which comes with the tools.
A classic firewalled webserver using plain old traceroute:
- [mct@quint ~]$ traceroute -w2 -q1 -f 5 pages.ebay.com
- traceroute to pages.ebay.com (216.32.120.133), 30 hops max, 38 byte packets
- 5 core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130) 10.390 ms
- 6 core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101) 14.310 ms
- 7 core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28) 9.935 ms
- 8 250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25) 14.727 ms
- 9 0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118) 18.766 ms
- 10 0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86) 22.659 ms
- 11 0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97) 15.002 ms
- 12 121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178) 120.593 ms
- 13 297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5) 123.571 ms
- 14 191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245) 130.606 ms
- 15 *
- 16 *
- 17 *
The same webserver using tcptraceroute:
- [mct@quint ~]$ tcptraceroute -f 5 pages.ebay.com
- Selected device eth0, address 207.8.132.210, port 1056 for outgoing packets
- Tracing the path to pages.ebay.com (216.32.120.133) on TCP port 80 (www), 30 hops max
- 5 core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130) 10.849 ms
- 6 core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101) 105.601 ms
- 7 core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28) 19.929 ms
- 8 250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25) 16.123 ms
- 9 0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118) 14.717 ms
- 10 0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86) 22.183 ms
- 11 0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97) 18.194 ms
- 12 121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178) 101.491 ms
- 13 297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5) 110.817 ms
- 14 191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245) 113.841 ms
- 15 ebay-oc12-gw.customer.alter.net (157.130.209.10) 121.632 ms
- 16 10.128.1.42 (10.128.1.42) 109.132 ms
- 17 pages.ebay.com (216.32.120.133) [open] 115.378 ms
If you are interested in some more examples here is the examples.txt that comes with the tool:
- root@666:~/tcptraceroute-1.5beta7# cat examples.txt
- A few real world examples of using tcptraceroute to trace through
- firewalls that traceroute(8) has trouble with. These are all sites
- that pass TCP SYN packets on to hosts sitting on the clean side of the
- firewall, and which don't filter ICMP time exceeded messages leaving
- their network. All examples listed below were captured on July 1st.
- -- Michael C. Toren <mct@toren.net> Sun, 1 Jul 2001 21:25:26 -0400
- pages.ebay.com, a classic firewalled webserver:
- [mct@quint ~]$ traceroute -w2 -q1 -f 5 pages.ebay.com
- traceroute to pages.ebay.com (216.32.120.133), 30 hops max, 38 byte packets
- 5 core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130) 10.390 ms
- 6 core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101) 14.310 ms
- 7 core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28) 9.935 ms
- 8 250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25) 14.727 ms
- 9 0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118) 18.766 ms
- 10 0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86) 22.659 ms
- 11 0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97) 15.002 ms
- 12 121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178) 120.593 ms
- 13 297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5) 123.571 ms
- 14 191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245) 130.606 ms
- 15 *
- 16 *
- 17 *
- [mct@quint ~]$ tcptraceroute -f 5 pages.ebay.com
- Selected device eth0, address 207.8.132.210, port 1056 for outgoing packets
- Tracing the path to pages.ebay.com (216.32.120.133) on TCP port 80 (www), 30 hops max
- 5 core2-abov-ds3.b2.iad.netaxs.net (207.106.127.130) 10.849 ms
- 6 core1-mae-e-gige-1.mae-e.iad.netaxs.net (207.106.127.101) 105.601 ms
- 7 core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28) 19.929 ms
- 8 250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25) 16.123 ms
- 9 0.so-3-1-0.XL1.DCA6.ALTER.NET (152.63.38.118) 14.717 ms
- 10 0.so-7-0-0.XR1.DCA6.ALTER.NET (152.63.38.86) 22.183 ms
- 11 0.so-3-0-0.TR1.DCA6.ALTER.NET (152.63.11.97) 18.194 ms
- 12 121.at-5-0-0.TR1.SAC1.ALTER.NET (152.63.2.178) 101.491 ms
- 13 297.ATM7-0.XR1.SFO4.ALTER.NET (152.63.51.5) 110.817 ms
- 14 191.ATM7-0.GW8.SJC2.ALTER.NET (152.63.49.245) 113.841 ms
- 15 ebay-oc12-gw.customer.alter.net (157.130.209.10) 121.632 ms
- 16 10.128.1.42 (10.128.1.42) 109.132 ms
- 17 pages.ebay.com (216.32.120.133) [open] 115.378 ms
- www.microsoft.com, another classic firewalled webserver:
- [mct@quint ~]$ traceroute -w2 -q1 -f 5 www.microsoft.com
- traceroute: Warning: www.microsoft.com has multiple addresses; using 207.46.197.100
- traceroute to www.microsoft.akadns.net (207.46.197.100), 30 hops max, 38 byte packets
- 5 baltimore.balt-core.h0-0-45M.netaxs.net (207.106.2.18) 17.560 ms
- 6 blt-dc.dc-core.h5-0-45M.netaxs.net (207.106.2.2) 27.769 ms
- 7 core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28) 28.802 ms
- 8 250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25) 27.934 ms
- 9 0.so-3-1-0.XL2.DCA6.ALTER.NET (152.63.38.122) 24.210 ms
- 10 0.so-0-0-0.XR2.DCA6.ALTER.NET (152.63.35.117) 35.693 ms
- 11 0.so-4-0-0.TR2.DCA6.ALTER.NET (152.63.11.93) 22.170 ms
- 12 121.at-1-1-0.TR2.SEA1.ALTER.NET (146.188.140.78) 94.099 ms
- 13 0.so-1-0-0.XL2.SEA1.ALTER.NET (152.63.106.237) 101.325 ms
- 14 POS7-0.GW4.SEA1.ALTER.NET (146.188.201.53) 91.887 ms
- 15 microsoftoc48-gw.customer.alter.net (157.130.184.26) 89.536 ms
- 16 *
- 17 *
- 18 *
- [mct@quint ~]$ tcptraceroute -f 5 207.46.197.100
- Selected device eth0, address 207.8.132.210, port 1058 for outgoing packets
- Tracing the path to 207.46.197.100 on TCP port 80 (www), 30 hops max
- 5 baltimore.balt-core.h0-0-45M.netaxs.net (207.106.2.18) 9.430 ms
- 6 blt-dc.dc-core.h5-0-45M.netaxs.net (207.106.2.2) 17.514 ms
- 7 core1-core3-fe-1.mae-e.iad.netaxs.net (207.106.31.28) 23.256 ms
- 8 250.ATM3-0.BR3.DCA6.ALTER.NET (137.39.92.25) 30.819 ms
- 9 0.so-3-1-0.XL2.DCA6.ALTER.NET (152.63.38.122) 26.605 ms
- 10 0.so-0-0-0.XR2.DCA6.ALTER.NET (152.63.35.117) 38.700 ms
- 11 0.so-4-0-0.TR2.DCA6.ALTER.NET (152.63.11.93) 31.402 ms
- 12 121.at-1-1-0.TR2.SEA1.ALTER.NET (146.188.140.78) 93.992 ms
- 13 0.so-1-0-0.XL2.SEA1.ALTER.NET (152.63.106.237) 105.176 ms
- 14 POS7-0.GW4.SEA1.ALTER.NET (146.188.201.53) 86.524 ms
- 15 microsoftoc48-gw.customer.alter.net (157.130.184.26) 85.916 ms
- 16 207.46.129.51 (207.46.129.51) 84.920 ms
- 17 microsoft.com (207.46.197.100) [open] 85.344 ms
- odc-t.ankara.af.mil, a firewalled mail server:
- [mct@quint ~]$ traceroute -w2 -q1 -f 5 odc-t.ankara.af.mil
- traceroute to odc-t.ankara.af.mil (207.133.163.7), 30 hops max, 38 byte packets
- 5 nyc-l3.nyc-core.h3-0-45M.netaxs.net (207.106.127.18) 7.277 ms
- 6 nyc-pos-l.netaxs.net (207.106.3.133) 11.803 ms
- 7 mae-east.dc-core.netaxs.net (207.106.31.29) 18.922 ms
- 8 netaxs-core3.iad.above.net (209.249.119.233) 19.200 ms
- 9 core1-core3-oc48.iad1.above.net (209.249.203.34) 11.942 ms
- 10 sjc2-iad1-oc48.sjc2.above.net (216.200.127.26) 80.741 ms
- 11 core5-sjc2-oc48-2.sjc1.above.net (208.184.102.205) 80.829 ms
- 12 core2-sjc1-oc3.sjc6.above.net (207.126.96.106) 81.621 ms
- 13 fix-west-pilot-fddi2.disa.mil (198.32.136.88) 93.961 ms
- 14 137.209.200.207 (137.209.200.207) 99.437 ms
- 15 206.38.100.2 (206.38.100.2) 258.541 ms
- 16 140.35.16.18 (140.35.16.18) 373.297 ms
- 17 198.26.165.18 (198.26.165.18) 373.686 ms
- 18 *
- 19 *
- 20 *
- 21 *
- [mct@quint ~]$ tcptraceroute -f 5 odc-t.ankara.af.mil smtp
- Selected device eth0, address 207.8.132.210, port 1150 for outgoing packets
- Tracing the path to odc-t.ankara.af.mil (207.133.163.7) on TCP port 25 (smtp), 30 hops max
- 5 nyc-l3.nyc-core.h3-0-45M.netaxs.net (207.106.127.18) 9.456 ms
- 6 nyc-pos-l.netaxs.net (207.106.3.133) 11.762 ms
- 7 mae-east.dc-core.netaxs.net (207.106.31.29) 11.958 ms
- 8 netaxs-core3.iad.above.net (209.249.119.233) 11.791 ms
- 9 core1-core3-oc48.iad1.above.net (209.249.203.34) 12.510 ms
- 10 sjc2-iad1-oc48.sjc2.above.net (216.200.127.26) 80.335 ms
- 11 core5-sjc2-oc48-2.sjc1.above.net (208.184.102.205) 81.364 ms
- 12 core2-sjc1-oc3.sjc6.above.net (207.126.96.106) 83.107 ms
- 13 fix-west-pilot-fddi2.disa.mil (198.32.136.88) 76.092 ms
- 14 137.209.200.207 (137.209.200.207) 99.776 ms
- 15 206.38.100.2 (206.38.100.2) 252.840 ms
- 16 140.35.16.18 (140.35.16.18) 370.720 ms
- 17 198.26.165.18 (198.26.165.18) 485.771 ms
- 18 odctfw.ankara.af.mil (207.133.163.161) 443.782 ms
- 19 odc-t.ankara.af.mil (207.133.163.7) [open] 745.611 ms
- tcptraceroute-1.3beta1 added support for controlling the SYN and ACK
- flags used in outgoing probe packets through the -S and -A command line
- arguments. By utilizing probe packets with the ACK bit set, it is
- possible to traceroute to hosts located behind stateless firewalls that
- block all inbound TCP connections, but permit those hosts to establish
- outbound connections. Below are two examples of such behavior,
- recorded on August 15th, 2001.
- -- Michael C. Toren <mct@toren.net> Sun, 29 Jun 2003 17:18:41 -0400
- Tracing to a host protected by a Linux 2.2 ipchains firewall:
- [mct@quint ~]$ tcptraceroute -f7 -q1 argo.starforce.com
- Selected device eth0, address 207.8.132.210, port 3738 for outgoing packets
- Tracing the path to argo.starforce.com (216.158.56.82) on TCP port 80 (www), 30 hops max
- 7 voicenet-gw.core-1-hssi-6-0-0-50.oldcity.dca.net (207.103.28.30) 69.252 ms
- 8 node-150-eth3-0-local.oldcity.dca.net (207.245.82.150) 16.216 ms
- 9 *
- 10 *
- 11 *
- [mct@quint ~]$ tcptraceroute -f7 -q1 -A argo.starforce.com
- Selected device eth0, address 207.8.132.210, port 3747 for outgoing packets
- Tracing the path to argo.starforce.com (216.158.56.82) on TCP port 80 (www), 30 hops max
- 7 voicenet-gw.core-1-hssi-6-0-0-50.oldcity.dca.net (207.103.28.30) 11.030 ms
- 8 node-150-eth3-0-local.oldcity.dca.net (207.245.82.150) 24.488 ms
- 9 argo.starforce.com (216.158.56.82) [closed] 1514.142 ms
- Tracing to falkland, a host behind jumpgate, a Cisco router with the
- following access-list:
- access-list 100 permit tcp any any established
- access-list 100 deny ip any any
- [mct@quint ~]$ tcptraceroute -q1 falkland
- Selected device eth0, address 207.8.132.210, port 3771 for outgoing packets
- Tracing the path to falkland (207.106.130.86) on TCP port 80 (www), 30 hops max
- 1 jumpgate.netisland.net (207.106.130.81) 2.111 ms
- 2 *
- 3 *
- 4 *
- [mct@quint ~]$ tcptraceroute -q1 -A falkland
- Selected device eth0, address 207.8.132.210, port 3773 for outgoing packets
- Tracing the path to falkland (207.106.130.86) on TCP port 80 (www), 30 hops max
- 1 jumpgate.netisland.net (207.106.130.81) 2.044 ms
- 2 falkland.netisland.net (207.106.130.86) [closed] 4.635 ms
- Another example of tracing to a host protected by a stateless firewall, which
- permits hosts behind it to make outbound TCP connections:
- [mct@ellesmere ~]$ tcptraceroute -q1 -f9 uunet1.fe.weather.com
- Selected device eth0, address 209.163.107.174, port 35833 for outgoing packets
- Tracing the path to uunet1.fe.weather.com (63.111.66.2) on TCP port 80 (www), 30 hops max
- 9 0.so-3-1-0.XL2.ATL5.ALTER.NET (152.63.0.238) 32.925 ms
- 10 0.so-7-0-0.XR2.ATL5.ALTER.NET (152.63.85.194) 32.765 ms
- 11 110.at-5-1-0.WR1.ATL5.ALTER.NET (152.63.3.58) 32.941 ms
- 12 pos6-0.ur1.atl7.web.wcom.net (157.130.216.50) 32.781 ms
- 13 198.5.128.134 32.802 ms
- 14 *
- 15 *
- 16 *
- [mct@ellesmere ~]$ tcptraceroute -q1 -f9 -A uunet1.fe.weather.com
- Selected device eth0, address 209.163.107.174, port 35834 for outgoing packets
- Tracing the path to uunet1.fe.weather.com (63.111.66.2) on TCP port 80 (www), 30 hops max
- 9 0.so-3-1-0.XL2.ATL5.ALTER.NET (152.63.0.238) 32.704 ms
- 10 0.so-7-0-0.XR2.ATL5.ALTER.NET (152.63.85.194) 32.665 ms
- 11 110.at-5-1-0.WR1.ATL5.ALTER.NET (152.63.3.58) 32.996 ms
- 12 pos6-0.ur1.atl7.web.wcom.net (157.130.216.50) 32.779 ms
- 13 198.5.128.134 33.122 ms
- 14 uunet1.fe.weather.com (63.111.66.2) [closed] 33.399 ms
- tcptraceroute-1.5beta6 added the --dnat detection support, to detect
- DNAT devices which do not correctly rewrite the IP address of the IP
- packets quoted in ICMP time-exceeded messages tcptraceroute solicits,
- revealing the destination IP address an outbound probe packet was NATed
- to. Below are examples of using --dnat to determine the IP address our
- probe packets are being NATed to, recorded on March 28th, 2006.
- -- Michael C. Toren <mct@toren.net> Tue, 28 Mar 2006 23:40:54 -0500
- [mct@ellesmere ~]$ tcptraceroute -q1 -f5 --track-port --dnat pages.ebay.com
- Selected device eth0, address 209.163.107.174 for outgoing packets
- Tracing the path to pages.ebay.com (66.135.192.87) on TCP port 80 (www), 30 hops max
- 5 equinix-chaz.coretel.net (209.163.107.121) 5.288 ms
- 6 gsr12012.ash.he.net (206.223.137.132) 5.610 ms
- 7 pos3-3.gsr12416.pao.he.net (216.218.254.205) 88.611 ms
- 8 pao1-br01.net.ebay.com (198.32.176.56) 88.637 ms
- 9 10.6.1.133 90.605 ms
- 10 ge2-7-snv1-xr01.net.ebay.com (66.135.207.54) 91.667 ms
- 11 10.6.1.74 92.471 ms
- Detected DNAT to 10.6.35.86
- 12 10.6.105.8 91.187 ms
- 13 pages.ebay.com (66.135.192.87) [open] 91.908 ms
- [mct@ellesmere ~]$ tcptraceroute -q1 -f8 --dnat magicpipe.no-ip.com 22
- Selected device eth0, address 209.163.107.174, port 40857 for outgoing packets
- Tracing the path to magicpipe.no-ip.com (69.142.94.59) on TCP port 22 (ssh), 30 hops max
- 8 tbr2-cl15.n54ny.ip.att.net (12.122.10.53) 12.965 ms
- 9 gar7-p390.n54ny.ip.att.net (12.123.3.85) 79.347 ms
- 10 12.118.102.22 12.430 ms
- 11 te-8-1-ar01.plainfield.nj.panjde.comcast.net (68.86.211.1) 12.425 ms
- 12 po80-ar01.audubon.nj.panjde.comcast.net (68.86.208.2) 14.968 ms
- 13 po10-ar01.wallingford.pa.panjde.comcast.net (68.86.208.26) 16.521 ms
- 14 po90-ur02.wallingford.pa.panjde.comcast.net (68.86.208.189) 16.356 ms
- 15 *
- Detected DNAT to 192.168.1.100
- 16 c-69-142-94-59.hsd1.pa.comcast.net (69.142.94.59) 24.674 ms
- 17 c-69-142-94-59.hsd1.pa.comcast.net (69.142.94.59) [open] 25.230 ms
- (The timeout on the 15th hop is normal behavior on Comcast's
- network, and is unrelated to tcptraceroute.)