Thursday, March 28, 2024

FIREWALK – Active Reconnaissance Network Security Tool

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

It works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message.

If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response.

To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hop count (at that point the scan is said to be `bound`) we can begin our scan.

It is significant to note the fact that the ultimate destination host does not have to be reached. It just needs to be somewhere downstream, on the other side of the gateway, from the scanning host.

 Also Read :  Masscan-Worlds Fastest Scanner

How Does FIREWALK work

Firewalk attempts to determine which protocols a router or firewall will block and which they will pass on to downstream hosts. It operates on an IP expiry technique, much like the commonly used Traceroute program.

The IP expiry technique involves manipulating the time to live (TTL) field of the IP header to map out all intermediate routers or hops between a scanning host and the target host. In Firewalk, scans are then sent with a TTL value one hop higher than that of the target host.

If the scan packets are blocked by an ACL or firewall, they are dropped or rejected. If allowed to pass through, they will expire and elicit an ICMP time exceeded message.

Based upon the results of the scans, Firewalk can identify which ports are open.

firewalk

HOW TO USE:

Download Firewalk from kali Linux  repository

root@kali:~# firewalk -h
Firewalk 5.0 [gateway ACL scanner]
Usage : firewalk [options] target_gateway metric
[-d 0 – 65535] destination port to use (ramping phase)
[-h] program help
[-i device] interface
[-n] do not resolve IP addresses into hostnames
[-p TCP | UDP] firewalk protocol
[-r] strict RFC adherence
[-S x – y, z] port range to scan
[-s 0 – 65535] source port
[-T 1 – 1000] packet read timeout in ms
[-t 1 – 25] IP time to live
[-v] program version
[-x 1 – 8] expire vector

gb@gbhackers:~$ sudo firewalk -S6045-6050 -i eth0 -n -pTCP 192.168.1.1 192.168.0.1
Firewalk 5.0 [gateway ACL scanner]
Firewalk state initialization completed successfully.
TCP-based scan.
Ramping phase source port: 53, destination port: 33434
Hotfoot through 192.168.1.1 using 192.168.0.1 as a metric.
Ramping Phase:
 1 (TTL  1): expired [192.168.1.1]
Binding host reached.
Scan bound at 2 hops.
Scanning Phase:
port 6045: open (expired) [122.168.96.1]
port 6046: open (expired) [122.168.96.1]
port 6047: open (expired) [122.168.96.1]
port 6048: open (expired) [122.168.96.1]
port 6049: open (expired) [122.168.96.1]
port 6050: open (expired) [122.168.96.1]

Scan completed successfully.

Total packets sent:                7
Total packet errors:               0
Total packets caught               7
Total packets caught of interest   7
Total ports scanned                6
Total ports open:                  6
Total ports unknown:               0
Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles