FIREWALK(8)                 System Manager's Manual                FIREWALK(8)

NAME

       firewalk - Active Reconnaissance Network Security Tool with Extreme
       Prejudice


SYNOPSIS

       firewalk [-dhinprSsTtvx] target_gateway metric


DESCRIPTION

       Firewalk is an active reconnaissance network security tool that
       attempts to determine what layer 4 protocols a given IP forwarding
       device will pass.  Firewalk works by sending out TCP or UDP packets
       with a TTL one greater than the hop count of the targeted gateway.  If
       the gateway allows the traffic, it will forward the packets to the
       next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED
       message.  If the gateway host does not allow the traffic, it will
       likely drop the packets on the floor and we will see no response.

       To get the correct IP TTL that will result in packets expiring one hop
       beyond the gateway, we need to ramp up hop counts.  We do this in the
       same manner that traceroute works.  Once we have the gateway hop count
       (at that point the scan is said to be `bound') we can begin our scan.

       It is significant to note that the ultimate destination host does not
       have to be reached.  It just needs to be somewhere downstream, on the
       other side of the gateway, from the scanning host.  Please see
       http://www.wiley.com/cda/product/0,,0471205443,00.html for more
       information on Firewalking and network security tools in general.
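       The TTL arithmetic above is also what makes this traffic recognisable
       from the gateway's side: bound probes arrive with a TTL that will
       expire only one or two hops downstream, from a fixed source port, to
       many destination ports.  The following is an added example, not part
       of firewalk or this manual page; the log record layout and the
       thresholds are assumptions.

```python
# Added example (not firewalk's own code): defender-side heuristic for
# spotting firewalk-style probing in a gateway's ingress log.  A bound probe
# is sent with TTL = gateway hopcount + expire vector, so it reaches the
# gateway carrying TTL = expire vector + 1 while addressed to a host beyond.
from collections import defaultdict


def binding_ttl(gateway_hops, expire_vector=1):
    """TTL firewalk uses once bound: gateway hopcount + expire vector (-x)."""
    return gateway_hops + expire_vector


def ttl_seen_at_gateway(initial_ttl, gateway_hops):
    """TTL a probe still carries when it reaches a gateway `gateway_hops`
    hops away: each of the gateway_hops - 1 routers before it took one."""
    return initial_ttl - (gateway_hops - 1)


def find_firewalk_sources(records, expire_vector=1, min_ports=8):
    """Return {src: sorted dst ports} for sources whose probes arrive with a
    TTL that dies within `expire_vector` hops past the gateway and that touch
    at least `min_ports` distinct destination ports from one source port."""
    ports_by_key = defaultdict(set)
    for r in records:
        if r["ttl"] <= expire_vector + 1:
            ports_by_key[(r["src"], r["sport"])].add(r["dport"])
    return {src: sorted(ports)
            for (src, _sport), ports in ports_by_key.items()
            if len(ports) >= min_ports}


# Constructed sample (assumed log field names): a scanner 4 hops away probing
# a host one hop beyond the gateway with firewalk's default source port 53,
# plus ordinary client traffic from another host with a normal TTL.
SAMPLE_RECORDS = (
    [{"src": "192.0.2.10", "sport": 53, "dst": "203.0.113.5",
      "dport": p, "ttl": ttl_seen_at_gateway(binding_ttl(4), 4)}
     for p in (22, 25, 53, 80, 110, 139, 443, 1025)]
    + [{"src": "198.51.100.7", "sport": 40000 + i, "dst": "203.0.113.5",
        "dport": 443, "ttl": 60} for i in range(8)]
)

if __name__ == "__main__":
    print(find_firewalk_sources(SAMPLE_RECORDS))
```

       The heuristic flags only the low-TTL, many-port pattern; a traceroute
       to the same host trips the TTL test but not the port-count threshold.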

COMMAND-LINE OPTIONS

       If an option takes an argument, the argument follows the option
       letter; the default is given in parentheses.

       -d 1-65535 (34434)
                      Specify the initial destination port to use during the
                      network discovery (aka TTL ramping) phase.

       -h             Program help.

       -i interface_name
                      Specify the interface to use.  Only necessary on
                      multi-homed machines.

       -n             Do not resolve IP addresses into hostnames.  This saves
                      a DNS lookup and speeds up the scans (mainly during
                      network discovery).

       -P 1-2000 (0)  Set a network writing pause, which may be necessary to
                      keep the program from flooding the network.

       -p TCP, UDP (UDP)
                      Type of scan to perform.

       -r             Strict RFC 793 compliance.  This only comes into play
                      when doing a TCP scan when your packets have an expire
                      vector of one and your metric host is one hop from your
                      gateway.  Since the packets will reach their
                      destination, they will not expire, so we look for
                      terminal responses.  For a TCP port in the listen
                      state, we will get back a SYN|ACK with the ACK as our
                      SEQ + 1.  However, for a closed port, the response is
                      stack dependent.  If the host is RFC compliant we will
                      receive an RST|ACK with the ACK as our SEQ + 1.
                      However, if the host is not compliant (e.g. Microsoft)
                      then the best we can do is inverse tuple matching
                      (which is the default).

       -S 1-65535,... (1-130,139,1025)
                      Specify the ports for the scan.  Ports may be specified
                      in ranges, delimited by dashes, and multiple ranges may
                      be specified, delimited by commas.  Omitting the
                      terminating port number is shorthand for 65535.

       -s 1-65535 (53)
                      Specify the source port for the scan (both phases).

       -T 1-2000 (2)  Network packet reading timeout.  This is the time
                      firewalk will spend waiting for a response before
                      timing out.

       -t 1-25 (1)    Set the initial IP time to live (TTL) value.  If a
                      target gateway is known to be (at least) n hops from
                      the source host, the TTL can be preloaded to facilitate
                      a faster scan.

       -v             Dump program version and exit.

       -x expire vector (1)
                      The expire vector is the number of hops past the
                      gateway host at which the scanning probes will expire.
                      The binding hopcount is the hopcount of the gateway +
                      the expire vector.
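       The port specification syntax accepted by -S, parsed as an added
       example; this is not firewalk's own parser, and the function name is
       an assumption.

```python
# Added example (not firewalk's own code): parse the -S port specification
# described above.  Items are comma separated; each item is a single port or
# a dash-delimited range, and an omitted terminating port means 65535, so
# "1024-" is shorthand for 1024-65535.
MAX_PORT = 65535


def parse_port_spec(spec):
    """Return a sorted list of unique ports for a spec like '1-130,139,1025'.

    Raises ValueError for an empty item, a port outside 1-65535, or a range
    whose end precedes its start.
    """
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port item in %r" % spec)
        if "-" in item:
            start_s, end_s = item.split("-", 1)
            start = int(start_s)
            end = int(end_s) if end_s else MAX_PORT   # open-ended shorthand
        else:
            start = end = int(item)
        if not (1 <= start <= end <= MAX_PORT):
            raise ValueError("bad port range %r" % item)
        ports.update(range(start, end + 1))
    return sorted(ports)


# The default shown in the option description above.
DEFAULT_SCAN_PORTS = parse_port_spec("1-130,139,1025")

if __name__ == "__main__":
    print(len(DEFAULT_SCAN_PORTS), DEFAULT_SCAN_PORTS[-3:])
    print(parse_port_spec("1024-")[0], parse_port_spec("1024-")[-1])
```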

COMMAND-LINE EXAMPLES


CAVEATS

SEE ALSO

       traceroute(8), tracerx(8), pcap(3), libnet(3), dnet(3)


AUTHOR

       Mike D. Schiffman <mike@infonexus.com>


BUGS

       Please send bug reports to mike@infonexus.com

firewalk                          04.20.2002                       FIREWALK(8)