null Hyderabad Chapter - May 2014 Meet

Published in: Education, Technology

  • 1. Firewalking. Null Hyd, 17 May 2014. Sujay Gankidi
  • 2.
  • 3. Problem
      • Security Assessments
      • Network Troubleshooting
  • 4. Definition Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow. Ref: firewalk is an Active Reconnaissance Network Security Tool with Extreme Prejudice Ref:
  • 5. Traceroute
      • Network debugging utility to map out all hosts en route to a particular destination.
      • Uses UDP or ICMP echo packets
      • Increases the time to live (TTL) field in the IP header each successive round (3 packets)
      • For UDP scan the destination port will be incremented with each probe sent
      • (target_port - (number_of_hops * num_of_probes)) - 1
  • 6. Traceroute (diagram): traceroute from x.x.x.x to z.z.z.z, reporting Hop1 Y.Y.Y.Y, Hop2 A.A.A.A, Hop3 B.B.B.B, …
  • 7. Firewalking
      • Built on the idea of traceroute to identify the ACLs allowed by firewalls
      • Firewalk tries to find out what transport layer protocols are allowed by a gateway by:
          • Sending out TCP or UDP packets
          • with IP TTL one greater than the targeted gateway
      • In order to use this technique, we must know:
          • The IP address of the last known gateway before the firewalling takes place
          • The IP address of a host located behind the firewall.
  • 8. Phases
      • Network discovery phase
          • Ramp-up TTL like traceroute
          • Gateway is bound to
      • Scanning phase
          • TCP/UDP packets with timeout
          • Response received: port open
          • No response: port closed
  • 9. Firewalk (diagram: X.X.X.X, Y.Y.Y.Y, ?.?.?.?; Hop 0, Hop n, Hop n+m)
      • Phase 1: Find gateway hop count (bound)
      • Phase 2: Scan for allowed protocols and ports
      • TCP/UDP packet, TTL = n + 1, Dest Port
      • If reply is ICMP time exceeded => port open
      • Else keep guessing!
  • 10. Concerns
      • False negatives
      • Host could be down
      • Packets could be dropped by any gateway prior to our target gateway
  • 11. Slow walk / creeping walk
      • Needed if packets are dropped before reaching the gateway
      • Ramp up to the destination and scan each hop en route to the target
      • Very slow
  • 12. RFC 1918 - Address Allocation for Private Internets
  • 13. Threats
      • Firewall protocol scan
      • Advanced network mapping
  • 14. Mitigation
      • Disable egress ICMP TTL Exceeded messages
      • NAT
      • Proxy
  • 15. Tools and usage
      • Firewalk
          • firewalk [options] Gateway_IP Metric
      • Nmap
          • nmap --script=firewalk --traceroute <IP>
  • 16. Q & A
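
Seen from the gateway, the scanning phase on slides 8 and 9 is a run of TCP/UDP packets from one source that all arrive with the same near-expiry TTL and differ only in destination port. The following is an added example, not part of the slides, that flags that pattern in constructed packet records; the record layout, the thresholds and a sensor on the gateway's outside interface are assumptions.

```python
from collections import defaultdict

# Constructed sample records, not real traffic: packets seen on the gateway's
# outside interface as (src, dst, proto, dst_port, ttl_on_arrival).
SAMPLE = (
    # Traceroute-style ramp-up: TTL rises each round, 3 probes per round.
    [("198.51.100.7", "10.0.0.5", "udp", 33434 + i, 1 + i // 3) for i in range(9)]
    # Scanning phase: TTL held constant while the destination port changes.
    + [("198.51.100.7", "10.0.0.5", "tcp", p, 2) for p in (21, 22, 23, 25, 80, 443)]
    # Ordinary client traffic arrives with plenty of TTL left.
    + [("203.0.113.9", "10.0.0.5", "tcp", 443, 52)] * 20
)


def find_fixed_ttl_port_sweeps(packets, low_ttl=3, min_ports=5):
    """Flag (src, dst, ttl) groups that look like a firewalk scanning phase.

    A group is flagged when one source sends TCP/UDP packets that reach the
    sensor with the same near-expiry TTL (<= low_ttl) to at least min_ports
    distinct (proto, port) pairs. Plain traceroute changes TTL every few
    probes, so each of its TTL groups stays below min_ports.
    Both thresholds are assumed values to tune per network.
    """
    groups = defaultdict(set)
    for src, dst, proto, dport, ttl in packets:
        if proto in ("tcp", "udp") and ttl <= low_ttl:
            groups[(src, dst, ttl)].add((proto, dport))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_ports}


if __name__ == "__main__":
    for (src, dst, ttl), ports in find_fixed_ttl_port_sweeps(SAMPLE).items():
        print(f"{src} -> {dst}: {len(ports)} ports probed at TTL {ttl}: {ports}")
```

With egress ICMP TTL Exceeded disabled as on slide 14, these probes get no answer, but they still reach the gateway and remain visible to this check.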