Penetration Testing mailing list archives
Re: Traceroute Question
From: oherrera <oherrera () Prodigy Net mx>
Date: Mon, 07 Apr 2003 18:52:02 -0500
Mh... The original IP Header + 64 bits of data is included in the ICMP Time Exceeded Message...

If we assume that our address is a.a.a.a and target is t.t.t.t then the IP header in all ICMP Time Exceeded Messages should read: from a.a.a.a to t.t.t.t, but... if there is some proxy inside whose internal address is b.b.b.b the IP header would change and any device between b.b.b.b and t.t.t.t where the packet expires would include an IP header inside the ICMP Time Exceeded Message reading: from b.b.b.b to t.t.t.t, wouldn't it?

Now, assuming this proxy has an external IP address of e.e.e.e (which a.a.a.a can see) and somehow, this proxy just redirects traffic for a certain port to t.t.t.t on the internal network, in theory, you would receive ICMP Type 11:

[IP from e.e.e.e to a.a.a.a]....[IP inside ICMP protocol: from a.a.a.a to e.e.e.e?] if expiring before and on the proxy...

and you might receive:

[IP from e.e.e.e to a.a.a.a]....[IP inside ICMP protocol: from b.b.b.b to t.t.t.t?] if expiring after the proxy (on the internal network).

I haven't actually tried this but it looks like it would work for mapping an internal network behind a proxy under some circumstances (using a sniffer at least).

But regarding the question being posted, I would have another question... Does any traceroute implementation favour the IP header inside the ICMP type 11 protocol over the IP header of the packet itself under some circumstances?

Omar Herrera
Hi all,

While trying to do a traceroute on one of the servers I get the following reply:

$traceroute a.b.c.d
 1  192.168.0.254 (192.168.0.254)  0.442 ms  0.397 ms  0.358 ms
 2  62.150.42.1 (62.150.42.1)  1.951 ms  1.315 ms  1.249 ms
 3  172.17.8.149 (172.17.8.149)  43.577 ms  23.481 ms  17.653 ms
 4  border.qualitynet.net (195.226.227.1)  19.935 ms  20.902 ms  21.896 ms
 5  isp.qualitynet.net (195.226.227.10)  19.928 ms  23.302 ms  21.839 ms
 6  192.168.226.38 (192.168.226.38)  71.321 ms  282.457 ms  *

My question is: why am I getting the non-routable address 192.168.226.38 in the traceroute reply? As far as I think, this private address space is not routable on the internet.

Any suggestions?

Vineet

[Attachment: signature.asc]
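Added example, not part of the original post or thread: a small parser that separates the outer IP header of an ICMP Time Exceeded message from the header quoted inside it and reports whether the quote still matches the probe that was sent, which is the check an administrator can use to see whether a translating device passes internal addresses outward. The two sample packets are constructed to model the two cases hypothesized in the reply above (the post itself says this was not tried), and the addresses A, E, B and T are placeholders for a.a.a.a, e.e.e.e, b.b.b.b and t.t.t.t.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (checksum left 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) of the IPv4 header at the start of buf."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("truncated IPv4 header")
    return socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[9], ihl

def inspect_time_exceeded(packet, probe_src, probe_dst):
    """Compare the header quoted in an ICMP type 11 message with the probe we sent."""
    reporter, _, proto, ihl = parse_ipv4(packet)
    icmp = packet[ihl:]
    if proto != 1 or len(icmp) < 8 or icmp[0] != 11:
        raise ValueError("not an ICMP Time Exceeded message")
    # ICMP header is 8 bytes (type, code, checksum, unused); the quote follows.
    q_src, q_dst, _, q_ihl = parse_ipv4(icmp[8:])
    return {"reporter": reporter, "quoted_src": q_src, "quoted_dst": q_dst,
            "quoted_payload_len": len(icmp) - 8 - q_ihl,
            "rewritten": (q_src, q_dst) != (probe_src, probe_dst)}

def sample_reply(reporter, to, quoted_src, quoted_dst):
    """Constructed ICMP type 11 reply quoting a UDP probe header + 8 data bytes."""
    udp8 = struct.pack("!HHHH", 40000, 33434, 8, 0)  # first 64 bits of the probe
    quote = ipv4_header(quoted_src, quoted_dst, 17, len(udp8), ttl=1) + udp8
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quote
    return ipv4_header(reporter, to, 1, len(icmp)) + icmp

# Constructed addresses standing in for the post's a.a.a.a, e.e.e.e, b.b.b.b, t.t.t.t.
A, E, B, T = "192.0.2.10", "198.51.100.1", "10.0.0.5", "10.0.0.9"

if __name__ == "__main__":
    before = sample_reply(E, A, A, E)   # probe expired before or on the proxy
    after = sample_reply(E, A, B, T)    # probe expired on the internal side
    for pkt in (before, after):
        print(inspect_time_exceeded(pkt, probe_src=A, probe_dst=E))
```

A reply whose "rewritten" field is true means the quoted header no longer matches what the prober sent, so the device in front of the internal network is forwarding ICMP errors without rewriting the embedded header.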