Wednesday, February 13, 2008

How to Use MTR

Background:

MTR combines the functionality of the traceroute and ping programs in a single network diagnostic tool.
As mtr starts, it investigates the network connection between the host mtr runs on
and HOSTNAME by sending packets with purposely low TTLs. It continues to send packets
with low TTL, noting the response time of the intervening routers. This allows
mtr to print the response percentage and response times of the Internet route to
HOSTNAME. A sudden increase in packet loss or response time is often an indication of
a bad (or simply overloaded) link.

(Source: MTR man pages)

Disclaimer: This information is for educational purposes only and not to commit a crime.
I stress the first part because this may get you into trouble with your ISP or network admins.
If you do something that causes you to hose your box, don't come kicking and screaming on the forums!
All IP and MAC addresses have been munged!


First off, I did this using BT2 Final, but the process is exactly the same using BT3; the only change is that there is now a graphical front-end using GTK+.
I am going to show a couple of examples of this tool and leave the rest up to you for now. I may add more later on.

The purpose of this tool is to provide a ping and traceroute utility in one package.
This is good for (1) allowing us to determine if a target is alive and (2) seeing what hops our packets take in order to get to said target.
When pentesting, once we have identified a target on a network we try to learn about other networks that interact with it, and this is one of the ways.
This will also help us learn what else may stand in our way.

To use mtr we need to open a terminal and type at the prompt:
Code:
bt ~ # mtr --help
usage: mtr [-hvrctglspni46] [--help] [--version] [--report]
[--report-cycles=COUNT] [--curses] [--gtk]
[--raw] [--split] [--no-dns] [--address interface]
[--psize=bytes/-s bytes]
[--interval=SECONDS] HOSTNAME [PACKETSIZE]
bt ~ #
This shows us the usage flags and options.
In order to know more about the different flags, we will take a look at them now:

OPTIONS
-h --help
Print the summary of command line argument options.

-v --version
Print the installed version of mtr.

-r --report
This option puts mtr into report mode. When in this mode, mtr will run for
the number of cycles specified by the -c option, and then print statistics and
exit.
This mode is useful for generating statistics about network quality. Note
that each running instance of mtr generates a significant amount of network
traffic. Using mtr to measure the quality of your network may result in
decreased network performance.

-c COUNT --report-cycles COUNT
Use this option to set the number of pings sent to determine both the machines
on the network and the reliability of those machines. Each cycle lasts one
second.

-s BYTES --psize BYTES
PACKETSIZE
These options, or a trailing PACKETSIZE on the command line, set the packet size
used for probing. It is in bytes, inclusive of IP and ICMP headers.

If set to a negative number, every iteration will use a different, random
packet size up to that number.

-t --curses
Use this option to force mtr to use the curses based terminal interface (if available).

-n --no-dns
Use this option to force mtr to display numeric IP numbers and not try to
resolve the host names.

-g --gtk
Use this option to force mtr to use the GTK+ based X11 window interface (if
available). GTK+ must have been available on the system when mtr was built
for this to work. See the GTK+ web page at
www.gimp.org/gtk/ for more information about GTK+.

-p --split
Use this option to set mtr to spit out a format that is suitable for a split-user interface.


-l --raw
Use this option to tell mtr to use the raw output format. This format is better
suited for archival of the measurement results. It could be parsed to be
presented into any of the other display methods.

-a IP.ADD.RE.SS --address IP.ADD.RE.SS
Use this option to bind the outgoing packets' socket to a specific interface, so
that any packet will be sent through this interface. NOTE that this option
doesn't apply to DNS requests (which may or may not be what you want).

-i SECONDS --interval SECONDS
Use this option to specify the positive number of seconds between ICMP ECHO
requests. The default value for this parameter is one second.

-4
Use IPv4 only.

-6
Use IPv6 only.

Ok, now we see that we have lots of options to play with here.

Ok, back to the terminal: we are going to look at a target computer with -r (report mode) and -c (count) set to 1 packet.

Code:
bt ~ # mtr -r -c 1 www.yourexampletarget.com
The output of this command is shown in the picture linked here: output

NOTE: I had to use this picture in order to get the formatting to show up like it would in a shell.


NOTE: we can use either a domain name, as above, or an IP address; the result is the same.

Ok, now let's see what we got back. We only care about the first two columns. The first is the name of the nodes along the route, and the second is the percentage of packets that were lost. If we lose packets then the traceroute must find a new way to get to the destination. Sometimes nodes along our route will drop these packets.
So we see that at number 3 above it would seem we lost a packet; however, the node just dropped it.
But our trace continues until it gets to 13, and the same thing happens. This could also be the result of a node not blindly advertising itself. Could be good or bad.
And last we arrive at 14, our target network. Remember, just like any traceroute, the first node returned is the closest to your box and the last is the farthest away.
If we are pentesting we can use a whois command to look up the network node names above, and we may learn more about the route our packets take to our target.
This may help us determine whether our target is sitting on the edge of the network or not.
Also, when doing this, if you do not specify the number of packets with the -c flag this process will continue to run until you stop it!
This can be bad depending on the ToS (terms of service) from your ISP or other networks along the route. Generally speaking, most admins will not want you repeatedly pinging their networks. Sometimes one or two ping attempts may be ok. At a minimum, it is plain rude to needlessly ping a node!
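As an added example (my own Python, not code from the original post or from the mtr project), here is a small parser for `mtr -r` report output that applies the reading above: it works from the host and loss columns, separates loss that only a single hop shows (that hop dropping our probes, like hops 3 and 13) from loss that is carried through to the destination, and flags a sudden jump in average response time, which the man page calls out as a sign of a bad link. The report text, the `-c 10` run it imitates and the thresholds are constructed for the example.

```python
import re

# Constructed sample of `mtr -r -c 10 -n <target>` output (not from the post);
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_REPORT = """\
HOST: bt                          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 192.0.2.1                     0.0%    10    0.4   0.5   0.4   0.7   0.1
  2. 198.51.100.1                  0.0%    10    9.1   9.4   8.8  10.2   0.4
  3. ???                         100.0%    10    0.0   0.0   0.0   0.0   0.0
  4. 198.51.100.77                 0.0%    10   12.3  12.8  11.9  14.0   0.6
  5. 203.0.113.9                  20.0%    10   88.7  90.1  85.3  97.4   3.9
  6. 203.0.113.42                 20.0%    10   91.2  92.0  88.1  99.0   3.2
"""

# Columns: hop number, host, Loss%, Snt, Last, Avg, Best, Wrst (StDev ignored).
HOP_RE = re.compile(
    r"^\s*(\d+)\.\s+(\S+)\s+([\d.]+)%?\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)"
)

def parse_report(text):
    """Turn `mtr -r` report lines into dicts; the HOST: header line is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": m.group(2),
                         "loss": float(m.group(3)), "avg": float(m.group(6))})
    return hops

def analyse(hops, loss_threshold=5.0, jump_ms=50.0):
    """Return (hop, host, finding) tuples for the route.

    Loss at a hop that exceeds the loss seen at the destination means that hop
    itself drops or rate-limits our probes (the post's hops 3 and 13); loss that
    is carried through to the destination is real loss on the path. A jump in
    average RTT between consecutive responding hops is flagged separately."""
    findings = []
    dest_loss = hops[-1]["loss"] if hops else 0.0
    prev_avg = None
    for h in hops:
        if h["loss"] >= loss_threshold:
            kind = "hop-drops-probes" if h["loss"] > dest_loss else "path-loss"
            findings.append((h["hop"], h["host"], kind))
        if h["loss"] < 100.0:  # a fully unresponsive hop has no usable RTT
            if prev_avg is not None and h["avg"] - prev_avg >= jump_ms:
                findings.append((h["hop"], h["host"], "latency-jump"))
            prev_avg = h["avg"]
    return findings
```

Running `analyse(parse_report(SAMPLE_REPORT))` marks hop 3 as dropping probes (its 100% loss is not seen at the destination), hops 5 and 6 as real path loss, and hop 5 as the point where response time jumps.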


This tutorial should give you enough information to work with MTR.