Sunday, November 24, 2024
HomeInformation GatheringFIREWALK - Active Reconnaissance Network Security Tool

FIREWALK – Active Reconnaissance Network Security Tool

Published on

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

It works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message.

If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

- Advertisement - SIEM as a Service

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hop count (at that point the scan is said to be `bound`) we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

 Also Read :  Masscan-Worlds Fastest Scanner

How Does FIREWALK work

Firewalk attempts to determine which protocols a router or firewall will block and which they will pass on to downstream hosts. It operates on an IP expiry technique, much like the commonly used Traceroute program.

The IP expiry technique involves manipulating the time to live (TTL) field of the IP header to map out all intermediate routers or hops between a scanning host and the target host. In Firewalk, scans are then sent with a TTL value one hop higher than that of the target host.

If the scan packets are blocked by an ACL or firewall, they are dropped or rejected. If allowed to pass through, they will expire and elicit an ICMP time exceeded message.

Based upon the results of the scans, Firewalk can identify which ports are open.

firewalk

HOW TO USE:

Download Firewalk from kali Linux  repository

root@kali:~# firewalk -h
Firewalk 5.0 [gateway ACL scanner]
Usage : firewalk [options] target_gateway metric
[-d 0 – 65535] destination port to use (ramping phase)
[-h] program help
[-i device] interface
[-n] do not resolve IP addresses into hostnames
[-p TCP | UDP] firewalk protocol
[-r] strict RFC adherence
[-S x – y, z] port range to scan
[-s 0 – 65535] source port
[-T 1 – 1000] packet read timeout in ms
[-t 1 – 25] IP time to live
[-v] program version
[-x 1 – 8] expire vector

gb@gbhackers:~$ sudo firewalk -S6045-6050 -i eth0 -n -pTCP 192.168.1.1 192.168.0.1
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 192.168.1.1 using 192.168.0.1 as a metric.
Ramping Phase:
 1 (TTL  1): expired [192.168.1.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
port 6045: open (expired) [122.168.96.1]
port 6046: open (expired) [122.168.96.1]
port 6047: open (expired) [122.168.96.1]
port 6048: open (expired) [122.168.96.1]
port 6049: open (expired) [122.168.96.1]
port 6050: open (expired) [122.168.96.1]

Scan completed successfully.

Total packets sent:                7
Total packet errors:               0
Total packets caught               7
Total packets caught of interest   7
Total ports scanned                6
Total ports open:                  6
Total ports unknown:               0
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

AgentTesla Stealer Delivered Via Weaponized PDF and CHM Files

AgentTesla, a notorious information stealer, is observed spreading via CHM and PDF Files, which...

InSpy – Linkedin Information Gathering Tool for Penetration Testers

The objective of this Information Gathering tool is to extract Linkedin users based on...

scanless – A Pentesting Tool to Perform Anonymous open Port Scan on Target Websites

Network Penetration Testing determines vulnerabilities on the network posture by discovering Open ports, Troubleshooting...