
5.0 Firewalking

Firewalking [27] is a technique used to gather information about a remote network protected by a firewall. The technique is used for two purposes:

· Determining the rule set or ACL of a firewall or other packet-filtering device (mapping open ports on a firewall).
· Mapping a network behind a firewall.

When a firewall’s policy is to drop ICMP ECHO Request/Reply, this technique is very effective.

How does Firewalking work?

It uses a traceroute-like technique to determine whether or not a particular packet can pass through a packet-filtering device. Since traceroute depends on the IP layer (the TTL field), any transport protocol can be used the same way (TCP, UDP, and ICMP).

For Firewalking we need two pieces of information in advance:

· The IP address of the last known gateway before the firewalling takes place.
· The IP address of a host located behind the firewall.

The first IP address serves as our waypoint. The second IP address is used as a destination to direct the packet flow.

If we try to traceroute the machine behind a firewall and get blocked by an ACL filter that prohibits the probe, we can only determine which gateway was the last to respond, which is probably the firewall. The firewall then becomes a waypoint for further investigation.

We then traceroute the same machine again, this time with a traceroute-like probe that uses a different transport protocol. If we get a response, we can conclude the following:

· That particular traffic is allowed by the firewall.
· We know a host behind the firewall.

If we are continuously blocked by the ACL filters at our waypoint, we know that this kind of traffic is blocked.

Trying to pass packets on all ports and protocols through the firewall and monitoring the responses will produce the ACL. Sending packets to every host behind the packet-filtering device can generate an accurate map of a network’s topology.
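From the defending side, the probing described above leaves a recognizable trace at the gateway: traceroute-like packets arrive with almost no TTL left, and one source spreads them over many protocols and ports. The following detection sketch is an added example, not part of the original paper; the log format, the addresses (documentation ranges) and both thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample of a gateway ingress log (hypothetical format):
# time  source  destination  protocol  dest-port  TTL-on-arrival
SAMPLE_LOG = """\
10:00:01 198.51.100.7 192.0.2.10 udp 33434 1
10:00:02 198.51.100.7 192.0.2.10 tcp 21 2
10:00:02 198.51.100.7 192.0.2.10 tcp 22 2
10:00:03 198.51.100.7 192.0.2.10 tcp 23 2
10:00:03 198.51.100.7 192.0.2.10 tcp 25 2
10:00:04 198.51.100.7 192.0.2.10 udp 53 2
10:00:04 198.51.100.7 192.0.2.11 tcp 80 2
10:00:05 203.0.113.20 192.0.2.10 tcp 80 52
10:00:06 203.0.113.20 192.0.2.10 tcp 443 52
10:00:07 203.0.113.44 192.0.2.10 udp 33435 1
"""

LOW_TTL = 2       # assumption: a packet meant to expire at or just past the gateway
MIN_SERVICES = 5  # assumption: distinct (protocol, port) pairs before alerting

def parse(log):
    """Yield (src, dst, proto, dport, ttl) for each well-formed log line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        _, src, dst, proto, dport, ttl = fields
        try:
            yield src, dst, proto, int(dport), int(ttl)
        except ValueError:
            continue  # non-numeric port or TTL

def detect(log, low_ttl=LOW_TTL, min_services=MIN_SERVICES):
    """Return sources that sent low-TTL packets to many distinct services."""
    services = defaultdict(set)  # src -> {(proto, dport)}: ACL-mapping breadth
    hosts = defaultdict(set)     # src -> {dst}: topology-mapping breadth
    for src, dst, proto, dport, ttl in parse(log):
        if ttl <= low_ttl:
            services[src].add((proto, dport))
            hosts[src].add(dst)
    return {src: {"services": len(svcs), "hosts": len(hosts[src])}
            for src, svcs in services.items() if len(svcs) >= min_services}

if __name__ == "__main__":
    for src, stats in detect(SAMPLE_LOG).items():
        print(src, stats)
```

The service count reflects ACL mapping and the host count reflects topology mapping, the two purposes listed above; a lone low-TTL packet, such as an ordinary traceroute, stays below the threshold.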
[27] Firewalking - A Traceroute-Like Analysis of IP Packet Responses to Determine Gateway Access Control Lists, http://www.packetfactory.net/firewalk/firewalk-final.html