Tracerouting and Lesson

Today’s lesson is extremely important for me, and hopefully for you, because through this lesson I want to send a message to every wannabe hacker. Although the lesson itself is easy, the message is very serious, so please follow me.

Our technique today is called “Tracerouting”!
Bing Bing, this “Tracerouting” is ringing a bell in my head. Oh ya, isn’t it the tool that is called “tracert” on Windows and “traceroute” on Linux? I know it, I know it, it’s the tool that shows a list of the routers between 2 systems, the first being my computer and the other the target.

:) Well, you are right this time again “in a way” :)

Let’s discuss some terms as usual before we hop into “Tracerouting”:
1- TTL (Time To Live): “If this guy doesn’t give you his wallet in 6 seconds, KILL him”, “Man, your time to live is decreasing now, 6, 5, 4, 3, 2, 1, BANG” and the guy is dead. “TTL” in computers works almost the same way: the TTL of a packet determines how long the packet may stay alive (in practice, how many routers it may pass through), and if the TTL of a packet reaches zero, the packet is discarded.



As you can see from the previous figure, the TTL is decreased by 1 at every router: the first hop went from “My computer” to the first router, where the TTL was decreased by 1, and then the second hop went to the second router, where the TTL reached 0, which means “Time Exceeded” or “This packet cannot live anymore, and it must die”.
Normally, when a packet leaves the host, the system by default gives it a TTL count that is high enough for the packet to reach its destination.

2- ICMP (Internet Control Message Protocol): ICMP is a supporting protocol; it helps the IP protocol maintain communication between hosts, and its main job is to send messages reporting errors that happened to packets. There are many types of ICMP messages.
Let’s see an example:



We all know the command “ping”; what we see here is a successful ping from my computer to my router. But let’s see how it appears in Wireshark:



In the top pane, we can see 4 “Echo request” and 4 “Echo reply” messages. In the bottom pane, we can see an “Internet Control Message Protocol” header with “Type 8” and “Code 0”.
What is “Type 8”? And what is “Code 0”? And are there more types or codes than these?
There are 256 possible “ICMP message types”, from “Type 0” to “Type 255”, and many of these types have codes. Let’s see an example with “Type 8”, which we just saw:

Type 8 means an “Echo Message”, i.e. a request, and “Type 8” has no codes; that’s why the code here is “Code 0”.



In the reply, we can see “Type 0” and “Code 0”.
Type 0 means an “Echo Reply”, and “Type 0” has no codes either; that’s why we see “Code 0”.

Let’s try a ping that gives us an error; maybe we will see a different Type or Code.



Here I disabled, on the router, the interface that leads to the LAN 172.16.0.0, so the router replied to my machine 10.0.0.10 that the host 172.16.0.10 is unreachable.
Let’s see what ICMP message types and codes are generated here:



Here we can see ICMP message “Type 3”, which means “Destination Unreachable”. But let me ask you something: what was our destination? Was it a computer? Was it a network? Was it a port?
This is what the code indicates.
As we can see, “Code 1” means “Host Unreachable”. There are more codes for ICMP message “Type 3”:
Code 0 = Net Unreachable
Code 1 = Host Unreachable
Code 2 = Protocol Unreachable
Code 3 = Port Unreachable, and so on…

To see a list of all Types and all Codes, you can visit http://www.iana.org/assignments/icmp-parameters

NOW we can start talking about our technique for today, Tracerouting. What is it? Why would I need it in hacking? How does it work?

What is Tracerouting?
Tracerouting is the process of sending packets with a low TTL, starting from TTL=1 and increasing it by 1, until a packet reaches the required target. Chinese, huh? :)
Let’s clarify that:
Remember, I said that as soon as the TTL reaches zero, the packet is discarded. Let’s follow these steps:

1- So, if “My computer” sends a packet with TTL=1, what will happen? The packet makes 1 hop to “router 01”, which decreases the TTL and finds that it has already reached ZERO, so the packet is discarded at the first router and “My computer” gets an ICMP message “Type 11”, which means “Time Exceeded”.



2- Now, “My computer” sends another packet with TTL=2. The packet hops to “router 01” and then to “router 02”, which discards the packet because its TTL reached ZERO, and sends me the “Time Exceeded” message.



3- The same scenario happens again and again until the packet reaches the destination computer, “My Target”, which finally replies to my request.



Now I know that I will keep sending packets to routers and receiving “Time Exceeded” messages from these routers until I finally reach the target.
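To make the TTL mechanism from the three steps above and the ICMP types and codes from the earlier Wireshark captures concrete, here is an added Python example (it is not code from the original article): it decodes the ICMP Type/Code header fields, verifies the RFC 1071 header checksum, and replays the TTL=1, 2, 3 procedure over a constructed path of two routers and a target, including the case of a router that silently filters its “Time Exceeded” replies. The router and target names and the packets are constructed for the demonstration.

```python
import struct

# ICMP types and Type 3 codes discussed in the article (names from the IANA registry).
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}
UNREACH_CODES = {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable", 3: "Port Unreachable"}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4) -> bytes:
    """Construct an 8-byte ICMP header with a valid checksum (constructed sample packets)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(body)) + rest

def parse_icmp(packet: bytes) -> dict:
    """Decode the Type/Code fields Wireshark shows and verify the header checksum."""
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    codes = UNREACH_CODES if icmp_type == 3 else {}
    return {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(packet) == 0,
            "name": ICMP_TYPES.get(icmp_type, "Type %d" % icmp_type),
            "code_name": codes.get(code, "Code %d" % code)}

def simulate_traceroute(path, target, silent=frozenset(), max_ttl=30):
    """Replay the article's procedure on a constructed path: probe with TTL=1, 2, ...
    Each router decrements TTL; the one that takes it to 0 discards the probe and answers
    Type 11 (Time Exceeded) unless it is in `silent` (a filtering router: '*' in output).
    When every router has forwarded the probe, the target answers with Type 0."""
    results = []
    for ttl in range(1, max_ttl + 1):
        remaining, responder = ttl, None
        for router in path:
            remaining -= 1
            if remaining == 0:       # this router sees TTL hit zero and drops the probe
                responder = router
                break
        if responder is None:        # probe survived all routers: destination reached
            results.append((ttl, target, parse_icmp(build_icmp(0, 0))["name"]))
            return results
        if responder in silent:
            results.append((ttl, "*", "*"))
        else:
            results.append((ttl, responder, parse_icmp(build_icmp(11, 0))["name"]))
    return results
```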

But what do I gain from that? Why would a hacker need to use this technique?
For attackers, tracerouting is very useful for learning the network topology of the target, because you learn the routes that lead to it and which router connects your target to the Internet, a device that can itself be attacked.
For white-hat hackers, tracerouting can be used to trace attackers, get an idea of their location, and find out which ISPs they use (in case you want to involve law enforcement).

Now it’s tools time :)
There are 3 types of tools here:
1- Command-line (DOS-like) tools such as tracert (for Windows users) and traceroute (for Linux users)
2- Graphical tools such as VisualRoute (for Windows and Linux users) and GTrace (for Linux users)
3- Web sites that provide a tracerouting service, such as DNSStuff.com and CentralOps.net

From the Command prompt (using Tracert)



From the Linux Konsole (using Traceroute)



So, what’s happening now? We gained nothing from using either tracert or traceroute, because there is a router that is blocking the ICMP “Time Exceeded” messages.
Before we start complaining, let’s capture both commands in Wireshark to see what is happening behind the scenes.

This is the result of Tracert:



While this is the result from Traceroute:



Tracert uses the ICMP protocol, and most security engineers know that ping and tracert are 2 of the most important tools for hackers and that both depend heavily on ICMP; that’s why one of the first steps they take is to block ICMP messaging.
Traceroute, on the other hand, uses UDP with a random high port number for its tracerouting packets. The reason for that is to avoid ICMP filtering.

But, what can we do, if our target is filtering both UDP and ICMP?
Then I will quit hacking and find another job :)

C’mon, let’s think a little bit: ICMP is blocked, and UDP is blocked as well.
What other protocol can we use for sending our tracerouting packets?
It’s TCP.
Yes, we can use TCP instead of UDP, because in most cases the firewalls that block ICMP and UDP packets still permit inbound TCP packets on specific ports, right? By sending out TCP SYN packets instead of UDP or ICMP Echo packets, tcptraceroute is able to bypass the most common firewall filters. Let’s try and see:





WOW, did you see that? It worked! That is amazing.

The Lesson:
Guys, do you remember when I said at the beginning of the article that there is an important lesson I want you to learn? Tracerouting was just 1 part of the lesson.
Now it’s time to talk about the second part.
Have you seen how hackers think?
They found that security engineers started to block ICMP Echo requests, so they thought about it and figured out a way to make it UDP based.
And when they found that both are blocked now, they thought again and developed a tool that uses TCP instead.
What would have happened if this tool, tcptraceroute, did not exist? Would we wait until somebody created it for us? Would we wait until somebody thought for us?
Remember, in my first article, “Hacking – The Mindset”, I put a link to an amazing article called “How to become a Hacker”. In that article, Eric Raymond said that the first basic skill for hackers is “Learn how to program”. Did you follow that? Did you start already? Or are you still a script kiddie?

Till next article,
Please take care.
