Script firewalk
Script types:
hostrule
Categories:
safe, discovery
Download: https://svn.nmap.org/nmap/scripts/firewalk.nse
Script Summary
Tries to discover firewall rules using an IP TTL expiration technique known as firewalking.
To determine a rule on a given gateway, the scanner sends a probe to a metric located behind the gateway, with a TTL one higher than the gateway's distance. If the probe is forwarded by the gateway, then we can expect to receive an ICMP_TIME_EXCEEDED reply from the gateway's next-hop router, or from the metric itself if it is directly connected to the gateway. Otherwise, the probe will time out.
The scan starts with a TTL equal to the distance to the target. If the probe times out, it is resent with a TTL decreased by one. Once an ICMP_TIME_EXCEEDED reply is received, the scan is over for this probe.
Every "no-response" filtered TCP and UDP port is probed. As with UDP scans, this process can be quite slow if many ports are blocked by a gateway close to the scanner, since each such port needs one round of probes for every TTL between the target's distance and that gateway's.
Scan parameters can be controlled using the firewalk.* optional arguments.
From an original idea of M. Schiffman and D. Goldsmith, authors of the firewalk tool.
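As an added example (not code from firewalk.nse, which is written in Lua), the following packet-free Python model walks through the TTL technique described above on a constructed path: routers with per-hop drop rules, one probe function, and the decreasing-TTL loop that attributes each filtered port to the gateway dropping it. Names such as Hop, send_probe and firewalk_port, and the addresses used, are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    """A router on the path (constructed model). `blocked` holds the ports it
    drops when forwarding; TTL is checked before the filter, as firewalking assumes."""
    addr: str
    blocked: frozenset = frozenset()

# Constructed topology: three routers in front of the target (distance 4).
ROUTERS = [Hop("10.0.0.1", frozenset({22})),
           Hop("192.168.1.1", frozenset({21, 22, 23, 80})),
           Hop("10.0.1.1", frozenset({67, 68}))]
TARGET = "10.0.2.10"

def send_probe(routers, target, port, ttl):
    """Model one probe: the address that answers (ICMP_TIME_EXCEEDED from the
    router whose decrement brings TTL to 0, or the target when reached), or
    None when a router silently drops the probe and it times out."""
    for hop in routers:
        ttl -= 1
        if ttl == 0:
            return hop.addr          # ICMP_TIME_EXCEEDED from this router
        if port in hop.blocked:
            return None              # filtered here: no reply, probe times out
    return target                    # metric reached directly

def firewalk_port(routers, target, port, max_retries=2):
    """TTL walk for one port: start at the distance to the target and, on each
    timeout (after max_retries retransmissions), resend with TTL-1 until a reply
    arrives. Returns (hop_number, replying_addr, probes_sent); a reply from the
    target itself means the port is not blocked on the path."""
    distance = len(routers) + 1
    probes = 0
    for ttl in range(distance, 0, -1):
        for _ in range(max_retries + 1):
            probes += 1
            reply = send_probe(routers, target, port, ttl)
            if reply is not None:
                return ttl, reply, probes
    return None, None, probes

def firewalk(routers, target, ports, **kw):
    """Group blocked ports by the gateway that drops them, like the script's table."""
    table = {}
    for port in ports:
        hop, addr, _ = firewalk_port(routers, target, port, **kw)
        if addr != target:
            table.setdefault((hop, addr), []).append(port)
    return table

if __name__ == "__main__":
    for (hop, addr), ports in sorted(firewalk(ROUTERS, TARGET, [21, 22, 23, 67, 80, 443]).items()):
        print(hop, addr, ports)
```

Port 22, dropped by the first router, costs ten probes against one for the open port 443, which is the slowdown the summary warns about for filters close to the scanner.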
Script Arguments
- firewalk.max-probed-ports
maximum number of ports to probe per protocol. Set to -1 to scan every filtered port.
- firewalk.max-retries
the maximum number of allowed retransmissions.
- firewalk.recv-timeout
the duration of the packet capture loop (in milliseconds).
- firewalk.max-active-probes
maximum number of parallel active probes.
- firewalk.probe-timeout
validity period of a probe (in milliseconds).
Example Usage
nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>
Script Output
| firewalk:
| HOP HOST        PROTOCOL  BLOCKED PORTS
| 2   192.168.1.1 tcp       21-23,80
|                 udp       21-23,80
| 6   10.0.1.1    tcp       67-68
| 7   10.0.1.254  tcp       25
|_                udp       25
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html
action
- action (host)
  firewalk entry point
  Parameters
  - host
hostrule
- hostrule (host)
  host rule; checks for requirements before launching the script
  Parameters
  - host