trt-scapy.py - v0.0
===================

Another implementation of M. Zalewski's 0trace tool, which performs hop
enumeration within "established" TCP connections. Trt-Scapy is based on the
Scapy tool (http://secdev.org/projects/scapy/) from P. Biondi and performs
enumeration for "established" TCP connections and UDP DNS request streams.

Refer to the original: http://lcamtuf.coredump.cx/soft/0trace.tgz.

===============================================================================

TCP to www.ebay.com on TCP port 80 and the TTL game with 0trace (refer to the
announcement: http://www.securityfocus.com/archive/1/456213/30/0/threaded)

> 13 4.68.110.81
> 14 4.68.97.33
> 15 64.159.1.130
> 16 4.68.123.48
> 17 166.90.140.134 <---
> 18 10.6.1.166 <--- new data
> 19 10.6.1.70 <---

Same game with trt-scapy:

    # ./trt-scapy.py -i 66.135.192.124 -p 80 -r 1 -w .5
    trt-scapy.py - v0.0
    Connecting to 66.135.192.124:80
    [...]
    11 - 10.6.1.46 - 0 / time-exceeded IPerror payload : -> 66.135.192.124
    12 - 10.6.105.8 - 0 / time-exceeded IPerror payload : -> 10.6.35.124
    13 - 66.135.192.124
    Done...

    # ./trt-scapy.py -i sjc-dns2.ebaydns.com -p 53 -r 3 -w 4 -U
    trt-scapy.py - v0.0
    UDP - Connecting to sjc-dns2.ebaydns.com:53
    [...]
    9 - 166.90.140.134 - 0 / time-exceeded IPerror payload : -> 66.135.207.138
    10 - 10.6.1.162 - 0 / time-exceeded IPerror payload : -> 66.135.207.138
    11 - 10.6.1.78 - 0 / time-exceeded IPerror payload : -> 66.135.207.138
    12 - ?
    13 - 66.135.207.138

===============================================================================

Thanks to TGW J. - January 2007
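
Added example, not part of trt-scapy or 0trace: a defender-side audit of the hop lines shown above. It flags private hop addresses that leak through ICMP time-exceeded replies, and hops whose quoted IPerror destination differs from the probed address, which means the destination was translated before that hop. The name `audit_hops` and the line-format regex are assumptions derived from the output in this README.

```python
import ipaddress
import re

# Constructed sample: hop lines copied from the TCP run shown in this README.
SAMPLE = """\
11 - 10.6.1.46 - 0 / time-exceeded IPerror payload : -> 66.135.192.124
12 - 10.6.105.8 - 0 / time-exceeded IPerror payload : -> 10.6.35.124
13 - 66.135.192.124
"""

# "<ttl> - <hop ip>", optionally followed by the quoted destination after "->".
# Format inferred from the sample output (assumption, not a documented spec).
HOP_RE = re.compile(
    r"^\s*(\d+)\s+-\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"(?:\s+-.*?->\s*(\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)


def audit_hops(output, target):
    """Return (ttl, hop, issue) findings; `target` is the probed IP address."""
    target_ip = ipaddress.ip_address(target)
    findings = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:  # banner, "[...]", "12 - ?" and "Done..." lines
            continue
        ttl = int(m.group(1))
        hop = ipaddress.ip_address(m.group(2))
        quoted = m.group(3)  # destination in the IP header quoted by the hop
        if hop.is_private:
            findings.append((ttl, str(hop), "private hop address exposed"))
        if quoted and ipaddress.ip_address(quoted) != target_ip:
            findings.append((ttl, str(hop), "destination rewritten to " + quoted))
    return findings


if __name__ == "__main__":
    for ttl, hop, issue in audit_hops(SAMPLE, "66.135.192.124"):
        print(f"ttl {ttl:>2}  {hop:<15} {issue}")
```

Findings of either kind point to a perimeter device that lets TTL-expired replies from internal routers reach the outside for packets belonging to an established flow.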