0trace.py

Description

0trace.py is a python port of Michal Zalewski's 0trace hop enumeration tool. 0trace was originally announced on Bugtraq on January 6th:

I'd like to announce the availability of a free security reconnaissance /
firewall bypassing tool called 0trace. This tool enables the user to
perform hop enumeration ("traceroute") within an established TCP
connection, such as a HTTP or SMTP session. This is opposed to sending
stray packets, as traceroute-type tools usually do.

The important benefit of using an established connection and matching TCP
packets to send a TTL-based probe is that such traffic is happily allowed
through by many stateful firewalls and other defenses without further
inspection (since it is related to an entry in the connection table).

Dependencies

Download

Example Run

  • Open a TCP connection - telnet 66.135.192.87 80
  • Start 0trace.py - ./0trace.py eth0 66.135.192.87 80
  • Initiate some TCP activity in telnet session - GET / HTTP/1.0
[+] Waiting for traffic from target on eth0...
[+] Traffic acquired, waiting for a gap...
[+] Target acquired: 192.168.0.10:54403 -> 66.135.192.87:80 (3736223256/873025975)
[+] Setting up a sniffer...
[+] Sending probes...

TRACE RESULTS
-------------
1 192.168.0.1
3 68.87.187.29
4 68.87.190.161
5 68.87.190.157
6 68.87.190.153
7 68.87.190.149
8 68.87.190.145
9 68.87.190.141
10 68.87.191.145
11 12.116.11.101
12 12.123.139.150
13 12.122.10.134
14 12.123.4.249
15 192.205.33.158
16 144.232.20.20
17 144.232.26.109
18 144.232.20.161
19 144.232.15.142
20 144.232.20.141
21 144.232.20.113
22 144.232.0.250
23 144.228.110.122
24 66.135.207.186
Target reached.

Copyright © 2015 - Jon Oberheide <jon at oberheide dot org>.