FireWalk


File firewalk


Script types: hostrule
Categories: safe, discovery
Download: http://nmap.org/svn/scripts/firewalk.nse

User Summary

Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
To determine a rule on a given gateway, the scanner sends a probe to a metric (a host located behind the gateway) with a TTL one higher than the distance to the gateway. If the gateway forwards the probe, we can expect an ICMP_TIME_EXCEEDED reply from the gateway's next-hop router, or from the metric itself if it is directly connected to the gateway. Otherwise, the probe times out.
The scan starts with a TTL equal to the distance to the target. If the probe times out, it is resent with the TTL decreased by one. Once an ICMP_TIME_EXCEEDED reply is received, the scan is over for this probe.
Every "no-reply" filtered TCP and UDP port is probed. As with UDP scans, this process can be quite slow if many ports are blocked by a gateway close to the scanner.
Scan parameters can be controlled using the firewalk.* optional arguments.
Based on an original idea by M. Schiffman and D. Goldsmith, authors of the firewalk tool.
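
The walk-down described above is easier to reason about on a model than on a live path, in particular when deciding how much to trust the hop attribution in the output table. The following is an added example written for this page, not code from the firewalk script or from Nmap: it simulates the TTL-expiry logic against a constructed four-hop topology with made-up filtering policies, sends no packets, and renders the result in the same hop/host/protocol layout as the Script Output section. Hop addresses, port lists and the policy on each hop are all constructed.

```python
"""Simulation of the firewalking algorithm: start at TTL = distance to the
target, resend with TTL-1 on timeout, stop at the first ICMP_TIME_EXCEEDED,
and attribute the block to the last router that answered. Constructed model
only; nothing here touches the network."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Hop:
    addr: str
    # Constructed policy: ports this device silently drops, per protocol.
    blocked: Dict[str, Set[int]] = field(default_factory=dict)

    def forwards(self, proto: str, port: int) -> bool:
        return port not in self.blocked.get(proto, set())


def send_probe(path: List[Hop], ttl: int, proto: str, port: int) -> Optional[str]:
    """Model one probe. path[i] is hop i+1; the last element is the target.

    Returns the address of the router whose TTL decrement hits zero and that
    answers ICMP_TIME_EXCEEDED, or None on timeout: either a gateway on the
    way dropped the probe, or it expired at the target, which is the
    destination and gives no reply on a filtered port."""
    for index, hop in enumerate(path, start=1):
        if index == ttl:
            return None if hop is path[-1] else hop.addr
        if not hop.forwards(proto, port):
            return None
    return None


def firewalk_port(path: List[Hop], proto: str, port: int) -> Optional[Tuple[int, str]]:
    """Walk the TTL down from the target distance until some router answers.

    Returns (ttl, address) of that router, or None if nothing ever replied."""
    for ttl in range(len(path), 0, -1):
        replier = send_probe(path, ttl, proto, port)
        if replier is not None:
            return ttl, replier
    return None


def firewalk(path: List[Hop], filtered: Dict[str, List[int]]):
    """Probe every 'no-reply' filtered port; group blocked ports by (hop, host) and protocol."""
    table: Dict[Tuple[int, str], Dict[str, List[int]]] = {}
    for proto, ports in filtered.items():
        for port in ports:
            hit = firewalk_port(path, proto, port)
            if hit is not None:
                table.setdefault(hit, {}).setdefault(proto, []).append(port)
    for protos in table.values():
        for ports in protos.values():
            ports.sort()
    return table


def port_ranges(ports: List[int]) -> str:
    """Compress a sorted port list into the '21-23,80' form of the script output."""
    out, i = [], 0
    while i < len(ports):
        j = i
        while j + 1 < len(ports) and ports[j + 1] == ports[j] + 1:
            j += 1
        out.append(str(ports[i]) if i == j else f"{ports[i]}-{ports[j]}")
        i = j + 1
    return ",".join(out)


def render(table) -> List[str]:
    """Lay the result out like the firewalk script output table."""
    lines = ["HOP HOST         PROTOCOL  BLOCKED PORTS"]
    for (ttl, addr), protos in sorted(table.items()):
        label = f"{ttl:<3} {addr:<12}"
        for proto in sorted(protos):
            lines.append(f"{label} {proto:<9} {port_ranges(protos[proto])}")
            label = " " * 16
    return lines


# Constructed topology: three gateways, then the target at hop 4. The
# target's own host firewall (tcp/443) is never consulted by send_probe,
# because a probe that reaches the destination gets no TIME_EXCEEDED.
PATH = [
    Hop("192.168.1.1", {"tcp": {21, 22, 23, 80}, "udp": {21, 22, 23, 80}}),
    Hop("10.0.1.1", {"tcp": {67, 68}}),
    Hop("10.0.1.254", {"tcp": {25}, "udp": {25}}),
    Hop("10.0.1.10", {"tcp": {443}}),
]
# Constructed port scan result: ports that returned nothing at all.
FILTERED = {"tcp": [21, 22, 23, 25, 67, 68, 80, 443], "udp": [21, 22, 23, 25, 80]}

if __name__ == "__main__":
    print("\n".join(render(firewalk(PATH, FILTERED))))
```

Running the model reproduces the intended attribution for ports dropped at hops 1 to 3, but tcp/443, which only the target's own firewall drops, is listed under 10.0.1.254: a reply from the last router before the target is consistent with a drop at either of the last two devices, and the technique cannot tell them apart. The same holds anywhere on the path: a gateway that forwards but whose next hop never emits ICMP_TIME_EXCEEDED looks identical to a gateway that drops, so the HOP column is an inference from the last answering router, not a direct observation of where the rule lives.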

Script Arguments


firewalk.max-probed-ports

maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.

firewalk.max-retries

the maximum number of allowed retransmissions.

firewalk.recv-timeout

the duration of the packets capture loop (in milliseconds).

firewalk.max-active-probes

maximum number of parallel active probes.

firewalk.probe-timeout

validity period of a probe (in milliseconds).

Example Usage


  • nmap --script=firewalk --traceroute <host>
    
  • nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
    
  • nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
    
  • nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
    
    

Script Output

| firewalk:
| HOP HOST         PROTOCOL  BLOCKED PORTS
| 2   192.168.1.1  tcp       21-23,80
|                  udp       21-23,80
| 6   10.0.1.1     tcp       67-68
| 7   10.0.1.254   tcp       25
|_                 udp       25

Requires


Author: Henri Doreau
License: Same as Nmap--See http://nmap.org/book/man-legal.html

action

action (host)
firewalk entry point

Parameters

  • host:

hostrule

hostrule (host)
host rule; checks for requirements before launching the script

Parameters

  • host:
