TRACEROUTE

Traceroute does just what it says: it traces the route that an IP packet takes to get from your host to its destination.

It starts by sending an IP packet (either ICMP or User Datagram Protocol [UDP]) to the specified destination, but with the TTL field set to 1. The packet "expires" at the first hop, and that router tells us so with an ICMP message, which lets us identify where that first hop is. Now we send another IP packet off to the destination, but this time with the TTL field set to 2. The packet expires at the second hop, and that router notifies us once again. By continually incrementing the TTL until we reach the destination, we discover which routers stand between our host and the destination (as shown in Figure 14-1).


Figure 14-1: Traceroute diagram

This tool can be extremely useful for diagnosing network problems (for example, for discovering the source of a network outage or finding a routing loop), but it can also be used to get an idea of where a system is located.
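As an added illustration (not code from the book), here is an in-process Python model of the probe-and-reply exchange just described: each router decrements the TTL and answers with ICMP Time Exceeded when it hits zero, the destination answers with Port Unreachable, and a router configured to stay silent shows why a hop can print as * * *. The path layout, the silent hop and the DEMO addresses are assumptions for the demo.

```python
from dataclasses import dataclass, field

# Added example (not from the book): an in-process model of the probe/reply
# exchange described above. ICMP type/code values are the real ones; the
# addresses are the page's private ones and the path layout is constructed.
TIME_EXCEEDED = (11, 0)    # ICMP Time Exceeded: TTL reached 0 in transit
PORT_UNREACHABLE = (3, 3)  # ICMP Destination Unreachable, code 3: port unreachable
BASE_PORT = 33434          # default UDP port traceroute probes (see -p)

@dataclass
class Router:
    addr: str
    silent: bool = False   # never sends ICMP back, so it shows up as * * *

@dataclass
class Path:
    routers: list
    dest: str
    listening: set = field(default_factory=set)  # UDP ports with a listener

    def send_probe(self, ttl, dport):
        # Every router decrements TTL; the one that takes it to 0 drops the
        # packet and (unless silent) reports it. Returns ((type, code), sender).
        for router in self.routers:
            ttl -= 1
            if ttl == 0:
                return None if router.silent else (TIME_EXCEEDED, router.addr)
        # Reached the destination: an unused port draws PORT_UNREACHABLE,
        # a port with a listener just absorbs the datagram (why -p exists).
        return None if dport in self.listening else (PORT_UNREACHABLE, self.dest)

def traceroute(path, max_hops=30, base_port=BASE_PORT):
    # Raise TTL from 1 until the destination answers or max_hops is reached.
    # Returns [(ttl, responder_addr_or_None), ...], one entry per TTL.
    hops = []
    for ttl in range(1, max_hops + 1):
        reply = path.send_probe(ttl, base_port + ttl - 1)  # classic traceroute bumps the port per probe
        hops.append((ttl, reply[1] if reply else None))
        if reply and reply[0] == PORT_UNREACHABLE:
            break
    return hops

DEMO = Path([Router("192.168.146.1"), Router("192.168.83.187", silent=True),
             Router("192.168.127.65")], dest="192.168.76.177")

if __name__ == "__main__":
    for ttl, who in traceroute(DEMO):
        print(f"{ttl:2d}  {who or '* * *'}")
```

Running it prints hop 2 as * * * and stops at hop 4, the destination; giving the destination a listener on every probe port makes the trace run to max_hops instead, which is the situation the -p option is for.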

Here's a fragment of sample output we might get from issuing a traceroute command (using fake hostnames and private IP addresses to protect the innocent):

11  cxchg.GW2.SEAWA1.BACK_BONE.NET  (192.168.240.79)   88.959 ms   83.770 ms   84.251 ms
12  dxchg.GW1.SEAWA1.BACK_BONE.NET  (192.168.206.185)  84.427 ms   83.894 ms   82.176 ms
13  aexchg.GW5.SEAWA1.BACK_BONE.NET (192.168.101.25)   84.570 ms   84.122 ms   84.243 ms

This shows the last few hops before traceroute reached its destination. Parts of the Internet backbone use hostnames that include geographic descriptions. SEAWA1 probably refers to Seattle, Washington, which suggests that this box is located in the northwestern United States.

Note 

Internet backbone providers are starting to adopt airport codes for their major location routers.

A graphical traceroute program for Unix called gtrace uses databases of known host locations to show a geographic map of the route that your packet is taking across the world. Look for it at http://www.caida.org/tools/visualization/gtrace/. Similar programs for Windows, called VisualRoute and McAfee Visual Trace, are available from http://www.visualware.com/ and http://www.mcafee.com/, respectively. Keep in mind that graphical traceroutes aren't always accurate because many rely on whois databases, which may or may not have current entries.

Implementation

Like Ping, the traceroute command has a few different implementations. And also like Ping, the traceroute command on Windows differs greatly from the traceroute used on Unix systems, so much so that the Windows utility is named tracert, presumably so that it could still be used on Microsoft systems without long-filename support. Table 14-3 describes some of the more important command-line options (all options are Unix-specific unless otherwise stated).

Table 14-3: Traceroute Options

Option, followed by its explanation:

-g <hostlist> (Unix), -j <hostlist> (Windows)
    Specifies a loose source-routing list for the packet to follow.

-i <interface>
    Specifies the network interface to use when choosing a source IP address to route from (for hosts with more than one network interface).

-I
    Uses ICMP instead of UDP for the traceroute. By default, traceroute sends UDP packets to ports that normally don't have anything listening on them, so that the destination host responds with an ICMP PORT_UNREACHABLE message when the packet reaches it.

-m <hops> (Unix), -h <hops> (Windows)
    Sets the maximum number of hops to take before reaching the destination. If traceroute doesn't reach the destination within that many hops, it gives up. The default is 30.

-n (Unix), -d (Windows)
    Does not resolve IP addresses to hostnames. This usually makes your traceroute a lot faster, but obviously you give up the location-based information that the hostnames can provide.

-p <port>
    If we're using UDP traceroute and the destination actually has something listening on or around the default UDP port (which is 33434), we can specify a different port here.

-w (Unix and Windows)
    Sets how long traceroute waits for a response from an intermediate hop before giving up on that probe.

Interpreting Traceroute Output

Here is a snippet of some output from a traceroute from a local box to a remote server (again using "fake" nonroutable IP addresses):

bash-2.03$ traceroute -n 192.168.76.177
traceroute to 192.168.76.177 (192.168.76.177), 30 hops max, 40 byte packets
 1  192.168.146.1  20.641 ms  15.853 ms  16.582 ms
 2  192.168.83.187  15.230 ms  13.237 ms  13.129 ms
 3  192.168.127.65  16.843 ms  14.968 ms  13.727 ms
 4  * * *
 5  192.168.14.85  16.915 ms  15.945 ms  15.500 ms
 6  192.168.14.138  17.495 ms  17.697 ms  16.598 ms
 7  192.168.14.38  17.476 ms  17.073 ms  14.342 ms
 8  192.168.189.194  19.130 ms  18.208 ms  18.250 ms
 9  192.168.96.162  39.989 ms  35.118 ms  36.275 ms
10  192.168.98.19  472.009 ms  36.853 ms  35.128 ms
11  192.168.210.126  37.135 ms  36.288 ms  35.612 ms
12  192.168.76.177  37.792 ms  36.920 ms  34.972 ms

Notice that each probe is sent three times. This is indicated by the three response-time columns (20.641 ms, 15.853 ms, 16.582 ms). Also notice that the fourth hop never responded. If you see the * timeout symbol on a hop but the trace continues once it gets to the next hop, chances are that the device at that hop isn't sending ICMP messages back to you to tell you that the packet's TTL has expired. Perhaps an intermediate firewall is prohibiting ICMP communication. Perhaps the ICMP "time exceeded" message sent by hop 4 had too short a TTL to make it back to you!

A variety of other ICMP messages can be received by traceroute. If you see any of the bizarre markings detailed in Table 14-4 in your traceroute output, that particular hop is trying to tell you something.

Table 14-4: Traceroute Hop Information

Flag    Description
!H      ICMP host unreachable
!N      ICMP network unreachable
!P      ICMP protocol unreachable
!S      Source route failed
!F      Fragmentation needed
!X      Communication administratively prohibited
!#      ICMP unreachable code #

Tip 

You'll need to use the -v option if you want to see messages other than the normal TIME_EXCEEDED and the three UNREACHABLE messages.
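To make the hop-line formats and the Table 14-4 flags concrete, here is an added Python parser (not from the book) for the output shown above, handling both the hostname form and the -n form, the * timeout marker, and any !flag after a probe time. It lists hops that never answered and translates each flag. The sample hop lines are taken from the page, except hop 12, which is constructed to show the !X flag.

```python
import re

# Added example (not from the book): parse traceroute output in the format shown
# above and explain the Table 14-4 flags. Hop 12 of the sample is constructed.
FLAGS = {"!H": "ICMP host unreachable", "!N": "ICMP network unreachable",
         "!P": "ICMP protocol unreachable", "!S": "source route failed",
         "!F": "fragmentation needed", "!X": "communication administratively prohibited"}
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)|^(\d+\.\d+\.\d+\.\d+)")  # "host (ip)" or bare ip (-n)
PROBE_RE = re.compile(r"\*|(\d+(?:\.\d+)?)\s*ms(?:\s+(![A-Z]|!\d+))?")  # "*" or "<rtt> ms [!flag]"

def explain(flag):
    return FLAGS.get(flag, f"ICMP unreachable code {flag[1:]}")  # "!#" carries a numeric code

def parse_hop(line):
    m = HOP_RE.match(line)
    if not m:
        return None  # header or blank line, not a hop
    hop, rest = int(m.group(1)), m.group(2)
    host = ip = None
    a = ADDR_RE.match(rest)
    if a:
        host, ip = (a.group(1), a.group(2)) if a.group(2) else (None, a.group(3))
        rest = rest[a.end():]
    rtts, flags = [], []
    for p in PROBE_RE.finditer(rest):
        rtts.append(None if p.group(0) == "*" else float(p.group(1)))  # None = timeout
        if p.group(2):
            flags.append(p.group(2))
    return {"hop": hop, "host": host, "ip": ip, "rtts": rtts, "flags": flags}

def analyze(output):
    # Parse every hop and list the conditions a reader should notice
    hops = [h for h in map(parse_hop, output.splitlines()) if h]
    notes = []
    for h in hops:
        if h["rtts"] and all(r is None for r in h["rtts"]):
            notes.append((h["hop"], "no reply to any probe (ICMP not sent or filtered)"))
        for f in dict.fromkeys(h["flags"]):  # report each flag once per hop
            notes.append((h["hop"], explain(f)))
    return hops, notes

SAMPLE = """\
 3  192.168.127.65  16.843 ms  14.968 ms  13.727 ms
 4  * * *
10  192.168.98.19  472.009 ms  36.853 ms  35.128 ms
11  cxchg.GW2.SEAWA1.BACK_BONE.NET  (192.168.240.79)  88.959 ms   83.770 ms 84.251 ms
12  192.168.76.177  37.792 ms !X  * 34.972 ms !X
"""
```

Calling analyze(SAMPLE) returns the five parsed hops plus two notes: hop 4 answered no probe, and hop 12 reported "communication administratively prohibited".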

Traceroute provides valuable information, including the geographic region of a host, a list of the machines that handle the traffic between the source and the destination host, as well as the Internet provider for the host. This kind of information can allow a hacker to look for intermediate routers that might be vulnerable to attack or use social engineering to get even more information. Since traceroutes are considered valid traffic by most systems, only firewalls and intrusion-detection systems can be used to block or detect external traceroutes.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175