Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Nessus-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: tcp-traceroute

from [Renaud Deraison] Network Security [Permanent Link]
Subject: Re: tcp-traceroute
Date: Tue, 26 Oct 2004 10:53:58 -0400 
On Tue, Oct 26, 2004 at 04:37:47PM +0200, Thomas Springer wrote:

Renaud,

first of all, thanks for Nessus as it is - I like it and I use it.


All kind of traceroute (tcp or udp) is an icmp traceroute in the end -
the very basis of traceroute is to receive an ICMP unreach message from
the gateways on the way. So if a firewall on the way decides to block all


TCP-Traceroute is different! It uses TCP-SYN-Packets an doesn't rely 
on ICMP unreachable. Therefore it gets often behind firewalls that 
Block ICMP-Packets. 


Errr.... According to the source code (that I admit having looked at
very quickly) it seems to send a TCP probe, but still expects an ICMP
unreach in return.

Run tcpdump while the tcptraceroute is going on :

# tcpdump -ln 'icmp and ( icmp[0] = 3 or icmp[0] = 11)'

You'll see the time exceeded in transit error messages popping up.

[...]

See the difference?
Many firewalled hosts respond with natted adresses or at least more 
detailed routing when queried with tcptraceroute.


Yes, because the probe can go further since it's TCP based. However the
reply is still ICMP based. 
Don't get me wrong - TCP probes are definitely better than UDP probes.


After having a look at the plugin i'm even more confused:
It does tcp, udp and icmp, but
    it stops after the first successful trace


Yes. Because they're in order of likely success.


    it doesn't tell wich trace was successful


This is correct. We could improve that.


    it has no port-management for tcptrace.


It uses get_host_open_port() which returns a port which is _known_ to be
open on the remote host. If there's no known open port, we fall back to
port 80.


This seems unperfect.
what i'd love to see would be
1) the result of an (even incomplete) icmp-trace, labeled as ICMP-Trace
2) the result of a tcp-trace to at least one open port on the host 
(based on the portscan-results rather than the actual fixed 
"if(!dport)dport = 80;", labeled as "tcp-trace to port xx".
3) the result of a udp-trace to at least one open port on the (based 
on portscan-results oder fixed to dns/ntp/snmp/iskamp) labeled as such
4) finally a notification if the traces differ


So you want 3 traceroutes instead of one. It's not something I'm really
interested in doing but if someone volunteers and produces a plugin
whose execution time is still reasonable, I'll be happy to commit it.

                                -- Renaud
_______________________________________________
Nessus mailing list
Nessus@list.nessus.org
http://mail.nessus.org/mailman/listinfo/nessus
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: tcp-traceroute, Thomas Springer
Next by Date:  Nessus doesn't DNS resolve, OBrien, Edward
Previous by Thread:  Re: tcp-traceroute, Thomas Springer
Next by Thread:  Re: tcp-traceroute, Michel Arboi
Indexes:  [Date] [Thread] [Top] [All Lists]