5.0 Firewalking
Firewalking [27] is a technique used to gather information about a remote network protected by a
firewall.
The technique is used for two purposes:
· Determining the rule set or ACL of a firewall or other packet-filtering device (mapping
  open ports on a firewall).
· Mapping a network behind a firewall. When a firewall's policy is to drop ICMP ECHO
  Request/Reply, this technique is very effective.
How does Firewalking work?
It uses traceroute-like probing to determine whether or not a particular packet can
pass through a packet-filtering device.
Since traceroute is dependent on the IP layer (TTL field), any transport protocol can be used
the same way (TCP, UDP, and ICMP).
For Firewalking we need two pieces of information in advance:
· The IP address of the last known gateway before the firewalling takes place
· The IP address of a host located behind the firewall.
The first IP address serves as our waypoint. The second IP address is used as a destination
to direct the packet flow.
If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that
prohibits the probe, we can only determine that the last gateway which responded was
probably the firewall. The firewall then becomes a waypoint for further investigation. We then
try again to traceroute the same machine, this time with a traceroute-like probe that uses
a different transport protocol. If we get a response we can conclude the following:
· That particular traffic is allowed by the firewall
· We know a host behind the firewall
If we are continuously blocked by the ACL filters at our waypoint, we know that this kind
of traffic is blocked.
Trying to pass packets on all ports and protocols through the firewall and monitoring the
responses will produce the ACL.
Sending packets to every host behind the packet-filtering device can generate an accurate
map of a network's topology.
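Seen from the filtering device, the same TTL dependence gives a defender something to look for: probes that arrive with a TTL about to expire, spread over many ports or many inside addresses. The following is an added example, not part of the original paper; the record layout, the thresholds and the sample log are constructed assumptions.

```python
from collections import defaultdict

# Assumed tuning values, not taken from the paper.
LOW_TTL = 2        # on arrival at the filter: expires within a hop or two behind it
MIN_SERVICES = 10  # distinct (protocol, port) pairs probed with a low TTL
MIN_HOSTS = 8      # distinct inside destinations probed with a low TTL

# Constructed log records: (source, destination, protocol, dest port, TTL on arrival).
SAMPLE_LOG = (
    # One source walking TCP ports toward a single inside host.
    [("198.51.100.7", "192.0.2.10", "tcp", p, 2) for p in range(20, 32)]
    # One source probing the same port on many inside addresses.
    + [("198.51.100.99", f"192.0.2.{h}", "tcp", 80, 2) for h in range(1, 11)]
    # An ordinary traceroute passing through: low TTL, only a few probes.
    + [("203.0.113.9", "192.0.2.10", "udp", 33434 + i, 1 + i // 3) for i in range(6)]
    # Normal clients: many services, but TTLs nowhere near expiry.
    + [("203.0.113.50", "192.0.2.10", "tcp", p, 57) for p in range(20, 32)]
)


def find_firewalk_sources(records, low_ttl=LOW_TTL,
                          min_services=MIN_SERVICES, min_hosts=MIN_HOSTS):
    """Map each suspicious source to the sorted list of patterns it matched."""
    services = defaultdict(set)   # source -> {(proto, port)} seen with low TTL
    hosts = defaultdict(set)      # source -> {destination} seen with low TTL
    for src, dst, proto, dport, ttl in records:
        if ttl <= low_ttl:
            services[src].add((proto, dport))
            hosts[src].add(dst)
    findings = {}
    for src in services:
        matched = []
        if len(services[src]) >= min_services:
            matched.append("acl-scan")       # many ports/protocols, low TTL
        if len(hosts[src]) >= min_hosts:
            matched.append("host-mapping")   # many destinations, low TTL
        if matched:
            findings[src] = matched
    return findings


if __name__ == "__main__":
    for source, patterns in sorted(find_firewalk_sources(SAMPLE_LOG).items()):
        print(source, ", ".join(patterns))
```

The two patterns correspond to the two purposes listed at the start of this section; the thresholds need tuning against the ordinary traceroute traffic a given site sees.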
[27] Firewalking - A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway Access
Control Lists, http://www.packetfactory.net/firewalk/firewalk-final.html