Penetration Testing mailing list archives

Re: Traceroute Question


From: oherrera <oherrera () Prodigy Net mx>
Date: Mon, 07 Apr 2003 18:52:02 -0500

Mh... The original IP Header + 64 bits of data is included
in the ICMP Time Exceeded Message...

If we assume that our address is a.a.a.a and target is
t.t.t.t then the IP header in all ICMP Time Exceeded Messages
should read:
from a.a.a.a to t.t.t.t, but... if there is some proxy
inside whose internal address is b.b.b.b the IP header would
change and any device between b.b.b.b and t.t.t.t where the
packet expires would include an IP header inside the ICMP
Time Exceeded Message reading: from b.b.b.b to t.t.t.t,
wouldn't it?

Now, assuming this proxy has an external IP address of
e.e.e.e (which a.a.a.a can see) and somehow, this proxy just
redirects traffic for a certain port to t.t.t.t on the
internal network, in theory, you would receive ICMP Type 11:
[IP from e.e.e.e to a.a.a.a]....[ IP inside ICMP protocol:
from a.a.a.a to e.e.e.e?]

if expiring before and on the proxy... and you might
receive:
[IP from e.e.e.e to a.a.a.a]....[ IP inside ICMP protocol:
from b.b.b.b to t.t.t.t?] if expiring after the proxy (on
the internal network.)

I haven't actually tried this but looks like it would work
for mapping an internal network behind a proxy under some
circumstances (using a sniffer at least).

But regarding the question being posted, I would have
another question... Does any traceroute implementation favour
IP header inside the ICMP type 11 protocol over the IP
header of the packet itself under some circumstances?

Omar Herrera



Hi all,

While trying to do a traceroute on one of the servers I get
the following reply:

$traceroute a.b.c.d
 1  192.168.0.254 (192.168.0.254)  0.442 ms  0.397 ms  0.358 ms
 2  62.150.42.1 (62.150.42.1)  1.951 ms  1.315 ms  1.249 ms
 3  172.17.8.149 (172.17.8.149)  43.577 ms  23.481 ms  17.653 ms
 4  border.qualitynet.net (195.226.227.1)  19.935 ms  20.902 ms  21.896 ms
 5  isp.qualitynet.net (195.226.227.10)  19.928 ms  23.302 ms  21.839 ms
 6  192.168.226.38 (192.168.226.38)  71.321 ms  282.457 ms  *
My question is why I am getting the non-routable address
192.168.226.38 in the traceroute reply? As far as I think,
this private address space is not routable on the
internet.
Any suggestions?

Vineet
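
The comparison discussed in the reply above (the IP header quoted inside an ICMP Time Exceeded message versus the probe that was actually sent), as an added example that is not part of the original thread. Every address except 192.168.226.38 is a constructed sample standing in for a.a.a.a, e.e.e.e, b.b.b.b and t.t.t.t; the function names are hypothetical and the packets are built inline rather than captured.

```python
import ipaddress
import struct

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample addresses standing in for a.a.a.a, e.e.e.e, b.b.b.b and t.t.t.t.
A, E, B, T = "198.51.100.10", "203.0.113.5", "10.0.0.2", "10.0.0.80"

def ipv4_header(src, dst, proto, payload_len, ttl=1):
    """Minimal 20-byte IPv4 header; checksum left at 0 because this is sample data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def time_exceeded(router, prober, quoted_src, quoted_dst):
    """Constructed ICMP type 11 reply quoting a UDP probe header plus 64 bits of data."""
    quoted = ipv4_header(quoted_src, quoted_dst, 17, 8) + b"\x00" * 8
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted   # type, code, checksum, unused
    return ipv4_header(router, prober, 1, len(icmp), ttl=64) + icmp

def parse_time_exceeded(packet):
    """Return (outer_src, outer_dst, quoted_src, quoted_dst) as dotted strings."""
    ihl = (packet[0] & 0x0F) * 4
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 8 + 20 or icmp[0] != 11:
        raise ValueError("not a complete ICMP Time Exceeded message")
    quoted = icmp[8:]                       # quoted header starts after 8 ICMP bytes
    fields = (packet[12:16], packet[16:20], quoted[12:16], quoted[16:20])
    return tuple(str(ipaddress.IPv4Address(f)) for f in fields)

def classify(packet, sent_src, sent_dst):
    """Compare the reply with the probe the sender knows it emitted."""
    outer_src, _, q_src, q_dst = parse_time_exceeded(packet)
    notes = []
    if (q_src, q_dst) != (sent_src, sent_dst):
        notes.append("quoted header rewritten: %s -> %s" % (q_src, q_dst))
    if any(ipaddress.ip_address(outer_src) in net for net in RFC1918):
        notes.append("reply sourced from RFC 1918 address %s" % outer_src)
    return notes

BEFORE_PROXY = time_exceeded(E, A, A, E)    # expired on or before the proxy
AFTER_PROXY = time_exceeded(E, A, B, T)     # expired behind it, as the post supposes
# Hop 6 of the quoted trace; E stands in for the elided destination a.b.c.d.
PRIVATE_HOP = time_exceeded("192.168.226.38", A, A, E)

if __name__ == "__main__":
    for name, pkt in (("before", BEFORE_PROXY), ("after", AFTER_PROXY), ("hop6", PRIVATE_HOP)):
        print(name, parse_time_exceeded(pkt), classify(pkt, A, E))
```

On the defending side, the same two conditions are what an egress filter for outbound ICMP type 11 would look for: a private source address on the reply, or a quoted header carrying internal addresses.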

