Thursday, May 6, 2010

Layer Four Traceroute


Layer Four Traceroute (lft) http://pwhois.org/lft

If you are using the one bundled with your distro you are probably missing out some of the more interesting and new features.

From the site:

"LFT, short for Layer Four Traceroute, is a sort of 'traceroute' that often works much faster (than the commonly-used Van Jacobson method) and goes through many configurations of packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups through several reliable sources, loose source routing, netblock name lookups, et al. What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method."

Its been useful for me to locate more systems between me and the target host as well as identifying gateways/web firewalls that organization's send all (or some)web traffic through.

It also handy that you can throw it some switches to show the AS and network routes with the scan as well.

Old Traceroute:

cg@meh:~/evil/lft-3.1$ traceroute www.microsoft.com
traceroute to www.microsoft.com (65.55.21.250), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 4.681 ms 5.794 ms 14.193 ms
2-8 Local Stuff

9 pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 35.743 ms 36.391 ms 37.102 ms

10 as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 173.747 ms 174.136 ms 175.054 ms

11 209.240.199.162 (209.240.199.162) 32.762 ms 33.703 ms 37.096 ms

12 ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 17.652 ms 28.151 ms 24.033 ms

13 ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 24.864 ms 25.951 ms 26.485 ms

14 ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 109.384 ms 109.615 ms 110.180 ms

15 ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 106.607 ms 107.401 ms 110.382 ms

16 207.46.46.92 (207.46.46.92) 112.458 ms 118.682 ms 106.207 ms

17 10.22.8.14 (10.22.8.14) 107.323 ms 107.552 ms 107.789 ms
18 * * *

19 * * *

20 * * *

21 * * *

22 * * *
23 * * *
24 * * *
25 * * *
26 * * *

27 * * *

28 * * *

29 * * *
30 * * *


Layer Four Traceroute

cg@meh:~/evil/lft-3.1$ sudo lft -rNS www.microsoft.com -d 80
TTL LFT trace to 65.55.21.250:80/tcp

1 [33657] [CMCS] 192.168.1.1 2.3/1.5ms
** [neglected] no reply packets received from TTLs
2 through
-8 local stuff
9 [7922] [COMCAST-7922] pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 27.2/26.6ms

10 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 25.9/24.3ms
11 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 209.240.199.162 15.8/24.3ms

12 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 34.1/14.8ms

13 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 16.0/15.9ms

14 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 121.3/98.2ms

15 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 114.1/97.3ms
16 [6067] [ONYX] 207.46.46.92 101.6/99.9ms
17 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 10.22.8.14 99.5/109.5ms

18 [AS?] [Net?] [target open] 65.55.21.250:80 98.5/109.4ms
CG

3 comments:

dre said...

Have you seen the "-E" feature in lft?

CG said...

yeah that post kinda got published before its time... oh well cant rein it in now.

jafar said...

it's really nice
how can we use it to determine the switches we pass through?