intrace - Piggyback Your Traceroute
Introduction
If you've ever used a computer before, and you're at all interested in security or hacking, I'm going to take a wild guess and assume you've used traceroute/tracert. If you haven't, you really need to go back to basics and start again. Just in case, in the words of Wikipedia, traceroute is this:
traceroute is a computer network tool used to show the route taken by packets across an IP network. An IPv6 variant, traceroute6, is also widely available.
The traceroute tool is available on practically all Unix-like operating systems. Variants with similar functionality are also available, such as tracepath on modern Linux installations and tracert on Microsoft Windows operating systems.
-http://en.wikipedia.org/wiki/Traceroute
In a penetration test, it's useful for determining which boxes a packet passes through on the way to a destination, and therefore can help you map the internal network structure of an organization (and so find further possible targets). Sometimes, however, a firewall will block your traceroute probes, or the output simply doesn't give you enough information. Enter "intrace", a program by Robert Święcki, an Information Security Engineer at Google. The difference between traceroute and intrace is that intrace makes use of an existing TCP connection: it sniffs that connection to learn its addresses, ports and sequence/acknowledgement numbers, then sends TTL-limited TCP segments that look like part of the same connection and listens for the ICMP Time Exceeded replies from each hop. Because the probes belong to an established flow the firewall has already allowed, rules that drop traceroute's UDP or ICMP echo probes will usually let them through, and what you get back is the path the real connection takes, which is quite often more internal detail than you expected. Two things it can't get around: intrace has to see the connection's packets (run it as root on the host that owns the connection, or on one that can sniff it), and the ICMP Time Exceeded messages still have to make it back to you, so a hop that drops or rate-limits those still shows up as ***.
Usage
In terms of usage, it's actually relatively simple. Download a copy of the source from the Google Project Page, and extract it on your Linux/Unix box:
tar xfz intrace-1.4.3.tgz
Then "cd" into the directory and type "make". Next up is the actual command line to run it, which is also simple. Type this:
sudo ./intrace -h paypal.com -p 80
Obviously, substitute the host you need to test for "paypal.com"; I use PayPal in this example because it has been used as the example before. Likewise, "-p 80" can be changed to any port, depending on the service you want to piggyback on (such as 21 for FTP or 22 for SSH), as long as you can actually open a connection to it. intrace now sits waiting for a connection to that host and port, so you need to initiate one yourself to give it something to ride on. The easiest way is with "netcat". In a second terminal, type this:
nc paypal.com 80
That opens a connection to PayPal on port 80. Head back to your "intrace" window, press Enter, and watch the magic happen. If you don't like netcat, just visit paypal.com in your web browser of choice; any TCP connection to that host and port will do. You should see output like this (IPs have been censored where applicable to protect privacy). The first column is the hop that answered, the second is the destination of the probe that hop's ICMP message is reporting on (i.e. the target), and the final row is the target itself answering over TCP rather than with an ICMP error:
InTrace 1.4.3 -- R: 66.211.169.3/80 (80) L: xxx.xxx.xxx.xxx/45814
Payload Size: 1 bytes, Seq: 0xf5f1548d, Ack: 0xf30efa5d
Status: Press ENTER
# [src addr] [icmp src addr] [pkt type]
1. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
2. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
3. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
4. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
5. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
6. [xxx.xxx.xxx.xxx ] [66.211.169.3 ] [ICMP_TIMXCEED]
7. [4.53.208.13 ] [66.211.169.3 ] [ICMP_TIMXCEED]
8. [4.68.18.126 ] [66.211.169.3 ] [ICMP_TIMXCEED]
9. [4.69.134.213 ] [66.211.169.3 ] [ICMP_TIMXCEED]
10. [4.69.132.58 ] [66.211.169.3 ] [ICMP_TIMXCEED]
11. [ *** ] [ *** ] [ICMP_TIMXCEED]
12. [4.53.1.58 ] [66.211.169.3 ] [ICMP_TIMXCEED]
13. [xxx.1.0.186 ] [66.211.169.3 ] [ICMP_TIMXCEED]
14. [xxx.128.2.105 ] [66.211.169.3 ] [ICMP_TIMXCEED]
15. [xxx.14.0.254 ] [66.211.169.3 ] [ICMP_TIMXCEED]
16. [66.211.169.3 ] [ *** ] [TCP]
Compare this with a standard traceroute of the same host, which never reaches the destination (IPs censored as above). Note also hops 8 and 11, where traceroute reports several different Level3 interfaces in one line: its three probes per hop are spread across parallel links by per-flow load balancing, whereas intrace's probes carry the connection's own addresses and ports and so follow the single path the real connection takes.
user@box:~/Tools/Information Gathering/Traceroute Like/intrace$ traceroute paypal.com
traceroute to paypal.com (66.211.169.3), 30 hops max, 60 byte packets
1 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.179 ms 0.125 ms 0.137 ms
2 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.467 ms 1.198 ms 0.916 ms
3 xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx) 0.570 ms 0.394 ms 0.550 ms
4 host1 (xxx.xxx.xxx.xxx) 0.485 ms 0.495 ms 0.493 ms
5 host2 (xxx.xxx.xxx.xxx) 0.482 ms 0.498 ms 0.489 ms
6 host3 (xxx.xxx.xxx.xxx) 0.448 ms 1.432 ms *
7 xe-7-0-0.edge1.SanJose3.Level3.net (4.53.208.13) 217.897 ms 217.926 ms 217.920 ms
8 vlan69.csw1.SanJose1.Level3.net (4.68.18.62) 223.946 ms 223.859 ms vlan89.csw3.SanJose1.Level3.net (4.68.18.190) 218.459 ms
9 ae-72-72.ebr2.SanJose1.Level3.net (4.69.134.213) 228.414 ms 228.437 ms 228.588 ms
10 ae-3-3.ebr1.Denver1.Level3.net (4.69.132.58) 248.427 ms 248.445 ms 248.422 ms
11 ae-11-53.car1.Denver1.Level3.net (4.68.107.70) 244.703 ms ae-11-51.car1.Denver1.Level3.net (4.68.107.6) 245.007 ms ae-11-55.car1.Denver1.Level3.net (4.68.107.134) 244.836 ms
12 EBAY-INC.car1.Denver1.Level3.net (4.53.1.58) 246.131 ms 245.800 ms 245.803 ms
13 xxx.1.0.186 (xxx.1.0.186) 245.779 ms 246.058 ms 246.036 ms
14 xxx.128.2.105 (xxx.128.2.105) 241.460 ms 241.386 ms 241.321 ms
15 xxx.14.0.250 (xxx.14.0.250) 241.625 ms 241.403 ms 241.367 ms
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
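To make the mechanism behind the intrace table concrete, here is an added example (my own Python, not intrace's code) that builds the kind of probe intrace sends and decodes the replies into the same three columns. It constructs a PSH|ACK segment carrying the connection's 4-tuple and the sniffed SEQ/ACK numbers, a one-byte payload and a small TTL, then simulates both the ICMP Time Exceeded a router returns when that TTL expires and the plain TCP answer from the destination, and filters replies so that only those quoting our own connection are counted. The addresses, the simulated routers and the choice to store the TTL in the IP identification field are assumptions made for this example; putting the probes on the wire for real would additionally need a raw socket and a packet sniffer, which are deliberately left out so that it runs offline.

```python
import socket
import struct

ICMP_TIME_EXCEEDED = 11      # ICMP type 11, code 0: TTL expired in transit
PROTO_ICMP, PROTO_TCP = 1, 6


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words (IP, TCP and ICMP all use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, ttl, payload=b"\x00"):
    """Build an IPv4/TCP segment (PSH|ACK) belonging to an existing connection.
    With a small ttl this is the piggybacked probe: same 4-tuple, the sniffed
    SEQ/ACK and one byte of payload (cf. 'Payload Size: 1 bytes' above). The IP
    identification field is set to the TTL so a reply can be matched to the
    probe that triggered it; that is this example's convention, not intrace's."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, 0x18, 65535, 0, 0)          # data offset 5 words, PSH|ACK
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, PROTO_TCP, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ttl, 0, ttl, PROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def time_exceeded_from(router, probe):
    """What a router sends back when the probe's TTL reaches zero: an ICMP Time
    Exceeded addressed to the probe's source, quoting the probe's IP header plus
    the first 8 bytes after it (RFC 792), which covers the TCP ports and SEQ.
    Constructed here so the parser can be exercised without a network."""
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, 0, 0, 0) + probe[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     PROTO_ICMP, 0, socket.inet_aton(router), probe[12:16])
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + icmp


def classify_reply(packet, sport, dport, remote):
    """Decode one inbound packet into a row shaped like intrace's table:
    (src addr, quoted dst addr, pkt type, probe ttl). Packets that do not belong
    to our connection (other ports, another destination, bad checksum) give
    None, so stray ICMP from unrelated traffic never lands in the trace."""
    ihl = (packet[0] & 0x0F) * 4
    proto, src = packet[9], socket.inet_ntoa(packet[12:16])
    if proto == PROTO_TCP:
        r_sport, r_dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if src == remote and (r_sport, r_dport) == (dport, sport):
            return (src, None, "TCP", None)          # the destination answered in-stream
        return None
    if proto != PROTO_ICMP:
        return None
    icmp = packet[ihl:]
    if icmp[0] != ICMP_TIME_EXCEEDED or checksum(icmp) != 0:
        return None
    quoted = icmp[8:]                                # our own probe, as the router saw it
    q_ihl = (quoted[0] & 0x0F) * 4
    q_id = struct.unpack("!H", quoted[4:6])[0]
    q_dst = socket.inet_ntoa(quoted[16:20])
    q_sport, q_dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    if (q_sport, q_dport, q_dst) != (sport, dport, remote):
        return None
    return (src, q_dst, "ICMP_TIMXCEED", q_id)


def trace_offline():
    """Walk a constructed path: three routers expire the probe in turn, then the
    destination itself replies over TCP. All addresses here are made up."""
    src, remote, sport, dport = "192.0.2.10", "66.211.169.3", 45814, 80
    seq, ack = 0xF5F1548D, 0xF30EFA5D                # the SEQ/ACK shown in the output above
    routers = ["192.0.2.1", "4.53.208.13", "4.68.18.126"]
    rows = []
    for ttl in range(1, len(routers) + 2):
        probe = build_segment(src, remote, sport, dport, seq, ack, ttl)
        if ttl <= len(routers):
            reply = time_exceeded_from(routers[ttl - 1], probe)
        else:   # TTL large enough: the remote host sees the segment and ACKs it
            reply = build_segment(remote, src, dport, sport, ack, seq + 1, 64, b"")
        rows.append(classify_reply(reply, sport, dport, remote))
    return rows


if __name__ == "__main__":
    for hop, row in enumerate(trace_offline(), 1):
        print("%2d. %s" % (hop, row))
```

Running it prints four rows in the same shape as the intrace table: three ICMP_TIMXCEED rows naming the simulated routers, each quoting 66.211.169.3 as the probe's destination, and a final TCP row from the target. The filtering in classify_reply is the part worth copying into anything you build on this idea: on a busy host you will receive Time Exceeded messages for other people's packets too, and only the ones that quote your connection's ports and destination belong in your trace.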
Real World Application
Real world application is pretty simple with this one - you take a destination you know you have access too (such as the clients web page, FTP, or SSH) and you run intrace to see if it provides more info about a network for you. Enjoy. As always, only use this tool in ways that you are legally licensed too (i.e., during a legal penetration test, or in your own home network or lab) and never use it to perform anything illegal. Thanks.