The art of firewalking - by Sujay
TRANSCRIPT
Page 1
Firewalking, Null Hyd, 17 May 2014
Sujay Gankidi
Page 2
http://en.wikipedia.org/wiki/Firewalk
Page 3
Problem
Security Assessments
Network Troubleshooting
Page 4
Definition: Firewalking is a technique developed by Mike Schiffman and David Goldsmith that utilizes traceroute techniques and TTL values to analyze IP packet responses in order to determine gateway ACL (Access Control List) filters and map networks. It is an active reconnaissance network security analysis technique that attempts to determine which layer 4 protocols a specific firewall will allow.
Ref: http://en.wikipedia.org/wiki/Firewalk_%28computing%29#cite_ref-1
firewalk is an Active Reconnaissance Network Security Tool with Extreme Prejudice
Ref: http://linux.die.net/man/8/firewalk
Page 5
Traceroute
Network debugging utility that maps out all hosts en route to a particular destination.
Uses UDP or ICMP echo packets.
Increases the time to live (TTL) field in the IP header each successive round (3 packets per round).
For a UDP scan the destination port is incremented with each probe sent: (target_port - (number_of_hops * num_of_probes)) - 1
Page 6
Traceroute (diagram): source x.x.x.x reaches destination z.z.z.z through Y.Y.Y.Y, A.A.A.A and B.B.B.B.
Traceroute to z.z.z.z reports:
Hop1 Y.Y.Y.Y
Hop2 A.A.A.A
Hop3 B.B.B.B
…
Page 7
Firewalking: built on the idea of traceroute to identify what the ACLs of a firewall allow.
Firewalk tries to find out which transport-layer protocols a gateway allows by sending TCP or UDP packets with an IP TTL one greater than the hop count of the targeted gateway.
To use this technique we must know:
The IP address of the last known gateway before the firewalling takes place
The IP address of a host located behind the firewall.
Page 8
Phases
Network discovery phase: ramp up the TTL like traceroute until the gateway is bound to a hop count.
Scanning phase: send TCP/UDP packets with a timeout.
Response received: port open
No response: port closed
Page 9
Firewalk (diagram): the scanning host X.X.X.X is Hop 0, the gateway Y.Y.Y.Y is Hop n, and the host behind it, ?.?.?.?, is Hop n+m.
Phase 1: find the gateway hop count (bound).
Phase 2: scan for allowed protocols and ports. Send a TCP/UDP packet with TTL = n + 1 to each destination port. If the reply is ICMP time exceeded, the port is open; else keep guessing!
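The two phases and the reply rule on this slide, modelled as an added Python simulation (it is not the firewalk tool's code and is not from the slides): the path, the hop names and the ACLs are constructed, and every node is assumed to decrement the TTL and to answer with ICMP time exceeded when it reaches zero unless its `ttl_exceeded` flag is off. Beyond this slide, the constructed path also reproduces the false negative from the concerns slide (a port dropped before the gateway) and the effect of the mitigation slide (TTL exceeded replies suppressed).

```python
from dataclasses import dataclass, field

@dataclass
class Hop:
    """One node on the path. 'blocks' holds the (proto, port) pairs its ACL silently drops;
    ttl_exceeded=False models a node whose egress ICMP TTL Exceeded messages are disabled."""
    name: str
    blocks: set = field(default_factory=set)
    ttl_exceeded: bool = True

def send(path, ttl, proto, port):
    """Walk one probe along the path and return what the sender observes: ('time-exceeded', hop)
    when the TTL hits zero, ('reached', host) at the end of the path, or None (no reply)."""
    for hop in path:
        if (proto, port) in hop.blocks:
            return None                     # dropped by an ACL: the sender sees nothing
        ttl -= 1                            # assumption: every node decrements the TTL
        if ttl == 0:
            return ("time-exceeded", hop.name) if hop.ttl_exceeded else None
    return ("reached", path[-1].name)

def bind_gateway(path, gateway, max_ttl=30):
    """Phase 1: ramp up the TTL like traceroute until the gateway itself answers;
    the TTL that makes it answer is its hop count n (the gateway is 'bound')."""
    for ttl in range(1, max_ttl + 1):
        if send(path, ttl, "icmp", 0) == ("time-exceeded", gateway):
            return ttl
    return None

def firewalk(path, gateway, proto, ports):
    """Phase 2: probe each port with TTL = n + 1. A time-exceeded reply can only come back
    if the gateway forwarded the packet, so that (proto, port) passed its ACL: 'open'.
    Silence is 'unknown': filtered by the gateway, or lost earlier (a false negative)."""
    n = bind_gateway(path, gateway)
    if n is None:
        return {}
    verdict = {}
    for port in ports:
        reply = send(path, n + 1, proto, port)
        verdict[port] = "open" if reply and reply[0] == "time-exceeded" else "unknown"
    return verdict

# Constructed path: R1 -> R2 -> GW (the firewall, hop 3) -> R4 -> metric host behind it.
EXAMPLE_PATH = [Hop("R1", {("udp", 161)}), Hop("R2"),
                Hop("GW", {("tcp", 23)}), Hop("R4"), Hop("metric")]

if __name__ == "__main__":
    print("gateway bound at hop", bind_gateway(EXAMPLE_PATH, "GW"))
    print(firewalk(EXAMPLE_PATH, "GW", "tcp", [22, 23, 80]))   # 23 is filtered by GW
    print(firewalk(EXAMPLE_PATH, "GW", "udp", [53, 161]))      # 161 is dropped by R1 first
```

Setting `ttl_exceeded = False` on the node past the gateway turns every verdict into "unknown", which is why the mitigation slide lists suppressing egress TTL Exceeded messages.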
Page 10
Concerns
False negatives:
Host could be down
Packets could be dropped by any gateway prior to our target gateway
Page 11
Slow walk / creeping walk
Needed when packets are dropped before reaching the gateway.
Ramp up to the destination and scan each hop en route to the target.
Very slow.
Page 12
RFC 1918 - Address Allocation for Private Internets
Page 13
Threats
Firewall protocol scan
Advanced Network Mapping
Page 14
Mitigation
Disable egress ICMP TTL Exceeded messages
NAT
Proxy
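From the gateway's side, an added Python heuristic (not from the slides) for spotting the threat above in the gateway's own logs: a probe sent with TTL = n + 1 reaches the gateway at hop n with TTL 2, so it looks for sources whose TCP/UDP packets will expire one hop past the gateway and that spread across many distinct ports. The log format and the addresses are constructed; a plain traceroute through the gateway to a nearby host matches the same pattern, so a hit is a lead to investigate, not a verdict.

```python
import re
from collections import defaultdict

# Constructed gateway log lines (assumed format, not from the slides). The probes from
# 203.0.113.5 arrive with TTL 2: they will expire one hop past this gateway.
SAMPLE_LOG = """\
2014-05-17T10:00:01 src=203.0.113.5 dst=198.51.100.20 proto=icmp dport=0 ttl=1
2014-05-17T10:00:02 src=203.0.113.5 dst=198.51.100.20 proto=tcp dport=21 ttl=2
2014-05-17T10:00:02 src=203.0.113.5 dst=198.51.100.20 proto=tcp dport=22 ttl=2
2014-05-17T10:00:02 src=203.0.113.5 dst=198.51.100.20 proto=tcp dport=23 ttl=2
2014-05-17T10:00:03 src=203.0.113.5 dst=198.51.100.20 proto=tcp dport=25 ttl=2
2014-05-17T10:00:03 src=203.0.113.5 dst=198.51.100.20 proto=udp dport=53 ttl=2
2014-05-17T10:00:04 src=192.0.2.9 dst=198.51.100.20 proto=tcp dport=443 ttl=57
2014-05-17T10:00:05 src=192.0.2.9 dst=198.51.100.20 proto=tcp dport=80 ttl=57
"""

FIELDS = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) ttl=(\d+)")

def firewalk_suspects(log, expiring_ttl=2, min_ports=5):
    """Return {src: sorted (proto, dport) pairs} for sources whose TCP/UDP packets arrived
    with a TTL that expires one hop past this gateway (expiring_ttl, 2 for a gateway that
    decrements once) and that touched at least min_ports distinct ports."""
    probes = defaultdict(set)
    for line in log.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue                      # ignore lines that lack the expected fields
        src, _dst, proto, dport, ttl = m.groups()
        if proto in ("tcp", "udp") and int(ttl) == expiring_ttl:
            probes[src].add((proto, int(dport)))
    return {src: sorted(p) for src, p in probes.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for src, ports in firewalk_suspects(SAMPLE_LOG).items():
        print(f"possible firewalk from {src}: {len(ports)} ports probed, e.g. {ports[:3]}")
```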
Page 15
Tools and usage
Firewalk
firewalk [options] Gateway_IP Metric
Nmap
nmap --script=firewalk --traceroute <IP>
Page 16
Q & A