Firewall Wizards mailing list archives
traceroute using TCP (was Re: hping)
From: Darren Reed <darrenr () reed wattle id au>
Date: Thu, 17 Dec 1998 00:27:57 +1100 (EST)
For the curious, have a look at http://coombs.anu.edu.au/~avalon/tcptroute.tgz (it does require libpcap, now).

BTW, for Solaris users, the version of traceroute upon which the above is based falsely sets/resets CANT_HACK_CKSUM (well, at least on some versions of Solaris). Depending on which version of the OS you're on, and then whether you're intel or sparc, UDP/ICMP traceroute will or won't work based on how it's set. I've emailed the LBL folks the matrix but haven't yet seen a rev. post 1.4a5. This is just in case someone tries it out and it doesn't work for them on Solaris.

Some of the work in this was contributed by Anthony Osborne.

Added command line options are:

  -O <frag offset>
  -T <tcpflags>
  -Z <frag size>

Changed is -p, which allows -p <port>,<port> to fix both source and destination ports for either UDP or TCP. The old -p <port> syntax is still supported.

What I alluded to was, for example, setting both ports to 53 with UDP, or setting one to 80 or 20 and the other to, say, 4321 and using TCP to send fake ACKs.

The port 53 UDP issue can be even better exploited by building up a 'fake' DNS datagram query. Unless something is looking to allow only UDP queries in that match ones sent out, this is likely to fool even 'intelligent' packet filters that look at content. I've not yet had the time to actually code this, but it's not a very hard exercise.

Using traceroute with TCP is quite interesting when you start picking on certain firewall vendors' sites who sell firewalls which are known to leak TCP ACK packets. One could be forgiven for thinking they don't know how to configure their own firewall software properly :-)

Darren
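The probe construction described in the message, as an added example that is not part of the post and not code from tcptroute or LBL traceroute: it builds a TCP probe with a fixed source/destination port pair and chosen TCP flags (the -p sport,dport and -T idea) and an optional fragment offset (the -O idea), runs it through a model of a stateless "established" filter to show why a bare ACK gets through where a SYN does not, and matches a constructed ICMP Time Exceeded reply back to the hop that sent it. Since both ports are fixed, the probe cannot be identified by a varying destination port the way classic UDP traceroute does, so this example carries the TTL in the IP ID field instead; that choice, the TEST-NET addresses and the port numbers are assumptions of the example. Nothing is sent on the wire; raw-socket transmission and the pcap listener are left out.

```python
"""Added example: craft TCP traceroute probes with fixed ports and chosen
flags, parse them back, model a stateless 'established' filter, and match
a constructed ICMP Time Exceeded reply to the probe's TTL.  Not from the
post or from tcptroute; nothing here touches the network."""
import socket
import struct

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
IP_MF = 0x2000                 # "more fragments" bit of the IP flags/offset word
ICMP_TIME_EXCEEDED = 11


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_probe(src_ip, dst_ip, sport, dport, ttl, flags=TH_ACK,
                frag_off=0, more_frags=False, seq=0, ip_id=None) -> bytes:
    """IPv4 + TCP (no options) probe.  Assumption of this example: the IP ID
    carries the TTL so replies can be matched when both ports are fixed."""
    if ip_id is None:
        ip_id = ttl
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header with checksum zeroed, then filled in over the pseudo-header.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header; frag_off is in 8-byte units (13-bit field).
    frag_word = (IP_MF if more_frags else 0) | (frag_off & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, frag_word,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_probe(pkt: bytes) -> dict:
    """Decode IPv4 + TCP headers and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id, frag_word, ttl, proto = struct.unpack("!HHBB", pkt[4:10])
    src, dst = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:]
    sport, dport, seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(tcp))
    return {"ttl": ttl, "ip_id": ip_id, "frag_off": frag_word & 0x1FFF,
            "mf": bool(frag_word & IP_MF), "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "sport": sport, "dport": dport,
            "seq": seq, "flags": flags,
            "ip_ok": checksum(pkt[:ihl]) == 0,
            "tcp_ok": checksum(pseudo + tcp) == 0}


def established_filter_passes(pkt: bytes) -> bool:
    """Model of a stateless 'established' rule: pass any TCP segment with ACK
    or RST set, drop the rest.  With no connection table it cannot tell a
    traceroute's bare ACK from the tail of a real connection."""
    return bool(parse_probe(pkt)["flags"] & (TH_ACK | TH_RST))


def icmp_time_exceeded(probe: bytes) -> bytes:
    """Constructed router reply: ICMP type 11 code 0 quoting the expired
    probe's IP header plus the first 8 bytes of its payload (RFC 792)."""
    ihl = (probe[0] & 0x0F) * 4
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:ihl + 8]
    return icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]


def hop_from_reply(icmp: bytes, sport: int, dport: int):
    """Which hop answered?  The quoted IP header still carries our IP ID
    (= TTL) and the quoted 8 TCP bytes carry our port pair.  Returns the hop
    number, or None if the reply does not belong to one of our probes."""
    if icmp[0] != ICMP_TIME_EXCEEDED or checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    ihl = (quoted[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", quoted[4:6])[0]
    q_sport, q_dport = struct.unpack("!HH", quoted[ihl:ihl + 4])
    if (q_sport, q_dport) != (sport, dport):
        return None
    return ip_id


if __name__ == "__main__":
    # Constructed addresses (TEST-NET ranges) and the 4321 -> 80 pair from the post.
    for hop in range(1, 4):
        ack = build_probe("192.0.2.10", "198.51.100.80", 4321, 80, hop)
        syn = build_probe("192.0.2.10", "198.51.100.80", 4321, 80, hop, flags=TH_SYN)
        print("ttl", hop, "ACK passes:", established_filter_passes(ack),
              "SYN passes:", established_filter_passes(syn),
              "reply maps to hop:", hop_from_reply(icmp_time_exceeded(ack), 4321, 80))
```

Matching on IP ID is the example's own choice; a tool that fixes both ports could equally encode the probe number in the TCP sequence number, which is also inside the 8 quoted bytes. The filter model is deliberately crude: it is the behaviour the message is poking at, a rule that treats "ACK set" as "part of an established connection" without keeping state.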