Penetration Testing mailing list archives
RE: getting different ttl values for the same IP
From: "Sahir Hidayatullah" <sahirh () mielesecurity com>
Date: Thu, 29 Dec 2005 00:28:29 +0530
Looks like it might be some kind of load balancing device and you're seeing the TTL's of the systems *behind* the balancer. Since almost all operating systems have an initial TTL of either 32,64,128 or 255, you can probably say that the first response is a host 25 hops away (255-230) and the second response is 26 hops away (128-102). This would imply one more hop till the system with the TTL of 128. The initial TTL of 128 might be a Windows box, while a default TTL of 255 could be a Solaris box. You can have a look at this (slightly outdated) database: http://project.honeynet.org/papers/finger/traces.txt Perhaps making a few connections and checking the IPIDs will help you. Cheers, Sahir Hidayatullah Technical Consultant - Information Security -------------------------------------- MIEL e-Security Pvt. Ltd. C- 611 / 612, Floral Deck Plaza, MIDC Central Road, Andheri (E), Mumbai 400 093, India. Tel No:+ 91 (022) 2821 5050 PGP KeyID: 0x4F5EC345 Fingerprint: F4C2 7274 792E 8E39 D90D BA02 C070 B4BF 4F5E C345 -----Original Message----- From: aqua.le0 () gmail com [mailto:aqua.le0 () gmail com] Sent: Wednesday, December 28, 2005 6:38 PM To: pen-test () securityfocus com Subject: getting different ttl values for the same IP Hi all While performing a TCP traceroute using cain&able i got different ttl values for the same ip, can anyone explain about this 10.10.10.10;401 ms (TTL=230) - TTL exceeded;411 ms (TTL=230) - TTL exceeded;500 ms (TTL=230) - TTL exceeded;(Unknown) 10.10.10.10;400 ms (TTL=106) - Echo Reply;401 ms (TTL=102) - Echo Reply;400 ms (TTL=102) - Echo Reply;(Unknown); Rgds Aqua ---------------------------------------------------------------------------- -- Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ---------------------------------------------------------------------------- --- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- getting different ttl values for the same IP aqua . le0 (Dec 28)
- Re: getting different ttl values for the same IP Tim (Dec 28)
- Re: getting different ttl values for the same IP Maciek Dudek (Dec 28)
- Re: getting different ttl values for the same IP Maciek Dudek (Dec 28)
- Re: getting different ttl values for the same IP ilaiy (Dec 28)
- Re: getting different ttl values for the same IP Joachim Schipper (Dec 28)
- RE: getting different ttl values for the same IP Sahir Hidayatullah (Dec 28)
- Re: getting different ttl values for the same IP Pieter Danhieux (Dec 28)
- RE: getting different ttl values for the same IP berg (Dec 29)
- Re: getting different ttl values for the same IP Thierry Zoller (Dec 29)
- Re: getting different ttl values for the same IP Paul Robertson (Dec 29)
- Re: getting different ttl values for the same IP Technica Forensis (Dec 31)
- <Possible follow-ups>
- Re: getting different ttl values for the same IP pentest (Dec 29)
- Re: getting different ttl values for the same IP Tim (Dec 28)