Discovered a neat little reconnaissance tool today. It’s called intrace. Unlike the traditional UDP traceroute application, this one uses TCP to get a better trace.
A traditional traceroute sends UDP segments towards the destination. Each UDP segment is encapsulated in an IP packet, and the IP header has a field called Time To Live (TTL). The first transmission has a TTL value of 1. The first-hop router that receives this packet decrements the TTL by 1; since the TTL has now expired, the router discards the packet instead of forwarding it. This mechanism is what keeps a network or internetwork loop-free. When it discards the packet, a properly configured router uses the Internet Control Message Protocol (ICMP) to send an answer back to our machine saying TTL Expired. This is crucial for our trace, because the source IP of that response is the router's own address, so the first IP address in the trace has been found. The TTL is then increased to 2 and the procedure repeats until we reach the destination. When the destination machine receives the UDP segment, it responds with an ICMP message saying destination port unreachable, because no application is listening on that port. This final step tells us that the trace is complete.
Now, firewalls often have rules that block incoming traffic, be it UDP or TCP. Why let traffic through that doesn't belong in the network? Our UDP trace goes to some random destination port number that is not allowed by the firewall ruleset. When tracing a destination that's behind a firewall, the last hop according to our trace will therefore probably be either the hop before the firewall or the firewall itself.
This is where intrace comes in. If you're trying to trace the route to a web server, for example, you first have to establish a TCP connection to port 80 (usually) with the web server. Since this is legitimate traffic according to the firewall, the connection will be allowed. intrace then uses this legitimate TCP connection to send IP packets to the destination with increasing TTLs, thus tracing behind the firewall all the way to the server. This gives us more information than a traditional traceroute does.
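As an added example (not code from this post or from the intrace tool), here is a detection heuristic a defender could run over packet or flow records: normal packets of an established TCP connection keep a stable IP TTL at any given observation point, whereas a connection carrying an in-connection traceroute shows TTLs that climb one step at a time from a low value. The record format, sample values and thresholds below are constructed assumptions.

```python
"""Flag TCP connections whose packet TTLs walk upward from a low start.

Heuristic (assumption, not an intrace signature published anywhere): in an
established connection the IP TTL seen at a fixed vantage point is constant
(or wobbles by one on a route change). A run of packets in the same
connection whose TTLs go 1, 2, 3, ... is a traceroute riding the connection.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)
Packet = Tuple[str, int, str, int, int, str]  # ... plus ip_ttl and tcp_flags

# Constructed sample capture: one normal session, one session with a route
# wobble (63/64), and one session carrying TTL probes 1..5.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", 51234, "203.0.113.10", 80, 64, "S"),
    ("10.0.0.5", 51234, "203.0.113.10", 80, 64, "A"),
    ("10.0.0.5", 51234, "203.0.113.10", 80, 64, "PA"),
    ("10.0.0.5", 51234, "203.0.113.10", 80, 1, "A"),
    ("10.0.0.5", 51234, "203.0.113.10", 80, 2, "A"),
    ("10.0.0.5", 51234, "203.0.113.10", 80, 3, "A"),
    ("10.0.0.5", 51234, "203.0.113.10", 80, 4, "A"),
    ("10.0.0.5", 51234, "203.0.113.10", 80, 5, "A"),
    ("10.0.0.7", 40001, "203.0.113.10", 80, 64, "S"),
    ("10.0.0.7", 40001, "203.0.113.10", 80, 64, "PA"),
    ("10.0.0.9", 40555, "203.0.113.10", 443, 63, "PA"),
    ("10.0.0.9", 40555, "203.0.113.10", 443, 64, "PA"),
    ("10.0.0.9", 40555, "203.0.113.10", 443, 63, "PA"),
]

def find_ttl_walks(packets: List[Packet], min_len: int = 3,
                   start_max: int = 3) -> Dict[FlowKey, Tuple[int, int]]:
    """Return {flow: (first_ttl, last_ttl)} for every connection containing a
    run of at least min_len packets whose TTLs rise by exactly one per packet
    and whose run starts at or below start_max (the 63/64 wobble never does)."""
    ttls_by_flow: Dict[FlowKey, List[int]] = defaultdict(list)
    for src, sport, dst, dport, ttl, _flags in packets:
        ttls_by_flow[(src, sport, dst, dport)].append(ttl)
    hits: Dict[FlowKey, Tuple[int, int]] = {}
    for flow, ttls in ttls_by_flow.items():
        run_start = 0
        for i in range(1, len(ttls) + 1):          # i == len closes the last run
            if i == len(ttls) or ttls[i] != ttls[i - 1] + 1:
                run = ttls[run_start:i]
                if len(run) >= min_len and run[0] <= start_max:
                    hits[flow] = (run[0], run[-1])
                    break
                run_start = i
    return hits

if __name__ == "__main__":
    for flow, (lo, hi) in find_ttl_walks(SAMPLE_PACKETS).items():
        print(f"TTL walk {lo}->{hi} inside connection {flow}")
```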
A good mitigation technique for firewalls would be to block egress ICMP TTL expired messages. Correct me if I'm wrong, but I think that will do it without breaking anything else.