
Thread: intrace - Piggyback your Traceroute

  1. #1 (Just burned his ISO, joined Aug 2010, 5 posts)

    intrace - Piggyback your Traceroute

    Hey, just a simple tutorial on "intrace" usage - couldn't spot one on the forums anywhere, so thought I'd post one I wrote up today:

    Introduction

    If you've ever used a computer before, and if you're at all interested in Security or Hacking, then I'm going to take a wild guess and assume you've used traceroute/tracert - if you haven't, you really need to go back to the basics and start again. Just in case you haven't, in the words of Wiki, traceroute is this:
    traceroute is a computer network tool used to show the route taken by packets across an IP network. An IPv6 variant, traceroute6, is also widely available.

    The traceroute tool is available on practically all Unix-like operating systems. Variants with similar functionality are also available, such as tracepath on modern Linux installations and tracert on Microsoft Windows operating systems

    -http://en.wikipedia.org/wiki/Traceroute
    In terms of a penetration test, it's useful for determining which boxes a packet passes through along the way to a destination, and therefore, can help you determine the internal network structure of an organization (and therefore, possible further targets for a penetration test). Sometimes, however, a firewall may block your traceroute attempts, or other times, it may simply just not give you enough information. Welcome "intrace" - a program by Robert Święcki, who is an Information Security Engineer for Google. The difference between traceroute and intrace is that intrace will make use of an existing TCP connection, and piggyback its packets on this connection, effectively bypassing any firewall rules that block them, and quite often giving you more internal information than you expected.


    Usage

    In terms of usage, it's actually relatively simple. Download a copy of the source from the Google Project Page, and extract it on your Linux/Unix box:

    Code:
    tar xfz intrace-1.4.3.tgz
    Then "cd" into the directory, and type "make". Next up is the actual "command switch" to get it to run - it's pretty simple. Type this:

    Code:
    sudo ./intrace -h paypal.com -p 80
    Obviously, substitute the host you need to use for "paypal.com", but I provide PayPal for this example, as it's been used before. Also, "-p 80" can be replaced with any port, depending on the service you want to piggyback on (such as 21 for FTP, or 22 for SSH). Once you've done that, you need to initiate some form of a connection to the host - the easiest way to do this is with "netcat". Type this:

    Code:
    nc paypal.com 80
    That will initiate a connection with PayPal, and all you will need to do is head back to your "intrace" window, press "enter", and watch the magic happen. If you don't like netcat, just visit PayPal in your web browser of choice. You should see output like this (IPs have been censored where applicable to protect privacy):

    InTrace 1.4.3 -- R: 66.211.169.3/80 (80) L: xxx.xxx.xxx.xxx/45814
    Payload Size: 1 bytes, Seq: 0xf5f1548d, Ack: 0xf30efa5d
    Status: Press ENTER

    # [src addr] [icmp src addr] [pkt type]
    1. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
    2. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
    3. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
    4. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
    5. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
    6. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
    7. [4.53.208.13 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    8. [4.68.18.126 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    9. [4.69.134.213 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    10. [4.69.132.58 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    11. [ *** ] [ *** ] [ICMP_TIMXCEED]
    12. [4.53.1.58 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    13. [xxx.1.0.186 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    14. [xxx.128.2.105 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    15. [xxx.14.0.254 ] [66.211.169.3 ] [ICMP_TIMXCEED]
    16. [66.211.169.3 ] [ *** ] [TCP]
    Compared to a standard traceroute output for the same host, which never seems to reach the destination (IPs have been censored where applicable to protect privacy):

    user@box:~/Tools/Information Gathering/Traceroute Like/intrace$ traceroute paypal.com
    traceroute to paypal.com (66.211.169.3), 30 hops max, 60 byte packets
    1 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.179 ms 0.125 ms 0.137 ms
    2 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.467 ms 1.198 ms 0.916 ms
    3 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.570 ms 0.394 ms 0.550 ms
    4 host1 (xxx.xxx.xxx.xxx) 0.485 ms 0.495 ms 0.493 ms
    5 host2 (xxx.xxx.xxx.xxx) 0.482 ms 0.498 ms 0.489 ms
    6 host3 (xxx.xxx.xxx.xxx) 0.448 ms 1.432 ms *
    7 xe-7-0-0.edge1.SanJose3.Level3.net (4.53.208.13) 217.897 ms 217.926 ms 217.920 ms
    8 vlan69.csw1.SanJose1.Level3.net (4.68.18.62) 223.946 ms 223.859 ms vlan89.csw3.SanJose1.Level3.net (4.68.18.190) 218.459 ms
    9 ae-72-72.ebr2.SanJose1.Level3.net (4.69.134.213) 228.414 ms 228.437 ms 228.588 ms
    10 ae-3-3.ebr1.Denver1.Level3.net (4.69.132.58) 248.427 ms 248.445 ms 248.422 ms
    11 ae-11-53.car1.Denver1.Level3.net (4.68.107.70) 244.703 ms ae-11-51.car1.Denver1.Level3.net (4.68.107.6) 245.007 ms ae-11-55.car1.Denver1.Level3.net (4.68.107.134) 244.836 ms
    12 EBAY-INC.car1.Denver1.Level3.net (4.53.1.58) 246.131 ms 245.800 ms 245.803 ms
    13 xxx.1.0.186 (xxx.1.0.186) 245.779 ms 246.058 ms 246.036 ms
    14 xxx.128.2.105 (xxx.128.2.105) 241.460 ms 241.386 ms 241.321 ms
    15 xxx.14.0.250 (xxx.14.0.250) 241.625 ms 241.403 ms 241.367 ms
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    27 * * *
    28 * * *
    29 * * *
    30 * * *

    Real World Application

    Real world application is pretty simple with this one - you take a destination you know you have access to (such as the client's web page, FTP, or SSH) and you run intrace to see if it provides more info about the network for you. Enjoy. As always, only use this tool in ways that you are legally licensed to (i.e., during a legal penetration test, or in your own home network or lab) and never use it to perform anything illegal. Thanks.

    Originally from this page at my site: intrace - Piggyback Your Traceroute | Greyhat-Security.com
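What the tool is doing on the wire, as an added example that is not part of the original post and not intrace's own code: it builds TCP segments carrying the live connection's addresses, ports, sequence and acknowledgement numbers (the R/L/Seq/Ack values in the intrace banner above) with the IP TTL set to 1, 2, 3, ... and then matches each ICMP Time Exceeded reply back to the probe it belongs to, using the IP header and first 8 TCP bytes that the router quotes. The local address 10.0.0.5, the single zero byte of payload, and the trick of copying the TTL into the IP identification field so a reply can be mapped to a hop are assumptions of this example; the script only crafts and parses bytes and sends nothing (sending would need a raw socket and root).

```python
"""Added example: craft TTL-limited TCP probes on an existing connection and
match the ICMP Time Exceeded replies to hops. Builds and parses bytes only."""
import socket
import struct

PAYLOAD = b"\x00"  # intrace reports a 1-byte payload; one arbitrary byte is our assumption


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum used by IPv4, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src, dst, sport, dport, seq, ack, ttl):
    """IPv4 + TCP PSH/ACK segment that belongs to an established flow, with a caller-chosen TTL.
    The IP identification field is set to the TTL so a quoted header maps back to a hop (assumption)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp) + len(PAYLOAD))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + PAYLOAD)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(PAYLOAD), ttl, 0,
                     ttl, socket.IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + PAYLOAD


def tcp_checksum_ok(packet):
    """Recompute the TCP checksum over pseudo-header + segment; a correct one sums to zero (IHL 5 assumed)."""
    pseudo = packet[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(packet) - 20)
    return checksum(pseudo + packet[20:]) == 0


def probe_series(src, dst, sport, dport, seq, ack, max_ttl=30):
    """One probe per TTL 1..max_ttl; same seq/ack on every one, because they ride the same connection."""
    return [build_probe(src, dst, sport, dport, seq, ack, ttl) for ttl in range(1, max_ttl + 1)]


def simulate_time_exceeded(router_ip, probe):
    """Constructed reply (not captured traffic): what a router sends when the probe's TTL hits zero,
    RFC 792 type 11 code 0 quoting the original IP header plus the first 8 bytes of TCP."""
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     socket.IPPROTO_ICMP, 0, socket.inet_aton(router_ip), probe[12:16])
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def parse_time_exceeded(packet):
    """Return the replying router and the quoted flow, or None if this is not a Time Exceeded message."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != socket.IPPROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] != 11 or icmp[1] != 0:
        return None
    quoted = icmp[8:]
    qihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < qihl + 8:
        return None
    sport, dport, seq = struct.unpack("!HHI", quoted[qihl:qihl + 8])
    return {
        "router": socket.inet_ntoa(packet[12:16]),
        "flow": (socket.inet_ntoa(quoted[12:16]), socket.inet_ntoa(quoted[16:20]), sport, dport),
        "seq": seq,
        "hop": struct.unpack("!H", quoted[4:6])[0],  # the identification field we set to the TTL
    }


def correlate(probes, reply):
    """Attribute a reply to one of our probes: quoted 4-tuple, sequence number and ident must all match,
    which keeps stray ICMP from other traffic out of the hop table."""
    info = parse_time_exceeded(reply)
    if info is None:
        return None
    for p in probes:
        flow = (socket.inet_ntoa(p[12:16]), socket.inet_ntoa(p[16:20])) + struct.unpack("!HH", p[20:24])
        if flow == info["flow"] and struct.unpack("!I", p[24:28])[0] == info["seq"] and p[8] == info["hop"]:
            return info["hop"], info["router"]
    return None


def hop_table(probes, replies):
    """Map hop -> router from the replies; hops with no reply show as '***', like line 11 in the post."""
    found = {}
    for r in replies:
        hit = correlate(probes, r)
        if hit:
            found[hit[0]] = hit[1]
    return [(ttl, found.get(ttl, "***")) for ttl in range(1, len(probes) + 1)]


if __name__ == "__main__":
    # Remote address, ports, seq and ack are the ones in the intrace banner above; 10.0.0.5 is a stand-in.
    probes = probe_series("10.0.0.5", "66.211.169.3", 45814, 80, 0xF5F1548D, 0xF30EFA5D, max_ttl=4)
    replies = [simulate_time_exceeded("192.0.2.1", probes[0]), simulate_time_exceeded("4.53.208.13", probes[2])]
    for ttl, router in hop_table(probes, replies):
        print("%2d. [%s]" % (ttl, router))
```

The point of the three-way match in correlate is the same reason the tool works at all: a stateful firewall sees a segment whose 4-tuple, sequence and acknowledgement numbers belong to a connection it already tracks, so it forwards it, and the only thing unusual about the segment is a TTL that runs out somewhere inside the network.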

  2. #2 (Developer, joined Mar 2007, 6,124 posts)

    Re: intrace - Piggyback your Traceroute

    Please create tutorials based on tools which are in backtrack.

  3. #3 (Just burned his ISO, joined Aug 2010, 5 posts)

    Re: intrace - Piggyback your Traceroute

    Quote Originally Posted by purehate View Post
    Please create tutorials based on tools which are in backtrack.
    According to your tools list, which is where I first saw the tool, I did:
    Tools - Offensive-security.com

  4. #4 (Super Moderator Archangel-Amael, joined Jan 2010, location Somewhere, 8,012 posts)

    Re: intrace - Piggyback your Traceroute

    Quote Originally Posted by MrPPS View Post
    According to your tools list, which is where I first saw the tool, I did:
    Tools - Offensive-security.com
    Actually that tool list is outdated and for BT3, not BT4 or the latest R1. Further, this tool is not included in either distro. At least I can't find it.
    In addition your guide even walks through installing the tool.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  5. #5 (Just burned his ISO, joined Aug 2010, 5 posts)

    Re: intrace - Piggyback your Traceroute

    Quote Originally Posted by Archangel-Amael View Post
    Actually that tool list is outdated and for BT3 not BT4 or the latest R1. Further this tool is not included in either distro. At least I can't find it.
    In addition your guide even walks through installing the tool.
    In that case, my apologies, as I assumed that it would be in there (BackTrack is not my primary OS, so I didn't check to confirm if the list was correct). I included installation instructions because I wrote this originally for posting on my site, and not everyone there uses BackTrack. I decided to share it here because I noticed there were no tuts for it, and because I assumed it was still in BT, I decided it would be nice to post it here. My apologies for causing any disruption/other negative outcomes.

  6. #6 (Just burned his ISO, joined Jan 2010, 2 posts)

    Re: intrace - Piggyback your Traceroute

    awesome MrPPS! Nice informative post. Keep up the good work! We need more people like you in the community.

  7. #7 (Just burned his ISO, joined Aug 2010, 5 posts)

    Re: intrace - Piggyback your Traceroute

    Thanks for the support sonicboom

  8. #8 (Junior Member, joined Apr 2010, location Sweden, 35 posts)

    Re: intrace - Piggyback your Traceroute

    But how does it work?

    Edit: Nvm. Fired up Wireshark and looked it up. It's just like a regular traceroute but with TCP, it seems.
    Last edited by randalth0r; 08-18-2010 at 10:04 AM.

  9. #9 (Very good friend of the forum Gitsnik, joined Jan 2010, location The Crystal Wind, 851 posts)

    Re: intrace - Piggyback your Traceroute

    Ignoring the lack-of-being-in-BT issue, and just focusing on the fact that you wrote up a "tutorial" for using this, you were pretty damned light on the details. It actually took me a few minutes to realise that you hadn't told me anything, and then I had to look at the author's actual website (not your bloggy thing) to find out what it does. Next time you write something like this, try to actually provide the useful information about the tool. Or just cut and paste it somewhere at least.

    (By the way, people, it sometimes reveals internal IP addresses, which is actually quite useful; now I'm off to check my office network with it.)
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.

  10. #10 (Junior Member, joined Apr 2010, location Sweden, 35 posts)

    Re: intrace - Piggyback your Traceroute

    To mitigate this kind of trace, one needs to add a rule to drop egress ICMP TTL expired messages. Correct?
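A way to check both halves of that on the wire, as an added example that is not from the thread and not from intrace's author: a small audit over captured packet records that flags (a) TCP flows whose tiny one-byte segments step through TTL 1, 2, 3, ... as seen at the capture point, which is what the probing in the first post looks like from the target's side, and (b) ICMP Time Exceeded messages leaving from internal addresses toward the outside, which is exactly the traffic the egress rule asked about is meant to drop. The record layout, the sample packets, the internal ranges and the thresholds are all constructed for the example; real input would come from a pcap.

```python
"""Added example: audit packet records for intrace-style TTL sweeps and for Time Exceeded
messages leaking out of the network. Records are constructed dicts; nothing touches the network."""
import ipaddress
from collections import defaultdict

# Assumed "inside" of the network whose hops we do not want to reveal.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOW_TTL = 10    # a real host's TTL arrives near 48-64, 100-128 or 200-255; this low means a crafted probe (tunable)
MIN_STEPS = 3   # distinct low TTLs on one flow before we call it a sweep (tunable)

# Constructed sample as seen at the target's perimeter, not a real capture.
# Fields: proto, src, dst, sport, dport, ttl, plen (TCP payload bytes), itype (ICMP type).
SAMPLE = [
    # a normal HTTP request on the connection the probes ride on
    dict(proto="tcp", src="203.0.113.7", dst="198.51.100.20", sport=45814, dport=80, ttl=57, plen=312),
    # six one-byte segments whose TTL steps 1..6 on that same flow: the probe ladder
    *[dict(proto="tcp", src="203.0.113.7", dst="198.51.100.20", sport=45814, dport=80, ttl=t, plen=1)
      for t in range(1, 7)],
    # an unrelated flow with ordinary TTLs, including a legitimate one-byte segment
    dict(proto="tcp", src="203.0.113.9", dst="198.51.100.20", sport=51000, dport=443, ttl=64, plen=517),
    dict(proto="tcp", src="203.0.113.9", dst="198.51.100.20", sport=51000, dport=443, ttl=64, plen=1),
    # Time Exceeded from an internal router toward the prober: the leak the egress rule should stop
    dict(proto="icmp", src="10.1.0.186", dst="203.0.113.7", itype=11),
    # Time Exceeded from a transit provider's router: not ours to filter
    dict(proto="icmp", src="4.53.208.13", dst="203.0.113.7", itype=11),
    # an internal echo reply (type 0): not a trace artefact
    dict(proto="icmp", src="10.1.0.186", dst="203.0.113.7", itype=0),
]


def ttl_ladders(records, low_ttl=LOW_TTL, min_steps=MIN_STEPS):
    """Flows carrying several tiny segments with different very low TTLs: the signature of a
    TTL sweep riding an established connection. Returns {flow 4-tuple: sorted TTLs}."""
    seen = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp" and r["plen"] <= 1 and r["ttl"] <= low_ttl:
            seen[(r["src"], r["dst"], r["sport"], r["dport"])].add(r["ttl"])
    return {flow: sorted(ttls) for flow, ttls in seen.items() if len(ttls) >= min_steps}


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def leaked_time_exceeded(records):
    """ICMP type 11 sent by an internal address to an external one: each one hands a prober a hop.
    If the egress rule is in place, this list should be empty."""
    return [(r["src"], r["dst"]) for r in records
            if r["proto"] == "icmp" and r.get("itype") == 11
            and is_internal(r["src"]) and not is_internal(r["dst"])]


if __name__ == "__main__":
    for flow, ttls in ttl_ladders(SAMPLE).items():
        print("probe ladder on %s:%d -> %s:%d, TTLs %s" % (flow + (ttls,)))
    for src, dst in leaked_time_exceeded(SAMPLE):
        print("Time Exceeded leaving the network: %s -> %s" % (src, dst))
```

Dropping the outbound Time Exceeded messages turns the internal hops into the `***` lines intrace prints, but it does not hide the final host, which still answers with a normal TCP segment; the first check above is what tells you the sweep happened at all.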
