
what is 0trace | steps to use 0trace | how to install 0trace

0trace



0trace.sh is a shell script written by Michal Zalewski. It is a reconnaissance / firewall bypassing tool that enables hop enumeration ("traceroute") within an established TCP connection, such as an HTTP or SMTP session. This is opposed to sending stray packets, as traceroute-type tools usually do. When a scan succeeds, 0trace reveals additional hops (routers) to the penetration tester that a conventional traceroute could not see.

Project details

0trace is written in C and shell script.

Usage

Syntax

0trace.sh iface target_ip [ target_port ]


Strengths

  • The source code of this software is available

Typical usage

  • penetration test

Description

0trace.py is a Python port of Michal Zalewski's 0trace hop enumeration tool. 0trace was originally announced on Bugtraq on January 6th:

I'd like to announce the availability of a free security reconnaissance /
firewall bypassing tool called 0trace. This tool enables the user to
perform hop enumeration ("traceroute") within an established TCP
connection, such as a HTTP or SMTP session. This is opposed to sending
stray packets, as traceroute-type tools usually do.

The important benefit of using an established connection and matching TCP
packets to send a TTL-based probe is that such traffic is happily allowed
through by many stateful firewalls and other defenses without further
inspection (since it is related to an entry in the connection table).
 
 

Why this tool?

The 0trace utility is useful for reconnaissance, for example to see whether additional information about the network and its devices can be gathered beyond what a plain traceroute reveals.

How it works

The benefit of using an established connection is staying off the radar of a firewall. The technique works because the session already has an entry in the firewall's connection table: TTL-based probes that are sent inside that existing connection match the table entry and are passed as related traffic, so they are far less likely to raise suspicion than stray probe packets.

Usage and audience

0trace.py is commonly used for reconnaissance and for bypassing security measures that filter ordinary traceroute probes. Target users for this tool are pentesters and security professionals.

Dependencies

Download



Installation

To install 0trace, issue the following commands:

$ mkdir -p /pentest/enumeration/
$ cd /data/src/
$ wget http://lcamtuf.coredump.cx/soft/0trace.tgz
$ tar xf 0trace.tgz -C /pentest/enumeration/

Then change into the extracted directory and run 0trace.sh to check that it starts without errors:

$ cd /pentest/enumeration/0trace/

If the script aborts with the following message, it cannot find the usleep helper it relies on:

[-] /bin/usleep not found on this system, sorry.

In that case, create a file usleep.c (e.g. in /tmp/) with the following lines:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Minimal replacement for the /bin/usleep helper that 0trace.sh expects:
   sleep for the number of microseconds given as the first argument. */
int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s microseconds\n", argv[0]);
        return 1;
    }
    usleep((useconds_t) atoi(argv[1]));
    return 0;
}


Compile it and install the resulting binary as /bin/usleep:
$ sudo gcc -o /bin/usleep usleep.c

Example 1 with eth0

  • Open a TCP connection - telnet 66.135.192.87 80
  • Start 0trace.sh - ./0trace.sh eth0 66.135.192.87 80
  • Initiate some TCP activity in telnet session - GET / HTTP/1.0

0trace.sh then reports:
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.0.10:54403 -> 66.135.192.87:80 (3736223256/873025975)
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
1 192.168.0.1
3 68.87.187.29
4 68.87.190.161
5 68.87.190.157
6 68.87.190.153
7 68.87.190.149
8 68.87.190.145
9 68.87.190.141
10 68.87.191.145
11 12.116.11.101
12 12.123.139.150
13 12.122.10.134
14 12.123.4.249
15 192.205.33.158
16 144.232.20.20
17 144.232.26.109
18 144.232.20.161
19 144.232.15.142
20 144.232.20.141
21 144.232.20.113
22 144.232.0.250
23 144.228.110.122
24 66.135.207.186
Target reached.

Example 2 with wlan0

The following example shows probes on facebook.com.

traceroute

$ traceroute 69.63.181.12
traceroute to 69.63.181.12 (69.63.181.12), 30 hops max, 60 byte packets
 1  192.168.100.1 (192.168.100.1)  4.310 ms  4.422 ms  4.580 ms
 2  192.168.1.1 (192.168.1.1)  4.779 ms  4.915 ms  5.722 ms
 3  10.125.127.9 (10.125.127.9)  41.382 ms  41.663 ms  43.480 ms
 4  10.125.127.74 (10.125.127.74)  43.897 ms  45.895 ms  46.077 ms
 5  xe-5-3-0-0.ncidf202.Paris.francetelecom.net (193.253.81.118)  48.355 ms  48.548 ms  50.427 ms
 6  xe-5-0-2-0.ntsta202.Paris.francetelecom.net (81.253.131.118)  51.329 ms  39.285 ms  38.338 ms
 7  193.252.162.86 (193.252.162.86)  40.941 ms  41.585 ms  43.250 ms
 8  tengige1-6-1-0.pastr1.Paris.opentransit.net (193.251.132.249)  44.758 ms tengige1-9-4-0.pastr1.Paris.opentransit.net (193.251.129.126)  47.407 ms tengige1-6-4-0.pastr1.Paris.opentransit.net (193.251.132.221)  47.587 ms
 9  193.251.247.30 (193.251.247.30)  49.100 ms  49.215 ms  49.996 ms
10  ae-33-51.ebr1.Paris1.Level3.net (4.69.139.193)  52.868 ms  54.382 ms  54.497 ms
11  ae-48-48.ebr1.London1.Level3.net (4.69.143.113)  63.711 ms ae-45-45.ebr1.London1.Level3.net (4.69.143.101)  65.283 ms  65.388 ms
12  ae-100-100.ebr2.London1.Level3.net (4.69.141.166)  47.204 ms  45.364 ms  46.683 ms
13  ae-42-42.ebr1.NewYork1.Level3.net (4.69.137.70)  116.075 ms ae-44-44.ebr1.NewYork1.Level3.net (4.69.137.78)  119.878 ms ae-41-41.ebr1.NewYork1.Level3.net (4.69.137.66)  119.606 ms
14  ae-81-81.csw3.NewYork1.Level3.net (4.69.134.74)  132.244 ms  133.385 ms ae-61-61.csw1.NewYork1.Level3.net (4.69.134.66)  126.810 ms
15  ae-82-82.ebr2.NewYork1.Level3.net (4.69.148.41)  125.298 ms  125.419 ms ae-62-62.ebr2.NewYork1.Level3.net (4.69.148.33)  133.610 ms
16  ae-2-2.ebr4.SanJose1.Level3.net (4.69.135.185)  196.545 ms  196.750 ms  199.514 ms
17  ae-84-84.csw3.SanJose1.Level3.net (4.69.134.250)  200.493 ms ae-64-64.csw1.SanJose1.Level3.net (4.69.134.242)  200.556 ms  254.383 ms
18  ae-33-89.car3.SanJose1.Level3.net (4.68.18.133)  372.729 ms ae-13-69.car3.SanJose1.Level3.net (4.68.18.5)  412.880 ms ae-23-79.car3.SanJose1.Level3.net (4.68.18.69)  394.385 ms
19  BANDCON.car3.SanJose1.Level3.net (4.71.113.214)  191.098 ms  192.441 ms  193.180 ms
20  ae2.bb02.sjc1.tfbnw.net (204.15.21.166)  192.112 ms  192.181 ms  192.871 ms
21  ae7.br02.snc1.tfbnw.net (204.15.21.171)  211.572 ms ae4.br02.snc1.tfbnw.net (74.119.76.26)  204.725 ms ae7.br01.snc1.tfbnw.net (204.15.20.57)  206.579 ms
22  eth-17-17.csw01a.snc2.tfbnw.net (204.15.23.239)  211.730 ms eth-18-17.csw01b.snc2.tfbnw.net (204.15.23.199)  207.397 ms eth-18-1.csw01b.snc2.tfbnw.net (204.15.21.125)  205.380 ms
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
The entries shown as stars (from hop #23 onward) are not returned by traceroute because a firewall drops its probes.

0trace

In a first console, launch this command:
$ sudo ./0trace.sh wlan0 69.63.181.12
In a second console, connect via telnet, port 80/tcp:
$ telnet 69.63.181.12 80
Trying 69.63.181.12...
Connected to 69.63.181.12.
Escape character is '^]'.
GET / HTTP/1.1
Host: 127.0.0.1
<<<type ENTER>>>
Here are the results (the first run aborted with a tcpdump error and was simply relaunched):
0trace v0.01 PoC by <lcamtuf@coredump.cx>
[+] Waiting for traffic from target on wlan0...
[-] Something went wrong with tcpdump (check parameters).
pilou@aldpillap:/data/tmp/0trace$ sudo ./0trace.sh wlan0 69.63.181.12
0trace v0.01 PoC by <lcamtuf@coredump.cx>
[+] Waiting for traffic from target on wlan0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.100.18:45602 -> 69.63.181.12:80 (3991917715/2574310572).
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
10 4.69.139.193
11 4.69.143.105
12 4.69.141.166
13 4.69.137.74
14 4.69.134.66
15 4.69.148.33
16 4.69.135.185
17 4.69.134.254
18 4.68.18.197
19 4.71.113.214
22 74.119.77.19
8 193.251.132.237
9 193.251.247.30
20 204.15.21.166
21 204.15.20.57
Target reached.
Entry #22 (highlighted in yellow on the original page) is new information obtained with 0trace.
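As an added example (not part of 0trace or of this page's original content), the following Python script parses a 0trace TRACE RESULTS block, which the tool prints in the order replies arrive rather than by hop number, together with a classic traceroute listing, and reports which hops 0trace resolved where traceroute got no reply at all, and which addresses differ between the two runs. The sample outputs are constructed from the addresses shown in Example 2.

```python
import re

# Constructed samples modelled on Example 2 above (addresses copied from
# this page's output); they were not produced by running the tools here.
ZTRACE_OUT = """TRACE RESULTS
-------------
10 4.69.139.193
22 74.119.77.19
8 193.251.132.237
9 193.251.247.30
21 204.15.20.57
Target reached.
"""
TRACEROUTE_OUT = """ 8  tengige1-6-1-0.pastr1.Paris.opentransit.net (193.251.132.249)  44.758 ms tengige1-6-4-0.pastr1.Paris.opentransit.net (193.251.132.221)  47.587 ms
 9  193.251.247.30 (193.251.247.30)  49.100 ms  49.215 ms  49.996 ms
10  ae-33-51.ebr1.Paris1.Level3.net (4.69.139.193)  52.868 ms  54.382 ms  54.497 ms
21  ae7.br02.snc1.tfbnw.net (204.15.21.171)  211.572 ms ae7.br01.snc1.tfbnw.net (204.15.20.57)  206.579 ms
22  * * *
23  * * *
"""
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def parse_0trace(text):
    """Hop number -> responding IP, sorted by hop; tolerates unordered output."""
    hops, in_results = {}, False
    for line in text.splitlines():
        if line.startswith("TRACE RESULTS"):
            in_results = True
            continue
        m = re.fullmatch(r"(\d+)\s+(" + IPV4 + ")", line.strip())
        if in_results and m:
            hops[int(m.group(1))] = m.group(2)
    return dict(sorted(hops.items()))

def parse_traceroute(text):
    """Hop number -> set of IPs reported (empty set for a '* * *' row)."""
    hops = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(.*)", line)
        if m:
            hops[int(m.group(1))] = set(re.findall(r"\((" + IPV4 + r")\)", m.group(2)))
    return hops

def hops_behind_filter(ztrace, tracert):
    """Hops 0trace resolved where traceroute got no reply at all ('* * *')."""
    return {t: ip for t, ip in ztrace.items() if not tracert.get(t)}

def differing_hops(ztrace, tracert):
    """Hops where 0trace's address is absent from traceroute's answers."""
    return {t: ip for t, ip in ztrace.items() if ip not in tracert.get(t, set())}
```

Differences at hops that traceroute did answer (hop 8 in the sample) usually reflect load-balanced routers on parallel paths rather than filtering; only hops where traceroute saw nothing are information gained through the firewall.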


Links

http://lcamtuf.coredump.cx/soft/0trace.tgz