Thread: can the TTL increase through the network path?

  1. #1
    sl33p (Just burned his ISO)
    Join Date
    Jan 2010
    Posts
    19

    can the TTL increase through the network path?

    Hi folks,

    Many of you know how important the analysis and planning of the targeted environment is before attempting a successful penetration test.

    I got the idea, and I am trying to draw the network design in order to visualize things better. Many tools can be used to do that; I used hping3, as it comes with BT4. Others include tcptraceroute, firewalk-5.0 (discontinued by its developers...), etc.

    What in fact is done by the program (hping3) is TCP/IP packet injection (with the SYN bit enabled) hop-by-hop until it reaches the final host (destination).

    By sniffing the traffic, I could determine the TTL of the various responding hosts within the path until my packet "got there".

    As far as I know, the default behavior of a network would be to decrement the TTL at each device as I go deeper into the network (meaning that I am getting closer to the targeted IP). For example, in a network with 3 devices (routers) before my targeted IP, it would be something like this:

    123.123.123.122 TTL 255 (my gateway)
    123.123.123.133 TTL 254
    123.123.123.144 TTL 253
    177.177.177.177 TTL 124 (target IP)

    Demonstrating that the host is Windows based (TTL starts at 128) and is placed 4 hops from me.

    What I have noticed, though, is that sometimes the TTL increases. Like this:

    123.123.123.122 TTL 255 (my gateway)
    123.123.123.133 TTL 250
    123.123.123.144 TTL 251
    177.177.177.177 TTL 124 (target IP)

    This is confusing, because I can't know the network structure for sure (whether they are placed side by side or below/above each other).

    Can someone here shed some light on this topic?
    Thanks in advance!
    sl33p

  2. #2

    Quote Originally Posted by sl33p:
    What I know by the notice though, is that sometimes the TTL increases.
    sl33p
    Two guesses:

    1. There is a routing loop between those 2 hops.
    2. Maybe hping increments the TTL for each hop and that particular node didn't respond to the first packet, so hping incremented by one automatically.

    As I said, these are just guesses...very curious indeed!

    regards,

    cybrsnpr

  3. #3
    sl33p (Just burned his ISO)
    Join Date
    Jan 2010
    Posts
    19

    Thanks for your attention.

    1. What would a routing loop be? How could I confirm this behavior?
    2. As far as I understood, what hping does is send a TCP SYN packet with a TTL of 1 to oblige the respondent (the next hop) to send a packet back with an ICMP type 11 (Time-to-live exceeded) message, with the original data encapsulated in its content. So, you look at the TTL of the TCP packet (IP layer), not the TTL of the ICMP message (because it will always be 1).

    Additionally, I know that they're configurable (www.map.meteoswiss.ch/map-doc/ftp-probleme.htm), but honestly I have never found a device with a TTL modified by a system administrator.

    HTH

  4. #4
    streaker69 (Senior Member)
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    I'm not so sure your theory is correct on that after doing some experimenting here.

    From my desk, I ping a switch that's across a T1 and then through one switch, and I get a TTL of 62.

    If I ping one device that's connected to that switch, I get a TTL of 126, and for another device I get a TTL of 28. Both of those devices are on the same switch, and technically the same distance from me, but they are just different kinds of devices.

    Also, pinging a router across one of my VPN links, I get a TTL of 63, but pinging a device that's connected on the other side of that router, I get a TTL of 62, but pinging another device connected to that router, I get a TTL of 126.

  5. #5
    PeppersGhost (Member)
    Join Date
    Jan 2008
    Posts
    204

    Two different questions here, sl33p. Yes, normal routing behavior is to decrement the TTL at each hop, and if the TTL hits 0 the packet is discarded. However, the ICMP (i.e. tracert, hping, etc.) protocol progressively increments the TTL field (2, 3, 4 and so on) for each sequence of messages. This provides the trace with the address of each hop as packets move towards the destination.

  6. #6
    lupin (Super Moderator)
    Join Date
    Jan 2010
    Posts
    2,943

    Quote Originally Posted by PeppersGhost:
    Two different questions here, sl33p. Yes, normal routing behavior is to decrement the TTL at each hop, and if the TTL hits 0 the packet is discarded. However, the ICMP (i.e. tracert, hping, etc.) protocol progressively increments the TTL field (2, 3, 4 and so on) for each sequence of messages. This provides the trace with the address of each hop as packets move towards the destination.
    Actually, strictly speaking, it's a router that decrements the TTL value in an IP packet that it forwards. Could a router be configured to increment a TTL value instead of decrementing it? Sure it could, although configuring a router to behave that way would be difficult, unusual and likely to cause problems.

    In addition, a tool that uses ICMP like hping or tracert to perform a traceroute will create IP packets that have incrementing TTL values. The ICMP protocol doesn't have anything to do with this; embedded protocols other than ICMP can be and are used to perform a traceroute (Unix traceroute uses UDP packets, for example). The thing that makes a traceroute work is the steadily incrementing TTL value which sits in the IP header of a packet, and the embedded protocol (TCP/UDP/ICMP) is only of secondary interest in the process.

    And for the OP, a packet normaliser could change the TTL on packets coming into a network...
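The traces in the opening post and streaker69's observations both show the same thing: the TTL seen in a hop's reply is whatever initial TTL that device uses (Windows 128, most Unix 64, many routers 255) minus the routers on the way back to the sniffer, so values from different devices cannot be compared directly. The script below is an added example, not code from the thread; it normalises each observed TTL to an estimated hop distance by assuming the replying device started from one of the conventional initial values, and flags where that distance goes backwards along the path (the "TTL increase" in the second trace), which is the point at which to suspect an asymmetric return path or a device rewriting TTLs.

```python
# Added example (not from the thread): normalise reply TTLs into an estimated
# hop distance and flag hops whose distance decreases along the probed path.

# Assumption: the replying device started from one of these conventional
# initial TTL values (Windows 128, most Unix 64, many routers 255, a few 32).
INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed):
    """Smallest conventional initial TTL that is >= the observed value."""
    for init in INITIAL_TTLS:
        if observed <= init:
            return init
    raise ValueError(f"TTL {observed} exceeds every conventional initial TTL")


def hop_distance(observed):
    """Estimated number of routers between the replying device and the sniffer
    on the *return* path; this need not match the forward probe count."""
    return guess_initial_ttl(observed) - observed


def analyse_path(hops):
    """hops: list of (ip, observed_ttl) in probe order (TTL 1, 2, 3, ...).
    Returns one dict per hop; 'anomaly' is True when the estimated distance
    is smaller than that of the previous hop, i.e. the TTL went up."""
    result, prev = [], None
    for ip, ttl in hops:
        dist = hop_distance(ttl)
        result.append({"ip": ip, "ttl": ttl, "initial": guess_initial_ttl(ttl),
                       "distance": dist,
                       "anomaly": prev is not None and dist < prev})
        prev = dist
    return result


# Constructed sample: the second (confusing) trace from the opening post.
SAMPLE = [("123.123.123.122", 255), ("123.123.123.133", 250),
          ("123.123.123.144", 251), ("177.177.177.177", 124)]

if __name__ == "__main__":
    for row in analyse_path(SAMPLE):
        note = "  <-- distance decreased: check return path / TTL rewriting" \
            if row["anomaly"] else ""
        print(f'{row["ip"]:16} ttl={row["ttl"]:3} initial={row["initial"]:3} '
              f'distance={row["distance"]}{note}')
```

Run against the first trace in the opening post, the distances come out as 0, 1, 2, 4 with no anomaly, which is what a symmetric path looks like.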
