Probing remote network topology by monitoring TTL responses
Sometimes a network administrator configures an internal network so that a single host relays communication to other hosts at different levels behind it. A single public Internet Protocol (IP) address may therefore represent many devices whose ports are exposed from the internal network. Although there are some basic ways to detect this, it is surprising how much relevant network-layer information today's popular tools already surface in their output. This article shows how to detect port forwarding and in-path intrusion prevention devices by examining the Time-To-Live (TTL) value of the responses to ordinary requests.
Understanding TTL responses
Each time a host sends data to another host, the data travels as packets along a series of routers, switches, and other hosts until it reaches the target host. Each packet carries a TTL field in its IP header, which limits the number of router hops the packet may traverse on its way to the target. Each time a packet passes through a router, the TTL value in its header is decremented by 1.
TTL can reveal changes in the transmission route
Changes in the transmission route often occur where an Internet Service Provider hands traffic to upstream network providers. When such a change occurs, the TTL value of every response from the host whose route changed shifts immediately. A route change may be due to normal network expansion, to a network device redirecting traffic from a particular source to a honeypot, or to activity such as destination-port redirection for server load balancing.
TTL in scan responses
During a port scan, SYN packets are sent to different ports on the target host in order to elicit responses, so that we can learn which ports have a listening service. All packets sent by the same scanner (unless the scanner specifies otherwise) carry the same initial TTL value. Sometimes, scanning a single IP address yields responses with different TTL values. Different TTL values indicate that an additional network layer is operating behind the public IP address being scanned. A higher TTL means the device answering for that service is closer to the host running the scan; a lower TTL means it is farther away.
In other words, if a host's responses generally arrive with a TTL of 47, but the response from one port arrives with a TTL of 45, the response from that port has clearly been forwarded from a host further away. On the other hand, if a packet received from the same host arrives with a TTL of 48, it most likely originated from a device sitting between the scanning host and the target host.
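The reasoning in the two paragraphs above, as an added example in Python 3 (not code from the original article or from ttl_mon.py): given the per-port TTL values collected from one scan of one public address, it takes the most common TTL as the host's direct path, flags ports whose replies arrive with a lower TTL as forwarded to a host further back, and ports whose replies arrive with a higher TTL as answered by an in-path device. The (port, ttl) pairs are constructed to mirror the article's 47/45/48 figures, and the hop estimate assumes the replying device started from one of the usual initial TTLs (32, 64, 128 or 255), which is an assumption, not something the article states.

```python
"""Classify per-port TTL values from a single scan of one public IP.

Added example, not from the original article or the ttl_mon.py tool.
Input: constructed (port, ttl) pairs as a scanner would collect from
SYN/ACK or RST replies; the sample values are made up for illustration.
"""
from collections import Counter

# Common initial TTLs (assumption); the smallest one >= the observed TTL
# gives a rough hop estimate for the replying device.
INITIAL_TTLS = (32, 64, 128, 255)


def estimate_hops(ttl):
    """Hops between us and the replying device, assuming a standard initial TTL."""
    for init in INITIAL_TTLS:
        if ttl <= init:
            return init - ttl
    return None


def baseline_ttl(responses):
    """Most common TTL across all ports of the host; taken as the direct path."""
    counts = Counter(ttl for _port, ttl in responses)
    return counts.most_common(1)[0][0]


def classify_ports(responses):
    """Return {port: (ttl, verdict)} comparing each port's TTL to the baseline.

    Lower TTL than baseline  -> reply came from further away (port forwarded
                                to a host behind the public address).
    Higher TTL than baseline -> reply came from closer (an in-path device such
                                as a firewall/IPS answering on the host's behalf).
    """
    base = baseline_ttl(responses)
    result = {}
    for port, ttl in responses:
        if ttl < base:
            verdict = "forwarded (%d hop(s) behind host)" % (base - ttl)
        elif ttl > base:
            verdict = "intermediate device (%d hop(s) in front of host)" % (ttl - base)
        else:
            verdict = "direct"
        result[port] = (ttl, verdict)
    return result


# Constructed sample mirroring the article's numbers: host baseline TTL 47,
# one forwarded port answering with 45, one in-path device answering with 48.
SAMPLE_RESPONSES = [(22, 47), (80, 47), (443, 47), (8080, 45), (25, 48)]

if __name__ == "__main__":
    base = baseline_ttl(SAMPLE_RESPONSES)
    print("baseline TTL %d, ~%d hops away" % (base, estimate_hops(base)))
    for port, (ttl, verdict) in sorted(classify_ports(SAMPLE_RESPONSES).items()):
        print("port %5d ttl %3d  %s" % (port, ttl, verdict))
```

Taking the most common TTL as the baseline is deliberate: on a host with several forwarded ports there is no single "true" value, and the majority is the least bad guess. A single odd port is a hint, not proof; confirm with a second scan, since a route change (previous section) shifts every port at once, whereas forwarding affects only the forwarded ports.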
TTL can reveal firewalls and intrusion prevention systems
Port scanning is not the only method that produces detectable TTL anomalies. Firewalls and intrusion prevention systems (IPS) sitting between an attacker and the target host can also generate responses in the form of RST packets to tear down connections they consider harmful. Because such a device sits between the attacker and the target host, the RST packets the attacker receives on those ports carry a higher TTL value than RST packets sent by the target host itself.
To observe these TTL anomalies, our team published ttl_mon.py on GitHub. It runs until the user exits with Ctrl+C, printing details of the hosts it observes to the screen as it runs. Whenever the TTL value of a response from a given port changes, a red notice about a change in the transmission path is printed. It can monitor traffic from all hosts on the specified interface, or from a single target host.
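The per-port change tracking that ttl_mon.py performs, as an added example in Python 3 using only the standard library (this is not the ttl_mon.py source and does not use dpkt or pcapy). It reads the TTL directly from the IPv4 header (byte offset 8) of raw frames, so it would work on the bytes a capture library hands back, and it mirrors the tool's "local address to ignore" and "only this target" filters as constructor arguments. The packet stream is constructed with a small builder function, not captured from a network; the addresses are documentation ranges chosen for the example.

```python
"""Stateful TTL-change monitor over raw IPv4/TCP frames.

Added example, not the article's ttl_mon.py. Standard library only; the
sample packets are constructed, not captured.
"""
import socket
import struct

IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # IPv4 fixed header, 20 bytes


def build_ipv4_tcp(src, dst, sport, dport, ttl):
    """Construct a minimal IPv4+TCP SYN/ACK (checksums left zero; fine for parsing)."""
    ip = IP_HDR.pack(0x45, 0, 40, 0, 0, ttl, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x12, 8192, 0, 0)
    return ip + tcp


def parse_ipv4_tcp(raw):
    """Return (src, dst, sport, dport, ttl), or None if not an IPv4/TCP packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    fields = IP_HDR.unpack_from(raw)
    ihl = (fields[0] & 0x0F) * 4
    ttl, proto = fields[5], fields[6]
    if proto != 6 or len(raw) < ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", raw, ihl)
    return (socket.inet_ntoa(fields[8]), socket.inet_ntoa(fields[9]),
            sport, dport, ttl)


class TTLMonitor:
    """Track the TTL seen per (source IP, source port) and flag changes."""

    def __init__(self, local=None, target=None):
        self.local = local      # our own address; packets *from* it are ignored
        self.target = target    # if set, only this source IP is tracked
        self.seen = {}          # (src, sport) -> last TTL observed

    def observe(self, raw):
        """Return a ('new', ...) or ('changed', ...) event, or None."""
        parsed = parse_ipv4_tcp(raw)
        if parsed is None:
            return None
        src, _dst, sport, _dport, ttl = parsed
        if src == self.local or (self.target and src != self.target):
            return None
        key = (src, sport)
        old = self.seen.get(key)
        self.seen[key] = ttl
        if old is None:
            return ("new", src, sport, ttl)
        if old != ttl:
            # The path to this port changed: forwarding, load balancing, or an
            # in-path device (firewall/IPS) now answering instead of the host.
            return ("changed", src, sport, old, ttl)
        return None


def run(monitor, packets):
    """Feed every frame to the monitor and collect the events it raises."""
    return [ev for ev in (monitor.observe(p) for p in packets) if ev]


# Constructed stream: 203.0.113.5 answering probes from 192.0.2.10. Port 80
# first replies with TTL 47, later with 45 (now forwarded to a host further back).
SAMPLE = [
    build_ipv4_tcp("203.0.113.5", "192.0.2.10", 80, 40001, 47),
    build_ipv4_tcp("203.0.113.5", "192.0.2.10", 443, 40002, 47),
    build_ipv4_tcp("192.0.2.10", "203.0.113.5", 40003, 22, 64),   # our own packet, ignored
    build_ipv4_tcp("203.0.113.5", "192.0.2.10", 80, 40004, 45),
    build_ipv4_tcp("203.0.113.5", "192.0.2.10", 443, 40005, 47),
]

if __name__ == "__main__":
    for event in run(TTLMonitor(local="192.0.2.10"), SAMPLE):
        print(event)
```

The state is keyed on source port rather than on the whole flow, which is what makes the IPS case visible: a RST for port 25 with TTL 48 after SYN/ACKs for port 25 with TTL 47 shows up as a "changed" event on the same key. Keying on the full 4-tuple would treat the two as unrelated connections and hide the anomaly.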
Dependencies
ttl_mon.py depends on the dpkt and pcapy packages for Python 2. They can be installed with the pip module, for example:
python2 -m pip install pcapy dpkt
Usage
Usage: ttl_mon.py [options]

Options:
  -h, --help            show this help message and exit
  -i INTERFACE, --interface=INTERFACE
                        interface to listen on
  -l LOCAL, --local=LOCAL
                        local address to ignore
  -t TARGET, --target=TARGET
                        only record changes for the specified IP address