The Art of Firewalking - by Sujay
TRANSCRIPT
Firewalking Null Hyd 17May2014
Sujay Gankidi
http://en.wikipedia.org/wiki/Firewalk
Problem
Security Assessments
Network Troubleshooting
Definition: Firewalking is a technique developed by Mike Schiffman and David
Goldsmith that uses traceroute techniques and IP TTL values to analyze the
responses to crafted packets in order to determine the gateway's ACL (Access
Control List) filters and map networks behind it. It is an active
reconnaissance network security analysis technique that attempts to determine
which layer 4 protocols and ports a specific firewall will allow through.
Ref: http://en.wikipedia.org/wiki/Firewalk_%28computing%29#cite_ref-1
firewalk is an Active Reconnaissance Network Security Tool with Extreme
Prejudice
Ref: http://linux.die.net/man/8/firewalk
Traceroute
Network debugging utility to map out all hosts en route to a particular
destination.
Uses UDP (or ICMP echo) probes; each router that decrements the TTL to zero
replies with ICMP Time Exceeded, which reveals its address.
Increases the time to live (TTL) field in the IP header each successive round
(3 probes per hop by default).
For UDP probes the destination port is incremented with each probe sent
(starting at 33434 by default), so the starting port (traceroute -p) can be
chosen so that the probe which reaches a given hop carries the destination
port you want: starting_port = target_port - (number_of_hops * num_of_probes) - 1
(the slide's formula; the exact offset depends on the traceroute implementation).
Diagram: traceroute from x.x.x.x to z.z.z.z
Hop 1: Y.Y.Y.Y
Hop 2: A.A.A.A
Hop 3: B.B.B.B
...
Firewalking builds on the idea of traceroute to identify which traffic a
firewall's ACL allows through.
Firewalk tries to find out what transport layer protocols and ports are allowed by a gateway by:
Sending out TCP or UDP packets with an IP TTL one greater than the hop count
of the targeted gateway, so a packet the gateway forwards expires at the next
hop and draws an ICMP Time Exceeded, while a packet the gateway drops draws nothing.
In order to use this technique, we must know:
The IP address of the last known gateway before the firewalling takes place (the target gateway)
The IP address of a host located behind the firewall (the metric host); it does
not need to answer, it only has to be routed through the gateway.
Phases
Network discovery phase
Ramp up the TTL like traceroute until the Time Exceeded reply comes from the
target gateway; its hop count n is then "bound"
Scanning phase
Send TCP/UDP packets with TTL = n + 1 towards the metric host, one per port,
and wait for a reply with a timeout
Response received – port open (the gateway forwarded the packet)
No response – port filtered (the gateway dropped the packet; nothing is learned
about the metric host's own port state)
Diagram: firewalk from X.X.X.X to the metric host ?.?.?.? behind gateway Y.Y.Y.Y
Hop 0: X.X.X.X (scanner)
Hop n: Y.Y.Y.Y (target gateway)
Hop n+m: ?.?.?.? (metric host)
Phase 1: find the gateway's hop count n (bound)
Phase 2: scan for allowed protocols and ports
TCP/UDP packet with TTL = n + 1 to each destination port. If the reply is ICMP
Time Exceeded (from hop n+1) => port open through the gateway; if there is no
reply => treat it as filtered and move on to the next port.
Concerns
False negatives
Host could be down (when the metric host is the very next hop after the
gateway, silence from a dead host looks the same as a filtered port)
Packets could be dropped by any gateway prior to our target gateway
Slow walk / creeping walk
Needed if packets are dropped before reaching the target gateway
Ramp up the TTL towards the destination and scan each hop en route to the
target, so the hop at which a port stops being forwarded is identified
Very slow (one full scan per hop)
RFC 1918 - Address Allocation for Private Internets: hosts behind the gateway
with private addresses are not reachable from outside and cannot serve as the
metric host
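The two phases (bind the gateway, then probe with TTL = n + 1) and the creeping walk from the concerns list, written out as an added example. This is not the firewalk tool's code or the speaker's; it runs the algorithm against a constructed stand-in for a network path so that it executes offline. The hop addresses, the ACLs and the metric host in demo_network() are made up for the demonstration, and the scapy-based sender is an assumption (scapy installed, root privileges) that the offline run never calls.

```python
"""Firewalk's two phases plus a creeping walk, run against a constructed
stand-in for a network path.  Added example, not the firewalk tool's code.
Hop addresses, ACLs and metric host are constructed; scapy_sender assumes
scapy and root and is never exercised here."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Probe:
    ttl: int
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Reply:
    kind: str    # "time_exceeded", "host" (the metric host answered) or "none"
    src: str = ""


@dataclass
class SimNetwork:
    """Constructed path: hops[0] is hop 1 and the metric host sits one hop past
    the last router.  acls maps a hop number to a predicate saying whether that
    hop forwards a (proto, dport) pair.  Like a real router, a hop whose TTL
    decrement reaches zero replies Time Exceeded before its ACL is consulted,
    which is what firewalk relies on to bind the gateway."""
    hops: List[str]
    metric: str
    acls: Dict[int, Callable[[str, int], bool]]
    host_up: bool = True

    def send(self, probe: Probe) -> Reply:
        for hop, ip in enumerate(self.hops, start=1):
            if probe.ttl == hop:
                return Reply("time_exceeded", ip)
            forwards = self.acls.get(hop)
            if forwards is not None and not forwards(probe.proto, probe.dport):
                return Reply("none")          # silently dropped, no ICMP at all
        return Reply("host", self.metric) if self.host_up else Reply("none")


def bind_gateway(send, gateway_ip: str, max_ttl: int = 30) -> Optional[int]:
    """Phase 1: ramp up the TTL like traceroute until Time Exceeded comes back
    from the target gateway; that TTL is the bound hop count n."""
    for ttl in range(1, max_ttl + 1):
        reply = send(Probe(ttl, "udp", 33434))   # traceroute's default base port
        if reply.kind == "time_exceeded" and reply.src == gateway_ip:
            return ttl
        if reply.kind == "host":                  # metric host is not behind the gateway
            return None
    return None


def firewalk(send, gateway_ip: str, proto: str, ports) -> Dict[int, str]:
    """Phase 2: one probe per port with TTL = n + 1.  Any reply means the
    gateway forwarded the packet ("open"); silence means it filtered it.
    Nothing is learned about the metric host's own port state."""
    n = bind_gateway(send, gateway_ip)
    if n is None:
        raise RuntimeError("could not bind the gateway: not on the path to the metric host")
    results = {}
    for port in ports:
        reply = send(Probe(n + 1, proto, port))
        results[port] = "open" if reply.kind in ("time_exceeded", "host") else "filtered"
    return results


def creeping_walk(send, n: int, proto: str, port: int) -> int:
    """Slow/creeping walk for one port: probe every TTL up to n + 1 and return
    the highest TTL that drew a reply.  n + 1 means the port passes the whole
    path; anything lower names the hop that stopped forwarding it, which turns
    the "dropped before our gateway" false negative into a finding."""
    last = 0
    for ttl in range(1, n + 2):
        if send(Probe(ttl, proto, port)).kind == "none":
            break
        last = ttl
    return last


def scapy_sender(metric_host: str, timeout: float = 2.0):
    """Real sender for the same functions (assumption: scapy installed, run as
    root).  Not exercised by the offline demonstration."""
    def send(probe: Probe) -> Reply:
        from scapy.all import ICMP, IP, TCP, UDP, sr1
        l4 = TCP(dport=probe.dport, flags="S") if probe.proto == "tcp" else UDP(dport=probe.dport)
        resp = sr1(IP(dst=metric_host, ttl=probe.ttl) / l4, timeout=timeout, verbose=0)
        if resp is None:
            return Reply("none")
        if resp.haslayer(ICMP) and resp[ICMP].type == 11:
            return Reply("time_exceeded", resp[IP].src)
        return Reply("host", resp[IP].src)
    return send


def demo_network() -> SimNetwork:
    """Constructed path: an upstream router that drops TCP/23, the target
    gateway at hop 3 allowing only TCP/80, TCP/443 and UDP/53, one more router
    behind it, then the metric host."""
    return SimNetwork(
        hops=["10.0.0.1", "10.0.0.2", "203.0.113.1", "203.0.113.2"],
        metric="203.0.113.10",
        acls={
            1: lambda proto, port: not (proto == "tcp" and port == 23),
            3: lambda proto, port: (proto, port) in {("tcp", 80), ("tcp", 443), ("udp", 53)},
        },
    )


if __name__ == "__main__":
    net = demo_network()
    print(firewalk(net.send, "203.0.113.1", "tcp", [22, 23, 80, 443]))
    for port in (22, 23, 80):
        print(port, "last answering TTL:", creeping_walk(net.send, 3, "tcp", port))
```

On the constructed path TCP/23 and TCP/22 both come back "filtered" from the plain firewalk, which is the false negative the slides warn about: the creeping walk separates them, answering up to TTL 1 for port 23 (dropped by the upstream router) and up to TTL 3 for port 22 (dropped by the target gateway itself).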
Threats
Firewall protocol scan (the ACL is enumerated without ever connecting to the
hosts behind it)
Advanced network mapping
Mitigation
Disable egress ICMP Time Exceeded (type 11) messages at the gateway, so the
scanner gets no reply whether a packet was forwarded or dropped
NAT (internal hops and hosts are not addressable from outside as a metric host)
Proxy (connections terminate at the gateway, so no packet is forwarded with
the original TTL)
Tools and usage
Firewalk
firewalk [options] target_gateway metric
e.g. firewalk -S22,80,443 -pTCP <gateway_ip> <metric_host>
Nmap
nmap --script firewalk --traceroute <metric_host>
(the firewalk NSE script needs --traceroute to bind the hops; script arguments
such as firewalk.max-retries and firewalk.recv-timeout tune the probing)
Q & A