Please create tutorials based on tools which are in backtrack.
Hey, just a simple tutorial on "intrace" usage - couldn't spot one on the forums anywhere, so thought I'd post one I wrote up today:
If you've ever used a computer before, and if you're at all interested in Security or Hacking, then I'm going to take a wild guess and assume you've used traceroute/tracert - if you haven't, you really need to go back to the basics and start again. Just in case you haven't, in the words of Wiki, traceroute is this:
In terms of a penetration test, it's useful for determining which boxes a packet passes through along the way to a destination, and therefore, can help you determine the internal network structure of an organization (and therefore, possible further targets for a penetration test). Sometimes, however, a firewall may block your traceroute attempts, or other times, it may simply just not give you enough information. Welcome "intrace" - a program by Robert Święcki, who is an Information Security Engineer for Google. The difference between traceroute and intrace is that intrace will make use of an existing TCP connection, and piggyback its packets on this connection, effectively bypassing any firewall rules that block them, and quite often giving you more internal information than you expected.traceroute is a computer network tool used to show the route taken by packets across an IP network. An IPv6 variant, traceroute6, is also widely available.
The traceroute tool is available on practically all Unix-like operating systems. Variants with similar functionality are also available, such as tracepath on modern Linux installations and tracert on Microsoft Windows operating systems
In terms of usage, it actually relatively simple. Download a copy of the source from the Google Project Page, and extract it on your Linux/Unix box:
Then "cd" into the directory, and type "make". Next up is the actual "command switch" to get it to run - it's pretty simple. Type this:Code:tar xfz intrace-1.4.3.tgz
Obviously, substituting "paypal.com" for the host that you need to use, but I provide PayPal for this example, as it's been used before. Also, the "-p 80" can be substituted for any port, depending on the service you are wanting to piggyback on (such as 21 for FTP, or 22 for SSH). Once you've done that, you need to initiate some form of a connection to the host - the easiest way to do this is with "netcat". Type this:Code:sudo ./intrace -h paypal.com -p 80
That will initiate a connection with PayPal, and all you will need to do is head back to your "intrace" window, and press "enter", and watch the magic happen. If you don't like netcat, just visit paypal in your web browser of choice. You should see an output like this (IP's have been censored where applicable to protect privacy):Code:nc paypal.com 80
Compared to a standard traceroute output of the same host, which never seems to reach the destination (IP's have been censored where applicable to protect privacy):InTrace 1.4.3 -- R: 22.214.171.124/80 (80) L: xxx.xxx.xxx.xxx/45814
Payload Size: 1 bytes, Seq: 0xf5f1548d, Ack: 0xf30efa5d
Status: Press ENTER
# [src addr] [icmp src addr] [pkt type]
1. [xxx.xxx.xxx.xxx ] [126.96.36.199 ] [ICMP_TIMXCEED]
2. [xxx.xxx.xxx.xxx ] [188.8.131.52 ] [ICMP_TIMXCEED]
3. [xxx.xxx.xxx.xxx ] [184.108.40.206 ] [ICMP_TIMXCEED]
4. [xxx.xxx.xxx.xxx ] [220.127.116.11 ] [ICMP_TIMXCEED]
5. [xxx.xxx.xxx.xxx ] [18.104.22.168 ] [ICMP_TIMXCEED]
6. [xxx.xxx.xxx.xxx ] [22.214.171.124 ] [ICMP_TIMXCEED]
7. [126.96.36.199 ] [188.8.131.52 ] [ICMP_TIMXCEED]
8. [184.108.40.206 ] [220.127.116.11 ] [ICMP_TIMXCEED]
9. [18.104.22.168 ] [22.214.171.124 ] [ICMP_TIMXCEED]
10. [126.96.36.199 ] [188.8.131.52 ] [ICMP_TIMXCEED]
11. [ *** ] [ *** ] [ICMP_TIMXCEED]
12. [184.108.40.206 ] [220.127.116.11 ] [ICMP_TIMXCEED]
13. [xxx.1.0.186 ] [18.104.22.168 ] [ICMP_TIMXCEED]
14. [xxx.128.2.105 ] [22.214.171.124 ] [ICMP_TIMXCEED]
15. [xxx.14.0.254 ] [126.96.36.199 ] [ICMP_TIMXCEED]
16. [188.8.131.52 ] [ *** ] [TCP]
user@box:~/Tools/Information Gathering/Traceroute Like/intrace$ traceroute paypal.com
traceroute to paypal.com (184.108.40.206), 30 hops max, 60 byte packets
1 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.179 ms 0.125 ms 0.137 ms
2 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.467 ms 1.198 ms 0.916 ms
3 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.570 ms 0.394 ms 0.550 ms
4 host1 (xxx.xxx.xxx.xxx) 0.485 ms 0.495 ms 0.493 ms
5 host2 (xxx.xxx.xxx.xxx) 0.482 ms 0.498 ms 0.489 ms
6 host3 (xxx.xxx.xxx.xxx) 0.448 ms 1.432 ms *
7 xe-7-0-0.edge1.SanJose3.Level3.net (220.127.116.11) 217.897 ms 217.926 ms 217.920 ms
8 vlan69.csw1.SanJose1.Level3.net (18.104.22.168) 223.946 ms 223.859 ms vlan89.csw3.SanJose1.Level3.net (22.214.171.124) 218.459 ms
9 ae-72-72.ebr2.SanJose1.Level3.net (126.96.36.199) 228.414 ms 228.437 ms 228.588 ms
10 ae-3-3.ebr1.Denver1.Level3.net (188.8.131.52) 248.427 ms 248.445 ms 248.422 ms
11 ae-11-53.car1.Denver1.Level3.net (184.108.40.206) 244.703 ms ae-11-51.car1.Denver1.Level3.net (220.127.116.11) 245.007 ms ae-11-55.car1.Denver1.Level3.net (18.104.22.168) 244.836 ms
12 EBAY-INC.car1.Denver1.Level3.net (22.214.171.124) 246.131 ms 245.800 ms 245.803 ms
13 xxx.1.0.186 (xxx.1.0.186) 245.779 ms 246.058 ms 246.036 ms
14 xxx.128.2.105 (xxx.128.2.105) 241.460 ms 241.386 ms 241.321 ms
15 xxx.14.0.250 (xxx.14.0.250) 241.625 ms 241.403 ms 241.367 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Real World Application
Real world application is pretty simple with this one - you take a destination you know you have access too (such as the clients web page, FTP, or SSH) and you run intrace to see if it provides more info about a network for you. Enjoy. As always, only use this tool in ways that you are legally licensed too (i.e., during a legal penetration test, or in your own home network or lab) and never use it to perform anything illegal. Thanks.
Originally from this page at my site: intrace - Piggyback Your Traceroute | Greyhat-Security.com
Please create tutorials based on tools which are in backtrack.
awesome MrPPS! Nice informative post. Keep up the good work! We need more people like you in the community.
Thanks for the support sonicboom
But how does it work?
Edit: Nvm. Fired up Wireshark and looked it up. It's just as a regular traceroute but with TCP it seems.
Last edited by randalth0r; 08-18-2010 at 10:04 AM.
Ignoring the lack-of-being-in-BT issue, and just focusing on the fact that you wrote up a "tutorial" for using this, you were pretty damned light on the details. It actually took me a few minutes to realise that you hadn't told me anything, and then I had to look at the authors actual website (not your bloggy thing) to find out that what it does. Next time you write something like this, try to actually provide the useful information about the tool. Or just cut and paste it somewhere at least.
(By the way people, it sometimes reveals internal IP address' which is actually quite useful, now I'm off to check my office network with it)
Still not underestimating the power...
There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
To mitigate this kind of trace, one needs to add a rule to drop egress ICMP TTL expired messages. Correct?