Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow.
The description below covers how to use nmap to perform firewalking. Some of the firewalk script's arguments are also listed for reference.
- firewalk.max-probed-ports: maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.
- firewalk.max-retries: the maximum number of allowed retransmissions.
- firewalk.recv-timeout: the duration of the packet capture loop (in milliseconds).
- firewalk.max-active-probes: maximum number of parallel active probes.
- firewalk.probe-timeout: validity period of a probe (in milliseconds).
Example Usage
- nmap --script=firewalk --traceroute
- nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1
- nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms
- nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7
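As an added illustration of the TTL rule described at the top of this page, and of what the max-retries and max-probed-ports arguments control, here is a packet-free Python simulation. It is example code written for this page, not the nmap firewalk script or Schiffman and Goldsmith's tool: the two-hop topology, the gateway ACL and the "lost reply" schedule are constructed, and the names HOPS, ACL, send_probe, classify and firewalk are ours. The rule it implements is the one firewalking relies on: a probe is sent with TTL one greater than the gateway's hop distance; if an ICMP Time Exceeded comes back from a hop beyond the gateway, the gateway forwarded that port, while an ICMP error from the gateway itself or silence after all retries is treated as filtered.

```python
# Added example for this page: a packet-free simulation of the firewalk
# decision rule. Not the nmap firewalk script; topology, ACL and the
# lost-reply schedule are constructed so the logic can run offline.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed topology mirroring the sample traceroute: hop 1 is the
# filtering gateway, hop 2 is the target.
HOPS: Dict[int, str] = {1: "192.168.2.1", 2: "10.168.0.11"}
GATEWAY_HOP = 1

# Constructed gateway ACL: "allow" forwards, "drop" discards silently,
# "reject" answers with ICMP administratively-prohibited.
ACL: Dict[int, str] = {22: "allow", 80: "allow", 443: "reject", 25: "drop"}

# Constructed loss schedule: 0-based attempt numbers whose reply is lost.
LOST_ATTEMPTS: Dict[int, Set[int]] = {80: {0}}


@dataclass(frozen=True)
class Reply:
    kind: str   # "time-exceeded" or "admin-prohibited"
    src: str    # address of the hop that answered


def send_probe(port: int, ttl: int, attempt: int) -> Optional[Reply]:
    """Model of what the network returns for one TCP probe (nothing is sent)."""
    if attempt in LOST_ATTEMPTS.get(port, set()):
        return None                                   # reply lost in transit
    action = ACL.get(port, "drop")                    # unknown ports: default deny
    if action == "reject":
        return Reply("admin-prohibited", HOPS[GATEWAY_HOP])
    if action == "drop":
        return None
    # Forwarded: the packet expires at hop == ttl, which reports Time Exceeded.
    expiring_hop = min(ttl, max(HOPS))
    return Reply("time-exceeded", HOPS[expiring_hop])


def classify(reply: Optional[Reply]) -> str:
    """Firewalk rule for a probe sent with TTL = gateway hop + 1."""
    if reply is None:
        return "no-reply"
    if reply.kind == "time-exceeded" and reply.src != HOPS[GATEWAY_HOP]:
        return "forwarded"   # a router past the gateway saw it: the ACL permits the port
    return "filtered"        # error from the gateway itself, or TTL died at the gateway


def firewalk(candidate_ports: List[int], max_retries: int = 2,
             max_probed_ports: int = -1) -> Dict[int, str]:
    """Probe each candidate port, retrying only on silence."""
    if max_probed_ports != -1:
        candidate_ports = candidate_ports[:max_probed_ports]  # like firewalk.max-probed-ports
    ttl = GATEWAY_HOP + 1            # one hop past the gateway
    verdicts: Dict[int, str] = {}
    for port in candidate_ports:
        verdict = "no-reply"
        for attempt in range(max_retries + 1):        # like firewalk.max-retries
            verdict = classify(send_probe(port, ttl, attempt))
            if verdict != "no-reply":
                break
        # Silence after every retry is indistinguishable from a silent drop.
        verdicts[port] = "filtered" if verdict == "no-reply" else verdict
    return verdicts


def forwarded_ports(verdicts: Dict[int, str]) -> List[int]:
    """Ports the gateway lets through, the set the script reports per protocol."""
    return sorted(p for p, v in verdicts.items() if v == "forwarded")


if __name__ == "__main__":
    result = firewalk([22, 80, 443, 25, 3389])
    for port, verdict in result.items():
        print(f"{port}/tcp {verdict}")
    print("forwarded:", forwarded_ports(result))
```

Running it with the defaults reports 22 and 80 as forwarded (80 only because the first lost reply is retried) and 443, 25 and 3389 as filtered. Lowering max_retries to 0 turns port 80 into a false "filtered", which is the trade-off the firewalk.max-retries argument exposes; max_probed_ports simply truncates the candidate list the way firewalk.max-probed-ports caps the number of filtered ports probed per protocol.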
Sample output is shown below. Note that no firewalk section appears in it: the script only probes ports that nmap reported as filtered, and here every non-open port came back closed, so there was nothing for it to test.
$ nmap --script=firewalk --traceroute 10.168.0.11
Starting Nmap 6.46 ( http://nmap.org ) at 2014-08-11 17:25 IST
Nmap scan report for 10.168.0.11
Host is up (0.0033s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8009/tcp open ajp13
8080/tcp open http-proxy
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 2.63 ms 192.168.2.1
2 2.20 ms 10.168.0.11
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
Reference:
http://nmap.org/nsedoc/scripts/firewalk.html