
Backtrack 2 : Information Gathering –> All –> FireWalk


Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be `bound`) we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

(Source: http://www.packetfactory.net/projects/firewalk/)

(Copied from: http://www.vulnerabilityassessment.co.uk/firewalk.htm)

Syntax:

firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

Options:

-d 1-65535 Specify the initial destination port to use during the ramping phase.

-h Program help.

-i interface_name Specify the interface to use.

-n Don't resolve IPs to hostnames.

-P 1-2000 Set a network writing pause, to keep firewalk from flooding the network.

-p TCP,UDP Type of scan to perform.

-r Strict RFC 793 compliance.

-S 1-65535,… (default 1-130,139,1025) Specify the ports to scan. Ports are given as ranges delimited by dashes; multiple ranges may be specified, delimited by commas. Omitting the terminating port number is shorthand for 65535.

-s 1-65535 (default 53) Specify the source port for the scan (both phases).

-T 1-2000 (default 2) Network packet reading timeout.

-t 1-25 (default 1) Sets the initial IP TTL value. If the target gateway is known to be n hops from the source host, the TTL can be preloaded to facilitate a faster scan.

-v Dump program version and exit.

-x Expire vector (default 1). The expire vector is the number of hops past the gateway host at which the scanning probes will expire. The binding hopcount is the hopcount of the gateway plus the expire vector.

Sample Output:

root@fc4>firewalk -n -p tcp -s 80 -d 80 192.168.0.1 192.168.1.1

Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 80, destination port: 80
Hotfoot through 192.168.0.1 using 192.168.1.1 as a metric.
Ramping Phase:
expired [192.168.0.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]
A! open (port listen) [192.168.1.1]
A! open (port not listen) [192.168.1.1]

In this example, traffic is allowed through ports 25 and 80, in essence Sendmail (SMTP) and Hypertext Transfer Protocol (HTTP). An attacker trying to get inside your network could then quite possibly use tools such as nmap to scan internal subnets for all hosts with these distinct ports open. Having found some targets, they may try to bypass your firewall by tunnelling traffic through these ports.

That’s it!!

pavs

PS: because my gateway doesn't allow the right conditions in any easy way to simulate this example, I had to copy someone else's work. If at a future date I find the right conditions, I will update this howto with my own example.


