Traceroute, Firewalls & Geo-IP

Reading Traceroute

Traceroute

Traceroute is useful for diagnosing network problems such as end-to-end connectivity (complement it with ping), and for locating devices, routers and firewalls along a path. All traceroute tools rely on the TTL (Time-To-Live) field of the IP header: every router decrements it, and a packet whose TTL reaches 0 is discarded. The tool sends short-lived probes with TTL 1, 2, 3, ... and waits for the ICMP Time Exceeded message each router returns when it drops a probe; the sources of those messages, in order, reveal the route. The trace ends when the destination itself answers (ICMP Echo Reply, a TCP SYN-ACK or RST, or ICMP Port Unreachable for a UDP probe), or when a filtering device swallows the probes and nothing comes back.
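The probing loop described above, as an added example written for this page (it is not traceroute's own code): a minimal UDP-probe traceroute in Python together with the ICMP reply parser that makes it work. It assumes a Linux host with root for the raw ICMP socket; the functions traceroute, parse_icmp_reply, classify and build_icmp_error are this example's own names, and build_icmp_error constructs the kind of datagram a router sends back so the parser can be exercised offline with constructed addresses.

```python
import socket
import struct
import time
from typing import List, Optional, Tuple

# ICMP messages a UDP-probe traceroute has to recognise
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3       # code under type 3: the destination itself answered
ICMP_TIME_EXCEEDED = 11     # a router dropped the probe because its TTL reached 0
BASE_PORT = 33434           # classic traceroute port range: probe for TTL n goes to BASE_PORT + n
UNREACH_NOTE = {0: "!N", 1: "!H", 2: "!P", 13: "!X"}   # annotations traceroute prints for type 3
IP_HDR = "!BBHHHBBH4s4s"    # ver/ihl, tos, len, id, frag, ttl, proto, csum, src, dst (20 bytes)


def parse_icmp_reply(packet: bytes) -> Optional[Tuple[str, int, int, str, int]]:
    """Parse a datagram read from a SOCK_RAW/IPPROTO_ICMP socket (IPv4 header included).

    An ICMP error quotes the IP header and first 8 bytes of the packet that caused it,
    i.e. the UDP header of our probe; the quoted destination address and port are what
    traceroute uses to match a reply to the probe it sent.  Returns
    (reply_src, icmp_type, icmp_code, quoted_dst, quoted_dst_port), or None if the
    datagram does not quote a UDP packet.
    """
    ihl = (packet[0] & 0x0F) * 4
    inner = ihl + 8                             # 8-byte ICMP header, then the quoted IP header
    if len(packet) < inner + 20 + 8:
        return None
    reply_src = socket.inet_ntoa(packet[12:16])
    icmp_type, icmp_code = packet[ihl], packet[ihl + 1]
    if packet[inner + 9] != socket.IPPROTO_UDP:  # protocol field of the quoted header
        return None
    udp = inner + (packet[inner] & 0x0F) * 4    # quoted transport header follows quoted IP header
    if len(packet) < udp + 4:
        return None
    quoted_dst = socket.inet_ntoa(packet[inner + 16:inner + 20])
    _src_port, dst_port = struct.unpack("!HH", packet[udp:udp + 4])
    return reply_src, icmp_type, icmp_code, quoted_dst, dst_port


def classify(icmp_type: int, icmp_code: int) -> str:
    """Meaning of a reply for the trace, using the same annotations traceroute prints."""
    if icmp_type == ICMP_TIME_EXCEEDED:
        return "hop"
    if icmp_type == ICMP_DEST_UNREACH and icmp_code == ICMP_PORT_UNREACH:
        return "destination"
    if icmp_type == ICMP_DEST_UNREACH:
        return "filtered " + UNREACH_NOTE.get(icmp_code, "!%d" % icmp_code)
    return "other"


def build_icmp_error(router: str, probe_src: str, probe_dst: str, probe_port: int,
                     icmp_type: int, icmp_code: int) -> bytes:
    """Constructed datagram of the kind a router sends back for a UDP probe (test input;
    checksums are left zero because the parser never checks them)."""
    inner_ip = struct.pack(IP_HDR, 0x45, 0, 28, 0, 0, 1, socket.IPPROTO_UDP, 0,
                           socket.inet_aton(probe_src), socket.inet_aton(probe_dst))
    inner_udp = struct.pack("!HHHH", 54321, probe_port, 8, 0)
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0)
    outer_ip = struct.pack(IP_HDR, 0x45, 0, 20 + 8 + len(inner_ip) + len(inner_udp), 0, 0,
                           64, socket.IPPROTO_ICMP, 0,
                           socket.inet_aton(router), socket.inet_aton(probe_src))
    return outer_ip + icmp + inner_ip + inner_udp


def traceroute(target: str, max_hops: int = 30, timeout: float = 2.0
               ) -> List[Tuple[int, Optional[Tuple[str, str, float]]]]:
    """Minimal UDP-probe traceroute, one probe per TTL; needs root for the raw ICMP socket.
    Returns [(ttl, (replying_address, classification, rtt_ms) or None), ...]."""
    dst_ip = socket.gethostbyname(target)
    recv = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    hops = []
    for ttl in range(1, max_hops + 1):
        send.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)   # the whole trick: a short-lived probe
        port = BASE_PORT + ttl
        t0 = time.monotonic()
        send.sendto(b"", (dst_ip, port))
        answer = None
        while True:
            remaining = t0 + timeout - time.monotonic()
            if remaining <= 0:
                break
            recv.settimeout(remaining)
            try:
                pkt, _ = recv.recvfrom(2048)
            except socket.timeout:
                break
            parsed = parse_icmp_reply(pkt)
            if parsed is None or parsed[3] != dst_ip or parsed[4] != port:
                continue                                          # some other ICMP traffic
            answer = (parsed[0], classify(parsed[1], parsed[2]), (time.monotonic() - t0) * 1000)
            break
        hops.append((ttl, answer))
        if answer is not None and answer[1] != "hop":
            break                                                 # destination reached or filtered
    recv.close()
    send.close()
    return hops


if __name__ == "__main__":
    import sys
    for ttl, answer in traceroute(sys.argv[1]):
        print(ttl, "*" if answer is None else "%s  %.3f ms  [%s]" % (answer[0], answer[2], answer[1]))
```

Run it as root with a hostname argument. The -I, -U and -T modes of the real tool change only the probe (an ICMP Echo, a fixed UDP port, or a TCP SYN whose SYN-ACK/RST has to be caught on a raw socket); the TTL loop and the matching of ICMP errors against the quoted probe stay exactly as above.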

Mode:
-I, --icmp      Use ICMP ECHO for tracerouting
-T, --tcp       Use TCP SYN for tracerouting (default port is 80)
-U, --udp       Use UDP to particular port for tracerouting
                (instead of increasing the port per each probe), default port is 53

ICMP mode

On Linux, plain traceroute does not use ICMP Echo: its default is UDP probes to incrementing high ports (starting at 33434). -I switches to ICMP Echo probes, which is what Windows tracert sends by default; it usually needs root (or CAP_NET_RAW) for the raw socket.

$ traceroute <target>          # default: UDP probes, ports 33434 and up
$ sudo traceroute -I <target>  # ICMP Echo probes

UDP mode

-U sends every probe to one fixed UDP port (default 53, DNS) instead of the incrementing ports of the default mode, so you can aim at a port the firewall is likely to permit.

$ traceroute -U <target>

Firewalls commonly drop both the default UDP probes and ICMP Echo probes, so the trace turns into rows of asterisks from the filtering hop onwards. The following techniques get probes past such filters.

TCP mode

tcptraceroute, or traceroute -T, uses TCP SYN probes (the first step of the TCP three-way handshake). Firewalls usually let these through, provided the destination port is one they permit and it is open on the target (an open port answers SYN-ACK, a closed one RST; either reply ends the trace at the target). Set the destination port with -p: 80 (HTTP) and 443 (HTTPS) are normally allowed to egress; the default for -T is 80.

$ tcptraceroute <target>
$ sudo traceroute -T <target>

# -w: wait up to 10 seconds for a reply to each probe before giving up on it
# -q: number of probes per hop, default 3, hence the three columns RTT1, RTT2, RTT3
$ traceroute -w 10 -q 3 <target>

In the example run (the screenshots are not reproduced here), the ICMP Echo probes got no reply past 58.27.14.58, whereas the TCP SYN probes to the same target were answered two hops further along.

Output format explanation

           v--- the router/ip-addr traversed by the packet 
[Hop]     [Hostname/(IP-addr)]      [RTT1]  [RTT2]  [RTT3]
 ^--- transit no. of the route       ^---- round-trip time

The round-trip time is the latency (delay between sending the packet and getting the response).

By default traceroute sends 3 probes per TTL, and the columns [RTT1]…[RTT3] hold the round-trip time of each. Three probes give a better sample of the latency and also expose multi-path routing (load-balanced links), where probes for the same TTL are answered by different routers. For instance, the probes for hop 2 were routed over two different links:

2  175.137.109.62 (175.137.109.62)  38.360 ms       [RTT1]
   175.137.109.70 (175.137.109.70)  38.219 ms       [RTT2]
   175.137.109.62 (175.137.109.62)  38.123 ms       [RTT3]

Another common case is a timeout: a probe that gets no reply is printed as an asterisk. For instance, 2 of the 3 probes at hop 4 were dropped or timed out:

4  10.55.32.88 (10.55.32.88)   113.878 ms * *
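As an added example that is not part of the original page: a Python parser for the output format just described, handling the multi-path continuation lines and the `*` timeouts, plus the comparison a practitioner actually wants from two runs (ICMP versus TCP), namely the last hop that answered and whether the target was reached. The two sample outputs are constructed for this example; 175.137.109.62, 175.137.109.70, 58.27.14.58 and 10.55.32.88 are the addresses shown on this page, the rest are documentation addresses, and all function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Output format: a header line, then one line per TTL.  BSD/macOS traceroute prints a probe
# answered by a different address on an indented continuation line (as on this page); Linux
# traceroute prints it inline on the same line.  An unanswered probe prints as '*'.
HEADER_RE = re.compile(r"^traceroute to \S+ \(([\d.]+)\)")
HOP_RE = re.compile(r"^ {0,2}(\d+)\s+(.*)$")          # hop lines start with the TTL
TOKEN_RE = re.compile(
    r"(?P<host>\S+)\s+\((?P<ip>[\d.]+)\)"             # "name (ip)": address for the RTTs that follow
    r"|(?P<rtt>\d+(?:\.\d+)?)\s+ms(?:\s+!\S+)?"       # one RTT, optionally annotated (!H, !X, ...)
    r"|(?P<star>\*)"                                   # probe timed out
)


@dataclass
class Probe:
    addr: Optional[str]       # None when the probe got no reply
    rtt_ms: Optional[float]


@dataclass
class Hop:
    ttl: int
    probes: List[Probe] = field(default_factory=list)

    def addresses(self) -> Set[str]:
        return {p.addr for p in self.probes if p.addr}


@dataclass
class Trace:
    target_ip: Optional[str]
    hops: List[Hop]


def parse_traceroute(text: str) -> Trace:
    trace = Trace(target_ip=None, hops=[])
    current: Optional[Hop] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            trace.target_ip = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            current = Hop(ttl=int(m.group(1)))
            trace.hops.append(current)
            rest = m.group(2)
        elif current is not None and line[0].isspace():
            rest = line                               # continuation line of the current hop
        else:
            continue                                  # anything unrecognised is skipped
        addr = None
        for tok in TOKEN_RE.finditer(rest):
            if tok.group("ip"):
                addr = tok.group("ip")                # applies to the RTTs that follow it
            elif tok.group("rtt"):
                current.probes.append(Probe(addr, float(tok.group("rtt"))))
            else:
                current.probes.append(Probe(None, None))
    return trace


def last_responding_ttl(trace: Trace) -> int:
    """Highest TTL at which any probe was answered (0 if none): where the path goes dark."""
    return max((h.ttl for h in trace.hops if h.addresses()), default=0)


def reached_destination(trace: Trace) -> bool:
    return trace.target_ip is not None and any(trace.target_ip in h.addresses() for h in trace.hops)


def multipath_hops(trace: Trace) -> List[int]:
    """TTLs whose probes were answered by more than one address (load-balanced links)."""
    return [h.ttl for h in trace.hops if len(h.addresses()) > 1]


def timeouts(trace: Trace) -> Dict[int, int]:
    return {h.ttl: sum(1 for p in h.probes if p.addr is None) for h in trace.hops}


def compare_runs(runs: Dict[str, str]) -> Dict[str, int]:
    """Last responding TTL per run; the probe type that gets further is the one the filter passes."""
    return {mode: last_responding_ttl(parse_traceroute(out)) for mode, out in runs.items()}


# Constructed sample runs against one target: ICMP Echo probes get no reply past 58.27.14.58,
# TCP SYN probes are answered by two more routers and then by the target itself.
ICMP_RUN = """\
traceroute to example.net (198.51.100.9), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.123 ms  0.987 ms  1.044 ms
 2  175.137.109.62 (175.137.109.62)  38.360 ms
    175.137.109.70 (175.137.109.70)  38.219 ms
    175.137.109.62 (175.137.109.62)  38.123 ms
 3  58.27.14.58 (58.27.14.58)  40.012 ms  39.870 ms  40.101 ms
 4  * * *
"""
TCP_RUN = """\
traceroute to example.net (198.51.100.9), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.201 ms  1.050 ms  0.998 ms
 2  175.137.109.62 (175.137.109.62)  38.402 ms  38.311 ms  38.190 ms
 3  58.27.14.58 (58.27.14.58)  40.220 ms  40.005 ms  39.912 ms
 4  10.55.32.88 (10.55.32.88)  113.878 ms * *
 5  10.55.32.1 (10.55.32.1)  114.204 ms  114.010 ms  113.955 ms
 6  198.51.100.9 (198.51.100.9)  115.331 ms  115.002 ms  114.876 ms
"""
```

compare_runs({"icmp": ICMP_RUN, "tcp": TCP_RUN}) gives {'icmp': 3, 'tcp': 6}: the filter sits right after 58.27.14.58 and passes TCP SYN but not ICMP Echo, which is the conclusion drawn from the screenshots above. Feed it the captured output of `traceroute -I`, `-U` and `-T -p 443` runs to get the same answer for a real path.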



Hping3

hping3 has a traceroute mode (--traceroute); with -1 (--icmp) it is the equivalent of an ICMP Echo traceroute:

-V: verbose
-1: icmp

# hping3 --traceroute -V -1 <target>

Note: TCP mode (the default; -S sets the SYN flag) and UDP mode (-2, --udp) can be used to traceroute to port 80, 443 or 53. Running the same trace with different protocols and ports shows where each kind of packet gets blocked:

-S: set SYN flag
-p: port

# hping3 --traceroute -S -p 443 <target>

Example runs (output screenshots not reproduced here) for -p 80, -p 443 and -p 53.




InTrace

A traceroute-like tool that enumerates IP hops by exploiting an existing TCP connection: it watches an established session to the target and injects TCP packets with increasing TTL that carry that session's sequence numbers, so the probes pass any firewall that already permits the connection.

# intrace -i eth0 -h <target>

Establish a TCP connection to port 80 (e.g. browse to the target) while intrace is listening; it picks up that session and traces inside it (screenshot not reproduced here).

It can also tell that the target host is behind a NAT (screenshot not reproduced here).

It works on connections initiated from the remote side as well, i.e. it can traceroute back toward a host that connected to you (screenshot not reproduced here).




Nmap: traceroute-geolocation script

Nmap's traceroute-geolocation.nse script adds geolocation to --traceroute: it lists the geographic location of each hop and can write the results to a KML file that can be plotted on Google Maps or Google Earth. Nmap's traceroute uses raw sockets, hence the root prompt below.

# nmap --traceroute --script traceroute-geolocation.nse --script-args 'traceroute-geolocation.kmlfile=<target>.kml' <target>