FIREWALK – Active Reconnaissance Network Security Tool

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

It works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message.

If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hop count (at that point the scan is said to be `bound`) we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

Also Read : Masscan-Worlds Fastest Scanner

How Does FIREWALK work

Firewalk attempts to determine which protocols a router or firewall will block and which they will pass on to downstream hosts. It operates on an IP expiry technique, much like the commonly used Traceroute program.

The IP expiry technique involves manipulating the time to live (TTL) field of the IP header to map out all intermediate routers or hops between a scanning host and the target host. In Firewalk, scans are then sent with a TTL value one hop higher than that of the target host.

If the scan packets are blocked by an ACL or firewall, they are dropped or rejected. If allowed to pass through, they will expire and elicit an ICMP time exceeded message.

Based upon the results of the scans, Firewalk can identify which ports are open.

HOW TO USE:

Download Firewalk from kali Linux  repository

root@kali:~# firewalk -h
Firewalk 5.0 [gateway ACL scanner]
Usage : firewalk [options] target_gateway metric
[-d 0 – 65535] destination port to use (ramping phase)
[-h] program help
[-i device] interface
[-n] do not resolve IP addresses into hostnames
[-p TCP | UDP] firewalk protocol
[-r] strict RFC adherence
[-S x – y, z] port range to scan
[-s 0 – 65535] source port
[-T 1 – 1000] packet read timeout in ms
[-t 1 – 25] IP time to live
[-v] program version
[-x 1 – 8] expire vector

gb@gbhackers:~$ sudo firewalk -S6045-6050 -i eth0 -n -pTCP 192.168.1.1 192.168.0.1
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 192.168.1.1 using 192.168.0.1 as a metric.
Ramping Phase:
 1 (TTL  1): expired [192.168.1.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
port 6045: open (expired) [122.168.96.1]
port 6046: open (expired) [122.168.96.1]
port 6047: open (expired) [122.168.96.1]
port 6048: open (expired) [122.168.96.1]
port 6049: open (expired) [122.168.96.1]
port 6050: open (expired) [122.168.96.1]

Scan completed successfully.

Total packets sent:                7
Total packet errors:               0
Total packets caught               7
Total packets caught of interest   7
Total ports scanned                6
Total ports open:                  6
Total ports unknown:               0