Vulners
Lucene search
Traceroute Information
#TRUSTED 9431a5a0d15f6713b17ff181cea7e205b00cb6918eb770e9bd1ebbcc6cd8bc22aae3d07e6cd2992801f783d6dea396f70e0991acda540d6e988117cc830333b5069b3868e60bf5eb40f407c583c455dfff1659b773d4ae94546ac463ec160fd88c6b8b48d6388023ce9dd8a7951cfe55614b2d84f307d410cd4e2231ec537dce8cec0a17f4abf92213d62394925f8a5e0cb9f756f238ceae340f0a837e2712479b2de28a8cf49a0532e112ff91053ac551ee5bb071e8beebe3377eba32ccd3ec830f2cd20690950b7ef212ced4c6e5735e4aad3b05e53d71b8f6cd686df524d1d30f5824631e6a973bf08fc61bc6cd9572f8a180a2c62732e2fd87cfcbf0821571838cd368db52c333ecf7d266eeeb2b7864623835e441a9e8eb76c1b56d621c15724aba16fdfb9d14603070276dbbb990d5d13858be42cbee13c9b1900756317fc43633a4efe71cdf4b0185cf8b87f90578c826b848f9bc2d7d113b613fa47cea0c96f5664774053b62acd6a6739ad625f8e36da0b8be328d9d6263a7aa5cc0d93a3be12efeda70a6fed0fadd30347bdcc12223215b4e790803dd18604c9f245ab1cc5e5ba1e33222f49d9ba75e574245ce14ccad1fe5b9553666e80f299e5b5068158ae4caa7845746bf852aaed3b766dbbacc16fee6abce8eaa1a4ac6220b61c056ae0733cff8e6322fc5082f93ba68726a17d6d137a74c253740afc23064
#TRUST-RSA-SHA256 1f5507c0f54916a94731b7813816c349a33ce361d3033c3866b5c6f57ac4056a077b1b725e43045dfa2133757eb37c891b24acbcb505c6a46b53889321429c75b739b77838c682d27bdb253982f9eae325762b5e26585bc7d0bf3cbf4e2cc2c04f3a8976ee516b24feac56a693d4a9a4cf7bd229f996cc44d3dd5b03c14bd5b5827ba790b5cbf41193ce665e801243ac15cf12c04fd3114813031dc0a8667ed6b522ff170c68b2a59b0df9f414c5db6d99873c3f835005edbc817578d586a26e8e4c293c56d35adc81ccd87ad5faf51476f4d862386064501ff3a01c712c924f485c7084985ae320fbecbb0db5e34907411d5f615f34e172f178a028e3d936813c3c2f069802344bd1fe9a790e3c19761a6fa2817c096dd38eef2feb9788082042bbd5b41de4db308c38e8b2d036f428ae7535d5fb6ff76af47fdc31ffac9dd5aa68d80c779dbddd6b583c69f27be7cc2ddc5be161382d38b8a5d99a35e07929b7e40ce664fbf7cb0f57c87b9ffe2c392f1235f4fc1a3f1bb1309236dad7a7cda93e13c19e9664dda5da734e393332dc6f010ad44534f08246071557005d66dace1e6f765d05664f5415c196ca4a5546ce463d3c65bbd54b70189de9d39a10a4a5f77de81a1ddb520148c46f1bfb2311d1b9a6f9996f9bf5f5decbeaf8f5290c9d4805acd4c6fc20643fd136e208dc5c8dcb1410474851840bf12af151aedfad
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if ( isnull(nessus_version() ) ) exit(0);
if (description)
{
script_id(10287);
script_version("1.72");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/04/27");
script_name(english:"Traceroute Information");
script_summary(english:"traceroute");
script_set_attribute(attribute:"synopsis", value:"It was possible to obtain traceroute information.");
script_set_attribute(attribute:"description", value:"Makes a traceroute to the remote host.");
script_set_attribute(attribute:"solution", value:"n/a");
script_set_attribute(attribute:"risk_factor", value:"None");
script_set_attribute(attribute:"plugin_publication_date", value:"1999/11/27");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 1999-2026 Tenable Network Security, Inc.");
script_family(english:"General");
exit(0);
}
#
# the traceroute itself
#
function make_pkt(ttl, proto)
{
local_var ip, p, src;
# proto = proto % 5;
# display("make_pkt(", ttl, ", ", proto, ")\n");
src = compat::this_host();
# Prefer TCP
if( proto == 0 || proto > 2)
{
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_id:ip_id,
ip_len:20, ip_off:0, ip_p:IPPROTO_TCP, ip_src:src, ip_ttl:ttl);
p = forge_tcp_packet(ip:ip, th_sport:my_sport, th_dport:dport,
th_flags:TH_SYN, th_seq:ttl, th_ack:0, th_x2:0, th_off:5,
th_win:2048, th_urp:0);
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' Sending a forged TCP packet\n\n');
}
# then UDP
if (proto == 1)
{
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_id:ip_id,
ip_len:28, ip_off:0, ip_p:IPPROTO_UDP, ip_src:src, ip_ttl:ttl);
p = forge_udp_packet(ip:ip, uh_sport:my_sport, uh_dport:32768, uh_ulen:8);
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' Sending a forged UDP packet\n\n');
return (p);
}
# then ICMP
if (proto == 2)
{
ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_id:ip_id,
ip_len:20, ip_off:0, ip_p:IPPROTO_ICMP, ip_src:src, ip_ttl:ttl);
p = forge_icmp_packet(ip:ip, icmp_type:8, icmp_code:0, icmp_seq:ttl, icmp_id:ttl);
return (p);
}
return (p);
}
## MAIN ###
var gateway, dport, ip_id, my_sport,finished, ttl, src, dst,
error, str_ip, z, ip_fields, ip_high, ip_low, report, filter,
d, proto, gateway_n, count, i, err, p, rep, then, psrc, max, y;
if (TARGET_IS_IPV6) exit(0, "This check is not implemented for IPv6 hosts.");
if (islocalhost()) exit(1, "localhost can not be tested.");
# does not run on cloud scanners
if (get_kb_item("Host/msp_scanner"))
exit(0, "This plugin does not run on Nessus Cloud Scanners.");
dport = get_host_open_port();
if (!dport) dport = 80;
ip_id = rand() % 65535;
my_sport = rand() % 64000 + 1024;
finished = 0;
ttl = 1;
src = compat::this_host();
dst = get_host_ip();
error = 0;
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' IP Address of Nessus Scanner - SRC: ' + obj_rep(src) + '\n\n');
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' IP Address of Destination Host - DST: ' + obj_rep(dst) + '\n\n');
str_ip = dst;
z = strstr(str_ip, ".");
#
# pcap filter
#
ip_fields = split(dst, sep:'.', keep:0);
ip_high = (int(ip_fields[0]) << 8) | int(ip_fields[1]);
ip_low = (int(ip_fields[2]) << 8) | int(ip_fields[3]);
#
report = 'For your information, here is the traceroute from ' +
src + ' to ' + dst + ' : \n' + compat::this_host() + '\n';
filter = "dst host " + src + " and ((icmp and ((icmp[0]=3) or " +
"(icmp[0]=11)) and ((icmp[8] & 0xF0) = 0x40) and icmp[12:2]=" +
ip_id + " and icmp[24:2]=" + ip_high + " and icmp[26:2]=" +
ip_low + ")" + " or (src host " + get_host_ip() + " and tcp" +
" and tcp[0:2]=" + dport + " and tcp[2:2]=" + my_sport +
" and (tcp[13]=4 or tcp[13]=18))" +
" or (icmp and icmp[0]=0 and src host " + get_host_ip() + "))";
d = get_host_ip();
proto = 0; # Prefer TCP
gateway_n = 0;
count = make_list();
if ( defined_func("platform") && platform() == "WINDOWS" && NASL_LEVEL >= 5000 ) mutex_lock(SCRIPT_NAME);
while(!finished)
{
var current_proto = proto;
for (i=0; i < 3; i=i+1)
{
err=1;
p = make_pkt(ttl: ttl, proto: current_proto);
rep = send_packet(p, pcap_active:TRUE, pcap_filter:filter, pcap_timeout:5);
then = unixtime();
if(rep)
{
psrc = get_ip_element(ip:rep, element:"ip_src");
if (++ count[psrc] >= 3)
{
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' Encountered a loop: Plugin exiting \n\n');
report += '\nTraceroute exit: Encountered a loop.\n'; # We are running in circles
finished = 1;
break;
}
gateway[gateway_n ++] = psrc;
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' Next Hop Identified : ' + obj_rep(psrc) + '\n\n');
d = psrc - d;
if (!d)
{
finished = 1;
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' Traceroute list : ' + obj_rep(gateway) + '\n\n');
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' Traceroute has completed \n\n');
}
error = 0; err = 0;
proto = current_proto; # Lock in the successful protocol for the next TTL
break; # Exit the retry loop cleanly
}
else
{
# Safely cycle: 0 (TCP) -> 1 (UDP) -> 2 (ICMP) -> 0...
current_proto = (current_proto + 1) % 3;
}
}
if (err)
{
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' An error was detected along the way \n\n');
if (!error)
{
gateway[gateway_n++] = '?';
error = error + 1;
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' Error determining hop ' + gateway[gateway_n++] + '\n\n');
}
}
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' ttl: ' + obj_rep(ttl) + '\n\n');
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg: crap(data:"=", length:70)+'\n');
ttl = ttl + 1;
#
# If we get more than 3 errors one after another, we stop
#
if (error > 3)
{
finished = 1;
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' More than 3 errors have been reported - Completing Traceroute \n\n');
report += '\nMore than 3 errors have been reported - Completing Traceroute.\n\n';
}
#
# Should not get here
#
if (ttl > 50)
{
finished = 1;
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:' ttl was greater than 50 - Completing Traceroute \n\n');
report += '\nttl was greater than 50 - Completing Traceroute.\n\n';
}
}
if (defined_func("platform") && platform() == "WINDOWS" && NASL_LEVEL >= 5000) mutex_unlock(SCRIPT_NAME);
max = 0;
for (i = 1; i < max_index(gateway); i ++)
{
if (gateway[i] != gateway[i-1])
max = i;
else
dbg::detailed_log(lvl:3, src:SCRIPT_NAME, msg:'Duplicate IP Detected : ' + i + ' ('+ gateway[i]+ ') in trace to '+ get_host_ip() + '\n\n');
}
for (i = 0; i <= max; i ++)
{
if (empty_or_null(gateway[i])) continue;
report = report + gateway[i] + '\n';
report_xml_tag(tag:'traceroute-hop-' + i, value:gateway[i]);
set_kb_item(name:'traceroute-hop/' + i, value:gateway[i]);
}
# hop count
report = report + '\nHop Count: ' + i + '\n';
if (err)
report = report + '\nAn error was detected along the way.\n\n';
# show if at least one route was obtained.
# MA 2002-08-15: I split the expression "ttl=ttl-(1+error)" because of
# what looked like a NASL bug
y = 1 + error;
ttl = ttl - y;
if (ttl > 0)
security_report_v4(port:0, proto:"udp", extra:report, severity:SECURITY_NOTE);Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Apr 2026 00:00Current
5.3Medium risk
Vulners AI Score5.3