Hi folks,

Many of you know how important the analysis and planning of the targeted environment is before attempting a successful penetration test.

I got the idea, and I am trying to draw the network design in order to visualize things better. Many tools can be used to do that; I used hping3 as it comes with BT4, others include tcptraceroute, firewalk-5.0 (discontinued by the developers...), etc.

What the program (hping3) in fact does is TCP/IP packet injection (with the SYN bit enabled) hop by hop until it reaches the final host (destination).

By sniffing the traffic, I could determine the TTL of the various responding hosts within the path until my packet "got there".

As far as I know, the default behavior of a network would be to decrement the TTL by one per device as I go deeper into the network (meaning that I am getting closer to the targeted IP). For example, in a network with 3 devices (routers) before my targeted IP it would be something like this:

123.123.123.122 TTL 255 (my gateway)
123.123.123.133 TTL 254
123.123.123.144 TTL 253
177.177.177.177 TTL 124 (target IP)
Demonstrating that the host is Windows-based (TTL starts at 128) and is placed 4 hops from me.
What I have noticed, though, is that sometimes the TTL increases. Like this:

123.123.123.122 TTL 255 (my gateway)
123.123.123.133 TTL 250
123.123.123.144 TTL 251
177.177.177.177 TTL 124 (target IP)
This is confusing, because I can't know the network structure for sure (whether they are placed beside each other or below/above each other).

Can someone here enlighten me on this topic?
Thanks in advance!
sl33p
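An added example, not code from the post or from hping3, for reading a capture like the one above. Each reply's TTL field is set by the responding device from its own initial TTL (64, 128 or 255 on most stacks; this table is an assumption) and is then decremented by every router on the way back to the observer, so it measures the length of the return path from that device, not its forward distance. The forward distance is already known from the TTL set on the probe that expired at (or reached) that device. The sample input is constructed from the second series in the post, with an assumed probe TTL added to each line; a responder whose return-path length does not match its forward hop count is flagged, which is what non-monotonic reply TTLs normally indicate. The same arithmetic is what TTL-based OS guessing and TTL sanity checks in intrusion detection rely on.

```python
# Added example (not the poster's or hping3's code): interpret reply TTLs from a
# hop-by-hop probe. Input is a constructed list of (probe_ttl, responder_ip, reply_ttl)
# as a sniffer would show it: probe_ttl is the TTL we set on the probe that expired
# at (or reached) the responder, reply_ttl is the TTL field of the reply we received.
from dataclasses import dataclass
from typing import List, Tuple

# Initial TTLs commonly used by responding stacks (assumption: many Linux/BSD use 64,
# Windows 128, many routers and Solaris 255).
COMMON_INITIAL_TTLS = (64, 128, 255)


@dataclass
class Hop:
    forward_hops: int   # distance from us to the responder, taken from the probe TTL
    ip: str
    reply_ttl: int
    initial_ttl: int    # responder's inferred initial TTL
    return_hops: int    # routers crossed by the reply on its way back to us

    @property
    def symmetric(self) -> bool:
        # A reply from hop N crosses N-1 routers on the way back when the
        # return path mirrors the forward path.
        return self.return_hops == self.forward_hops - 1


def infer_initial_ttl(reply_ttl: int) -> int:
    """Smallest common initial TTL that is not below the observed reply TTL."""
    if not 1 <= reply_ttl <= 255:
        raise ValueError(f"invalid TTL {reply_ttl}")
    return next(c for c in COMMON_INITIAL_TTLS if reply_ttl <= c)


def analyse(observations: List[Tuple[int, str, int]]) -> List[Hop]:
    """Turn raw (probe_ttl, ip, reply_ttl) observations into per-hop estimates."""
    hops = []
    for probe_ttl, ip, reply_ttl in observations:
        init = infer_initial_ttl(reply_ttl)
        hops.append(Hop(probe_ttl, ip, reply_ttl, init, init - reply_ttl))
    return hops


def asymmetric_hops(hops: List[Hop]) -> List[str]:
    """IPs whose replies took a return path of a different length than the forward path."""
    return [h.ip for h in hops if not h.symmetric]


# Constructed sample: the non-monotonic reply TTLs from the post, with the (assumed)
# probe TTL that elicited each reply added as the first field.
SAMPLE = [
    (1, "123.123.123.122", 255),  # gateway: replies from 255, 0 routers back
    (2, "123.123.123.133", 250),  # router: replies from 255, but 5 routers back
    (3, "123.123.123.144", 251),  # router: replies from 255, 4 routers back
    (4, "177.177.177.177", 124),  # target: replies from 128 (Windows-like), 4 back
]

if __name__ == "__main__":
    for h in analyse(SAMPLE):
        print(f"hop {h.forward_hops} {h.ip:16} reply TTL {h.reply_ttl:3} "
              f"-> initial {h.initial_ttl}, return path {h.return_hops} hops, "
              f"{'symmetric' if h.symmetric else 'ASYMMETRIC'}")
```

Run on the sample, the two middle routers come out with return paths of 5 and 4 hops while sitting at forward hops 2 and 3: their ICMP replies are routed back along a longer path than the probes took out, which is what makes the reply TTLs look like they go up and down. Ordering the diagram by the probe TTL that reached each device, rather than by the reply TTL, gives the forward layout; the reply TTL only adds the responder's likely initial TTL and a hint about return routing.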