The Art of Firewalking, by Sujay

Firewalking Null Hyd 17May2014 Sujay Gankidi

Upload: nullhyd-null0x00

Post on 13-Jul-2015


Page 1

Firewalking, Null Hyd, 17 May 2014

Sujay Gankidi

Page 2

http://en.wikipedia.org/wiki/Firewalk

Page 3

Problem

Security Assessments

Network Troubleshooting

Page 4

Definition

Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow.

Ref: http://en.wikipedia.org/wiki/Firewalk_%28computing%29#cite_ref-1

firewalk is an Active Reconnaissance Network Security Tool with Extreme Prejudice

Ref: http://linux.die.net/man/8/firewalk

Page 5

Traceroute

Network debugging utility to map out all hosts en route to a particular destination.

Uses UDP or ICMP echo packets.

Increases the time to live (TTL) field in the IP header each successive round (3 packets per round).

For a UDP scan the destination port is incremented with each probe sent: (target_port - (number_of_hops * num_of_probes)) - 1

Page 6

Traceroute

[Diagram: traceroute from x.x.x.x to z.z.z.z. Hop 1 = Y.Y.Y.Y, Hop 2 = A.A.A.A, Hop 3 = B.B.B.B]

Page 7

Firewalking

Built on the idea of traceroute to identify what a firewall's ACLs allow.

Firewalk tries to find out which transport layer protocols are allowed through a gateway by sending TCP or UDP packets with an IP TTL one greater than the hop count of the targeted gateway.

In order to use this technique, we must know:

The IP address of the last known gateway before the firewalling takes place

The IP address of a host located behind the firewall

Page 8

Phases

Network discovery phase

Ramp up the TTL like traceroute

Gateway is bound to a hop count

Scanning phase

TCP/UDP packets sent with a timeout

Response received => port open

No response => port closed

Page 9

Firewalk

[Diagram: scanner X.X.X.X at hop 0, gateway Y.Y.Y.Y at hop n, target host ?.?.?.? at hop n+m]

Phase 1: find the gateway hop count (the bound)

Phase 2: scan for allowed protocols and ports

TCP/UDP packet with TTL = n + 1 to the destination port. If the reply is ICMP time exceeded => port open. Else keep guessing!
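The two phases from pages 8 and 9, together with the "disable egress ICMP TTL Exceeded" mitigation the deck lists on page 14, as an added example that is not part of the deck nor of the firewalk tool: a pure Python model of the probe path, where the addresses (documentation ranges), the gateway ACL and the port list are constructed and nothing is put on the wire.

```python
"""Added model of firewalk's two phases over a simulated path; nothing is sent on the wire."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Hop:
    addr: str
    acl: frozenset | None = None            # ports this gateway forwards; None = forwards everything
    drop_egress_ttl_exceeded: bool = False  # the deck's mitigation: TTL Exceeded from behind is dropped

def probe(path, ttl, port):
    """One TCP/UDP probe sent from hop 0; returns the address that answered ICMP time exceeded, or None."""
    reply_blocked = False
    for hop in path:                       # path[0] is hop 1
        ttl -= 1                           # each router decrements TTL on receipt
        if ttl == 0:                       # expired here: time exceeded goes back, unless a gateway eats it
            return None if reply_blocked else hop.addr
        if hop.acl is not None and port not in hop.acl:
            return None                    # filtered by the ACL: dropped silently, no reply at all
        if hop.drop_egress_ttl_exceeded:
            reply_blocked = True           # replies generated beyond this hop never make it out
    return None                            # reached the end host; no time-exceeded message

def find_bound(path, gateway, port, max_ttl=30):
    """Phase 1 (network discovery): ramp TTL up like traceroute until the gateway itself answers."""
    for ttl in range(1, max_ttl + 1):
        if probe(path, ttl, port) == gateway:
            return ttl
    raise RuntimeError("gateway not seen on path")

def firewalk(path, gateway, ports):
    """Phase 2 (scanning): TTL = bound + 1 per port; time exceeded from beyond the gateway => open."""
    bound = find_bound(path, gateway, ports[0])
    return {p: "open" if probe(path, bound + 1, p) is not None else "closed" for p in ports}

# Constructed topology (documentation-range addresses): scanner -> r1 -> gateway/firewall -> r3 -> host
GATEWAY = "203.0.113.1"
PATH = [Hop("198.51.100.1"), Hop(GATEWAY, acl=frozenset({80, 443})), Hop("203.0.113.2")]
PORTS = [22, 80, 443, 8080]

def demo():
    """Same scan twice: against the plain gateway, then with egress ICMP TTL Exceeded dropped."""
    hardened = [PATH[0], Hop(GATEWAY, acl=frozenset({80, 443}), drop_egress_ttl_exceeded=True), PATH[2]]
    return firewalk(PATH, GATEWAY, PORTS), firewalk(hardened, GATEWAY, PORTS)

if __name__ == "__main__":
    before, after = demo()
    print("plain gateway:", before)                # 80 and 443 read open, 22 and 8080 closed
    print("ICMP TTL Exceeded suppressed:", after)  # every port reads closed: the scan learns nothing
```

"closed" here is the deck's own label; in the model it only means the gateway never forwarded the probe, which is why the hardened run produces the false negatives page 10 warns about.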

Page 10

Concerns

False negatives

Host could be down

Packets could be dropped by any gateway prior to our target gateway

Page 11

Slow walk / creeping walk

Needed if packets are dropped before reaching the gateway

Ramp up to the destination and scan each hop en route to the target

Very slow

Page 12

RFC 1918 - Address Allocation for Private Internets

Page 13

Threats

Firewall protocol scan

Advanced network mapping

Page 14

Mitigation

Disable egress ICMP TTL Exceeded messages

NAT

Proxy

Page 15

Tools and usage

Firewalk

firewalk [options] Gateway_IP Metric

Nmap

nmap --script=firewalk --traceroute <IP>

Script options are passed with --script-args

Page 16

Q & A