Updated Jul 3, 2011 by robert.s...@gmail.com

What is that?

InTrace is a traceroute-like application that enumerates IP hops by exploiting existing TCP connections, whether initiated from the local system or from remote hosts. It can be useful for network reconnaissance and firewall bypassing.

Locally initiated TCP connection

Run intrace:
    # ./intrace -h www.freescale.com
    InTrace 1.4.3 -- R: 192.88.156.10/0 (0) L: 0.0.0.0/0
    Payload Size: 1 bytes, Seq: 0x00000000, Ack: 0x00000000
    Status: Sniffing for connection packets

Establish a TCP connection:

    localhost$ nc www.freescale.com 80
    GET / HTTP/1.0

Take a look at the InTrace output:
    InTrace 1.4.3 -- R: 192.88.156.10/80 (0) L: 194.55.39.1/50049
    Payload Size: 1 bytes, Seq: 0xede67714, Ack: 0x8164047b
    Status: Press ENTER

Do as it says!.. ;)
      #  [src addr]         [icmp src addr]    [pkt type]
     1.  [194.55.39.1    ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     2.  [194.29.3.254   ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     3.  [62.179.116.149 ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     4.  [213.46.171.42  ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     5.  [89.149.182.49  ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     6.  [77.67.94.74    ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     7.  [69.25.168.65   ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     8.  [69.25.127.90   ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
     9.  [192.88.158.250 ]  [192.88.156.10  ]  [ICMP_TIMXCEED]
    10.  [192.88.156.10  ]  [192.88.156.10  ]  [ICMP_TIMXCEED NAT]
    11.  [192.88.156.10  ]  [      ***      ]  [TCP]

And so we discovered a NAT appliance at IP 192.88.156.10.

Another try, this time with www.paypal.com -> 216.113.188.65/80 TCP, reveals details of PayPal's internal network structure:
     1.    217.17.45.185     [ICMP TTL-EXCEEDED]
     2.    193.111.37.5      [ICMP TTL-EXCEEDED]
     3.    212.73.253.129    [ICMP TTL-EXCEEDED]
     4.         ---             [NO RESPONSE]
     5.    64.159.1.113      [ICMP TTL-EXCEEDED]
     6.    4.68.107.2        [ICMP TTL-EXCEEDED]
     7.    64.156.40.98      [ICMP TTL-EXCEEDED]
     8.    10.1.1.162        [ICMP TTL-EXCEEDED] <-- PayPal's
     9.    10.1.1.110        [ICMP TTL-EXCEEDED] <-- internal
    10.         ---             [NO RESPONSE]    <-- network
    11.    216.113.188.65        [TCP REPLY]

Remotely initiated TCP connection

Take a look at the remotely established TCP connections in your system's TCP tables and pick one (e.g. using netstat):
    localhost# netstat -tanp
    Active Internet connections (servers and established)
    Proto R-Q S-Q Local Address   Foreign Address  State  PID/Program name
    ...
    tcp   0   0  212.76.62.233:22 217.17.34.18:23203 ESTABLISHED 6321/sshd
    ...

Run InTrace ...
    localhost# ./intrace -i eth0 -h 217.17.34.18

... wait for a couple of packets (being exchanged within that connection), then press ENTER.
    InTrace 1.2 (C)2007 Robert Swiecki <robert@swiecki.net>
    R: 217.17.34.18/ANY (23203)  L: 212.76.62.233/22
    Last rcvd SEQ: 209707007, ACK: 29305148
    Press ENTER to start sending packets

     1.    212.76.43.254     [ICMP TTL-EXCEEDED]
     2.         ---             [NO RESPONSE]
     3.         ---             [NO RESPONSE]
     4.    212.76.35.50      [ICMP TTL-EXCEEDED]
     5.    212.76.35.25      [ICMP TTL-EXCEEDED]
     6.    195.85.195.8      [ICMP TTL-EXCEEDED]
     7.    85.232.232.65     [ICMP TTL-EXCEEDED]
     8.    85.232.232.62     [ICMP TTL-EXCEEDED]
     9.    217.17.34.18      [ICMP TTL-EXCEEDED]  [NAT]
    10.         ---             [NO RESPONSE]
    11.    217.17.34.18          [TCP REPLY]

So we've discovered that the TCP connection is actually initiated from behind a NAT appliance (hop 9), and that there is one more IP hop behind it (hop 10), which unfortunately does not respond with an ICMP time-exceeded packet.
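Both walkthroughs above have the same shape on the wire: the probes reuse a live connection's addresses, ports and SEQ/ACK and vary only the IP TTL, and the hops that answer reveal themselves with ICMP time-exceeded messages, including, in the PayPal trace, routers with RFC 1918 addresses answering an outside host. The following is an added example written for this page, not InTrace project code, showing how a defender would spot both signatures in captured traffic. The record layouts (TcpPacket, IcmpTimeExceeded) and all sample packets are constructed for the example; the thresholds min_probes and ttl_ceiling are assumptions you would tune to your network.

```python
"""Defender-side detection of InTrace-style TTL-stepping (added example,
not part of InTrace). Two checks:

1. find_ttl_stepping: one established flow repeating a single SEQ/ACK pair
   while the TTL climbs 1, 2, 3, ... well below any host's normal TTL.
2. find_leaking_private_hops: ICMP Time Exceeded messages sent by RFC 1918
   addresses to non-RFC 1918 hosts, i.e. internal routers revealing
   themselves to an outside prober (what hops 8-9 of the PayPal trace show).

All packet records below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class TcpPacket:          # hypothetical flow record, e.g. decoded from a pcap
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    ttl: int
    seq: int
    ack: int


@dataclass(frozen=True)
class IcmpTimeExceeded:   # hypothetical record of an ICMP type 11 message
    ts: float
    src: str   # router that generated the message
    dst: str   # host whose packet expired, i.e. the prober


def is_rfc1918(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def find_ttl_stepping(packets, min_probes=3, ttl_ceiling=32):
    """Return {(src, sport, dst, dport): [ttl, ...]} for flows carrying a
    probe run: >= min_probes packets with identical SEQ/ACK whose TTLs are
    all <= ttl_ceiling and strictly increasing in time order.

    The probes copy the SEQ/ACK of a real segment, so legitimate packets and
    retransmissions share the group; they are excluded by the TTL ceiling
    because a real host keeps its fixed TTL (64, 128, ...) on every copy.
    """
    groups = defaultdict(list)
    for p in packets:
        groups[((p.src, p.sport, p.dst, p.dport), p.seq, p.ack)].append(p)

    findings = {}
    for (flow, _seq, _ack), pkts in groups.items():
        low = sorted((p.ts, p.ttl) for p in pkts if p.ttl <= ttl_ceiling)
        ttls = [t for _, t in low]
        if (len(ttls) >= min_probes
                and all(b > a for a, b in zip(ttls, ttls[1:]))):
            findings[flow] = ttls
    return findings


def find_leaking_private_hops(messages):
    """ICMP Time Exceeded from an RFC 1918 source to a non-RFC 1918 host.
    An egress filter dropping ICMP type 11 from private sources is the
    control that makes such hops show up as [NO RESPONSE] instead."""
    return [m for m in messages if is_rfc1918(m.src) and not is_rfc1918(m.dst)]


def sample_tcp_packets():
    """Constructed capture: a normal exchange, two retransmissions of the
    same segment, then six TTL-stepped probes reusing that segment's
    SEQ/ACK (TEST-NET addresses, constructed sequence numbers)."""
    c, s = "198.51.100.7", "203.0.113.5"
    pkts = [
        TcpPacket(0.00, c, s, 51000, 443, 64, 0x1000, 0x0000),
        TcpPacket(0.01, s, c, 443, 51000, 52, 0x5000, 0x1001),
        TcpPacket(0.02, c, s, 51000, 443, 64, 0x1001, 0x5001),
        # retransmissions: same SEQ/ACK, TTL stays at the host's 64
        TcpPacket(0.20, c, s, 51000, 443, 64, 0x1001, 0x5001),
        TcpPacket(0.40, c, s, 51000, 443, 64, 0x1001, 0x5001),
    ]
    pkts += [TcpPacket(1.0 + i, c, s, 51000, 443, i, 0x1001, 0x5001)
             for i in range(1, 7)]
    return pkts


def sample_icmp_messages():
    """Constructed ICMP records: a public router, an internal router
    answering an outside host, and internal-to-internal traffic."""
    return [
        IcmpTimeExceeded(1.0, "198.51.100.1", "203.0.113.9"),
        IcmpTimeExceeded(1.1, "10.20.30.1", "203.0.113.9"),
        IcmpTimeExceeded(1.2, "172.16.4.1", "172.16.9.50"),
    ]


if __name__ == "__main__":
    for flow, ttls in find_ttl_stepping(sample_tcp_packets()).items():
        print("TTL-stepping probes on", flow, "TTLs:", ttls)
    for m in find_leaking_private_hops(sample_icmp_messages()):
        print("internal hop", m.src, "answered external host", m.dst)
```

On the constructed capture the first check reports the client-to-server flow with TTLs 1 through 6 and ignores the two retransmissions, while the second flags only the 10.20.30.1 router. The TTL ceiling is what separates probes from ordinary duplicates: a real host never lowers its TTL between copies of the same segment, so a strictly increasing run of small TTLs on one SEQ/ACK pair has no benign explanation.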

Feedback

If you have any suggestions or comments, don't hesitate to contact! The address is: Robert Swiecki <robert@swiecki.net>

Credits

Michal Zalewski <lcamtuf@dione.ids.pl> (http://lcamtuf.coredump.cx) - initial concept and the first implementation. http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0145.html
Comment by project member rafaelal...@gmail.com, May 1, 2010

Hello! How can I join your project?

Comment by mycrazyd...@gmail.com, Aug 6, 2010

    LOCAL:intrace-1.4.3 bransom$ make -f Makefile
    CC debug.c
    In file included from ./intrace.h:54,
                     from debug.c:35:
    ./listener.h:25: error: field ‘icmph’ has incomplete type
    make: [debug.o] Error 1

Comment by project member robert.s...@gmail.com, Aug 24, 2010

@mycrazydream - I'd need more data to resolve this, OS version, gcc version, glibc version would be good for the beginning

Comment by nishan...@gmail.com, Feb 4, 2011

    nishant@ubuntu:~/intrace$ ./intrace -h www.google.com
    InTrace, version 1.4.3 (C)2007-2009 Robert Swiecki <robert@swiecki.net>
    2011/02/04 00:58:33.188671 <ERROR> listener: Cannot open raw TCP socket, 'Operation not permitted'
    2011/02/04 00:58:33.188785 <FATAL> threads: Listener initialization failed, err=-21

please help me on this.

Comment by nishan...@gmail.com, Feb 4, 2011

When i logged in as root i am able to run. But i am not getting any response from the process.

    InTrace 1.4.3 -- R: 74.125.227.16/0 (0) L: 0.0.0.0/0
    Payload Size: 1 bytes, Seq: 0x00000000, Ack: 0x00000000
    Status: Sniffing for connection packets

      #  [src addr]         [icmp src addr]    [pkt type]

Comment by project member robert.s...@gmail.com, Feb 11, 2011

Just an update on nishantmc's problem. He was doing intrace -h www.google.com

and then opening http://www.google.com in the browser, but www.google.com resolves to many IPs, so it's better to use IP address in both cases.

Comment by houcem.h...@gmail.com, Mar 10, 2011

Nice. But what is the added value of intrace comparing to tcptraceroute?

Comment by project member robert.s...@gmail.com, Mar 27, 2011

@nishant - You need root permissions to open RAW sockets.

@houcem - Basically, stateful firewalls might reject simple probing based on sending TCP packets which do not belong to any previously established connection. intrace uses existing connections (for which firewalls have a 'state' recorded), thus increasing the possibility of succeeding in such task.

Comment by nishan...@gmail.com, May 19, 2011

I logged in as root and tried a particular IP of google.com (74.125.227.17). I am getting a response like this.

    InTrace 1.4.3 -- R: 74.125.227.17/80 (0) L: 192.168.224.156/54569
    Payload Size: 1 bytes, Seq: 0x791a595d, Ack: 0xeb7e766e
    Status: Press ENTER

      #  [src addr]         [icmp src addr]    [pkt type]
     1.  [192.168.224.2  ]  [74.125.227.17  ]  [ICMP_TIMXCEED]
     2.  [74.125.227.17  ]  [      ***      ]  [TCP]

This should end with the tcp reply but it is not.

When I tried traceroute on this IP:

    traceroute to 74.125.227.17 (74.125.227.17), 30 hops max, 60 byte packets
     1  192.168.224.2 (192.168.224.2)  0.389 ms  0.197 ms  0.253 ms
     2 3 4 5 6 7

Could you please give your comments on this? I am using Ubuntu through VMware.

    root@ubuntu:/home/nishant/intra# cat /proc/version
    Linux version 2.6.32-24-generic (buildd@rothera) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) ) #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010

Comment by njohnson...@gmail.com, May 22, 2011

This is great!

Comment by project member robert.s...@gmail.com, Jun 7, 2011

@nishant - It's always best to use a public IP for such tests, simply because your NAT device can mangle the outgoing packets: it changes the source IP address and might interfere with other IP/TCP fields.

For me it looks like:

    InTrace 1.4.3 -- R: 74.125.57.33/33707 (0) L: removed_for_privacy_reasons/22
    Payload Size: 1 bytes, Seq: 0xf836db46, Ack: 0x9d53f303
    Status: Press ENTER

      #  [src addr]         [icmp src addr]    [pkt type]
     1.  removed_for_privacy_reasons
     2.  [94.103.96.3    ]  [74.125.57.33   ]  [ICMP_TIMXCEED]
     3.  [62.179.116.149 ]  [74.125.57.33   ]  [ICMP_TIMXCEED]
     4.  [74.125.49.101  ]  [74.125.57.33   ]  [ICMP_TIMXCEED]
     5.  [      ***      ]  [      ***      ]  [NO REPLY]
     6.  [74.125.57.33   ]  [74.125.57.33   ]  [ICMP_TIMXCEED NAT]
     7.  [74.125.57.33   ]  [      ***      ]  [TCP]

Comment by thomas.t...@gmail.com, Nov 14, 2011

Xcode 4.0.2 /w gcc 4.2.1 doesn't work.

    Target: i686-apple-darwin10
    Configured with: /var/tmp/gcc/gcc-5666.3~123/src/configure --disable-checking --enable-werror --prefix=/usr --mandir=/share/man --enable-languages=c,objc,c++,obj-c++ --program-transform-name=/[cg][.-]$/s/$/-4.2/ --with-slibdir=/usr/lib --build=i686-apple-darwin10 --program-prefix=i686-apple-darwin10- --host=x86_64-apple-darwin10 --target=i686-apple-darwin10 --with-gxx-include-dir=/include/c++/4.2.1
    Thread model: posix
    gcc version 4.2.1 (Apple Inc. build 5666) (dot 3)

Comment by project member robert.s...@gmail.com, Nov 16, 2011

This won't work with anything but Linux; it uses quite quirky sockets, and I'm not sure whether they exist/work the same way on BSD UNIX flavors.

Comment by n4th4nr...@gmail.com, Feb 12, 2012

I am also wondering what does this do that tcptraceroute doesn't already do?

Comment by azi...@gmail.com, Feb 12, 2012

Can you give one working IP example? Because for me this doesn't work everywhere...

Comment by project member robert.s...@gmail.com, Mar 9, 2012

> I am also wondering what does this do that tcptraceroute doesn't already do?

> Can you give 1 working IP example? Because for me this don't work everywhere...

It can traceroute back on connections initiated "from within a firewalled network", where ICMP packets are usually allowed as part of the (already established) TCP stream.

In the case of locally initiated connections (what tcptraceroute does), we usually cannot connect to some corporate firewalled/NAT-ed networks.

But sometimes it works better than tcptraceroute even with locally initiated connections. Back in the day it was PayPal; now I would have to check a few networks.

