Firewalking with nmap

Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow.

Below description is about how to use nmap to perform firewalking. Some of the scripts arguments are also listed below for your reference.

firewalk.max-probed-ports
maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.

firewalk.max-retries
the maximum number of allowed retransmissions.

firewalk.recv-timeout
the duration of the packets capture loop (in milliseconds).

firewalk.max-active-probes
maximum number of parallel active probes.

firewalk.probe-timeout
validity period of a probe (in milliseconds).

Example Usage

• nmap --script=firewalk --traceroute
• nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1
• nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms
• nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7

Sample output is shown below.

$nmap --script=firewalk --traceroute 10.168.0.11

Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-11 17:25 IST
Nmap scan report for 10.168.0.11
Host is up (0.0033s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8009/tcp open  ajp13
8080/tcp open  http-proxy

TRACEROUTE (using port 1025/tcp)
HOP RTT     ADDRESS
1   2.63 ms 192.168.2.1
2   2.20 ms 10.168.0.11

Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds

Reference:
http://nmap.org/nsedoc/scripts/firewalk.html