Firewall Wizards mailing list archives

traceroute using TCP (was Re: hping)


From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 17 Dec 1998 00:27:57 +1100 (EST)


For the curious, have a look at
http://coombs.anu.edu.au/~avalon/tcptroute.tgz
(it does require libpcap, now).
BTW, for Solaris users, the version of traceroute upon which the above
is based falsely sets/resets the CANT_HACK_CKSUM (well at least on some
versions of Solaris).  Depending on which version of the OS you're on,
and then whether you're intel or sparc, UDP/ICMP traceroute will or won't
work based on how it's set.  I've emailed the LBL folks the matrix but
haven't yet seen a rev. post 1.4a5.  This is just in case someone tries
it out and it doesn't work for them on Solaris.

Some of the work in this was contributed by Anthony Osborne.

Added command line options are -O <frag offset>, -T <tcpflags>,
-Z <frag size>

Changed is -p, which now allows -p <port>,<port> to fix both the source and
destination ports for either UDP or TCP.  The old -p <port> syntax
is still supported.

What I alluded to was, for example, setting both ports to 53 with UDP,
or setting one to 80 or 20 and the other to, say, 4321 and using TCP to send
fake ACKs.

The port 53 UDP issue can be even better exploited by building up a
`fake' DNS datagram query.  Unless something is looking to allow only
UDP queries in that match ones sent out, this is likely to fool even
`intelligent' packet filters that look at content.  I've not yet had
the time to actually code this, but it's not a very hard exercise.

Using traceroute with TCP is quite interesting when you start picking
on certain firewall vendors' sites who sell firewalls which are known
to leak TCP ACK packets.  One could be forgiven for thinking they don't
know how to configure their own firewall software properly :-)

Darren


