0trace

From aldeid
Jump to: navigation, search

Description

0trace.sh is a shell script written by Michal Zalewski. It is a reconnaissance / firewall bypassing tool that enables hop enumeration ("traceroute") within an established TCP connection, such as a HTTP or SMTP session. This is opposed to sending stray packets, as traceroute-type tools usually do. In case of a successful scan, 0trace provides useful additional servers for the penetration tester.

Installation

To install 0trace, issue following commands:

$ mkdir -p /pentest/enumeration/
$ cd /data/src/
$ wget http://lcamtuf.coredump.cx/soft/0trace.tgz
$ tar xf 0trace.tgz -C /pentest/enumeration/

Then test that you don't have any error by issuing following command:

$ cd /pentest/enumeration/0trace/

And test the example given in the example section. If you have following error:

[-] /bin/usleep not found on this system, sorry.

create a file usleep.c (e.g. in /tmp/) with following lines:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main (int argc, char **argv) {
usleep(atoi(argv[1]));
return 0;
}

Compile it in /bin:

$ sudo gcc -o /bin/usleep usleep.c

Usage

Syntax is as follows:

$ sudo ./0trace.sh iface target_ip [target_port]
Ssh-img013.png
Warning
Notice that the tool requires root privileges.

Example

The following example shows probes on facebook.com.

traceroute

$ traceroute 69.63.181.12
traceroute to 69.63.181.12 (69.63.181.12), 30 hops max, 60 byte packets
 1  192.168.100.1 (192.168.100.1)  4.310 ms  4.422 ms  4.580 ms
 2  192.168.1.1 (192.168.1.1)  4.779 ms  4.915 ms  5.722 ms
 3  10.125.127.9 (10.125.127.9)  41.382 ms  41.663 ms  43.480 ms
 4  10.125.127.74 (10.125.127.74)  43.897 ms  45.895 ms  46.077 ms
 5  xe-5-3-0-0.ncidf202.Paris.francetelecom.net (193.253.81.118)  48.355 ms  48.548 ms  50.427 ms
 6  xe-5-0-2-0.ntsta202.Paris.francetelecom.net (81.253.131.118)  51.329 ms  39.285 ms  38.338 ms
 7  193.252.162.86 (193.252.162.86)  40.941 ms  41.585 ms  43.250 ms
 8  tengige1-6-1-0.pastr1.Paris.opentransit.net (193.251.132.249)  44.758 ms tengige1-9-4-0.pastr1.Paris.opentransit.net (193.251.129.126)  47.407 ms tengige1-6-4-0.pastr1.Paris.opentransit.net (193.251.132.221)  47.587 ms
 9  193.251.247.30 (193.251.247.30)  49.100 ms  49.215 ms  49.996 ms
10  ae-33-51.ebr1.Paris1.Level3.net (4.69.139.193)  52.868 ms  54.382 ms  54.497 ms
11  ae-48-48.ebr1.London1.Level3.net (4.69.143.113)  63.711 ms ae-45-45.ebr1.London1.Level3.net (4.69.143.101)  65.283 ms  65.388 ms
12  ae-100-100.ebr2.London1.Level3.net (4.69.141.166)  47.204 ms  45.364 ms  46.683 ms
13  ae-42-42.ebr1.NewYork1.Level3.net (4.69.137.70)  116.075 ms ae-44-44.ebr1.NewYork1.Level3.net (4.69.137.78)  119.878 ms ae-41-41.ebr1.NewYork1.Level3.net (4.69.137.66)  119.606 ms
14  ae-81-81.csw3.NewYork1.Level3.net (4.69.134.74)  132.244 ms  133.385 ms ae-61-61.csw1.NewYork1.Level3.net (4.69.134.66)  126.810 ms
15  ae-82-82.ebr2.NewYork1.Level3.net (4.69.148.41)  125.298 ms  125.419 ms ae-62-62.ebr2.NewYork1.Level3.net (4.69.148.33)  133.610 ms
16  ae-2-2.ebr4.SanJose1.Level3.net (4.69.135.185)  196.545 ms  196.750 ms  199.514 ms
17  ae-84-84.csw3.SanJose1.Level3.net (4.69.134.250)  200.493 ms ae-64-64.csw1.SanJose1.Level3.net (4.69.134.242)  200.556 ms  254.383 ms
18  ae-33-89.car3.SanJose1.Level3.net (4.68.18.133)  372.729 ms ae-13-69.car3.SanJose1.Level3.net (4.68.18.5)  412.880 ms ae-23-79.car3.SanJose1.Level3.net (4.68.18.69)  394.385 ms
19  BANDCON.car3.SanJose1.Level3.net (4.71.113.214)  191.098 ms  192.441 ms  193.180 ms
20  ae2.bb02.sjc1.tfbnw.net (204.15.21.166)  192.112 ms  192.181 ms  192.871 ms
21  ae7.br02.snc1.tfbnw.net (204.15.21.171)  211.572 ms ae4.br02.snc1.tfbnw.net (74.119.76.26)  204.725 ms ae7.br01.snc1.tfbnw.net (204.15.20.57)  206.579 ms
22  eth-17-17.csw01a.snc2.tfbnw.net (204.15.23.239)  211.730 ms eth-18-17.csw01b.snc2.tfbnw.net (204.15.23.199)  207.397 ms eth-18-1.csw01b.snc2.tfbnw.net (204.15.21.125)  205.380 ms
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

All entries with stars (from entry #23) are not provided by traceroute due to firewalls.

0trace

In a first console, launch this command:

$ sudo ./0trace.sh wlan0 69.63.181.12

In a second console, connect via telnet, port 80/tcp:

$ telnet 69.63.181.12 80
Trying 69.63.181.12...
Connected to 69.63.181.12.
Escape character is '^]'.
GET / HTTP/1.1
Host: 127.0.0.1
<<<type ENTER>>>

Here are the results:

0trace v0.01 PoC by <[email protected]>
[+] Waiting for traffic from target on wlan0...
[-] Something went wrong with tcpdump (check parameters).
[email protected]:/data/tmp/0trace$ sudo ./0trace.sh wlan0 69.63.181.12
0trace v0.01 PoC by <[email protected]>
[+] Waiting for traffic from target on wlan0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.100.18:45602 -> 69.63.181.12:80 (3991917715/2574310572).
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
10 4.69.139.193
11 4.69.143.105
12 4.69.141.166
13 4.69.137.74
14 4.69.134.66
15 4.69.148.33
16 4.69.135.185
17 4.69.134.254
18 4.68.18.197
19 4.71.113.214
22 74.119.77.19
8 193.251.132.237
9 193.251.247.30
20 204.15.21.166
21 204.15.20.57
Target reached.

Entry #22 (in yellow) is a new information we get with 0trace.

Comments

blog comments powered by Disqus