Penetration Testing Scanning 101.2

Part two of the hugely popular Penetration Testing 101 series from security researcher Hozaifa Owaisi, who breaks down network tracing and the tools he uses to scan networks.

Penetration Testing Scanning 101.2

This article is going to cover the network tracing from my last article and expand on the idea, if you haven’t read that article I would recommend it because it gives you a great introduction to the subject. We will also cover the tool we most commonly use for network tracing how it works, how to use it and some helpful tips for that tool.

Some of my Assumptions

I know this is supposed to be an introductory detailed scanning article but there is a limit to that. I can't go into insane detail because then it's a networking article rather than a penetration testing article, remember that networking is a prerequisite of pen-testing. Here are some of my assumptions:

The TTL Field

In a basic IP packet header, there is a field called the TTL field also known as Time To Live. This field contains an 8-bit long number that shows the number of hops this packet can do before it's useless. As soon as the router receives the packet it decreases the TTL field by 1 each time, so when one of the routers receives the packet and decrements the TTL to zero it is supposed to drop that particular packet and send an “error” message: “TTL Exceeded in Transit” back to the origin IP and the source address of that ICMP TTL Exceeded in Transit is the address of the router because a source address is the address of the origin device. This is very interesting because this allows us to perform a network tracing and allows us to determine the series of router hops between one device to another. Now similarly in IPv6 packets, there is a field called the “Hop Limit Field” this works similarly to the TTL Field and is also decremented by each router in the path. Now there are a lot of documents that prove that network tracing is impossible to fix in all most all of the scenarios except some and these documents go very deep into this topic with some understandable math you guys can read one of the best here

Lets talk TOOL

Now that we have covered some of the concepts of network tracing in detail you might think you can make an application that does this for you and you are right you can, but there are already a lot of tools that do this exact job for you, and, if you still want to do it, I would say go for there is nothing wrong with that. In fact, you will only get experience and get good with socket programming its a win-win, but for now we will talk about the most famous pre-existing tools made specifically for this job.

Traceroute/Tracert is an amazing tool it is known as a network diagnostics tool but we as pen-tester also use a lot of tools which are intended to be used for system/network diagnostics. This tool soul job is to show the network path and show diagnostics information related to that so basically, it does network tracing the best. Traceroute and tracert use the same TTL Technique we mentioned above, both of these tools support both IPv4 and IPv6.

How does Traceroute/Tracert Work?

When someone runs the traceroute/tracert tool it requires a minimum of 1 argument which will be the destination address and that can be an IP address or a domain name. Then the tool starts out by making sending a packet to that target by adding its address to the destination field, the TTL filed starts out by 1 so as soon as the first router receives the packet it drops the packet and sends a TTL exceeded in transit. Now traceroute/tracert has the IP address of the first router and now it sends another packet to the exact target with the TTL of 2 and the second router drops it and send the error message back and doing this in a loop until it reaches to the actual target by now the tool has the whole route the packet took and it simply shows you that route in output. Now sometimes the device is configured to filter inbound probe or omit the ICMP Response then Traceroute/Tracert simply put a * for that hop, you might also notice that it has 3 * that’s because each hop is tested 3 times aka a packet with TTL of 1 is send 3 times. The Traceroute tool uses the UDP protocol and for the ports it utilizes all the ports after 33434, basically it increments a port with each packet sent, for example, if it sends the first packet to port 33434 with TTL 1 then it will send another packet with the same TTL but to port 33435 next it does this one more time increasing the port by adding 1 but keeping the TTL same and it does this for every packet and remember each TTL number is sent 3 times by default, we can change all the things mentioned above by using options and providing valid arguments. Here are some important options to remember for Traceroute tool (UNIX/LINUX):-

  • Basic Format of the command : traceroute [IP/ Domain name] [-options][argument for options]

  • -g[hostlist] : This option lets you choose the routers that the packet will travel through, instead of letting the network determine.

  • -I : Using ICMP Echo Request message as a probe instead of UDP packets.

  • -n : Print IP addresses instead of domain name.

  • -f[INT] : Allows you to set the initial number of the TTL Field.

  • -m[INT] : Allows you to set the maximum number of hops. The default is 30

  • -T : Use TCP packets instead of UDP packets ( it will have a fixed destination port of 80)

  • -p : change the UDP starting port or set a TCP port (remember when you use the TCP protocol you can only set one destination port)

  • -4 : force to use IPv4

  • -6 : force to use IPv6

  • -w[INT] : set the amount of time to wait for each response (5 is default)

Web-Based network tracing service

Instead of using our trusty tool traceroute we could also go for an alternative which are Web-Based services that provide network tracing. Remember that by using a web-based application for this purpose you are leaking information to a third party letting them know that someone at your IP address has interest in that particular domain/IP address. For penetration testers and ethical hackers, these services are immensely valuable in differentiating whether a tester has been shunned by the target network administrators or automated detection technology, or if the target network or systems has gone down.

Last words

I just wanted to thank you guys for reading through the article and serving so far. The intent is to give a good amount of information in small digestible pills, a lot of time when I was studying penetration testing (and I still am) there was a lot of information in one article and even after reading it I could remember the whole thing. I am trying to provide solid information in small easily consumable and digestible format. This is the beginning of these articles, there will be a lot more coming one by one. I love feedback, I think they are very important to me. If you have feedback, you can reach me on twitter: @k4b00m. I also apologize because I wasn’t able to publish this last week on Sunday, that's because I was busy with some work and school. Anyway, I am looking forward to delivering these on time from the week after next week.