Re: Using TTL to Locate Hosts

From: Pete Herzog (lists@isecom.org)
Date: Thu Mar 30 2006 - 03:33:24 EST


Hi,

It's a pretty open question. Do you want to know if the machine
(networking stack in kernel) is up or the service?

TTL is a guide. When you send a packet, you are looking for a response.
That response will contain a TTL. However, you don't know many things
about that TTL. The most important thing you don't know is if the TTL
was created by the stack on the host or somewhere else, most often a
device between you and the host. This device can be proxies for certain
ports, like cache proxies for HTTP port 80, or a "firewall".

The good thing is that, if through correlation of the TTL you can identify
where the response came from, you have your probable answer of "up".

There are tools, especially in HPING, that will help you do things such
as firewalking (there is also a firewalking tool) and loose source
routing, which both work with "hops" and end-effect TTLs in sending to
achieve responses. Something as simple as Traceroute and its
derivatives (like TCPtraceroute), especially when attempting certain
settings (see the OSSTMM 2.11 modules on Logistics and Enumeration), will
aid in eliciting responses. Every response counts, as it tells you
something about the host.

Sincerely,
-pete.

Chris Hammer wrote:
> Hello everyone, I had an interesting question posed to me earlier. The
> question was "Could you use only the TTL of a packet to locate hosts and
> verify they are up?" I know playing around with Tracert this could be
> possible, or a crafted packet using HPING. Any other ideas or thoughts?
>
> Thanks!
> Chris
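The correlation Pete describes above, worked through as an added example (this is
not code from the original post or from hping/OSSTMM): each reply's TTL is matched
against the common initial TTL values to estimate how many hops away the responder
is, and that distance is compared with the hop count a traceroute to the target
gave. A reply whose responder is closer than the target was answered by something
in the path (a cache proxy for 80/tcp, a firewall) rather than by the host's own
stack. The `Probe`/`Verdict` types, the `COMMON_INITIAL_TTLS` table and the
`SAMPLE_PROBES` replies are assumptions constructed for the example; nothing is
sent on the network.

```python
"""Correlate reply TTLs with traceroute hop count to tell the host's own
stack apart from an in-path device answering on its behalf.

Added example; probe data below is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Initial TTLs most stacks start from: 64 (Linux, *BSD, macOS), 128 (Windows),
# 255 (Solaris, Cisco IOS and many appliances), 32 (some older/embedded stacks).
# Assumed table for this example.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

# More hops than this on one Internet path is rare; used to reject an inferred
# initial TTL that would imply an absurd distance.
MAX_PLAUSIBLE_HOPS = 40


@dataclass(frozen=True)
class Probe:
    proto: str            # "icmp" or "tcp"
    dport: Optional[int]  # destination port for tcp, None for icmp
    reply_ttl: int        # TTL field in the reply we got back


@dataclass(frozen=True)
class Verdict:
    initial_ttl: int      # initial TTL the responder most likely started with
    hops: int             # estimated hops between us and the responder
    source: str           # "host", "in-path device" or "implausible"


def infer_initial_ttl(reply_ttl: int) -> int:
    """Smallest common initial TTL that is >= the observed reply TTL.

    TTL is decremented once per hop, so a reply TTL can never exceed the
    responder's initial value; the smallest candidate at or above it gives
    the shortest (and therefore most plausible) path. This is a heuristic:
    a stack using an unusual initial value will be mis-estimated.
    """
    for candidate in COMMON_INITIAL_TTLS:
        if reply_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL {reply_ttl} exceeds every known initial value")


def hop_distance(reply_ttl: int) -> int:
    """Estimated hops from us to whatever produced this reply."""
    return infer_initial_ttl(reply_ttl) - reply_ttl


def correlate(probes: Iterable[Probe],
              traceroute_hops: int) -> Dict[Tuple[str, Optional[int]], Verdict]:
    """Compare each responder's hop distance with the traceroute hop count.

    Same distance: the target's stack (or something at exactly its distance)
    replied. Shorter: a device between us and the target answered for it.
    Longer than the trace or than MAX_PLAUSIBLE_HOPS: the initial-TTL guess
    is probably wrong, or the trace did not end at the real endpoint.
    """
    verdicts: Dict[Tuple[str, Optional[int]], Verdict] = {}
    for p in probes:
        initial = infer_initial_ttl(p.reply_ttl)
        hops = initial - p.reply_ttl
        if hops > MAX_PLAUSIBLE_HOPS or hops > traceroute_hops:
            source = "implausible"
        elif hops == traceroute_hops:
            source = "host"
        else:
            source = "in-path device"
        verdicts[(p.proto, p.dport)] = Verdict(initial, hops, source)
    return verdicts


# Constructed sample: a traceroute to the target showed 12 hops, and these
# replies came back to four probes against it.
SAMPLE_TRACEROUTE_HOPS = 12
SAMPLE_PROBES = (
    Probe("icmp", None, 52),  # echo reply: 64 - 52 = 12 hops -> the host itself
    Probe("tcp", 22, 52),     # SYN/ACK: same distance and stack as the echo reply
    Probe("tcp", 80, 247),    # SYN/ACK: 255 - 247 = 8 hops -> 4 hops short of target
    Probe("tcp", 443, 117),   # SYN/ACK: 128 - 117 = 11 hops -> device 1 hop in front
)


def report(probes: Iterable[Probe] = SAMPLE_PROBES,
           traceroute_hops: int = SAMPLE_TRACEROUTE_HOPS) -> str:
    """Human-readable summary, one line per probe."""
    lines = []
    for (proto, dport), v in correlate(probes, traceroute_hops).items():
        svc = proto if dport is None else f"{proto}/{dport}"
        lines.append(f"{svc:>8}: initial TTL {v.initial_ttl}, "
                     f"{v.hops} hops, answered by {v.source}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

In the sample, the echo reply and the SYN/ACK on 22/tcp agree with the traced
distance, so the host's kernel stack is up; the SYN/ACK on 80/tcp comes from a
255-initial stack four hops closer (a proxy or firewall speaking for the host),
which says nothing about whether the web server behind it is actually listening.
Hop distance is only an estimate of where the responder sits, so a traceroute to
the target is still what anchors the comparison.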




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:46 EDT