When performing digital reconnaissance or penetrating testing, it's important to fingerprint a network by understanding what servers or devices sit between your system and a target. For example, security professionals can't go straight to attacking a web server without first taking the time to see if there's a firewall in front of it.
This is where the traceroute utility comes in. It can send a packet from your system to the target machine, and list out its entire route for the journey there. This will reveal how many devices your network data is passing through, as well as the IP address of each device.
Kali Linux has another similar reconnaissance utility called mtr, which mostly functions the same as traceroute. In this guide, we'll see how to use traceroute and mtr, along with their various command options, on Kali.In this tutorial you will learn:
- How to use traceroute
- How to use mtr
|Category||Requirements, Conventions or Software Version Used|
|Other||Privileged access to your Linux system as root or via the |
|Conventions|| # - requires given linux commands to be executed with root privileges either directly as a root user or by use of |
How to use traceroute
If traceroute isn't already installed on your system, open a command line terminal and type the following commands to install it.
$ sudo apt update $ sudo apt install traceroute
Once it's installed, try running a traceroute to some other system. It can be a device on your network, a web server, or really anything that you're able to connect to, whether it be locally or remotely. Specify the hostname, domain name, or IP address in your command. Note that some traceroute commands require root privileges.
$ traceroute linuxconfig.org traceroute to linuxconfig.org (220.127.116.11), 30 hops max, 60 byte packets 1 10.0.2.2 (10.0.2.2) 0.186 ms 0.122 ms 0.097 ms 2 192.168.0.1 (192.168.0.1) 8.717 ms 13.210 ms 13.552 ms 3 192.168.1.1 (192.168.1.1) 13.435 ms 13.413 ms 13.394 ms 4 10.115.222.7 (10.115.222.7) 27.564 ms 27.541 ms 27.662 ms 5 10.113.5.226 (10.113.5.226) 28.760 ms 28.909 ms 29.236 ms 6 * * * 7 10.111.5.9 (10.111.5.9) 11.810 ms 11.192 ms 13.026 ms 8 et-3-0-4-100-grtlurem1.net.telefonicaglobalsolutions.com (18.104.22.168) 25.205 ms 25.186 ms 25.003 ms 9 22.214.171.124 (126.96.36.199) 23.088 ms 23.355 ms 23.333 ms 10 188.8.131.52 (184.108.40.206) 22.653 ms 22.631 ms 22.729 ms
A traceroute to linuxconfig.org took 10 hops to reach. You'll notice some asterisks on hop 6, which means that particular device blocked our traceroute. This probably means the device is blocking ICMP, specifically. We can overcome this blocking with traceroute by trying to send different types of packets (i.e. TCP instead of ICMP). Listed below are more options that we can use with traceroute.
-I option instructs traceroute to use ICMP ECHO packets, which are blocked less frequently, and can usually give you faster results.
$ sudo traceroute -I linuxconfig.org
-T option will instruct traceroute to use TCP instead of ICMP. This method is used to gather data that's more relevant to a web server.
$ sudo traceroute -T linuxconfig.org
To use IPv4 or IPv6 specifically, use either the
-6 option, respectively.
$ traceroute -4 linuxconfig.org OR $ traceroute -6 linuxconfig.org
If you'd like to test a specific port, the
-p flag can help with that.
$ traceroute -p 53 192.168.1.1
By default, packets sent from traceroute have a TTL (time to live) of 30. In other words, if it takes more than 30 hops to reach a destination, the packet is dropped and the traceroute attempt is abandoned. You can change this behavior by specifying a different TTL with the
$ traceroute -m 60 linuxconfig.org
Note that any of these options can be combined into a single command. For example:
$ sudo traceroute -I -4 -m 60 linuxconfig.org
To see all additional options for traceroute, use the help option.
$ traceroute --help
How to use mtr
If mtr isn't already installed on your system, open a command line terminal and type the following commands to install it.
$ sudo apt update $ sudo apt install mtr
The simplest way to use mtr is by just specifying a hostname, domain name, or IP address that you want to trace the path to.
$ mtr linuxconfig.org
You'll see that a new window is brought up, where mtr continues running the traceroute and updating its results in real time. You can think of this as basically a much more interactive version of traceroute. The two utilities function the same, but some users will find mtr easier to use or just nicer to look at.
To forgo this interactive window and keep your results in the terminal, like traceroute does, you can use the
$ mtr -r linuxconfig.org
To send TCP or UDP packets instead of ICMP ECHO (the default), use the
--udp flags, respectively.
$ mtr --tcp linuxconfig.org OR $ mtr --udp linuxconfig.org
mtr has a lot of other options available, giving you granular control over your traceroute tests. To understand all of them, you can check out the man page, which explains them in detail. Or for the shortened version, just use
$ man mtr OR $ mtr --help
In this guide, we saw how to use traceroute on Kali Linux. We also saw how to use mtr, which feels like a more modern and robust version of traceroute. The traceroute utility, as well as mtr, come in handy by helping us understand the network path to a certain device. They can also be used to help test your internet connection. Use these tools to find devices that are sitting between Kali and a target system.