Penetration Testing mailing list archives

RE: getting different ttl values for the same IP


From: "Sahir Hidayatullah" <sahirh () mielesecurity com>
Date: Thu, 29 Dec 2005 00:28:29 +0530

Looks like it might be some kind of load balancing device and you're seeing
the TTLs of the systems *behind* the balancer.

Since almost all operating systems have an initial TTL of either 32, 64, 128
or 255, you can probably say that the first response is a host 25 hops away
(255-230) and the second response is 26 hops away (128-102). This would
imply one more hop till the system with the TTL of 128.

The initial TTL of 128 might be a Windows box, while a default TTL of 255
could be a Solaris box. You can have a look at this (slightly outdated)
database:
http://project.honeynet.org/papers/finger/traces.txt

Perhaps making a few connections and checking the IPIDs will help you.

Cheers,

Sahir Hidayatullah
Technical Consultant - Information Security
--------------------------------------
MIEL e-Security Pvt. Ltd.
C- 611 / 612, Floral Deck Plaza,
MIDC Central Road, Andheri (E),
Mumbai 400 093, India.
Tel No:+ 91 (022) 2821 5050
PGP KeyID: 0x4F5EC345
Fingerprint: F4C2 7274 792E 8E39 D90D  BA02 C070 B4BF 4F5E C345


-----Original Message-----
From: aqua.le0 () gmail com [mailto:aqua.le0 () gmail com] 
Sent: Wednesday, December 28, 2005 6:38 PM
To: pen-test () securityfocus com
Subject: getting different ttl values for the same IP

Hi all

While performing a TCP traceroute using Cain & Abel, I got different TTL
values for the same IP. Can anyone explain this?


10.10.10.10;401 ms (TTL=230) - TTL exceeded;411 ms (TTL=230) - TTL exceeded;500 ms (TTL=230) - TTL exceeded;(Unknown)

10.10.10.10;400 ms (TTL=106) - Echo Reply;401 ms (TTL=102) - Echo Reply;400 ms (TTL=102) - Echo Reply;(Unknown);

Rgds

Aqua
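
Added example (not part of either message in this thread): a small Python parser for the two traceroute output lines quoted in the question, applying the hop estimate described in the reply. The function names are hypothetical, and picking the smallest common initial TTL at or above the observed value is an assumption of this sketch.

```python
import re
from collections import defaultdict

# Common initial TTLs named in the reply above.
INITIAL_TTLS = (32, 64, 128, 255)

# Matches one probe field, e.g. "401 ms (TTL=230) - TTL exceeded"
PROBE_RE = re.compile(r"(\d+)\s*ms\s*\(TTL=(\d+)\)\s*-\s*([^;]+)")

def infer(observed):
    """Return (assumed initial TTL, hop estimate) for an observed TTL."""
    for initial in INITIAL_TTLS:
        if observed <= initial:
            return initial, initial - observed
    raise ValueError(f"TTL {observed} out of range")

def parse_line(line):
    """Split 'ip;probe;probe;...' into (ip, [(rtt_ms, ttl, reply_type), ...])."""
    ip, _, rest = line.partition(";")
    probes = [(int(r), int(t), kind.strip()) for r, t, kind in PROBE_RE.findall(rest)]
    return ip.strip(), probes

def summarize(lines):
    """Map ip -> {assumed initial TTL: sorted hop estimates} over all probes."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        ip, probes = parse_line(line)
        for _rtt, ttl, _kind in probes:
            initial, hops = infer(ttl)
            seen[ip][initial].add(hops)
    return {ip: {i: sorted(h) for i, h in by_init.items()} for ip, by_init in seen.items()}

def mixed_responders(summary):
    """IPs whose replies imply more than one initial TTL or hop distance."""
    return sorted(ip for ip, by_init in summary.items()
                  if len(by_init) > 1 or any(len(h) > 1 for h in by_init.values()))

# The two output lines from the question, with the mail line-wrapping undone.
SAMPLE = [
    "10.10.10.10;401 ms (TTL=230) - TTL exceeded;411 ms (TTL=230) - TTL exceeded;500 ms (TTL=230) - TTL exceeded;(Unknown)",
    "10.10.10.10;400 ms (TTL=106) - Echo Reply;401 ms (TTL=102) - Echo Reply;400 ms (TTL=102) - Echo Reply;(Unknown);",
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for ip, by_init in result.items():
        for initial, hops in sorted(by_init.items(), reverse=True):
            print(f"{ip}: assumed initial TTL {initial}, hop estimates {hops}")
    print("mixed responders:", mixed_responders(result))
```

An address that appears under more than one assumed initial TTL, or at more than one hop distance, is the pattern the reply attributes to several systems answering for one IP.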



