From aldeid
Jump to navigation Jump to search


Some organizations have parameterized their firewalls to block ICMP. In such cases, standard traceroute won't work. Tcptraceroute enables to obtain a traceroute through TCP instead of ICMP.



$ sudo apt-get install libnet1-dev

Installation of tcptraceroute

$ cd /data/src/
$ wget
$ tar xzvf tcptraceroute-1.5beta7.tar.gz
$ cd tcptraceroute-1.5beta7/
$ ./configure
$ make
$ sudo make install

Then optionally create a symbolic link in your /pentest/ directory:

$ mkdir -p /pentest/enumeration/tcptraceroute/
$ ln -s /usr/sbin/tcptraceroute /pentest/enumeration/tcptraceroute/tcptraceroute


Basic syntax

$ sudo /usr/local/bin/tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>]
      [-l <packet length>] [-q <number of queries>] [-t <tos>]
      [-m <max ttl>] [-pP] <source port>] [-s <source address>]
      [-w <wait time>] <host> [destination port] [packet length]
Notice that the tool requires root privileges.


Display numeric output, rather than doing a reverse DNS lookup for each hop.
By default, reverse lookups are never attempted on RFC1918 address space, regardless of the -n flag.
Perform a reverse DNS lookup for each hop, including RFC1918 addresses.
Set the initial TTL used in the first outgoing packet. The default is 1.
Set the maximum TTL used in outgoing packets. The default is 30.
Use the specified local TCP port in outgoing packets. The default is to obtain a free port from the kernel using bind. Unlike with traditional traceroute, this number will not increase with each hop.
Set the source address for outgoing packets. See also the -i flag.
Use the specified interface for outgoing packets.
Set the number of probes to be sent to each hop. The default is 3.
Set the timeout, in seconds, to wait for a response for each probe. The default is 3.
Set the TCP SYN flag in outgoing packets. This is the default, if neither -S or -A is specified.
Set the TCP ACK flag in outgoing packets. By doing so, it is possible to trace through stateless firewalls which permit outgoing TCP connections.
Send ECN SYN packets, as described in RFC2481.
Set the IP TOS (type of service) to be used in outgoing packets. The default is not to set any TOS.
Set the IP "don't fragment" bit in outgoing packets.
Set the total packet length to be used in outgoing packets. If the length is greater than the minimum size required to assemble the necessary probe packet headers, this value is automatically increased.
Enable debugging, which may or may not be useful.
Enable DNAT detection, and display messages when DNAT transitions are observed. DNAT detection is based on the fact that some NAT devices, such as some Linux 2.4 kernels, do not correctly rewrite the IP address of the IP packets quoted in ICMP time-exceeded messages tcptraceroute solicits, revealing the destination IP address an outbound probe packet was NATed to. NAT devices which correctly rewrite the IP address quoted by ICMP messages, such as some Linux 2.6 kernels, will not be detected. For some target hosts, it may be necessary to use --dnat in conjunction with --track-port.
Enable DNAT detection for the purposes of correctly identifying ICMP time-exceeded messages that match up with outbound probe packets, but do not display messages when a DNAT transition is observed. This is the default behavior.
Do not perform any DNAT detection whatsoever. No attempt will be made match up ICMP time-exceeded messages with outbound probe packets, and when tracerouting through a NAT device which does not rewrite the IP addresses of the IP packets quoted in ICMP time-exceeded messages, some hops along the path may appear to be unresponsive. This option should not be needed in the vast majority of cases, but may be utilized if it is suspected that the DNAT detection code is misidentifying ICMP time-exceeded messages.


$ sudo /usr/local/bin/tcptraceroute ***************.fr
Selected device wlan0, address, port 44387 for outgoing packets
Tracing the path to ( on TCP port 80 (www), 30 hops max
 1  1.274 ms  2.008 ms  1.028 ms
 2  4.392 ms  2.499 ms  2.705 ms
 3  38.795 ms  37.941 ms  37.719 ms
 4  57.642 ms  54.602 ms  38.561 ms
 5 (  40.038 ms  37.770 ms  58.550 ms
 6 (  38.809 ms  38.486 ms  38.597 ms
 7 (  39.551 ms  38.880 ms  39.671 ms
 8 (  44.998 ms  44.272 ms  79.293 ms
 9 (  45.561 ms  44.327 ms  43.827 ms
10 (  81.759 ms  57.455 ms  44.843 ms
11  45.595 ms  79.353 ms  55.471 ms
12  pleskwindows4.dns**.com (84.246.***.***) [open]  70.184 ms * 45.874 ms