Some organizations have parameterized their firewalls to block ICMP. In such cases, standard traceroute won't work. Tcptraceroute enables to obtain a traceroute through TCP instead of ICMP.
$ sudo apt-get install libnet1-dev
Installation of tcptraceroute
$ cd /data/src/ $ wget http://michael.toren.net/code/tcptraceroute/tcptraceroute-1.5beta7.tar.gz $ tar xzvf tcptraceroute-1.5beta7.tar.gz $ cd tcptraceroute-1.5beta7/ $ ./configure $ make $ sudo make install
Then optionally create a symbolic link in your /pentest/ directory:
$ mkdir -p /pentest/enumeration/tcptraceroute/ $ ln -s /usr/sbin/tcptraceroute /pentest/enumeration/tcptraceroute/tcptraceroute
$ sudo /usr/local/bin/tcptraceroute [-nNFSAE] [-i <interface>] [-f <first ttl>] [-l <packet length>] [-q <number of queries>] [-t <tos>] [-m <max ttl>] [-pP] <source port>] [-s <source address>] [-w <wait time>] <host> [destination port] [packet length]
- Display numeric output, rather than doing a reverse DNS lookup for each hop.
- By default, reverse lookups are never attempted on RFC1918 address space, regardless of the -n flag.
- Perform a reverse DNS lookup for each hop, including RFC1918 addresses.
- Set the initial TTL used in the first outgoing packet. The default is 1.
- Set the maximum TTL used in outgoing packets. The default is 30.
- Use the specified local TCP port in outgoing packets. The default is to obtain a free port from the kernel using bind. Unlike with traditional traceroute, this number will not increase with each hop.
- Set the source address for outgoing packets. See also the -i flag.
- Use the specified interface for outgoing packets.
- Set the number of probes to be sent to each hop. The default is 3.
- Set the timeout, in seconds, to wait for a response for each probe. The default is 3.
- Set the TCP SYN flag in outgoing packets. This is the default, if neither -S or -A is specified.
- Set the TCP ACK flag in outgoing packets. By doing so, it is possible to trace through stateless firewalls which permit outgoing TCP connections.
- Send ECN SYN packets, as described in RFC2481.
- Set the IP TOS (type of service) to be used in outgoing packets. The default is not to set any TOS.
- Set the IP "don't fragment" bit in outgoing packets.
- Set the total packet length to be used in outgoing packets. If the length is greater than the minimum size required to assemble the necessary probe packet headers, this value is automatically increased.
- Enable debugging, which may or may not be useful.
- Enable DNAT detection, and display messages when DNAT transitions are observed. DNAT detection is based on the fact that some NAT devices, such as some Linux 2.4 kernels, do not correctly rewrite the IP address of the IP packets quoted in ICMP time-exceeded messages tcptraceroute solicits, revealing the destination IP address an outbound probe packet was NATed to. NAT devices which correctly rewrite the IP address quoted by ICMP messages, such as some Linux 2.6 kernels, will not be detected. For some target hosts, it may be necessary to use --dnat in conjunction with --track-port.
- Enable DNAT detection for the purposes of correctly identifying ICMP time-exceeded messages that match up with outbound probe packets, but do not display messages when a DNAT transition is observed. This is the default behavior.
- Do not perform any DNAT detection whatsoever. No attempt will be made match up ICMP time-exceeded messages with outbound probe packets, and when tracerouting through a NAT device which does not rewrite the IP addresses of the IP packets quoted in ICMP time-exceeded messages, some hops along the path may appear to be unresponsive. This option should not be needed in the vast majority of cases, but may be utilized if it is suspected that the DNAT detection code is misidentifying ICMP time-exceeded messages.
$ sudo /usr/local/bin/tcptraceroute ***************.fr Selected device wlan0, address 192.168.100.18, port 44387 for outgoing packets Tracing the path to scgb-salvaggio.fr (188.8.131.52) on TCP port 80 (www), 30 hops max 1 192.168.100.1 1.274 ms 2.008 ms 1.028 ms 2 192.168.1.1 4.392 ms 2.499 ms 2.705 ms 3 10.125.127.9 38.795 ms 37.941 ms 37.719 ms 4 10.125.127.10 57.642 ms 54.602 ms 38.561 ms 5 xe-5-1-0-0.ncidf201.Aubervilliers.francetelecom.net (184.108.40.206) 40.038 ms 37.770 ms 58.550 ms 6 tengige0-13-0-4.ntaub201.Aubervilliers.francetelecom.net (220.127.116.11) 38.809 ms 38.486 ms 38.597 ms 7 tengige0-3-0-1.ntpst101.Paris.francetelecom.net (18.104.22.168) 39.551 ms 38.880 ms 39.671 ms 8 xe-5-1-0-0.nrlyo101.Lyon.francetelecom.net (22.214.171.124) 44.998 ms 44.272 ms 79.293 ms 9 xe-7-0-2-0.nrlyo102.Lyon.francetelecom.net (126.96.36.199) 45.561 ms 44.327 ms 43.827 ms 10 xe-3-1-0-0.nclyo102.Lyon.francetelecom.net (188.8.131.52) 81.759 ms 57.455 ms 44.843 ms 11 184.108.40.206 45.595 ms 79.353 ms 55.471 ms 12 pleskwindows4.dns**.com (84.246.***.***) [open] 70.184 ms * 45.874 ms