Monday, March 21, 2011

0trace

This one is an interesting traceroute utility. It requires an established TCP connection and runs the trace inside that connection. This is useful because firewalls allow established TCP connections through, and thus won't filter the trace. Usage is a bit more complicated than with the other tools.

1. Open a TCP connection - telnet [IP address] 80
2. Start 0trace - ./0trace.sh eth0 [IP address] 80  
3. Generate some network traffic (TCP activity) - GET / HTTP/1.0


It won't work if:

  • The FW at the target drops outgoing ICMP packets
  • The FW at the target rewrites the TTL field
  • There is an application layer proxy / load balancer in the traffic path
  • There is no L3 infrastructure behind the FW

And as the tool has a recognizable TCP fingerprint, IDS and IPS systems can detect it.
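To illustrate the detection point above, here is an added example (not part of the original post and not code from 0trace itself) that scans constructed packet records for a trace-style pattern inside an established TCP session: a run of low, incrementing TTL values from one side of a flow that already completed its handshake. The Packet record, the sample data and the ramp heuristic are all assumptions of this example; a real detector would read the same fields from a capture or a flow log.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal IP/TCP header fields needed for the heuristic (assumed layout)."""
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    flags: str


# Constructed sample traffic: a normal HTTP session from 10.0.0.5, then a
# session from 10.0.0.7 that, after the handshake, carries ACKs with TTL 1,2,3,4.
SAMPLE = [
    Packet("10.0.0.5", "203.0.113.10", 40001, 80, 64, "S"),
    Packet("203.0.113.10", "10.0.0.5", 80, 40001, 57, "SA"),
    Packet("10.0.0.5", "203.0.113.10", 40001, 80, 64, "A"),
    Packet("10.0.0.5", "203.0.113.10", 40001, 80, 64, "PA"),
    Packet("10.0.0.7", "203.0.113.10", 40002, 80, 64, "S"),
    Packet("203.0.113.10", "10.0.0.7", 80, 40002, 57, "SA"),
    Packet("10.0.0.7", "203.0.113.10", 40002, 80, 64, "A"),
    Packet("10.0.0.7", "203.0.113.10", 40002, 80, 1, "A"),
    Packet("10.0.0.7", "203.0.113.10", 40002, 80, 2, "A"),
    Packet("10.0.0.7", "203.0.113.10", 40002, 80, 3, "A"),
    Packet("10.0.0.7", "203.0.113.10", 40002, 80, 4, "A"),
]


def flow_key(p):
    """One direction of a TCP connection: (src, dst, sport, dport)."""
    return (p.src, p.dst, p.sport, p.dport)


def longest_ramp(ttls, max_start):
    """Longest run of TTLs that increase by exactly 1, starting at or below max_start.

    Returns (start_ttl, run_length); (None, 0) when no such run exists.
    """
    best = (None, 0)
    i = 0
    while i < len(ttls):
        if ttls[i] > max_start:  # normal TTLs (64, 128, ...) never start a ramp
            i += 1
            continue
        j = i
        while j + 1 < len(ttls) and ttls[j + 1] == ttls[j] + 1:
            j += 1
        length = j - i + 1
        if length > best[1]:
            best = (ttls[i], length)
        i = j + 1
    return best


def find_ttl_ramps(packets, min_len=3, max_start=8):
    """Map each flow direction that shows a TTL ramp of at least min_len packets
    to its (start_ttl, run_length)."""
    per_flow = defaultdict(list)
    for p in packets:
        per_flow[flow_key(p)].append(p.ttl)
    hits = {}
    for key, ttls in per_flow.items():
        start, length = longest_ramp(ttls, max_start)
        if length >= min_len:
            hits[key] = (start, length)
    return hits


if __name__ == "__main__":
    for flow, (start, length) in find_ttl_ramps(SAMPLE).items():
        print(f"TTL ramp in flow {flow}: starts at {start}, {length} packets")
```

The thresholds are deliberately conservative: a host with a normal initial TTL of 64 or 128 never produces a run that starts at 8 or below, so ordinary sessions do not trigger. The same caveat the post lists for the tool applies to the detector: if a firewall on the path rewrites the TTL field, the ramp is invisible at any sensor placed behind it.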

Official website: http://lcamtuf.coredump.cx/
