0trace
0trace.sh is a shell script written by Michal Zalewski. It is a reconnaissance / firewall bypassing tool that enables hop enumeration ("traceroute") within an established TCP connection, such as an HTTP or SMTP session, as opposed to sending stray packets, as traceroute-type tools usually do. When a scan succeeds, 0trace reveals additional intermediate hops (servers) that are useful to the penetration tester.
Project details
0trace is written in C and shell script.
Usage
Syntax
0trace.sh iface target_ip [ target_port ]
Strengths
- The source code of this software is available
Typical usage
- penetration test
0trace.py is a Python port of Michal Zalewski's 0trace hop enumeration tool. 0trace was originally announced on Bugtraq on January 6th:
I'd like to announce the availability of a free security reconnaissance / firewall bypassing tool called 0trace. This tool enables the user to perform hop enumeration ("traceroute") within an established TCP connection, such as a HTTP or SMTP session. This is opposed to sending stray packets, as traceroute-type tools usually do. The important benefit of using an established connection and matching TCP packets to send a TTL-based probe is that such traffic is happily allowed through by many stateful firewalls and other defenses without further inspection (since it is related to an entry in the connection table).
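Probes that ride on an established connection but carry small, increasing TTLs leave a recognisable pattern at the client's network edge. The following detection heuristic is an added example (not part of 0trace or of this page) run over constructed packet records; the Pkt record layout, the baseline-TTL assumption and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    # Minimal view of a captured TCP segment (assumed record layout).
    src: str
    sport: int
    dst: str
    dport: int
    ttl: int
    seq: int


def probe_runs(packets, min_probes=4, max_probe_ttl=32):
    """Flag flows in which, after a baseline TTL has been seen, a run of packets with
    small, strictly increasing TTLs appears (the in-session TTL sweep 0trace performs).
    Returns {flow: (first_ttl, last_ttl, probe_count, all_probes_share_one_seq)}."""
    flows = defaultdict(list)
    for p in packets:
        flows[(p.src, p.sport, p.dst, p.dport)].append(p)
    findings = {}
    for key, pkts in flows.items():
        baseline = pkts[0].ttl  # assumption: first packet of the flow is a normal segment
        probes = [p for p in pkts[1:] if p.ttl < min(baseline, max_probe_ttl)]
        runs, cur = [], []
        for p in probes:
            if cur and p.ttl != cur[-1].ttl + 1:  # break the run on a non-consecutive TTL
                runs.append(cur)
                cur = []
            cur.append(p)
        if cur:
            runs.append(cur)
        best = max(runs, key=len, default=[])
        if len(best) >= min_probes:
            same_seq = len({p.seq for p in best}) == 1  # probes re-use the session's seq
            findings[key] = (best[0].ttl, best[-1].ttl, len(best), same_seq)
    return findings


# Constructed capture: a normal HTTP session, then six probes that re-use the session's
# sequence number with TTL 1..6, plus a benign second flow for contrast.
SAMPLE = (
    [Pkt("192.168.100.18", 45602, "69.63.181.12", 80, 64, 3991917715),
     Pkt("192.168.100.18", 45602, "69.63.181.12", 80, 64, 3991917716)]
    + [Pkt("192.168.100.18", 45602, "69.63.181.12", 80, t, 3991917716) for t in range(1, 7)]
    + [Pkt("192.168.100.18", 45610, "192.0.2.10", 443, 64, 100 + i) for i in range(5)]
)
```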
Why this tool?
The 0trace utility is useful for reconnaissance, for example to see whether additional data can be gathered about the network and its devices.
How it works
The benefit of using an established connection is staying off the radar of a firewall. The technique works because the session is already present in the firewall's connection table: by reusing the existing connection and sending TTL-based probes inside it, no suspicion is raised.
Usage and audience
0trace.py is commonly used for reconnaissance or for bypassing security measures. Target users for this tool are pentesters and security professionals.
Dependencies
- tcpdump (0trace.sh uses it as its sniffer; see the error message in Example 2)
- /bin/usleep (see Installation)
Download
- 0trace.py - released January 25th, 2007
Installation
To install 0trace, issue the following commands:
$ mkdir -p /pentest/enumeration/
$ cd /data/src/
$ wget http://lcamtuf.coredump.cx/soft/0trace.tgz
$ tar xf 0trace.tgz -C /pentest/enumeration/
Then check that you don't get any error by issuing the following command:
$ cd /pentest/enumeration/0trace/
[-] /bin/usleep not found on this system, sorry.
If you get this error, create a file usleep.c (e.g. in /tmp/) with the following lines:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Minimal /bin/usleep replacement expected by 0trace.sh: sleep for argv[1] microseconds. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s microseconds\n", argv[0]);
        return 1;
    }
    usleep(atoi(argv[1]));
    return 0;
}
Compile it into /bin:
$ sudo gcc -o /bin/usleep usleep.c
Example 1 with eth0
- Open a TCP connection: telnet 66.135.192.87 80
- Start 0trace.sh: ./0trace.sh eth0 66.135.192.87 80
- Initiate some TCP activity in the telnet session: GET / HTTP/1.0
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.0.10:54403 -> 66.135.192.87:80 (3736223256/873025975)
[+] Setting up a sniffer...
[+] Sending probes...
TRACE RESULTS
-------------
1 192.168.0.1
3 68.87.187.29
4 68.87.190.161
5 68.87.190.157
6 68.87.190.153
7 68.87.190.149
8 68.87.190.145
9 68.87.190.141
10 68.87.191.145
11 12.116.11.101
12 12.123.139.150
13 12.122.10.134
14 12.123.4.249
15 192.205.33.158
16 144.232.20.20
17 144.232.26.109
18 144.232.20.161
19 144.232.15.142
20 144.232.20.141
21 144.232.20.113
22 144.232.0.250
23 144.228.110.122
24 66.135.207.186
Target reached.
Example 2 with wlan0
The following example shows probes on facebook.com.
traceroute
$ traceroute 69.63.181.12
traceroute to 69.63.181.12 (69.63.181.12), 30 hops max, 60 byte packets
 1  192.168.100.1 (192.168.100.1)  4.310 ms  4.422 ms  4.580 ms
 2  192.168.1.1 (192.168.1.1)  4.779 ms  4.915 ms  5.722 ms
 3  10.125.127.9 (10.125.127.9)  41.382 ms  41.663 ms  43.480 ms
 4  10.125.127.74 (10.125.127.74)  43.897 ms  45.895 ms  46.077 ms
 5  xe-5-3-0-0.ncidf202.Paris.francetelecom.net (193.253.81.118)  48.355 ms  48.548 ms  50.427 ms
 6  xe-5-0-2-0.ntsta202.Paris.francetelecom.net (81.253.131.118)  51.329 ms  39.285 ms  38.338 ms
 7  193.252.162.86 (193.252.162.86)  40.941 ms  41.585 ms  43.250 ms
 8  tengige1-6-1-0.pastr1.Paris.opentransit.net (193.251.132.249)  44.758 ms tengige1-9-4-0.pastr1.Paris.opentransit.net (193.251.129.126)  47.407 ms tengige1-6-4-0.pastr1.Paris.opentransit.net (193.251.132.221)  47.587 ms
 9  193.251.247.30 (193.251.247.30)  49.100 ms  49.215 ms  49.996 ms
10  ae-33-51.ebr1.Paris1.Level3.net (4.69.139.193)  52.868 ms  54.382 ms  54.497 ms
11  ae-48-48.ebr1.London1.Level3.net (4.69.143.113)  63.711 ms ae-45-45.ebr1.London1.Level3.net (4.69.143.101)  65.283 ms  65.388 ms
12  ae-100-100.ebr2.London1.Level3.net (4.69.141.166)  47.204 ms  45.364 ms  46.683 ms
13  ae-42-42.ebr1.NewYork1.Level3.net (4.69.137.70)  116.075 ms ae-44-44.ebr1.NewYork1.Level3.net (4.69.137.78)  119.878 ms ae-41-41.ebr1.NewYork1.Level3.net (4.69.137.66)  119.606 ms
14  ae-81-81.csw3.NewYork1.Level3.net (4.69.134.74)  132.244 ms  133.385 ms ae-61-61.csw1.NewYork1.Level3.net (4.69.134.66)  126.810 ms
15  ae-82-82.ebr2.NewYork1.Level3.net (4.69.148.41)  125.298 ms  125.419 ms ae-62-62.ebr2.NewYork1.Level3.net (4.69.148.33)  133.610 ms
16  ae-2-2.ebr4.SanJose1.Level3.net (4.69.135.185)  196.545 ms  196.750 ms  199.514 ms
17  ae-84-84.csw3.SanJose1.Level3.net (4.69.134.250)  200.493 ms ae-64-64.csw1.SanJose1.Level3.net (4.69.134.242)  200.556 ms  254.383 ms
18  ae-33-89.car3.SanJose1.Level3.net (4.68.18.133)  372.729 ms ae-13-69.car3.SanJose1.Level3.net (4.68.18.5)  412.880 ms ae-23-79.car3.SanJose1.Level3.net (4.68.18.69)  394.385 ms
19  BANDCON.car3.SanJose1.Level3.net (4.71.113.214)  191.098 ms  192.441 ms  193.180 ms
20  ae2.bb02.sjc1.tfbnw.net (204.15.21.166)  192.112 ms  192.181 ms  192.871 ms
21  ae7.br02.snc1.tfbnw.net (204.15.21.171)  211.572 ms ae4.br02.snc1.tfbnw.net (74.119.76.26)  204.725 ms ae7.br01.snc1.tfbnw.net (204.15.20.57)  206.579 ms
22  eth-17-17.csw01a.snc2.tfbnw.net (204.15.23.239)  211.730 ms eth-18-17.csw01b.snc2.tfbnw.net (204.15.23.199)  207.397 ms eth-18-1.csw01b.snc2.tfbnw.net (204.15.21.125)  205.380 ms
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
The entries shown as stars (from hop #23 onward) are not returned to traceroute because of firewalls.
0trace
In a first console, launch this command:
$ sudo ./0trace.sh wlan0 69.63.181.12
In a second console, connect via telnet to port 80/tcp:
$ telnet 69.63.181.12 80
Trying 69.63.181.12...
Connected to 69.63.181.12.
Escape character is '^]'.
GET / HTTP/1.1
Host: 127.0.0.1
<<<type ENTER>>>
Here are the results:
0trace v0.01 PoC by <lcamtuf@coredump.cx>
[+] Waiting for traffic from target on wlan0...
[-] Something went wrong with tcpdump (check parameters).
pilou@aldpillap:/data/tmp/0trace$ sudo ./0trace.sh wlan0 69.63.181.12
0trace v0.01 PoC by <lcamtuf@coredump.cx>
[+] Waiting for traffic from target on wlan0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.100.18:45602 -> 69.63.181.12:80 (3991917715/2574310572).
[+] Setting up a sniffer...
[+] Sending probes...
TRACE RESULTS
-------------
10 4.69.139.193
11 4.69.143.105
12 4.69.141.166
13 4.69.137.74
14 4.69.134.66
15 4.69.148.33
16 4.69.135.185
17 4.69.134.254
18 4.68.18.197
19 4.71.113.214
22 74.119.77.19
8 193.251.132.237
9 193.251.247.30
20 204.15.21.166
21 204.15.20.57
Target reached.
Entry #22 (highlighted in yellow) is new information that we get with 0trace.
Links
http://lcamtuf.coredump.cx/soft/0trace.tgz
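The comparison made by hand in Example 2 (which hops 0trace adds to, confirms, or contradicts the traceroute run) can be done programmatically. This is an added example, not code from 0trace or from this page; it parses excerpts of the two outputs above, and the three classification labels are assumptions.

```python
import re

# Constructed excerpts of the two Example 2 runs above (hosts resolved by traceroute,
# bare IPs from 0trace); most hops are omitted to keep the sample short.
TRACEROUTE_OUT = """\
traceroute to 69.63.181.12 (69.63.181.12), 30 hops max, 60 byte packets
 9  193.251.247.30 (193.251.247.30)  49.100 ms  49.215 ms  49.996 ms
10  ae-33-51.ebr1.Paris1.Level3.net (4.69.139.193)  52.868 ms  54.382 ms  54.497 ms
21  ae7.br02.snc1.tfbnw.net (204.15.21.171)  211.572 ms ae4.br02.snc1.tfbnw.net (74.119.76.26)  204.725 ms ae7.br01.snc1.tfbnw.net (204.15.20.57)  206.579 ms
22  eth-17-17.csw01a.snc2.tfbnw.net (204.15.23.239)  211.730 ms eth-18-17.csw01b.snc2.tfbnw.net (204.15.23.199)  207.397 ms
23  * * *
24  * * *
"""
ZEROTRACE_OUT = """\
TRACE RESULTS
-------------
10 4.69.139.193
22 74.119.77.19
9 193.251.247.30
21 204.15.20.57
Target reached.
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
TR_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <host> (<ip>) ... ms ..."
TR_IP = re.compile(r"\((" + IPV4 + r")\)")          # IPs are always parenthesised
ZT_HOP = re.compile(r"^\s*(\d+)\s+(" + IPV4 + r")\s*$")  # "<hop> <ip>"


def parse_traceroute(text):
    """hop -> set of responding IPs; a '* * *' hop maps to an empty set."""
    hops = {}
    for line in text.splitlines():
        m = TR_HOP.match(line)  # the banner line does not start with a hop number
        if m:
            hops[int(m.group(1))] = set(TR_IP.findall(m.group(2)))
    return hops


def parse_0trace(text):
    """hop -> IP from the TRACE RESULTS section; 0trace prints hops in reply order."""
    return {int(m.group(1)): m.group(2)
            for m in (ZT_HOP.match(l) for l in text.splitlines()) if m}


def compare(tr, zt):
    """Label each 0trace hop: 'only_0trace' (traceroute got nothing for that hop),
    'confirmed' (same IP seen by traceroute) or 'new_ip' (an IP traceroute did not show)."""
    out = {}
    for hop, ip in sorted(zt.items()):
        seen = tr.get(hop)
        out[hop] = "only_0trace" if not seen else ("confirmed" if ip in seen else "new_ip")
    return out
```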