1FIREWALK(8) System Manager's Manual FIREWALK(8)
2
6 firewalk - Active Reconnaissance Network Security Tool with Extreme
7 Prejudice
8
10 firewalk [-dhinprSsTtvx] target_gateway metric
11
13 Firewalk is an active reconnaissance network security tool that
14 attempts to determine what layer 4 protocols a given IP forwarding
15 device will pass. Firewalk works by sending out TCP or UDP packets
16 with a TTL one greater than the targeted gateway. If the gateway
17 allows the traffic, it will forward the packets to the next hop where
18 they will expire and elicit an ICMP_TIME_EXCEEDED message. If the
19 gateway hostdoes not allow the traffic, it will likely drop the packets
20 on the floor and we will see no response.
21 To get the correct IP TTL that will result in expired packets one
23 beyond the gateway we need to ramp up hop-counts. We do this
24 in the same manner that traceroute works. Once we have the gateway
25 hopcount (at that point the scan is said to be `bound`) we can begin
26 our scan.
27 It is significant to note the fact that the ultimate destination host
29 does not have to be reached. It just needs to be somewhere down‐
30 stream, on the other side of the gateway, from the scanning host.
31 Please see http://www.wiley.com/cda/product/0,,0471205443,00.html for
32 more information on Firewalking and networking security tools in gen‐
33 eral.
34
37 If an option takes an argument, it procedes the option letter, with the
38 default in parenthesis.
39 -d 1-65535 (34434)
41 Specify the initial destination port to use during the
42 network discovery (aka TTL ramping) phase.
43 -h Program help.
45 -i interface_name
47 Specify interface to use. Only neccessary on multi-
48 homed machines.
49 -n Do not resolve IP addresses into hostnames. This saves
51 a DNS lookup and speeds the scans (mainly during network
52 discovery).
53 -P 1-2000 (0) Set a network writing pause which may be neccessary to
55 keep the program from flooding the network.
56 -p TCP, UDP (UDP)
58 Type of scan to perform.
59 -r Strict RFC 793 compliance. This only comes into play
61 when doing a TCP scan when your packets have an expire
62 vector of one and your metric host is one hop from your
63 gateway. Since the packets will reach their destina‐
64 tion, they will not expire, so we look for terminal
65 responses. For a TCP port in the listen state, we will
66 get back a SYN|ACK with the ACK as our SEQ + 1. How‐
67 ever, for a closed port, the response is stack depen‐
68 dent. If the host is RFC compliant we will receive an
69 RST|ACK with the ACK as our SEQ + 1. However, if the
70 host is not compliant (ie: microsoft) then the best we
71 can do is inverse tuple matching (which is the default).
72 -S 1-65535,... (1-130,139,1025)
74 Specify the ports for the scan. Ports may be specified
75 in ranges, delimited by dashes, and multiple ranges may
76 be specified, delimited by commas. Ommiting the termi‐
77 nating port number is shorthand for 65535.
78 -s 1-65535 (53)
80 Specify the source port for the scan (both phases).
81 -T 1-2000 (2) Network packet reading timeout. This is the time fire‐
83 walk will spend waiting for a response before timing
84 out.
85 -t 1-25 (1) Set the initial IP time to live (TTL) value. If a tar‐
87 get gateway is known to be (at least) n hops from the
88 source host, the TTL can be preloaded to facilitate a
89 faster scan.
90 -v Dump program version and exit.
92 -x expire vector (1)
94 The expire vector is the number of hops that the scan‐
95 ning probes will expire, past the gateway host. The
96 binding hopcount is the hopcount of the gateway + the
97 expire vector.
98 COMMAND-LINE EXAMPLES
102
105 traceroute(8), tracerx(8), pcap(3), libnet(3), dnet(3)
106
108 Mike D. Schiffman <mike@infonexus.com>
109
111 Please send bug reports to mike@infonexus.com
112firewalk 04.20.2002 FIREWALK(8)