InTrace ------- http://www.swiecki.net (C) Copyright 2007 Robert Swiecki 1. What is that? ==================================== InTrace is traceroute-like application that enables users to enumerate IP hops using existing TCP connections, both initiated from local network (local system) or from remote hosts. It could be useful for network reconnaissance and firewall bypassing. 2. Locally initiated TCP connection =================================== Run intrace: --------------------------------------------------------------------- localhost# ./intrace -i eth0 -h www.freescale.com InTrace 1.2 (C)2007 Robert Swiecki R: 192.88.156.10/ANY (0) L: 0.0.0.0/0 Last rcvd SEQ: 0, ACK: 0 Waiting to acquire enough packets --------------------------------------------------------------------- Establish TCP connection: --------------------------------------------------------------------- localhost$ nc www.freescale.com 80 GET / HTTP/1.0 --------------------------------------------------------------------- Take a look at the InTrace output: --------------------------------------------------------------------- InTrace 1.2 (C)2007 Robert Swiecki R: 192.88.156.10/ANY (80) L: 192.168.0.5/40005 Last rcvd SEQ: 1400545495, ACK: 3344758762 Press ENTER to start sending packets --------------------------------------------------------------------- Do as it says.. ;) --------------------------------------------------------------------- 1. 192.158.0.1 [ICMP TTL-EXCEEDED] 2. 212.76.62.233 [ICMP TTL-EXCEEDED] 3. --- [NO RESPONSE] 4. 212.76.35.70 [ICMP TTL-EXCEEDED] 5. 212.76.35.173 [ICMP TTL-EXCEEDED] 6. 213.248.77.201 [ICMP TTL-EXCEEDED] 7. --- [NO RESPONSE] 8. 213.248.96.25 [ICMP TTL-EXCEEDED] 9. 80.91.249.137 [ICMP TTL-EXCEEDED] 10. 213.248.77.182 [ICMP TTL-EXCEEDED] 11. 67.17.68.22 [ICMP TTL-EXCEEDED] 12. 64.212.225.214 [ICMP TTL-EXCEEDED] 13. 69.25.168.1 [ICMP TTL-EXCEEDED] 14. 69.25.127.90 [ICMP TTL-EXCEEDED] 15. 191.83.158.250 [ICMP TTL-EXCEEDED] 16. 192.88.156.10 [ICMP TTL-EXCEEDED] [NAT] 17. 192.88.156.10 [TCP REPLY] --------------------------------------------------------------------- So, we've found pretty NAT appliance at hop 192.88.156.10 Another try with www.paypal.com -> 216.113.188.65/80 TCP reveals some details of PayPal's internal network structure. --------------------------------------------------------------------- 1. 217.17.45.185 [ICMP TTL-EXCEEDED] 2. 193.111.37.5 [ICMP TTL-EXCEEDED] 3. 212.73.253.129 [ICMP TTL-EXCEEDED] 4. --- [NO RESPONSE] 5. 64.159.1.113 [ICMP TTL-EXCEEDED] 6. 4.68.107.2 [ICMP TTL-EXCEEDED] 7. 64.156.40.98 [ICMP TTL-EXCEEDED] 8. 10.1.1.162 [ICMP TTL-EXCEEDED] <-- PayPal's 9. 10.1.1.110 [ICMP TTL-EXCEEDED] <-- internal 10. --- [NO RESPONSE] <-- network 11. 216.113.188.65 [TCP REPLY] --------------------------------------------------------------------- 3. Remotely initiated TCP connection ==================================== Take a look at remotely established TCP connections in the system's TCP tables and pick one --------------------------------------------------------------------- localhost# netstat -tanp Active Internet connections (servers and established) Proto R-Q S-Q Local Address Foreign Address State PID/Program name ... tcp 0 0 212.76.62.233:22 217.17.34.18:23203 ESTABLISHED 6321/sshd ... --------------------------------------------------------------------- Run InTrace ... --------------------------------------------------------------------- localhost# ./intrace -i eth0 -h 217.17.34.18 --------------------------------------------------------------------- ... wait for a few packets (exchanged within that connection), then press ENTER. --------------------------------------------------------------------- InTrace 1.2 (C)2007 Robert Swiecki R: 217.17.34.18/ANY (23203) L: 212.76.62.233/22 Last rcvd SEQ: 209707007, ACK: 29305148 Press ENTER to start sending packets 1. 212.76.43.254 [ICMP TTL-EXCEEDED] 2. --- [NO RESPONSE] 3. --- [NO RESPONSE] 4. 212.76.35.50 [ICMP TTL-EXCEEDED] 5. 212.76.35.25 [ICMP TTL-EXCEEDED] 6. 195.85.195.8 [ICMP TTL-EXCEEDED] 7. 85.232.232.65 [ICMP TTL-EXCEEDED] 8. 85.232.232.62 [ICMP TTL-EXCEEDED] 9. 217.17.34.18 [ICMP TTL-EXCEEDED] [NAT] 10. --- [NO RESPONSE] 11. 217.17.34.18 [TCP REPLY] --------------------------------------------------------------------- So, we've discovered that the TCP connection is actually initiated from behind NAT appliance (hop # 9), and there is one more IP hop behind it (hop # 10), unfortunately not responding with icmp time-exceeded. 4. Feedback ==================================== If you have any suggestions or comments, don't hesitate to contact! The address is: Robert Swiecki 5. Credits ==================================== Michal Zalewski (http://lcamtuf.coredump.cx) - initial concept and the first implementation. http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0145.html