[HACK] Tracert and Port 80.

RoMaNSoFt r0man at phreaker.net
Wed Jan 15 13:37:48 CET 2003


On Mon, 13 Jan 2003 12:26:17 -0300, you wrote:

>>  Actually they don't have to be ICMP packets (although that is the
>>usual case). There are implementations that use UDP packets, for
>>instance. The point is that they are IP :-)
>
>Not exactly. The point is that the destination host must omit a reply
>according to the contents of the packet.

 You lost me here. Could you argue that in more detail? What does it
matter whether the _destination_ replies or not? What matters is that
the _intermediate routers_ "reply" to _IP_ packets whose TTL has run
out, and that reply will always come in the form of ICMP "TTL exceeded"
error packets.

 The TTL field is part of the IP header, so it is always present in
every IP packet, regardless of whether that packet "carries" UDP, TCP
or ICMP content. I don't understand your claim.

 Look at a fragment of a capture of a "traceroute www.argo.es":
(ignore the DNS frames / port 53)

goliat:~ # tcpdump -n ip and ! port 22
tcpdump: listening on eth0
17:49:48.273692 192.168.0.200.33396 > 195.5.64.2.53:  15315+ A? www.argo.es. (29) (DF)
17:49:53.276157 192.168.0.200.33397 > 195.5.64.6.53:  15315+ A? www.argo.es. (29) (DF)
17:49:53.548312 195.5.64.6.53 > 192.168.0.200.33397:  15315* 1/4/4 A[|domain]
17:49:53.548838 192.168.0.200.44391 > 62.37.230.2.33435:  udp 12 [ttl 1]
17:49:53.549410 192.168.0.1 > 192.168.0.200: icmp: time exceeded in-transit
17:49:53.549635 192.168.0.200.44391 > 62.37.230.2.33436:  udp 12 [ttl 1]
17:49:53.550267 192.168.0.1 > 192.168.0.200: icmp: time exceeded in-transit
17:49:53.550306 192.168.0.200.44391 > 62.37.230.2.33437:  udp 12 [ttl 1]
17:49:53.550892 192.168.0.1 > 192.168.0.200: icmp: time exceeded in-transit
17:49:53.550933 192.168.0.200.44391 > 62.37.230.2.33438:  udp 12
17:49:53.750883 62.36.208.18 > 192.168.0.200: icmp: time exceeded in-transit
17:49:53.751097 192.168.0.200.33397 > 195.5.64.2.53:  15316+ PTR? 18.208.36.62.in-addr.arpa. (43) (DF)
17:49:54.016406 195.5.64.2.53 > 192.168.0.200.33397:  15316 1/4/3 (227) (DF)
17:49:54.016522 192.168.0.200.44391 > 62.37.230.2.33439:  udp 12
17:49:54.218995 62.36.208.18 > 192.168.0.200: icmp: time exceeded in-transit
17:49:54.219037 192.168.0.200.44391 > 62.37.230.2.33440:  udp 12
17:49:54.417054 62.36.208.18 > 192.168.0.200: icmp: time exceeded in-transit
17:49:54.417097 192.168.0.200.44391 > 62.37.230.2.33441:  udp 12
17:49:54.627171 62.36.208.65 > 192.168.0.200: icmp: time exceeded in-transit [tos 0xc0]
17:49:54.627375 192.168.0.200.33397 > 195.5.64.2.53:  15317+ PTR? 65.208.36.62.in-addr.arpa. (43) (DF)
17:49:54.898399 195.5.64.2.53 > 192.168.0.200.33397:  15317 1/4/3 (231) (DF)
17:49:54.898480 192.168.0.200.44391 > 62.37.230.2.33442:  udp 12
17:49:55.095159 62.36.208.65 > 192.168.0.200: icmp: time exceeded in-transit [tos 0xc0]
17:49:55.095197 192.168.0.200.44391 > 62.37.230.2.33443:  udp 12
17:49:55.299153 62.36.208.65 > 192.168.0.200: icmp: time exceeded in-transit [tos 0xc0]
17:49:55.299196 192.168.0.200.44391 > 62.37.230.2.33444:  udp 12
17:49:55.497029 62.36.208.146 > 192.168.0.200: icmp: time exceeded in-transit [tos 0xc0]
17:49:55.497225 192.168.0.200.33397 > 195.5.64.2.53:  15318+ PTR? 146.208.36.62.in-addr.arpa. (44) (DF)
17:49:55.744519 195.5.64.2.53 > 192.168.0.200.33397:  15318 1/4/3 (232) (DF)
17:49:55.744601 192.168.0.200.44391 > 62.37.230.2.33445:  udp 12
17:49:55.929118 62.36.208.146 > 192.168.0.200: icmp: time exceeded in-transit [tos 0xc0]
17:49:55.929156 192.168.0.200.44391 > 62.37.230.2.33446:  udp 12
17:49:56.127002 62.36.208.146 > 192.168.0.200: icmp: time exceeded in-transit [tos 0xc0]
17:49:56.127060 192.168.0.200.44391 > 62.37.230.2.33447:  udp 12
17:49:56.325195 62.36.204.81 > 192.168.0.200: icmp: time exceeded in-transit
17:49:56.325395 192.168.0.200.33397 > 195.5.64.2.53:  15319+ PTR? 81.204.36.62.in-addr.arpa. (43) (DF)
17:49:56.578414 195.5.64.2.53 > 192.168.0.200.33397:  15319 1/4/3 (230) (DF)
17:49:56.578509 192.168.0.200.44391 > 62.37.230.2.33448:  udp 12
17:49:56.769246 62.36.204.81 > 192.168.0.200: icmp: time exceeded in-transit

 It is a Linux traceroute, and it sends UDP packets with an increasing
TTL, so that each packet sent travels further and reaches a router
farther away from the source, which will emit a TTL exceeded error;
that error is what makes it possible to obtain the information that
traceroute shows us.

 Windows "tracert" does not send UDP packets but ICMP. Observe:

C:\>windump -n
windump: listening on \Device\Packet_{F4D9ED88-1643-4D8C-867E-5DAC63DA0FDC}
17:59:24.166987 0:30:19:68:e1:81 > 1:80:c2:0:0:0 sap 42 ui/C
17:59:24.229685 192.168.0.247 > 62.37.230.2: icmp: echo request [ttl 1]
17:59:24.229747 192.168.0.1 > 192.168.0.247: icmp: time exceeded in-transit
17:59:24.229766 192.168.0.1 > 192.168.0.247: icmp: time exceeded in-transit
17:59:24.230367 192.168.0.247 > 62.37.230.2: icmp: echo request [ttl 1]
17:59:24.230422 192.168.0.1 > 192.168.0.247: icmp: time exceeded in-transit
17:59:24.230435 192.168.0.1 > 192.168.0.247: icmp: time exceeded in-transit
17:59:24.230971 192.168.0.247 > 62.37.230.2: icmp: echo request [ttl 1]
17:59:24.230991 192.168.0.1 > 192.168.0.247: icmp: time exceeded in-transit
17:59:24.231003 192.168.0.1 > 192.168.0.247: icmp: time exceeded in-transit
17:59:25.236392 192.168.0.247 > 62.37.230.2: icmp: echo request
17:59:25.443304 62.36.208.18 > 192.168.0.247: icmp: time exceeded in-transit
17:59:25.443325 62.36.208.18 > 192.168.0.247: icmp: time exceeded in-transit
17:59:25.444131 192.168.0.247 > 62.37.230.2: icmp: echo request
17:59:25.641251 62.36.208.18 > 192.168.0.247: icmp: time exceeded in-transit
17:59:25.641272 62.36.208.18 > 192.168.0.247: icmp: time exceeded in-transit
17:59:25.642038 192.168.0.247 > 62.37.230.2: icmp: echo request
17:59:25.827149 62.36.208.18 > 192.168.0.247: icmp: time exceeded in-transit
17:59:25.827170 62.36.208.18 > 192.168.0.247: icmp: time exceeded in-transit

 I hope this clears things up... :-)

 Cheers,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]
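As an added illustration (not part of Roman's message and not the code of any real traceroute or tracert), the mechanism the post describes can be modelled in a few lines of Python: each router on the path decrements the IP TTL and sends back ICMP Time Exceeded when it reaches zero, without ever looking at what the packet carries, so the path is learned hop by hop and only the final line depends on how the destination itself answers. The model goes a little beyond the message: besides the UDP probes of the Linux capture and the ICMP echo probes of the Windows capture it also sends a TCP SYN to port 80 (the case the thread's subject asks about), and it lets the destination silently drop probes, which is exactly where the destination's behaviour does matter. The hop addresses are copied from the capture above; the two destination behaviours are assumed scenarios, and no real packets are sent.

```python
"""Toy model of TTL-based path discovery (traceroute / tracert).

Constructed example: no sockets are opened, the "network" is a list of
router addresses taken from the tcpdump capture in the post."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Routers that answered "time exceeded" in the capture, in hop order,
# followed by the traced destination (www.argo.es resolved to 62.37.230.2).
ROUTERS = ["192.168.0.1", "62.36.208.18", "62.36.208.65",
           "62.36.208.146", "62.36.204.81"]
DESTINATION = "62.37.230.2"


@dataclass
class Probe:
    dst: str
    ttl: int
    proto: str                 # "udp", "icmp-echo" or "tcp-syn"
    dport: Optional[int] = None


@dataclass
class Reply:
    src: str
    kind: str                  # "time-exceeded" comes from a router, anything else from the host


# Destination behaviours (assumed scenarios). Each returns the answer kind, or None for silence.
def answering_host(p: Probe) -> Optional[str]:
    """Unfiltered host: UDP to an unused high port -> ICMP port unreachable,
    echo request -> echo reply, SYN to an open port 80 -> SYN/ACK."""
    if p.proto == "udp":
        return "port-unreachable"
    if p.proto == "icmp-echo":
        return "echo-reply"
    if p.proto == "tcp-syn" and p.dport == 80:
        return "syn-ack"
    return None


def web_only_host(p: Probe) -> Optional[str]:
    """Host behind a filter that silently drops everything but TCP/80."""
    if p.proto == "tcp-syn" and p.dport == 80:
        return "syn-ack"
    return None


class Network:
    """Forwards a probe along ROUTERS to the destination the way IP does."""

    def __init__(self, routers: List[str], dst: str,
                 host: Callable[[Probe], Optional[str]]):
        self.routers, self.dst, self.host = routers, dst, host

    def forward(self, p: Probe) -> Optional[Reply]:
        ttl = p.ttl
        for router in self.routers:
            ttl -= 1                       # RFC 791: decremented by every forwarding router
            if ttl == 0:                   # RFC 792: ICMP Time Exceeded back to the source,
                return Reply(router, "time-exceeded")  # whatever the payload protocol is
        kind = self.host(p)                # delivered: now the host, not a router, decides
        return Reply(self.dst, kind) if kind else None


# Probe builders: the two tools shown in the post, plus a TCP/80 variant.
def udp_probe(dst: str, ttl: int, seq: int) -> Probe:
    # Linux traceroute: UDP, destination port incremented per probe (33435, 33436, ... in the capture)
    return Probe(dst, ttl, "udp", 33435 + seq)


def icmp_probe(dst: str, ttl: int, seq: int) -> Probe:
    return Probe(dst, ttl, "icmp-echo")    # Windows tracert: ICMP echo request


def tcp80_probe(dst: str, ttl: int, seq: int) -> Probe:
    return Probe(dst, ttl, "tcp-syn", 80)  # SYN to port 80, the thread's subject


def traceroute(net: Network, make_probe: Callable[[str, int, int], Probe],
               max_ttl: int = 30, nqueries: int = 3) -> List[Tuple[int, List[str]]]:
    """nqueries probes per TTL for TTL = 1, 2, 3, ...; stop once the destination
    itself answers (anything but time-exceeded) or max_ttl is reached.
    '*' marks a probe that got no answer at all."""
    hops, seq = [], 0
    for ttl in range(1, max_ttl + 1):
        answers, reached = [], False
        for _ in range(nqueries):
            reply = net.forward(make_probe(net.dst, ttl, seq))
            seq += 1
            answers.append(reply.src if reply else "*")
            if reply and reply.kind != "time-exceeded":
                reached = True
        hops.append((ttl, answers))
        if reached:
            break
    return hops


def render(hops: List[Tuple[int, List[str]]]) -> str:
    return "\n".join(f"{ttl:2d}  {'  '.join(a)}" for ttl, a in hops)


if __name__ == "__main__":
    runs = [("UDP (Linux traceroute), unfiltered host", answering_host, udp_probe),
            ("ICMP echo (tracert), host dropping everything but TCP/80", web_only_host, icmp_probe),
            ("TCP SYN to 80, same filtered host", web_only_host, tcp80_probe)]
    for label, host, probe in runs:
        print(f"--- {label}")
        print(render(traceroute(Network(ROUTERS, DESTINATION, host), probe, max_ttl=8)))
```

Running it shows the same five routers in all three cases; the only difference is the last line: the unfiltered host ends the UDP trace with its port-unreachable, the filtered host makes the ICMP trace run out of TTLs with rows of '*' after hop 5, and the SYN to 80 gets a SYN/ACK from that same host, so the trace completes.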




More information about the hacking mailing list