Firewalking

null Hyderabad Chapter - May 2014 Meet

Firewalking Presentation Transcript

  • Firewalking. Null Hyd, 17 May 2014. Sujay Gankidi
  • http://en.wikipedia.org/wiki/Firewalk
  • Problem
      • Security Assessments
      • Network Troubleshooting
  • Definition
      • Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow. Ref: http://en.wikipedia.org/wiki/Firewalk_%28computing%29#cite_ref-1
      • firewalk is an "Active Reconnaissance Network Security Tool with Extreme Prejudice". Ref: http://linux.die.net/man/8/firewalk
  • Traceroute
      • Network debugging utility to map out all hosts en route to a particular destination.
      • Uses UDP or ICMP echo packets
      • Increases the time to live (TTL) field in the IP header each successive round (3 packets)
      • For UDP scan the destination port will be incremented with each probe sent
      • (target_port - (number_of_hops * num_of_probes)) - 1
  • Traceroute (diagram): traceroute from x.x.x.x to z.z.z.z; Hop1 Y.Y.Y.Y, Hop2 A.A.A.A, Hop3 B.B.B.B, …
  • Firewalking
      • Builds on the idea of traceroute to identify what firewall ACLs allow
      • Firewalk tries to find out what transport layer protocols are allowed by a gateway by:
          • Sending out TCP or UDP packets
          • with IP TTL one greater than the targeted gateway
      • In order to use this technique, we must know:
          • The IP address of the last known gateway before the firewalling takes place
          • The IP address of a host located behind the firewall.
  • Phases
      • Network discovery phase
          • Ramp-up TTL like traceroute
          • Gateway is bound to
      • Scanning phase
          • TCP/UDP packets with timeout
          • Response received – port open
          • No Response – port closed
  • Firewalk (diagram labels: X.X.X.X, Y.Y.Y.Y, ?.?.?.?, Hop 0, Hop n, Hop n+m)
      • Phase 1: Find gateway hop count (bound)
      • Phase 2: Scan for allowed protocols and ports
      • TCP/UDP packet, TTL = n + 1, Dest Port
      • If reply is ICMP time exceeded => port open
      • Else keep guessing!
  • Concerns
      • False Negatives
      • Host could be down
      • Packets could be dropped by any gateway prior to our target gateway
  • Slow walk / creeping walk
      • Need to run if packets are dropped before reaching the gateway
      • Ramp-up to destination and scan each hop en route to the target
      • Very slow
  • RFC 1918 - Address Allocation for Private Internets
  • Threats
      • Firewall protocol scan
      • Advanced Network Mapping
  • Mitigation
      • Disable egress ICMP TTL Exceeded messages
      • NAT
      • Proxy
  • Tools and usage
      • Firewalk
          • firewalk [options] Gateway_IP Metric
      • Nmap
          • nmap --script=firewalk --traceroute --script-args=<IP>
  • Q & A
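
Added example (not from the presentation): a detection sketch for the scanning phase described in the slides, where many TCP/UDP probes to different ports all carry a TTL set to expire one hop behind the gateway. The record layout, the `detect_firewalk` name, the thresholds and the sample packets are assumptions constructed for illustration; the sensor is assumed to sit on the gateway's outside interface, so such probes arrive there with TTL 2.

```python
from collections import defaultdict

def detect_firewalk(records, scan_ttl=2, min_ports=5):
    """Flag (src, dst, proto) tuples whose near-expiry probes hit many ports.

    records: iterable of (src_ip, dst_ip, proto, dst_port, ttl_on_arrival).
    A probe sent with TTL = n + 1 reaches the gateway at hop n with TTL 2
    and, if the ACL passes it, expires at the next hop (ICMP time exceeded).
    Plain traceroute also sends low-TTL packets, but only 3 probes per TTL
    value, so it stays below min_ports distinct ports at scan_ttl.
    """
    ports = defaultdict(set)
    for src, dst, proto, dport, ttl in records:
        if proto in ("tcp", "udp") and ttl == scan_ttl:
            ports[(src, dst, proto)].add(dport)
    return {key: sorted(p) for key, p in ports.items() if len(p) >= min_ports}

def sample_records():
    """Constructed packets (documentation address ranges), not real traffic."""
    recs = []
    # Firewalk-style scan: fixed TTL, one probe per candidate port.
    for port in (21, 22, 23, 25, 53, 80, 443):
        recs.append(("198.51.100.7", "10.0.0.5", "tcp", port, 2))
    # Ordinary UDP traceroute: TTL ramps up, 3 probes per TTL,
    # destination port incremented with each probe.
    port = 33434
    for ttl in (1, 2, 3):
        for _ in range(3):
            recs.append(("203.0.113.9", "10.0.0.5", "udp", port, ttl))
            port += 1
    # Normal client traffic arrives with a TTL far from expiry.
    recs += [("192.0.2.44", "10.0.0.5", "tcp", 443, 57)] * 4
    return recs

if __name__ == "__main__":
    for (src, dst, proto), hit in detect_firewalk(sample_records()).items():
        print(f"possible firewalk: {src} -> {dst} {proto} ports {hit}")
```

If egress ICMP TTL Exceeded messages are disabled as the mitigation slide suggests, the scanner gets no replies, but the inbound probes still appear in this kind of log.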