- Mastering Kali Linux for Advanced Penetration Testing (Second Edition)
- Vijay Kumar Velu
- 2021-07-02 21:04:21
Mapping the route to the target
Route mapping was originally used as a diagnostic tool that allows you to view the route that an IP packet follows from one host to the next. It relies on the time to live (TTL) field in an IP packet: each router along the path decrements the TTL value by 1, and the router at which it reaches zero discards the packet and returns an ICMP TIME_EXCEEDED message to the sender. By sending packets with successively larger TTL values, the sender counts the number of hops and records the route taken.
From an attacker's – or penetration tester's – perspective, the traceroute data yields the following important data:
- The exact path between the attacker and the target
- Hints pertaining to the network's external topology
- Identification of access control devices (firewalls and packet-filtering routers) that may be filtering attack traffic
- If the network is misconfigured, it may be possible to identify internal addressing
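As an added example (not from the book), here is a small Python parser that reads traceroute output and flags two of the points listed above: hops filtered by access control devices (every probe answered with *) and RFC 1918 addresses that appear after the first public hop, which is what leaked internal addressing looks like. The sample output is constructed, not a real capture, and uses documentation address ranges.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 ranges, checked explicitly rather than via ip.is_private because
# Python also treats the RFC 5737 documentation ranges used below as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "<hop>  <probe results>"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed sample (not a real capture): hop 3 leaks an internal address, hops 4-6 are filtered.
SAMPLE_TRACEROUTE = """\
traceroute to www.example.com (192.0.2.10), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  1.102 ms  1.050 ms  1.011 ms
 2  203.0.113.5 (203.0.113.5)  8.341 ms  8.302 ms  8.270 ms
 3  10.20.30.1 (10.20.30.1)  9.114 ms  9.080 ms  9.050 ms
 4  * * *
 5  * * *
 6  * * *
 7  192.0.2.10 (192.0.2.10)  20.512 ms  20.480 ms  20.450 ms
"""

@dataclass
class Hop:
    number: int
    addresses: list   # distinct responding addresses, in the order seen
    probes_lost: int  # number of '*' probes on this hop
def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def parse_traceroute(text: str) -> list:
    """Turn raw traceroute output into Hop records; header lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            rest = m.group(2)
            seen = list(dict.fromkeys(IPV4_RE.findall(rest)))  # dedupe, keep order
            hops.append(Hop(int(m.group(1)), seen, rest.count("*")))
    return hops

def analyze(hops: list) -> dict:
    """Flag fully filtered hops and RFC 1918 addresses seen after the first public hop."""
    leaked, seen_public = [], False
    for h in hops:
        if seen_public and any(is_rfc1918(a) for a in h.addresses):
            leaked.append(h.number)        # internal addressing exposed (misconfiguration)
        if any(not is_rfc1918(a) for a in h.addresses):
            seen_public = True
    filtered = [h.number for h in hops if not h.addresses]  # every probe answered with '*'
    return {"hop_count": len(hops), "filtered_hops": filtered, "leaked_internal": leaked}
```

Run it over your own traceroute output to see where a filtering device starts dropping probes and whether any internal address ranges are visible from outside.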
In Kali, traceroute is a command-line program that relies on these ICMP replies to map the route; in Windows, the program is tracert.
If you launch traceroute from Kali, it is likely that you will see most hops filtered (data is shown as * * *). For example, traceroute from the author's present location to www.google.com would yield the following:

However, if the same request was run using tracert from the Windows command line, we would see the following:

Not only do we get the complete path, but we can also see that www.google.com is resolving to a slightly different IP address, indicating that load balancers are in effect (you can confirm this using Kali's lbd script; however, this activity may be logged by the target site).
The reason for the different path data is that, by default, traceroute uses UDP datagrams, while Windows tracert uses ICMP echo requests (ICMP type 8). Therefore, when completing a traceroute using Kali tools, it is important to use multiple protocols in order to obtain the most complete path and to bypass packet-filtering devices.
Kali provides the following tools for completing route traces:

hping3 is one of the most useful tools because of the control it gives over the packet type and the source and destination fields. For example, Google does not allow ping requests; however, it is possible to ping the server if you send the packet as a TCP SYN request.
In the following example, the tester attempts to ping Google from the command line. The returned data identifies that www.google.com is an unknown host; Google is clearly blocking ICMP-based ping commands. However, the next command invokes hping3, instructing it to do the following:
- Send a ping-like probe to Google using TCP with the SYN flag set (-S)
- Direct the packet to port 80, since legitimate requests of this type are rarely blocked (-p 80)
- Send three packets to the target (-c 3)
To execute the previous steps, use the commands shown in the following screenshot:

The hping3 command successfully identifies that the target is online, and provides some basic routing information.