Firewalking
Null Hyd 17May2014
Sujay Gankidi
http://en.wikipedia.org/wiki/Firewalk
null Hyderabad Chapter - May 2014 Meet

Published in: Education, Technology

Firewalking

  1. Firewalking. Null Hyd, 17May2014. Sujay Gankidi
  2. http://en.wikipedia.org/wiki/Firewalk
  3. Problem
     • Security Assessments
     • Network Troubleshooting
  4. Definition
     Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow.
     Ref: http://en.wikipedia.org/wiki/Firewalk_%28computing%29#cite_ref-1
     "firewalk is an Active Reconnaissance Network Security Tool with Extreme Prejudice"
     Ref: http://linux.die.net/man/8/firewalk
  5. Traceroute
     • Network debugging utility to map out all hosts en route to a particular destination.
     • Uses UDP or ICMP echo packets
     • Increases the time to live (TTL) field in the IP header each successive round (3 packets)
     • For a UDP scan, the destination port is incremented with each probe sent
     • (target_port - (number_of_hops * num_of_probes)) - 1
  6. Traceroute (diagram): traceroute to z.z.z.z. Labels: x.x.x.x, A.A.A.A, B.B.B.B, z.z.z.z; Hop1 Y.Y.Y.Y, Hop2 A.A.A.A, Hop3 B.B.B.B, …
  7. Firewalking
     • Builds on the idea of traceroute to identify the ACLs allowed by firewalls
     • Firewalk tries to find out what transport layer protocols are allowed by a gateway by:
     • Sending out TCP or UDP packets
     • with an IP TTL one greater than the targeted gateway
     • In order to use this technique, we must know:
     • The IP address of the last known gateway before the firewalling takes place
     • The IP address of a host located behind the firewall.
  8. Phases
     • Network discovery phase
     • Ramp-up TTL like traceroute
     • Gateway is bound to
     • Scanning phase
     • TCP/UDP packets with timeout
     • Response received: port open
     • No response: port closed
  9. Firewalk (diagram). Labels: X.X.X.X, Hop 0, Hop n, Y.Y.Y.Y, ?.?.?.?, Hop n+m
     • Phase 1: Find gateway hop count (bound)
     • Phase 2: Scan for allowed protocols and ports
     • TCP/UDP packet: TTL = n + 1, Dest Port
     • If reply is ICMP time exceeded => port open
     • Else keep guessing!
  10. Concerns
     • False negatives
     • Host could be down
     • Packets could be dropped by any gateway prior to our target gateway
  11. Slow walk / creeping walk
     • Needs to be run if packets are dropped before reaching the gateway
     • Ramp up to the destination and scan each hop en route to the target
     • Very slow
  12. RFC 1918 - Address Allocation for Private Internets
  13. Threats
     • Firewall protocol scan
     • Advanced network mapping
  14. Mitigation
     • Disable egress ICMP TTL Exceeded messages
     • NAT
     • Proxy
  15. Tools and usage
     • Firewalk
     • firewalk [options] Gateway_IP Metric
     • Nmap
     • nmap --script=firewalk --traceroute --script-args=<IP>
  16. Q & A
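
Slides 9 and 14 turn on the ICMP time exceeded reply that leaves the network when a probe passes the gateway. The following is an added example, not part of the original slides: a detector that reads the probe header quoted inside each egress time-exceeded message and flags sources that drew replies for many distinct ports. The addresses, the `min_ports` threshold and the function names are assumptions, and the sample messages are constructed.

```python
import socket
import struct
from collections import defaultdict

def parse_time_exceeded(icmp: bytes):
    """Return (prober, target, proto, dport) quoted in an ICMP time-exceeded message, else None."""
    if len(icmp) < 32 or icmp[0] != 11 or icmp[1] != 0:   # type 11, code 0: TTL expired in transit
        return None
    inner = icmp[8:]                   # quoted original IP header + first 8 payload bytes (RFC 792)
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 4:
        return None
    proto = inner[9]
    if proto not in (6, 17):           # firewalk probes are TCP or UDP
        return None
    _sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]), proto, dport

def firewalk_suspects(messages, min_ports=5):
    """Group quoted probes by (prober, target, proto); flag groups that hit many distinct ports."""
    ports = defaultdict(set)
    for msg in messages:
        rec = parse_time_exceeded(msg)
        if rec:
            ports[rec[:3]].add(rec[3])
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}

def build_sample(src, dst, proto, dport):
    """Constructed ICMP time-exceeded message quoting a probe whose TTL reached 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 1, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return struct.pack("!BBHI", 11, 0, 0, 0) + ip + struct.pack("!HHI", 40000, dport, 0)

# Constructed data: one source walking TCP ports, one ordinary UDP traceroute.
SAMPLE = [build_sample("198.51.100.7", "10.0.0.5", 6, p) for p in (21, 22, 23, 25, 80, 443)]
SAMPLE += [build_sample("203.0.113.9", "10.0.0.5", 17, p) for p in (33434, 33435, 33436)]

if __name__ == "__main__":
    for (src, dst, proto), ports in firewalk_suspects(SAMPLE).items():
        print(f"{src} -> {dst} proto {proto}: time-exceeded elicited for ports {ports}")
```

Each flagged port is one for which a probe got past the gateway's ACL, so the output also shows what the prober learned. With egress time exceeded disabled as on slide 14, there are no such messages to count.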