Firewalk
Firewalk is an active reconnaissance network security tool for enumerating firewalls. It attempts to determine which layer 4 protocols a firewall, in its current configuration, will allow to pass through to internal hosts. Firewalk sends out TCP or UDP packets with a TTL one greater than the hop count of the targeted gateway/firewall. If the gateway/firewall allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will most likely drop the packets on the floor and we will see no response.
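The two phases described above, as an added model written for this page (it is not Firewalk's own code). Everything about the topology is an assumption: the path is a list of hop addresses, the filtering gateway sits at a fixed hop number, the metric host is the last hop, the gateway's ACL is a set of (protocol, port) pairs it forwards, and each hop checks TTL before it checks its ACL. The result strings copy the shape of Firewalk's output, but the mapping from reply type to string is assumed; the port-spec parser follows the -S syntax given further down the page.

```python
"""Model of Firewalk's ramping and scanning phases (added example; not
Firewalk's own code). Topology, ACL handling and result labels are
assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass
class Path:
    hops: list        # address of each hop, hop 1 first; the last hop is the metric host
    gateway_hop: int  # 1-based hop number of the filtering gateway
    acl: set          # (proto, dst_port) pairs the gateway forwards
    listening: set    # (proto, dst_port) pairs the metric host listens on


def parse_port_spec(spec):
    """Expand a -S style port list: dash ranges, comma separated;
    an open-ended range such as '1025-' runs to 65535."""
    ports = []
    for item in spec.split(","):
        if "-" in item:
            lo, hi = item.split("-", 1)
            ports.extend(range(int(lo), int(hi or 65535) + 1))
        else:
            ports.append(int(item))
    return ports


def send_probe(path, proto, dst_port, ttl):
    """Simulate one probe and return the reply it elicits:
    ("time_exceeded", hop)  TTL hit zero at an intermediate hop (ICMP_TIME_EXCEEDED)
    ("listen", host) / ("not_listen", host)  the probe reached the metric host
    None                    the gateway dropped it on the floor, no response
    """
    for hop_no, addr in enumerate(path.hops, start=1):
        if hop_no == len(path.hops):
            # The addressee answers rather than forwards.
            open_port = (proto, dst_port) in path.listening
            return ("listen" if open_port else "not_listen", addr)
        ttl -= 1
        if ttl == 0:
            return ("time_exceeded", addr)
        if hop_no == path.gateway_hop and (proto, dst_port) not in path.acl:
            return None
    return None


def ramping_phase(path, gateway_addr, proto, dst_port, initial_ttl=1,
                  expire_vector=1, max_ttl=25):
    """Step the TTL up until the gateway itself expires a probe; the binding
    hopcount is the gateway's hopcount plus the expire vector."""
    for ttl in range(initial_ttl, max_ttl + 1):
        reply = send_probe(path, proto, dst_port, ttl)
        if reply is None:
            return None  # ramping port filtered before the gateway was located
        kind, addr = reply
        if addr == gateway_addr:
            return ttl + expire_vector
        if kind != "time_exceeded":
            return None  # reached the metric host without passing the named gateway
    return None


def scanning_phase(path, proto, ports, binding_ttl):
    """Send every port at the binding TTL and classify the reply."""
    labels = {"time_exceeded": "A! open",
              "listen": "A! open (port listen)",
              "not_listen": "A! open (port not listen)"}
    results = {}
    for port in ports:
        reply = send_probe(path, proto, port, binding_ttl)
        results[port] = "*no response*" if reply is None else labels[reply[0]]
    return results


def sample_path():
    """Constructed topology shaped like the page's sample run: gateway
    192.168.0.1 one hop away, metric host 192.168.1.1 behind it, TCP 25 and
    80 forwarded, only 80 listening."""
    return Path(hops=["192.168.0.1", "192.168.1.1"], gateway_hop=1,
                acl={("tcp", 25), ("tcp", 80)}, listening={("tcp", 80)})


def run_firewalk(path, gateway_addr, proto="tcp", ramp_port=80,
                 port_spec="1-130,139,1025"):
    """Ramp, then scan; returns (binding hopcount, {port: verdict})."""
    binding = ramping_phase(path, gateway_addr, proto, ramp_port)
    if binding is None:
        return None, {}
    return binding, scanning_phase(path, proto, parse_port_spec(port_spec), binding)


if __name__ == "__main__":
    bound, results = run_firewalk(sample_path(), "192.168.0.1")
    print(f"Scan bound at {bound} hops.")
    for port, verdict in results.items():
        if verdict != "*no response*":
            print(f"port {port:5d}: {verdict}")
```

The model makes the page's key point visible: a probe that the gateway forwards always produces some reply from the far side (an ICMP time-exceeded from a router, or a RST/SYN-ACK from the metric host if it is the next hop), while a filtered one produces silence. With an expire vector of 2 on a three-hop path the same code reports a bare "A! open" from the router in between, since the probe never reaches a host that could say whether the port listens.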
Installation:
Currently available from here, or I have an rpm that does work on Fedora Core 4/5. To build from source:
./configure
make
make install
Execution:
Syntax:
firewalk -p [protocol] -d [destination_port] -s [source_port] [gateway_IP] [internal_IP]
(the first address is the gateway being walked, the second the internal host used as the metric, as in the sample run below)
Options:
  -d 1-65535          Specify the initial destination port to use during the ramping phase.
  -h                  Program help.
  -i interface_name   Specify the interface to use.
  -n                  Don't resolve IPs to hostnames.
  -P 1-2000           Set a network writing pause, to keep firewalk from flooding the network.
  -p TCP,UDP          Type of scan to perform.
  -r                  Strict RFC 793 compliance.
  -S 1-65535,...      (default 1-130,139,1025) Specify the ports to scan. Ports are given as
                      ranges delimited by dashes; multiple ranges may be specified, delimited by
                      commas. Omitting the terminating port number is shorthand for 65535.
  -s 1-65535          (default 53) Specify the source port for the scan (both phases).
  -T 1-2000           (default 2) Network packet reading timeout.
  -t 1-25             (default 1) Set the initial IP TTL value. If the target gateway is known
                      to be n hops from the source host, the TTL can be preloaded to facilitate
                      a faster scan.
  -v                  Dump the program version and exit.
  -x expire_vector    (default 1) The expire vector is the number of hops past the gateway host
                      at which the scanning probes will expire. The binding hopcount is the
                      hopcount of the gateway plus the expire vector.
Sample Output:
root@fc4>firewalk -n -p tcp -s 80 -d 80 192.168.0.1 192.168.1.1
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 80, destination port: 80
Hotfoot through 192.168.0.1 using 192.168.1.1 as a metric.
Ramping Phase:
expired [192.168.0.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
In this example, traffic is allowed through ports 25 and 80, in essence Sendmail (SMTP) and Hypertext Transfer Protocol (HTTP). An attacker trying to get inside your network could then quite possibly use tools such as nmap to scan internal subnets for all hosts with these distinct ports open. Having found some targets, they may try to bypass your firewall by tunnelling traffic through these ports.
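From the gateway's side the same mechanics leave a recognisable trace. The detector below is an added example for this page, not part of Firewalk or of the original text; the log format (netfilter LOG style), the field names and the thresholds are assumptions, and the log lines are constructed. The idea it relies on follows from the description above: a probe is built to expire one hop past the gateway, so whatever distance the scanner is at, the probe arrives at the gateway with only expire vector + 1 hops of TTL left (2 with the defaults), whereas ordinary traffic arrives with dozens of hops remaining.

```python
"""Spotting Firewalk-style probing in gateway logs (added example; the log
format, field names and thresholds are assumptions, not from the page).

Two patterns are looked for:
  ramping  - one src/dst/port, TTL stepping up by one between packets
  scanning - one src/dst/TTL, many distinct destination ports
"""
import re
from collections import defaultdict

# Constructed netfilter-LOG-style lines (not real traffic); addresses are
# from documentation ranges.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=1 ID=1 PROTO=TCP SPT=80 DPT=80 SYN
Jan 10 12:00:02 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=2 ID=2 PROTO=TCP SPT=80 DPT=80 SYN
Jan 10 12:00:03 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=2 ID=3 PROTO=TCP SPT=80 DPT=21 SYN
Jan 10 12:00:03 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=2 ID=4 PROTO=TCP SPT=80 DPT=22 SYN
Jan 10 12:00:04 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=2 ID=5 PROTO=TCP SPT=80 DPT=23 SYN
Jan 10 12:00:04 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=2 ID=6 PROTO=TCP SPT=80 DPT=25 SYN
Jan 10 12:00:05 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=2 ID=7 PROTO=TCP SPT=80 DPT=53 SYN
Jan 10 12:00:05 fw kernel: FW: IN=eth0 SRC=203.0.113.7 DST=192.168.1.1 LEN=40 TTL=2 ID=8 PROTO=TCP SPT=80 DPT=110 SYN
Jan 10 12:00:06 fw kernel: FW: IN=eth0 SRC=198.51.100.9 DST=192.168.1.1 LEN=60 TTL=52 ID=9 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 10 12:00:07 fw kernel: FW: IN=eth0 SRC=198.51.100.9 DST=192.168.1.1 LEN=60 TTL=52 ID=10 PROTO=TCP SPT=51235 DPT=80 SYN
Jan 10 12:00:08 fw kernel: unrelated message without packet fields
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the fields the detector needs, or None for lines without them."""
    fields = dict(FIELD_RE.findall(line))
    try:
        return {"src": fields["SRC"], "dst": fields["DST"],
                "proto": fields["PROTO"], "ttl": int(fields["TTL"]),
                "dpt": int(fields["DPT"])}
    except (KeyError, ValueError):
        return None


def detect_firewalk(lines, max_arrival_ttl=5, min_ports=5):
    """Group low-TTL packets two ways and report both Firewalk phases.

    max_arrival_ttl: remaining TTL at the gateway above which a packet is
    treated as ordinary traffic (an assumed threshold).
    min_ports: distinct destination ports at one TTL needed to call it a scan.
    """
    by_ttl = defaultdict(set)   # (src, dst, proto, ttl) -> destination ports
    by_port = defaultdict(set)  # (src, dst, proto, dpt) -> TTLs seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ttl"] > max_arrival_ttl:
            continue
        by_ttl[(rec["src"], rec["dst"], rec["proto"], rec["ttl"])].add(rec["dpt"])
        by_port[(rec["src"], rec["dst"], rec["proto"], rec["dpt"])].add(rec["ttl"])

    alerts = []
    for (src, dst, proto, ttl), ports in sorted(by_ttl.items()):
        if len(ports) >= min_ports:
            alerts.append({"phase": "scanning", "src": src, "dst": dst,
                           "proto": proto, "ttl": ttl, "ports": sorted(ports)})
    for (src, dst, proto, dpt), ttls in sorted(by_port.items()):
        # Consecutive TTL values against one port are the ramping signature.
        if len(ttls) >= 2 and max(ttls) - min(ttls) + 1 == len(ttls):
            alerts.append({"phase": "ramping", "src": src, "dst": dst,
                           "proto": proto, "dpt": dpt, "ttls": sorted(ttls)})
    return alerts


def run_sample():
    """Run the detector over the constructed log above."""
    return detect_firewalk(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Two caveats on using this. First, traceroute sends the same low-TTL probes, so the ramping alert on its own is noisy; the scanning alert (many ports at one arrival TTL) is the more specific one. Second, the scan only works because something past the gateway answers: a gateway that does not forward ICMP time-exceeded (and TCP RST) from the inside back out, or a proxy or NAT that terminates connections at the border rather than routing them, removes the signal Firewalk depends on.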