Root Me – IP: Determine TTL

Root Me is another CTF challenge website. I registered some months back and completed this particular challenge. While simple, it teaches an important skill: reading the fundamental packet metadata in a Wireshark capture that analysis depends on, rather than just exporting content or following TCP streams. The challenge is here.

The challenge statement is this:

Find the TTL used to reach the targeted host in this ICMP exchange.

Opening it, we see this:

[Image: ch7.jpg]

The challenge details do not give the source/destination host IPs, so let's deduce them from the capture. We assume at the outset that the source is 24.6.126.218 and the remote host is 192.173.244.32. We also see a run of TTL-exceeded replies, starting from 12.244.25.161 for the packet with TTL=2, then 12.244.72.210, and so on up to 204.2.121.162 for TTL=12. Recall what Odom's ICND1 guide says about how the traceroute command works:

[Image: odom-icnd1 tracert pic.jpg]

To find all the routers in the path, and finally confirm that packets flow all the way to the destination host, the traceroute command sends a packet with TTL=1, TTL=2, then 3, 4, and so on, until the destination host replies. Figure 23-13 shows the packet from the second set with a TTL=2. In this case, one router (R1) actually forwards the packet, while another router (R2) happens to decrement the TTL to 0, causing a TTL Exceeded message to be sent back to host A.

Traceroute starts with TTL=1, not knowing how far away the remote host is. Each time a probe's TTL runs out, we get a reply stating TTL exceeded. This is exactly what we see in the capture. The source of these "TTL exceeded" packets varies, but the destination is always 24.6.126.218, which we deduce must be our source host. Second, note that 24.6.126.218 is present as either source or destination in every packet. This strongly suggests Wireshark is running on this host, since it captures every packet that leaves or arrives on that interface.

Great. We have identified the source and destination hosts. Now, how far away is the destination host? Note that we will keep getting "TTL exceeded" messages until the TTL of the originating packet increases to the point where they stop. Scrolling down, we see this happens at TTL=13.

[Image: ch7p2.jpg]

So our destination host must lie 13 hops away. How do we confirm this? Note that the ICMP reply from the remote host appears immediately after the outgoing TTL=13 packet, and it carries a TTL of 51. From this page, we know there are generally three default TTL values which cover almost all systems: 64, 128 and 254. If the reply packet's TTL is 51, its original TTL must have been 64. Since 64-51=13, there are 13 hops from the destination back to the source, which confirms our theory that the host is 13 hops away.
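The two deductions above (the capture point is the address present in every packet; the forward distance is the first probe TTL the target answers, and the return distance is the reply's TTL subtracted from the nearest default initial TTL) can be automated rather than read off the Wireshark window. The following Python script is an added example, not code from the write-up or from Root Me. It works on a constructed list of packet summaries rather than a real pcap: the five addresses quoted in the write-up are reused, while hop 1 and hops 4 to 11 are RFC 5737 documentation placeholders and the router reply TTLs are arbitrary. Like the write-up, it attributes each reply to the most recent probe by capture order instead of parsing the quoted header inside the ICMP error.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

# Commonly cited initial TTLs (the write-up lists 64, 128 and 254; 255 is the
# other value usually quoted). The smallest default >= the observed TTL is
# assumed to be the value the replying stack started from.
DEFAULT_INITIAL_TTLS = (64, 128, 255)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    icmp_type: int
    ttl: int  # IP TTL of this packet as seen at the capture point


def build_capture() -> List[Pkt]:
    """Constructed traceroute-style ICMP exchange mirroring the write-up.

    Probes TTL=1..13 go from 24.6.126.218 to 192.173.244.32. Routers for
    hops 2, 3 and 12 are the addresses quoted in the write-up; the others are
    198.51.100.x placeholders (assumption). The final echo reply carries
    TTL 51, the value from the challenge.
    """
    src, dst = "24.6.126.218", "192.173.244.32"
    routers = {2: "12.244.25.161", 3: "12.244.72.210", 12: "204.2.121.162"}
    for hop in (1, 4, 5, 6, 7, 8, 9, 10, 11):
        routers[hop] = f"198.51.100.{hop}"
    pkts: List[Pkt] = []
    for probe_ttl in range(1, 14):
        pkts.append(Pkt(src, dst, ICMP_ECHO_REQUEST, probe_ttl))
        if probe_ttl < 13:
            pkts.append(Pkt(routers[probe_ttl], src, ICMP_TIME_EXCEEDED, 255 - probe_ttl))
        else:
            pkts.append(Pkt(dst, src, ICMP_ECHO_REPLY, 51))
    return pkts


def capturing_host(pkts: List[Pkt]) -> str:
    """The one address that is src or dst of every packet: the interface
    Wireshark was listening on."""
    counts: Counter = Counter()
    for p in pkts:
        for addr in {p.src, p.dst}:
            counts[addr] += 1
    everywhere = [a for a, n in counts.items() if n == len(pkts)]
    if len(everywhere) != 1:
        raise ValueError(f"ambiguous capture point: {everywhere}")
    return everywhere[0]


def trace_path(pkts: List[Pkt], host: str) -> Tuple[Optional[str], Dict[int, str], Optional[int], Optional[int]]:
    """Pair each reply with the most recent probe, in capture order.

    Returns (target, {probe_ttl: replying router}, first probe TTL answered
    by the target, that echo reply's TTL). The last two are None if the
    target never answered.
    """
    target: Optional[str] = None
    last_probe_ttl: Optional[int] = None
    path: Dict[int, str] = {}
    for p in pkts:
        if p.src == host and p.icmp_type == ICMP_ECHO_REQUEST:
            target, last_probe_ttl = p.dst, p.ttl
        elif p.dst == host and last_probe_ttl is not None:
            if p.icmp_type == ICMP_TIME_EXCEEDED:
                path[last_probe_ttl] = p.src
            elif p.icmp_type == ICMP_ECHO_REPLY and p.src == target:
                return target, path, last_probe_ttl, p.ttl
    return target, path, None, None


def infer_distance(reply_ttl: int) -> Tuple[int, int]:
    """Guess the replier's initial TTL and the return-path hop count:
    (initial_ttl, initial_ttl - reply_ttl)."""
    for initial in DEFAULT_INITIAL_TTLS:
        if reply_ttl <= initial:
            return initial, initial - reply_ttl
    raise ValueError(f"reply TTL {reply_ttl} exceeds every known default")


def analyze(pkts: List[Pkt]) -> dict:
    """Run both deductions and report whether they agree."""
    host = capturing_host(pkts)
    target, path, forward_hops, reply_ttl = trace_path(pkts, host)
    result = {"source": host, "target": target, "path": path,
              "forward_hops": forward_hops, "reply_ttl": reply_ttl}
    if reply_ttl is not None:
        initial, return_hops = infer_distance(reply_ttl)
        result.update(assumed_initial_ttl=initial, return_hops=return_hops,
                      consistent=(return_hops == forward_hops))
    return result


if __name__ == "__main__":
    for key, value in analyze(build_capture()).items():
        print(f"{key}: {value}")
```

The `consistent` flag is the check worth keeping: the probe count measures the forward path and the reply TTL measures the return path, and the two only agree when routing is symmetric and the guessed initial TTL is right, so a mismatch is a prompt to look again rather than an error. In Wireshark the same triage starts with the display filter `icmp.type == 11 || icmp.type == 0`, which isolates the TTL-exceeded replies and the final echo reply.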