Anti-Hacker Tool Kit, Third Edition
Traceroute does just what it says—it traces the route that an IP packet takes to get from your host to its destination.
It starts by sending an IP packet (either ICMP or User Datagram Protocol—UDP) to its specified destination, but it sets the TTL field to 1. The packet “expires” at the first hop, and that router tells us that the packet expired using an ICMP message, which allows us to identify where that first hop is. Now we send another IP packet off to the destination, but this time the TTL field is set to 2. The packet will expire at the second hop, and that router will notify us once again. By continually incrementing the TTL until we reach the destination, we can discover which routers are standing in between our host and our destination (as shown in Figure 14-1).
This tool can be extremely useful for diagnosing network problems (for example, for discovering the source of a network outage or finding a routing loop), but it can also be used to get an idea of where a system is located.
Here’s a fragment of sample output we might get from issuing a traceroute command (using fake hostnames and private IP addresses to protect the innocent):
```text
11 cxchg.GW2.SEAWA1.BACK_BONE.NET (192.168.240.79) 88.959 ms 83.770 ms 84.251 ms
12 dxchg.GW1.SEAWA1.BACK_BONE.NET (192.168.206.185) 84.427 ms 83.894 ms 82.176 ms
13 aexchg.GW5.SEAWA1.BACK_BONE.NET (192.168.101.25) 84.570 ms 84.122 ms 84.243 ms
```
This shows the last few hops before traceroute reached its destination. Parts of the Internet backbone use hostnames with geographic descriptions. SEAWA1 most likely refers to Seattle, Washington, indicating that this box is probably located in the northwestern United States.
Note: Internet backbone providers are starting to adopt airport codes for their major location routers.
A graphical traceroute program for Unix called gtrace uses databases of known host locations to show a geographic map of the route that your packet is taking across the world. Look for it at http://www.caida.org/tools/visualization/gtrace/. Similar programs for Windows, called VisualRoute and McAfee Visual Trace, are available from http://www.visualware.com/ and http://www.mcafee.com/, respectively. Keep in mind that graphical traceroutes aren’t always accurate because many rely on whois databases, which may or may not have current entries.
Implementation
Like Ping, the traceroute command has a few different implementations. And also like Ping, the traceroute command on Windows differs greatly from the traceroute used on Unix systems, so much so that the Windows utility is named tracert, presumably so that it can still be used on Microsoft systems without long filename support. Table 14-2 describes some of the more important command-line options (all options are Unix-specific unless otherwise stated).
Option | Explanation |
---|---|
-g <hostlist> (Unix) -j <hostlist> (Windows) | Specifies a loose source-routing list for the packet to follow. |
-i <interface> | Specifies the network interface to use when choosing a source IP address to route from (for hosts with more than one network interface). |
-I | Uses ICMP instead of UDP for the traceroute. By default, traceroute sends UDP packets to ports that normally don't have anything listening on them, so that the destination host will respond with an ICMP PORT_UNREACHABLE message when the packet reaches its destination. |
-m <hops> (Unix) -h <hops> (Windows) | Sets the maximum number of hops to take before reaching the destination. If traceroute doesn't reach the destination within <hops> hops, it gives up. The default is 30. |
-n (Unix) -d (Windows) | Does not resolve IP addresses. Usually makes your traceroute a lot faster, but obviously you give up obtaining useful location-based information from the hostnames. |
-p <port> | If we're using UDP traceroute and the destination actually has someone listening on or around the default UDP port (which is 33434), we can specify a different port here. |
-w (Unix and Windows) | Sets how long traceroute should wait for a response from an intermediate hop. |
Interpreting Traceroute Output
Here is a snippet of some output from a traceroute from a local box to a remote server (again using “fake” nonroutable IP addresses):
```text
bash-2.03$ traceroute -n 192.168.76.177
traceroute to 192.168.76.177 (192.168.76.177), 30 hops max, 40 byte packets
 1 192.168.146.1 20.641 ms 15.853 ms 16.582 ms
 2 192.168.83.187 15.230 ms 13.237 ms 13.129 ms
 3 192.168.127.65 16.843 ms 14.968 ms 13.727 ms
 4 * * *
 5 192.168.14.85 16.915 ms 15.945 ms 15.500 ms
 6 192.168.14.138 17.495 ms 17.697 ms 16.598 ms
 7 192.168.14.38 17.476 ms 17.073 ms 14.342 ms
 8 192.168.189.194 19.130 ms 18.208 ms 18.250 ms
 9 192.168.96.162 39.989 ms 35.118 ms 36.275 ms
10 192.168.98.19 472.009 ms 36.853 ms 35.128 ms
11 192.168.210.126 37.135 ms 36.288 ms 35.612 ms
12 192.168.76.177 37.792 ms 36.920 ms 34.972 ms
```
Notice that each probe is sent three times. This is indicated by the three response time columns (20.641 ms 15.853 ms 16.582 ms). Also notice that the fourth hop never responded. If you see the * time-out symbol on a hop but the trace continues once it gets to the next hop, chances are that the device at that hop isn’t sending ICMP messages back to you to tell you that the packet’s TTL has expired. Perhaps an intermediate firewall is prohibiting ICMP communication. Perhaps the ICMP “time exceeded” message sent by hop 4 had too short a TTL to make it back to you!
A variety of other ICMP messages can be received by traceroute. If you see any of the bizarre markings detailed in Table 14-3 in your traceroute output, that particular hop is trying to tell you something.
Flag | Description |
---|---|
!H | ICMP host unreachable |
!N | ICMP network unreachable |
!P | ICMP protocol unreachable |
!S | Source route failed |
!F | Fragmentation needed |
!X | Communication administratively prohibited |
!# | ICMP unreachable code # |
Note: You’ll need to use the -v option if you want to see messages other than the normal TIME_EXCEEDED and the three UNREACHABLE messages.
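As an added example (not from the book), here is a small Python parser for Unix traceroute output that applies the interpretation above: it records the three per-probe times, counts `*` time-outs, translates the Table 14-3 markers, and points out a single-probe latency spike. The sample text is constructed from the trace shown earlier plus an invented hop 13 whose probes come back marked !X.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Meaning of the per-probe markers from Table 14-3; any other "!<n>" is raw code n.
FLAG_MEANING = {"!H": "host unreachable", "!N": "network unreachable",
                "!P": "protocol unreachable", "!S": "source route failed",
                "!F": "fragmentation needed", "!X": "administratively prohibited"}

@dataclass
class Hop:
    number: int
    host: str | None                     # None when every probe timed out
    rtts: list[float] = field(default_factory=list)
    timeouts: int = 0                    # count of '*' probes
    flags: list[str] = field(default_factory=list)

def parse_hop(line: str) -> Hop | None:
    """Parse one hop line of Unix traceroute output; None for any other line."""
    m = re.match(r"^\s*(\d+)\s+(\S.*)$", line)
    if not m:
        return None
    rest = m.group(2)
    host = None if rest.startswith("*") else rest.split()[0]
    return Hop(int(m.group(1)), host, [float(x) for x in re.findall(r"([\d.]+) ms", rest)],
               rest.count("*"), re.findall(r"!(?:[A-Z]|\d+)", rest))

def analyze(output: str) -> tuple[list[Hop], list[str]]:
    hops = [h for h in map(parse_hop, output.splitlines()) if h]
    findings = []
    for h in hops:
        if not h.rtts:
            findings.append(f"hop {h.number}: no reply (router silent, or its "
                            "TIME_EXCEEDED was filtered on the way back)")
        for f in sorted(set(h.flags)):
            meaning = FLAG_MEANING.get(f, "ICMP unreachable code " + f[1:])
            findings.append(f"hop {h.number}: {f} ({meaning})")
        # One slow probe among fast ones is the router deprioritising ICMP generation, not path latency
        if h.rtts and max(h.rtts) > 5 * min(h.rtts):
            findings.append(f"hop {h.number}: single probe spiked to {max(h.rtts)} ms")
    return hops, findings

# Constructed sample: hops from the trace above plus an invented hop 13 marked !X.
SAMPLE = """\
traceroute to 192.168.76.177 (192.168.76.177), 30 hops max, 40 byte packets
 1 192.168.146.1 20.641 ms 15.853 ms 16.582 ms
 4 * * *
10 192.168.98.19 472.009 ms 36.853 ms 35.128 ms
13 192.168.76.177 37.792 ms !X 36.920 ms !X 34.972 ms !X
"""
```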
Traceroute provides valuable information, including the geographic region of a host, a list of the machines that handle the traffic between the source and the destination host, as well as the Internet provider for the host. This kind of information can allow a hacker to look for intermediate routers that might be vulnerable to attack or use social engineering to get even more information. Since traceroutes are considered valid traffic by most systems, only firewalls and intrusion-detection systems can be used to block or detect external traceroutes.
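An added example, not from the book, showing the detection side of that last sentence: given packet records from a firewall or IDS sensor (constructed here, using RFC 5737 documentation addresses), it groups candidate probes by source and destination and flags the incrementing-TTL pattern that both UDP traceroute (ports 33434 and up) and ICMP-based tracert produce. The `Pkt` record layout and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

class Pkt(NamedTuple):
    src: str
    dst: str
    proto: str       # "udp", "icmp-echo" or "tcp"
    dport: int       # UDP/TCP destination port; 0 for ICMP
    ttl: int         # TTL as seen at the sensor

# Unix traceroute sends UDP to 33434 and up, one port per probe (-p moves the
# base); Windows tracert and traceroute -I send ICMP echo requests instead.
UDP_BASE, UDP_SPAN = 33434, 100   # 30 hops x 3 probes fits inside 100 ports
MIN_RUN = 3                       # consecutive TTLs needed to call it a trace

def is_probe(p: Pkt) -> bool:
    """Does this packet look like a traceroute probe (by port or ICMP type)?"""
    if p.proto == "udp":
        return UDP_BASE <= p.dport < UDP_BASE + UDP_SPAN
    return p.proto == "icmp-echo"

def detect_traceroutes(pkts: List[Pkt]) -> Dict[Tuple[str, str], List[int]]:
    """Map (src, dst) -> sorted TTLs for pairs showing the incrementing-TTL pattern.
    A sensor h hops from the sender sees the probes arrive with TTL 1, 2, 3, ...
    (sender TTL minus h), so the signature is the run of consecutive values."""
    seen: Dict[Tuple[str, str], set] = defaultdict(set)
    for p in pkts:
        if is_probe(p):
            seen[(p.src, p.dst)].add(p.ttl)
    hits = {}
    for pair, ttls in seen.items():
        s = sorted(ttls)
        run = best = 1
        for a, b in zip(s, s[1:]):
            run = run + 1 if b == a + 1 else 1
            best = max(best, run)
        if best >= MIN_RUN:
            hits[pair] = s
    return hits

# Constructed sensor records (RFC 5737 documentation addresses).
SAMPLE_PKTS = (
    # Unix-style UDP trace: TTL 1..6, destination port stepping from 33435
    [Pkt("203.0.113.5", "192.0.2.10", "udp", 33435 + i, 1 + i) for i in range(6)]
    # Windows tracert-style ICMP trace
    + [Pkt("198.51.100.7", "192.0.2.10", "icmp-echo", 0, t) for t in (1, 2, 3, 4)]
    # ordinary DNS queries and a lone ping from one host: must not be flagged
    + [Pkt("203.0.113.9", "192.0.2.10", "udp", 53, 57 - i) for i in range(6)]
    + [Pkt("203.0.113.9", "192.0.2.10", "icmp-echo", 0, 60)]
)
```

Because the signal is the run of consecutive TTLs rather than any absolute value, the same logic works whether the sensor sits at the perimeter or on the destination host itself.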